Barnes Tech

Artemis II: The Mission and Its Images

Sat, 11 Apr 2026 12:00:00 GMT

Artemis II launched on April 1, 2026, from Pad 39B at Kennedy Space Center aboard NASA's Space Launch System. The crew — Reid Wiseman, Victor Glover, Christina Koch, and Jeremy Hansen — flew a 10-day lunar flyby test mission aboard the Orion capsule (named Integrity). The purpose was to test systems, identify problems, and validate hardware for future lunar landing missions. No landing was attempted.

Watching this mission unfold has been genuinely incredible. In a period where so much of the world is chaotic and uncertain, having something this ambitious and this beautiful to follow has been a welcome reminder of what humans are capable of when they're pointed in the right direction. The images that came back are stunning, and I wanted to put all of my favorite ones in one place.

Dark-Side Earth Photography

Some of the most striking images showed Earth's night side after the spacecraft left low orbit. A thin crescent of sunlight and scattered city lights were visible, while the rest of the cloud cover was faintly illuminated by moonshine — sunlight reflecting off the full Moon back onto Earth.

Longer-exposure versions of these shots revealed additional features:

Venus as a bright point of light
Green auroras visible at high latitudes
The sodium layer — a thin glowing ring around the planet at roughly 90 km altitude, created by atomic sodium deposited from vaporized meteors and excited by sunlight. Astronomers use lasers tuned to this sodium's wavelength to create artificial "guide stars," then measure atmospheric distortion to drive adaptive optics corrections on ground-based telescopes.
Zodiacal light — a faint glow caused by sunlight scattering off interplanetary dust along the plane of the solar system

The Moon's Far Side

As the capsule orbited the Moon, it captured detailed views of the far side, which is heavily cratered compared to the smoother near side. The near side has a thinner crust, likely due to gravitational interaction and concentration of radioactive, heat-producing elements, which allowed more volcanic activity to resurface the terrain with lava flows. The far side, with its thicker crust, preserves a much longer history of impacts. Visible features include crater chains — linear strings of craters formed by ejecta from large impacts like the Orientale basin — and deep multi-ring impact basins.

"Earthset"

The mission produced a now-iconic image of a crescent Earth appearing to set behind the Moon's limb, shot with a long telephoto lens (80–400 mm on a Nikon D5). While visually stunning, the image contains three subtle distortions worth understanding:

Orientation — The photo has been rotated to make it look like Earth is rising or setting over a horizon. From the spacecraft's actual trajectory, Earth was off to the side.
Apparent size — The telephoto lens compresses the scene, making Earth appear far larger relative to the lunar surface than it would to the naked eye.
The concept of Earthrise/Earthset — Because the Moon is tidally locked, Earth doesn't actually rise or set from the lunar surface. From the near side, Earth hangs in roughly the same spot in the sky (with slight wobble from libration). From the far side, Earth is never visible. The apparent motion in these photos is entirely due to the spacecraft's orbit.

The Moon's surface in these shots also looks oddly "rendered" or video-game-like. This is because lighting in space comes from a single source (the Sun) with no atmospheric scattering to fill shadows, producing extreme contrast that our brains read as computer-generated.

The Unplanned Solar Eclipse

The mission's most dramatic visual moment was unplanned. Because of a launch schedule slip to April 1, the departing spacecraft's geometry happened to align so that the Moon passed directly in front of the Sun. The astronauts watched from within the Moon's shadow as the solar corona — hot plasma extending far from the Sun's surface — formed a bright halo around the Moon's silhouette.

The Moon's dark side was faintly illuminated by Earthshine: sunlight bouncing off the distant Earth. Stars and several planets (including Mars, Venus, and Saturn) were visible along the plane of the solar system in the same frame. Victor Glover remarked from orbit that humans probably haven't evolved to process what they were seeing.

Wide Compositions

Several images placed the Orion capsule, the Moon, and the Earth all in a single frame — one captured by a GoPro mounted externally. These compositions drive home the scale contrast between the small, improvised nature of human spacecraft and the vastness of the space around them.

Why These Photos Matter

The most powerful Artemis II images resulted from a combination of luck and deliberate human choices. The launch date created the eclipse geometry. The astronauts chose the compositions, lenses, and framing. Photographs from crewed missions are not just data — they are artistic decisions that shape how humanity processes and remembers spaceflight.

Gallery

All 118 images and videos below are full-resolution NASA originals. Click any thumbnail to view it larger, and use the download button to save individual files or download the entire collection.

Links

Hank Green's breakdown of the Artemis II mission and its images

Claude Code's Source Code Leaked via npm

Wed, 01 Apr 2026 12:00:00 GMT

I've written about Claude Code before and it's a tool I use every day. Yesterday, it was discovered that Anthropic accidentally included the source code for Claude Code.

It's important to note, this is only the specific source code for Claude Code, the coding assistant that Anthropic have, primarily used in the terminal. This is not the source of the actual AI model itself or the Claude app.

Here's what actually happened, what people found inside, and why I think this is mostly just an embarrassing mistake rather than the catastrophic event some are making it out to be.

What Happened

On March 31st, security researcher Chaofan Shou discovered that a recent npm release of Claude Code included a source map file. For the non-developers: when code gets packaged up for distribution, it gets compressed and minified into something that's basically unreadable to humans. It still works fine, but if you opened it up and tried to make sense of it, you'd just see a wall of characters. A source map is a separate file that reverses that process. It maps the compressed code back to the original, readable source. Developers keep these around for debugging, but they're meant to stay internal. You don't publish them to the world.

Anthropic accidentally shipped one to the public.

The result was roughly 1,900 TypeScript files and over 500,000 lines of readable code, essentially the entire Claude Code codebase, sitting right there in the npm package for anyone to extract. Researchers found it, the code spread quickly across GitHub, and by the time Anthropic pulled the release and started issuing DMCA takedowns, the cat was thoroughly out of the bag.

How Does This Happen?

This is actually a pretty common class of mistake. npm packages are defined by a package.json file that specifies what gets included when you publish. A misconfigured .npmignore file or a missing exclusion in the files field, and suddenly your source maps, internal docs, or test fixtures are shipping to production.

The leading theory is that someone on the team enabled richer source maps to debug some rate-limiting issues they were having, and then forgot to exclude them before the next publish.

Anthropic confirmed as much in a statement to the press:

Earlier today, a Claude Code release included some internal source code. No sensitive customer data or credentials were involved or exposed. This was a release packaging issue caused by human error, not a security breach. We're rolling out measures to prevent this from happening again.

It was a build pipeline oversight. The kind of thing that can happen to any team, and has happened to plenty of others.

What's Inside

This is where it gets interesting. The leaked code reveals that Claude Code is a genuinely sophisticated piece of software, not just a thin wrapper around an API.

The architecture is built on Bun (not Node.js), uses React with Ink for terminal UI rendering, and has a modular tool-based system with around 40 built-in tools, each with its own permission gates. The query engine alone, which handles all the LLM API calls, streaming, caching, and orchestration, is reportedly around 46,000 lines.

Multi-agent orchestration is a big part of it. Claude Code can spawn sub-agents (internally called "swarms") to handle complex tasks in parallel, each running in its own context with specific tool permissions. If you've used the Agent tool in Claude Code, you've seen this in action.

There's a persistent memory system, which I've talked about before, stored as files that maintain context about you and your projects across sessions. Seeing the implementation details confirms what the experience already suggested: this is one of the features that makes Claude Code actually useful rather than just clever.

The Most Interesting Stuff

Beyond the architecture, the leak exposed some features and behaviors that raised eyebrows.

Anti-distillation tricks. The code includes mechanisms designed to poison the output if someone tries to train another model on Claude's responses. Essentially, fake tool descriptions and misleading instructions get baked into the output in ways that would confuse a model trying to learn from it. This is Anthropic's attempt to protect against competitors scraping Claude's behavior to train cheaper models. Now that the actual tool list and real instructions are visible, this defense is somewhat undermined.

Undercover mode. There's a flag that instructs Claude not to mention itself, its model name, or Anthropic in commit messages or outputs. The stated purpose is to avoid leaking internal model codenames, but it also raised concerns about AI-generated code being quietly contributed to open source projects without disclosure. I can see both sides of this. If you're an Anthropic engineer using Claude Code to help with a commit to a public repo, you probably don't want "Claude Opus 4.7" in the commit metadata. But the optics aren't great.

A frustration detector. A regex-based system that scans user input for angry or profane language and logs events. This is pretty straightforward pattern matching, not some deep emotional intelligence system.

Unreleased features. The code references a bunch of stuff that hasn't shipped yet: "dream mode" for background memory consolidation, "coordinator mode" for spinning up multiple workers in parallel, "ultra plan" and "ultra review" for long-running remote operations, auto/AFK modes that act while you're away, and references to unreleased models including something codenamed Capiara/Mythos.

Feature flags everywhere. The code uses tons of feature flagging, which is pretty standard, but the sheer number of flags and environment variables suggests this codebase moves fast and experiments constantly.

Why It's Not a Huge Deal

Here's where I'll probably diverge from some of the more dramatic coverage. I don't think this is actually that significant in terms of real damage.

The model is the product, not the harness. Claude Code is an impressive piece of engineering, but it's ultimately orchestration software that makes API calls to Claude. The actual intelligence, the thing that makes it useful, lives in the model weights on Anthropic's servers. Those weren't leaked. A competitor could rebuild the entire Claude Code CLI from scratch using the leaked source and it would still need access to Claude's API (or another model's) to do anything.

Most of this was already knowable. If you've used Claude Code extensively, you already knew about the tool system, the memory architecture, the sub-agent spawning, and the permission gates. The leaked code confirms implementation details, but the overall architecture wasn't exactly a mystery. Anthropic's own documentation describes most of these systems.

The "competitive advantage" argument is overstated. Yes, competitors can now see exactly how Anthropic implemented certain features. But the open-source AI coding tool space is already vibrant and moving fast. Tools like Aider, OpenCode, and others have independently arrived at similar architectures. The ideas aren't secret; the execution quality and the model behind it are what matter.

Anti-distillation being exposed is annoying, not devastating. The poison-pill approach was always security through obscurity. Now that it's visible, Anthropic will need to adjust their approach, but this was never going to be a long-term defense anyway. This is a cat and mouse game that will continue regardless.

The unreleased features are just a product roadmap. Every software company has unreleased features sitting in their codebase. Knowing that Anthropic is working on background agents and parallel worker coordination is interesting but not exactly surprising given the direction the entire industry is heading.

Embarrassing

The real impact here is reputational. Anthropic positions themselves as the "safety-first" AI company, the adults in the room. Having their flagship developer tool leak because of a build configuration mistake is... not a great look for that brand.

The Takeaway

A source map file shipped in an npm package. It happens. The code it exposed is impressive engineering but not the secret sauce that makes Claude useful. The unreleased features are interesting but not shocking. The anti-distillation tricks and undercover mode are worth discussing but not scandalous.

Links

The Government Is Trying to Destroy Anthropic

Tue, 03 Mar 2026 01:22:05 GMT

I try not to post about politics very often. The state of things is genuinely terrible, and dwelling on it is bad for my mental health. But this story sits squarely at the intersection of AI, big tech, and government overreach -- topics I write about often -- and I think it's important enough to talk about.

Full disclosure: I use Anthropic's products every day. Claude Code is my most-used tool. I have every reason to be biased here. But the facts of this situation are so outrageous that bias barely matters. What the Pentagon just did to Anthropic should alarm anyone who cares about free enterprise, the rule of law, or the basic idea that the government shouldn't be able to destroy an American company because it lost a contract negotiation.

What Happened

Last summer, Anthropic was one of four AI companies -- alongside Google, OpenAI, and xAI -- awarded contracts with the Pentagon worth up to $200 million each. Anthropic's contract included their standard usage policy, which the Pentagon agreed to at the time.

In January, Defense Secretary Pete Hegseth issued an AI strategy memo directing that all Pentagon AI contracts include "any lawful use" language -- meaning AI companies must remove all safeguards and let the military use their models for anything not explicitly illegal. This was a direct collision with Anthropic's contract terms.

Anthropic didn't refuse to work with the military. They were the first AI company to deploy on classified military networks. They were the first to deploy at the national labs. Claude was used in the operation that captured former Venezuelan president Nicolás Maduro. They have an extensive partnership with Palantir. They voluntarily cut off hundreds of millions in revenue from Chinese firms linked to the CCP.

Anthropic drew exactly two red lines:

No mass domestic surveillance. Using AI to surveil American citizens at scale.
No fully autonomous weapons. AI systems that select and engage targets without any human in the loop.

That's it. Not "we won't work with the military." Not "we object to military operations." Two specific guardrails on capabilities that don't even exist reliably yet and that most Americans would consider common sense.

The Pentagon's response was to demand Anthropic accept the new terms unconditionally by Friday evening or face consequences.

The Punishment

When Anthropic held their ground, the administration escalated to something unprecedented. Trump called them "Leftwing nut jobs" on social media and directed federal agencies to stop using their products. Hegseth designated Anthropic a supply chain risk.

This designation has never been used against an American company. It was created to deal with foreign adversaries like Huawei -- companies suspected of espionage or embedding malware in American infrastructure. Using it as a cudgel against a domestic company because you don't like how contract negotiations are going is, as Scott Alexander put it, "insane Third World bullshit."

The designation doesn't just cut Anthropic off from military contracts. It bans any contractor, supplier, or partner that does business with the US military from doing any commercial activity with Anthropic. Given how many companies do some business with the government, this could be fatal to Anthropic's business. That's the point. It's not a policy disagreement. It's punishment.

And the whole thing is self-contradicting. You can't simultaneously designate a company a supply chain risk and threaten to invoke the Defense Production Act to force them to provide their technology because it's essential to national security. As Lawfare noted, these two threats are inherently contradictory: one labels Anthropic a security risk, the other labels Claude as critical to national defense. Lawfare's follow-up analysis called it "designation as political theater: a show of force that will not stick."

The Broader Context

This isn't just about Anthropic. This is the US government demonstrating that it can threaten to destroy any American company, with no legal review, for failing to comply with demands that weren't even in the original contract. Every company that does business with the government should be concerned.

As former Trump White House AI advisor Dean Ball wrote: "Even if Secretary Hegseth backs down and narrows his extremely broad threat against Anthropic, great damage has been done. Most corporations, political actors, and others will have to operate under the assumption that the logic of the tribe will now reign."

The Defense Production Act was designed for wartime rationing of steel and aluminum, not for forcing a software company to retrain its AI model to enable mass surveillance. The DPA has never been used to mark a domestic company as a supply chain threat. Criminal penalties apply for noncompliance. The government is wielding a Korean War-era statute to bully a company that had the audacity to include guardrails in a contract that the Pentagon originally agreed to.

And the irony is suffocating. When Biden used the DPA's lightest authority -- Title VII, information gathering only -- to require AI companies to report on training activities, Republicans called it dangerous overreach. Trump promised to repeal it. Now they're threatening Title I compulsion powers, which are orders of magnitude more coercive, against a company that won't let them build unsupervised killbots. The party of free markets and limited government, everyone.

OpenAI Swoops In

The same day Hegseth designated Anthropic a supply chain risk, Sam Altman announced that OpenAI had reached a deal with the Pentagon. He claimed it includes "technical safeguards" addressing the same issues -- prohibitions on mass surveillance and human responsibility for use of force. Whether these protections have any real teeth remains to be seen, and I'm skeptical that OpenAI somehow got the exact terms that Anthropic asked for and somehow the Pentagon is fine with it now.

Over 640 Google employees and nearly 100 OpenAI employees signed an open letter asking their companies to stand with Anthropic and refuse the Pentagon's demands. The letter makes the point that the government was trying to divide the companies with fear that the others would cave. Credit to those employees for standing up.

Why This Matters

Anthropic is the company that has most consistently prioritized safety in AI development. You can argue they're imperfect, that they're too cautious, that their models are annoying sometimes. But they are the only major AI lab that drew a line in the sand and held it when the most powerful institution on Earth threatened to destroy them for it.

Dario Amodei said it plainly in his CBS interview: the supply chain risk designation is "retaliatory and punitive," and Anthropic drew these red lines because "we believe that crossing those lines is contrary to American values, and we wanted to stand up for American values."

He's right. And the fact that standing up for the idea that maybe the government shouldn't conduct mass AI surveillance on its own citizens, or deploy autonomous weapons without human oversight, can get your company destroyed -- that tells you everything you need to know about the people making these demands.

Anthropic says they'll challenge the designation in court. Based on Lawfare's legal analysis, they'll likely win. But the damage in the interim is real, and the chilling effect on every other company is exactly what this administration wants.

Links

Managing Home Assistant with Claude Code

Sun, 15 Feb 2026 23:30:05 GMT

I've written about how I use Claude Code and about Home Assistant separately. This post is about what happens when you combine them. Home Assistant is powerful, but managing it can be tedious. Dashboard layouts are deeply nested JSON. Automations require getting YAML syntax exactly right. Renaming a device means editing an internal registry. None of it is too hard — it's just fiddly and time-consuming. Claude Code turns these tasks into conversations.

How It Connects

The Home Assistant Green runs an SSH add-on with key-based authentication. The SSH key lives in 1Password, and macOS is configured to use the 1Password SSH agent globally. That means Claude Code can run ssh homeassistant "cat /config/automations.yaml" and it just works — 1Password handles the key at connection time, confirming with touchID, no passwords or key files sitting on disk.

The local project directory has a CLAUDE.md that tells Claude Code everything about the HA environment — the SSH hostname, key file paths on the HA instance, dashboard file-to-name mappings, entity IDs, coordinator details, and general notes about the setup. There's also an inventory file listing every integration, device, area, automation, and custom component installed. This means Claude Code starts every session already knowing the full environment without having to discover anything.

What It Does

Automations and Scripts

Claude Code SSHs into Home Assistant and reads configuration files directly. For automations, it can read automations.yaml, explain what each one does, add new automations with correct YAML syntax, or modify triggers, conditions, and actions on existing ones.

The real value shows up with complex tasks. When I wanted to set up appliance monitoring for my washing machine using a community blueprint, Claude Code read the blueprint YAML to understand all of its input options, found the correct entity IDs for the power-monitoring plug, identified my mobile device ID for notifications, and wrote a complete automation entry with power thresholds, debounce settings, notification messages, and status tracking. Then it created the input helper for the dashboard and restarted HA to apply everything. That whole process would have taken me a while to do manually — figuring out the blueprint's input schema alone is tedious.

Dashboard Editing

Home Assistant dashboards are stored as JSON in /config/.storage/. Claude Code downloads the JSON over SSH, parses it, makes changes, and uploads the result. This is where it saves the most time. Adding a conditional badge that only appears when the washing machine is running, setting up dynamic weather icons that change based on conditions, or configuring Mushroom cards with the right entity IDs and display properties — all of this involves deeply nested JSON that's painful to hand-edit.

The workflow is: read the file over SSH, pipe through python3 locally for JSON manipulation (HA OS doesn't have python3 installed), then write the result back. Claude Code handles this entire pipeline.

Device Management

Some changes require editing Home Assistant's internal .storage files directly. When I repurposed a smart plug from a Christmas tree to the washing machine, Claude Code found all entities associated with the device in the entity registry, stopped HA core (so the registry wouldn't get overwritten on shutdown), renamed all the entity IDs and unique IDs, uploaded the modified registry, and started HA core back up. Doing that manually means finding the right JSON file, understanding the data structure, making changes without breaking anything, and getting the stop/edit/start sequence right.

Troubleshooting

This might be where Claude Code adds the most value. Home Assistant problems can be genuinely hard to diagnose. An automation that stopped firing, a device that shows unavailable intermittently, an entity that's returning stale data — these issues often involve tracing through multiple files, checking logs, cross-referencing entity IDs, and understanding how different parts of the system interact. That's exactly the kind of tedious, detail-heavy investigation that Claude Code is good at.

It can pull the HA logs over SSH, read the relevant automation or integration config, check the entity registry for mismatches, and piece together what's going wrong — all in one conversation. Problems that would take me 20 minutes of jumping between files and docs often get resolved in a couple of exchanges.

HA Core Lifecycle

Claude Code can restart or reload Home Assistant through the Supervisor API over SSH. The Supervisor token is an environment variable injected into the SSH add-on container at runtime — it's never stored locally or included in any config files. Claude Code references it by variable name in SSH commands, so the actual token value is resolved on the HA side.

A Word of Caution

I want to be clear: giving an AI tool SSH access to a system that controls your home is something you should think carefully about before doing. Home Assistant manages locks, cameras, alarms, and other things with real physical consequences. If you're going to experiment with this, do it deliberately and with guardrails.

Don't give it more access than it needs. Scope SSH access to the HA config container, not a general-purpose shell. Don't hand it admin credentials to your router, your NAS, or anything else on the network.

Never store credentials in the project or with Claude Code. No API tokens in CLAUDE.md. No passwords in config files. No SSH keys on disk. Use an agent like 1Password's SSH agent so the key material is never exposed. If Claude Code needs to reference a token, it should be by environment variable name, resolved on the remote side — never as a literal value in a command.

Be aware of prompt injection. If Claude Code reads content from external sources — log files, API responses, community forum posts, or anything user-generated — that content could theoretically contain instructions that try to manipulate its behavior. Review what it's about to execute before approving, especially after it's ingested content from sources you don't fully control.

Keep the approval prompts on. It's tempting to auto-approve everything for speed, but for SSH commands against a live system, you should be reviewing each one. The few seconds it takes to read a command before hitting enter is the difference between a safe workflow and a mistake that locks you out of your house.

With all that said, here's how I keep it safe in practice.

How I Keep It Safe

Every command requires approval. Claude Code doesn't silently execute anything. Every SSH call, file write, or shell command is presented in the terminal before it runs. You see the full command and approve or deny each one. You can also configure permission levels to auto-approve reads while always prompting for writes.

No credentials on disk. The SSH key lives exclusively in 1Password. The 1Password SSH agent brokers authentication at connection time — there's no key file for anything to leak. If the vault is locked, SSH fails. Claude Code never sees the private key material.

No stored API tokens. The Supervisor token is a runtime environment variable in the SSH container. It's never written to a file, never included in CLAUDE.md, and never stored locally.

Read-before-write. Claude Code reads existing files before modifying them. It doesn't generate a new automations.yaml from scratch — it reads the current one, understands what's there, and appends or modifies only what's needed. Existing automations, formatting, and comments are preserved.

HA validates on restart. If Claude Code writes malformed YAML, Home Assistant will log the error and either skip the invalid entry or refuse to start with a clear message. It won't silently apply broken configuration. And HA's built-in backup system captures the entire /config/ directory automatically, so restoring from a mistake is straightforward.

Scoped access. The SSH connection lands in the HA OS container, which is sandboxed. It has access to /config/ and the Supervisor API, but it's not a general-purpose Linux box. There's no package manager, no way to install software, and no access to the host OS.

Lessons Learned

HA OS is minimal. There's no python3, no jq, no package manager on the HA instance. Any JSON or YAML processing has to happen locally by piping SSH output through local tools.

Entity registry timing matters. HA writes its internal registries to disk on shutdown. If you edit a registry file and then restart HA, the shutdown phase overwrites your changes with the in-memory state. The fix is to stop HA first (so it writes current state), edit the file, then start HA (so it reads the modified version).

Blueprint inputs aren't obvious. Blueprints can have dozens of inputs with specific expected values — like a literal string "enable_start_notify_options" rather than true. Claude Code reads the full blueprint YAML to discover correct input names, types, and selector configurations rather than guessing.

The Pattern

The common thread is that Claude Code handles the mechanical parts — SSH connections, file parsing, YAML syntax, JSON manipulation, API calls, restart sequences — while I describe what I want in plain language. The CLAUDE.md gives it the environment context, the inventory file gives it the device knowledge, and the approval system keeps me in control of what actually executes. It's the same pattern I described in the Claude Code post, just applied to home automation instead of software development.

Links

How I Use Home Assistant

Sun, 15 Feb 2026 23:17:22 GMT

I wrote a general overview of Home Assistant recently, but I wanted to follow up with how I actually use it. Home Assistant can do a staggering amount of things, and it's easy to get overwhelmed when you first look at it. This post covers the things I use most and find most useful, explained for someone who might not be familiar with the platform yet.

Lighting Automations

This is the first thing most people set up, and for good reason — it's immediately useful and easy to understand.

My front porch lights and outdoor plugs turn on automatically an hour before sunset and off 30 minutes after sunrise. I never think about it. Seasonal changes are handled automatically because Home Assistant knows the exact sunrise and sunset times for my location every day.

I have arrival lighting that turns on the living room lights when someone comes home. It uses multiple triggers — the thermostat switching out of eco mode, a phone entering the home zone, or a Wi-Fi connection being detected — and only fires during daytime hours. There's a toggle in the dashboard to disable it if I don't want it for a while.

There's also a vacation mode that simulates occupancy by turning lights on and off at natural times. Bedroom lights come on at 10 PM with a warm dim setting and turn off at 8 AM on weekdays. A scheduled lamp flips on at 5 PM and off at 11 PM. None of this requires me to do anything once it's set up.

Washing Machine Notifications

I have a power-monitoring smart plug on the washing machine. Home Assistant watches the power draw — when it goes above 10 watts, it knows a cycle started, and when it drops below 5 watts and stays there, it knows the cycle is done. It sends a push notification to my phone when the wash starts and a time-sensitive notification when it finishes.

The trick is debouncing. Wash cycles have periods where the drum stops briefly between stages, and power draw drops temporarily. The automation uses dead zones and repeat checks to avoid false positives. It works really well. I also track the status ( Washing / Finished) with a dropdown helper so it shows up as a badge on the dashboard while it is washing, then disappears when it has finished.

Presence Detection

I have ESPHome presence sensors placed around the house. These are small BLE (Bluetooth Low Energy) devices that detect how close my phone is to each one. Combined with Bermuda BLE Trilateration, Home Assistant can triangulate my position and know which room I'm in — not just whether I'm home or away. That opens up automations that aren't possible with simple presence detection, like adjusting climate or lighting based on where in the house I actually am.

ESPHome is worth calling out specifically. It's a framework for building custom smart home sensors using cheap microcontrollers. You define what the device does in a YAML config file, flash the firmware, and it integrates directly with Home Assistant over your local network. The presence sensors, an air quality monitor I have in my server closet, and Bluetooth proxies are all ESPHome devices. It's one of the more powerful parts of the ecosystem once you start using it.

Water Leak Detection

I have three IKEA water leak sensors placed near the washing machine, water heater, and under the kitchen sink. They connect via Matter over Thread, so they're fast, low-power, and communicate locally without needing the internet. If any of them detect water, I get an immediate critical push notification to my phone with the alert sound. Once all sensors have been dry for 15 minutes, I get an all-clear notification.

This is the kind of thing you set up and hope never fires, but when it does, the early warning can save you thousands of dollars in water damage. The sensors cost about $10 each and since they run on Thread, they work even if your internet is down.

Dashboards

Home Assistant dashboards are fully customizable, and I've built a mobile dashboard that I use constantly. The main view has badges across the top showing the current time, weather conditions, air quality index (color-coded by severity), sunrise/sunset times, front door lock status, package delivery count, and the status of things like the washing machine and 3D printer.

The main section has quick toggles for all lights and switches, media player controls, and network stats. I use conditional visibility heavily — the NAS health stats only appear when CPU or memory usage is elevated, media players only show when something is actively playing, and weather alerts only appear when there's actually something to alert about. This keeps the dashboard clean instead of overwhelming.

There are dedicated views for cameras (live WebRTC streams from doorbell, indoor, and outdoor cameras), weather details, media controls across all rooms, 3D printer monitoring, and package tracking.

The custom frontend cards from the community make a big difference here. Mushroom cards give everything a clean, modern look. Mini Media Player provides compact audio controls. Auto Entities dynamically filters and displays things like battery levels across all devices. None of these come built in, but they're easy to install through HACS (the Home Assistant Community Store).

Infrastructure Monitoring

This one is more niche, but I find it useful. My Synology NAS shows up in Home Assistant with CPU usage, memory, temperature, drive health, and network throughput. I have an ESPHome-based AirGradient sensor in the server closet monitoring PM2.5, temperature, and humidity. NextDNS stats show up as well — total queries, blocked queries, and block ratio.

Having all of this in one place alongside the rest of the smart home data means I don't need to open separate apps to check on infrastructure. If the NAS is running hot or the server closet humidity spikes, I'll see it on the same dashboard where I check the weather.

Everything Else

There's a lot more I haven't covered — Sonos multi-room audio controls, Nest camera integration via a Starling Home Hub for local access, Rachio sprinkler control, package tracking through Parcel, PlayStation and Xbox profile monitoring for the family, Bambu Lab 3D printer status with filament and temperature tracking, and a Bird Buddy smart bird feeder that identifies bird species. Home Assistant is the kind of platform where you keep finding new things to connect to it.

The common thread across all of this is that it's one app, one dashboard, running locally, and I control all of it. No subscriptions required for the core functionality, no reliance on someone else's servers, and it gets better every month with community updates. If any of this sounds interesting, the first post covers what Home Assistant is and how to get started.

Links

Home Assistant

Sun, 15 Feb 2026 22:50:58 GMT

I've written before about my frustrations with HomePods and how Google completely squandered Nest. The common thread is that when you depend on a big tech company for your smart home, you're at their mercy. They can kill products, raise subscription prices, remove features, or just let the software rot. Home Assistant is the answer to all of that.

What Is Home Assistant

Home Assistant is open source home automation software that runs locally on your network. It integrates with over 3,400 different devices and services — Zigbee, Z-Wave, Matter, Thread, Bluetooth, Wi-Fi, and pretty much every major smart home brand you've heard of. Philips Hue, IKEA, Sonos, Shelly, Lutron, and hundreds more. It all gets unified into a single app with a single dashboard.

The key differentiator is that everything runs locally. Your data stays on your network. Your automations don't depend on someone else's cloud server being up. If your internet goes down, your smart home still works. That alone makes it fundamentally different from Google Home, Alexa, or HomeKit, which are all dependent on cloud services to varying degrees. But it's not just about independence from cloud providers — local control also means everything is noticeably faster. Lights respond instantly. Automations trigger without the round trip to a server halfway across the country. Once you experience the speed difference, going back to cloud-dependent smart home controls feels sluggish.

The one thing people worry about with local-only is remote access. Tailscale solves that completely. It connects you to your home network from anywhere as if you were on your couch, without exposing anything to the public internet. I've written about how well it works with Home Assistant before — it's a great combo.

It's also run by the Open Home Foundation, a nonprofit. It can't be sold or acquired. That matters more than people realize when you're building infrastructure for your home that you want to last.

Why People Love It

The community is enormous. Home Assistant was the top open source project by contributors in 2025 on GitHub. It gets meaningful updates every single month — new integrations, new dashboard features, better automations, voice assistant improvements. It's actively getting better, which is the opposite of what happens with most smart home platforms over time.

The automation engine is genuinely powerful. You can trigger actions based on time, presence, sensor data, device states, weather, sun position, or basically any combination of conditions you can think of. Turn on the porch lights at sunset. Get a notification if the garage door has been open for more than 10 minutes. Adjust the thermostat when everyone leaves the house. The complexity ceiling is high, but simple automations are easy to set up through the UI without writing any code.

The dashboards are fully customizable and accessible from mobile apps, a web interface, or even cast to a TV. There's a built-in voice assistant called Assist that runs locally, an energy management system, and you can install additional apps like Node-RED directly through the interface.

But the real reason people love it is control. You own your smart home. No one can change the terms of service on you, raise prices, or shut down the platform. After watching Google kill product after product and Apple let Siri and HomePod stagnate, having something that's actually in your control is a relief.

I still use Apple Home in addition to Home Assistant. It's not mutually exclusive. There are advantages to the built-in functionality that Apple Home can offer, and Home Assistant only enhances that. I can even publish incompatible devices to Apple Home by bridging them through Home Assistant.

Why I Use the Home Assistant Green

You can run Home Assistant on a lot of things — a Raspberry Pi, a VM, a Docker container, an old PC. I ran it in Docker on a Synology NAS for a while and it worked fine for the basics. But running it as a container means you're running Home Assistant Container, not the full Home Assistant Operating System, and there's a real difference. Container installs don't get the app store — which means no one-click installs for things like Node-RED, an MQTT broker, or the file editor. You also lose built-in backups, one-click updates, and out-of-the-box support for Thread and Z-Wave since those are managed by apps that only run on HA OS. You can set all of that up yourself alongside Docker, but at that point you're managing a bunch of moving parts instead of just running Home Assistant.

The Home Assistant Green is exactly that. It's a small box with a quad-core ARM processor, 4 GB of RAM, and 32 GB of eMMC storage. It comes with Home Assistant already installed. You plug in power, plug in Ethernet, and it's running. That's the whole setup.

No flashing SD cards. No configuring Docker. No fighting with a Raspberry Pi that's also trying to run Pi-hole and three other things. No VM overhead. It's a dedicated appliance that does one thing well.

At $159, it's not the cheapest option. A Raspberry Pi can be had for less. But the Green removes every possible friction point from the setup. It comes with a proper power supply, a passive aluminum heatsink so there's no fan noise, and eMMC storage instead of an SD card — which matters because SD cards in Raspberry Pis are notorious for failing over time. The Green is just more reliable hardware for a system that ideally runs 24/7 for years.

The monthly updates install through the web UI with one click. Backups are built in. If you want to add Zigbee or Thread support, you plug in a Home Assistant Connect ZBT-2 USB stick. It also works with your existing Apple HomeKit, Google Home, and Alexa setups, so you can migrate gradually without ripping everything out at once.

The whole experience is closer to setting up a consumer router than building a Linux server. That's the point. I want my smart home platform to be something I configure once and then it just works in the background, not something I have to babysit. The Green delivers on that.

If you're frustrated with the state of smart home platforms from big tech, or if you've been curious about Home Assistant but didn't want to deal with the Raspberry Pi setup, the Green is the easiest on-ramp. Plug it in, open the app, and you're running.

Links

Making Your Site Visible to AI Agents with Cloudflare

Sat, 14 Feb 2026 05:31:22 GMT

The way people find things online is changing. It used to be all about Google and SEO. Now, an increasing amount of traffic is coming from AI agents and crawlers that need structured data from a web that was built for humans. If your site isn't set up to talk to these systems, you're going to get left behind.

Cloudflare just launched two features that make this significantly easier: Markdown for Agents and Content Signals. I've already enabled both on a site I manage at work, and the setup is straightforward enough that there's no real reason not to do it.

Markdown for Agents

The core idea is simple. HTML is expensive for AI to process. All the <div> wrappers, nav bars, script tags, and CSS classes are noise that burns through tokens without adding any meaning. Cloudflare claims this blog post about the feature takes 16,180 tokens as HTML and only 3,150 as markdown — an 80% reduction.

Markdown for Agents handles the conversion automatically at the edge. When an AI agent requests a page with Accept: text/markdown in the header, Cloudflare intercepts the response, converts the HTML to clean markdown, and serves that instead. The agent gets exactly what it needs without wasting compute on parsing junk.

Here's what the request looks like:

curl https://your-site.com/about/ \
  -H "Accept: text/markdown"

The response comes back as text/markdown with an x-markdown-tokens header that tells you exactly how many tokens are in the document. Tools like Claude Code and OpenCode already send these accept headers, so enabling this means those tools immediately get cleaner content from your site.

How to Enable It

If you're on Cloudflare (Pro, Business, or Enterprise), it's a toggle. Go to your zone in the dashboard, find Quick Actions, and flip on Markdown for Agents. That's it.

You can also enable it via the API:

curl -X PATCH 'https://api.cloudflare.com/client/v4/zones/{zone_tag}/settings/content_converter' \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer {api_token}" \
  --data '{"value": "on"}'

There are some limitations worth knowing about. It only converts HTML (no PDFs or other formats yet), it won't work if the origin response is larger than 1 MB or doesn't include a content-length header, and compressed origin responses aren't supported. But for a typical website, these shouldn't be issues.

Content Signals

The second piece is Content Signals, which is a framework built around robots.txt that lets you explicitly tell AI systems what they can and can't do with your content. It's defined at contentsignals.org and uses three categories:

ai-train — Can this content be used to train or fine-tune AI models?
search — Can this content be indexed and returned in search results?
ai-input — Can this content be used as input to AI models (RAG, grounding, agentic use)?

You add these as directives in your robots.txt:

User-Agent: *
Content-Signal: ai-train=no, search=yes, ai-input=yes
Allow: /

The site at contentsignals.org has a generator where you can pick from preset policies and get the exact robots.txt directives you need. You can go as broad as "allow everything" or as restrictive as "disallow all." You can even target specific user agents or specific paths if you want different rules for different parts of your site.

When Markdown for Agents is enabled, converted responses automatically include a Content-Signal header: ai-train=yes, search=yes, ai-input=yes. Custom policy options are coming in the future.

It's worth being clear about what this is and isn't. These are signals, not enforcement. Just like robots.txt has always been a polite request rather than a technical barrier, Content Signals express your preferences. Some crawlers will respect them. Some won't. But having an explicit, machine-readable declaration of your intent is better than having nothing, and it establishes a baseline that responsible AI companies are starting to honor.

Why This Matters

If you run a website and want AI tools to be able to accurately reference your content, you should be making it easy for them to do so. That means serving clean, structured content when agents ask for it, and being explicit about how that content can be used.

I recently enabled both of these on a website at work. The process took about five minutes — flip the toggle, update robots.txt with Content Signals, done. If you're already on Cloudflare, this is one of the easiest things you can do to make your site more accessible to the next generation of how people find things online.

Links

What Is Enshittification?

Thu, 12 Feb 2026 16:51:40 GMT

I reference enshittification a lot on this site. Apple Maps ads, Perplexity's surveillance pivot, Google Search getting worse -- it keeps coming up because it keeps happening. This week, OpenAI started testing ads in ChatGPT, and one of their own researchers, Zoe Hitzig, resigned over it, warning that the most detailed record of private human thought ever assembled is about to be monetized with advertising. We're watching the next wave of enshittification happen in real time with AI, so I figured it was time to actually explain the concept properly since I keep referring to it.

Cory Doctorow coined the term. He's a novelist, activist, and has worked with the Electronic Frontier Foundation for over two decades. The American Dialect Society named "enshittification" the 2023 word of the year. It describes the predictable lifecycle of how platforms decay, and once you see the pattern, you can't unsee it.

The Three Stages

Doctorow defines enshittification as a three-stage process of platform decay.

Stage one: Be good to users. A platform starts by offering genuine value to attract users. Facebook in 2006 told everyone to leave MySpace because Rupert Murdoch spied on them. "Come to Facebook, we'll never spy on you, we'll just show you what you ask to see." Users pile in, and critically, they get locked in -- you love your friends, and you can't convince all of them to move somewhere else at the same time. As long as you love your friends more than you hate the platform, you'll stay.

Stage two: Sell out users to business customers. Once users are locked in, the platform makes things worse for them to attract advertisers and business customers. Facebook goes to advertisers and says "remember when we told users we wouldn't spy on them? Obviously that was a lie. We spy on them from ass to appetite. Give us money and we'll target ads with exquisite fidelity." They go to publishers and say "put your content on our platform, we'll cram it into eyeballs that never asked to see it. Free traffic." The business customers pile in and get locked in too -- they become dependent on the platform.

Stage three: Extract all value. Now the platform makes things worse for the business customers too. Ad targeting fidelity goes down. Ad prices go up. Ad fraud explodes. Procter & Gamble in 2017 zeroed out its $200 million surveillance advertising spend and saw zero drop in sales, because to a first approximation all those ads disappeared down the fraud hole. The platform harvests everything except the bare minimum needed to keep people from leaving. Your feed becomes a homeopathic residue of stuff you actually asked to see, filled with things people paid billions to show you, and they're getting robbed blind. This is ideal for the platform. It's a giant pile of shit.

Why It Happens

There's a tempting but wrong explanation for this: "If you're not paying for the product, you're the product." Doctorow pushes back on this hard. The people who do pay -- the advertisers, the publishers, the business customers -- get shafted too. Everyone gets worse treatment except the platform itself.

The real answer is policy. Four things used to discipline tech companies: competition, regulation, interoperability, and an empowered workforce. All four eroded over the last two decades.

Competition disappeared as the industry consolidated. When you have hundreds of equally sized companies, none of them can conspire to screw users because someone will defect and steal the others' customers. When you have a handful of giants, they don't worry about that.

Regulation got captured. Concentrated industries are much better at lobbying than fragmented ones.

Interoperability got outlawed. This is the big one that non-technical people underappreciate. Interoperability means you can make one thing work with another -- any light bulb in any socket, anyone's gas in your tank. With digital technology, you get even more opportunities because you can always write software that undoes what some other software tries to do. An ad blocker, a third-party printer cartridge, a tool to export your data. This is an enormous source of discipline because once someone installs an ad blocker, the revenue from that user falls to zero forever. No one ever uninstalled their ad blocker.

But laws like Section 1201 of the DMCA (1998) made it a felony to bypass a digital lock -- five years in prison and a $500,000 fine for a first offense, even if no copyright infringement takes place. Companies started wrapping everything in a thin layer of digital lock. Your printer cartridge has a chip that does a cryptographic handshake to prove it came from HP. Ink is now $10,000 a gallon. Your audiobooks on Audible are wrapped in DRM so you'd forfeit everything if you left the platform. Your tractor, your car, your insulin pump -- all locked down.

Worker power collapsed. A quarter million tech layoffs in a couple of years destroyed the leverage that tech workers once had to push back internally when their bosses wanted to do something harmful to users.

It's Not Inevitable

Doctorow is insistent that this didn't have to happen and doesn't have to continue. The platforms were genuinely good once -- that wasn't our imagination. The same people running them then are running them now. What changed was the environment, everything that used to keep them in check.

The way out is restoring those four constraints. Of particular interest right now is interoperability. Every country adopted laws like the DMCA because the US trade representative made tariff-free access conditional on it. Those laws primarily benefit American tech giants. Other countries could repeal them, allowing domestic companies to build tools that jailbreak locked-down devices, export data from walled gardens, and create competitive alternatives. As Doctorow puts it: the first country that does it gets a durable advantage, and there's going to be a race to the top.

The AI Wave

This brings us to right now. AI companies are burning through cash at staggering rates, and the enshittification playbook is already in motion. Perplexity's CEO announced their browser will track everything users do online to sell hyper-personalized ads. Google is stuffing ads into AI Overviews. And OpenAI, the company that positioned itself as a mission-driven AI safety lab, just started testing ads in ChatGPT.

Zoe Hitzig, who spent two years as a researcher at OpenAI working on AI models, pricing, and safety, resigned and wrote in the New York Times that OpenAI has the most detailed record of private human thought ever assembled, and is about to monetize it with advertising. People share their medical symptoms, relationship problems, financial anxieties, career fears -- things they might not tell another human. The surveillance advertising model applied to that data is a different beast entirely from what we've seen with social media.

The pattern is clear. Stage one is already over -- AI tools attracted hundreds of millions of users by being genuinely useful. We're entering stage two now, where the platforms start selling out users to business customers. If history is any guide, stage three won't be far behind.

As Doctorow says, the real culprits aren't the ketamine-addled billionaires running these companies. They're just filling a void created by policy. The policymakers who created the enshittogenic environment that guarantees people who do the worst things in the worst way will make the most money -- those are the people who need to change course.

If you want to hear Doctorow explain it himself, here's a great clip from The Daily Show, and I'd also recommend the full Organized Money podcast episode where he goes deep on all of this.

Links

How I Use Claude Code Every Day

Sun, 08 Feb 2026 22:30:29 GMT

I've written about AI tools a few times on this blog, but I haven't really talked about the one that has most fundamentally changed how I work. Claude Code is Anthropic's CLI tool that gives Claude direct access to your terminal, filesystem, and development environment. At this point it's involved in essentially every project I touch, whether that's a web app, a native macOS app, Python scripts, workflow automations, or infrastructure configs.

CLAUDE.md

CLAUDE.md is a markdown file you put in the root of a project that gives Claude Code context about your codebase — architecture, commands, conventions, gotchas. Claude reads it automatically when you open a project.

This is the single most important feature. It's what turns Claude Code from a generic AI assistant into something that actually understands your project. It knows your build commands, your deployment pipeline, your file structure, and the decisions you've made along the way. Without it, you're re-explaining basics every session. With it, Claude starts every conversation already up to speed.

Memory

Claude Code also maintains a memory directory where it stores things it learns across sessions. API quirks, patterns that work well in a codebase, bugs that were painful to track down. The kinds of things that are easy to forget between sessions. This means Claude gets better at working in each project over time, and you don't repeat the same mistakes.

Skills

Skills are predefined workflows triggered with slash commands. The ones I use most:

/commit — Analyzes staged changes, generates a good commit message, and commits. /commit-push-pr goes further and handles the full commit, push, and PR creation flow. I actually get better commit history from this than when I was writing messages manually.
/code-review — Reviews a PR for bugs, security issues, and whether changes follow the patterns in your project. Because it has the CLAUDE.md context, it understands your conventions rather than just applying generic rules.
/feature-dev — A guided workflow for building features. It reads the existing code, identifies patterns, and proposes an implementation that fits naturally into what's already there. Useful for larger features where you want to think through the approach first.
/frontend-design — Builds production-quality UI components with Tailwind and shadcn/ui. It's opinionated about avoiding generic-looking AI output, which is a common problem.

Plugins

Firecrawl

Firecrawl gives Claude the ability to search the web, scrape pages, and do research without leaving the terminal. Need to check API docs, look up how a library handles an edge case, or research a topic? Firecrawl handles it. This blog post used it for research.

Sentry

The Sentry integration lets Claude pull up recent issues, dig into errors, and trace them back to the code. /sentry looks for open issues and helps resolve them. The Seer feature lets you ask natural language questions about your Sentry environment. The part I find most useful is the PR code review integration — if Sentry flags something on a PR, Claude can analyze it and fix the root cause.

Why a Terminal Tool?

I know a terminal-based AI tool is not for everyone. Most people reaching for AI help with code are pasting snippets into ChatGPT or the Claude app, and that works fine for one-off questions. But the difference with Claude Code is that it's already inside your project. It can read every file, understand the full directory structure, reference the CLAUDE.md and memory files, run your build commands, execute tests, and commit code — all without you copy-pasting anything.

That context is the whole game. When I ask Claude Code to fix a bug, it doesn't just see the snippet I pasted — it can trace through the actual imports, check the actual database schema, and run the actual tests to verify the fix. When I ask it to build a feature, it reads the existing patterns and matches them. That's fundamentally different from explaining your codebase in a chat window and hoping the AI infers the rest.

The agentic workflow is the other big difference. Claude Code doesn't just suggest code, it writes files, runs commands, creates commits, and opens PRs. It's doing the work, not just advising on it. Once you get comfortable with that, going back to copy-pasting between a browser and your editor feels slow.

What Makes It Work

The CLAUDE.md gives it project knowledge. Memory gives it learning across sessions. Skills automate repetitive workflows. Plugins connect it to external services. Each piece is useful on its own, but together they make something that feels like a real development environment rather than a chat window.

It still makes mistakes, sometimes confidently. But the baseline quality with good context is remarkably high, and the speed at which I move through projects is genuinely different than it was a year ago. If you're not using Claude Code, it's worth trying.

Links

Raycast Hotkey Guide

Thu, 15 Jan 2026 17:57:11 GMT

Raycast has been doing a series of videos about how to effectively use hotkeys with Raycast. The one that came out today is really good - https://www.youtube.com/watch?v=N4eiUgRYoL4

The specific ideas in this include -

Clipboard History → Shift+Cmd+V or similar (pairs naturally with paste)
Window Management → Ctrl+Opt+Cmd+Arrow keys for left/right half, center, fullscreen
AI Chat → Hyper+A for quick access
Emoji Picker → Ctrl+Cmd+Space to replace the native macOS picker
Frequently Used Apps → Option+letter (e.g., Option+S for Safari)
Quick Links → Treat them like apps with similar modifier patterns
Folder Access → Ctrl+Cmd+letter for Downloads, Desktop, etc.
Display Presets → Option+Shift+Plus/Minus for screen recording resolution changes

Definitely worth watching this series from Raycast if you're a Raycast user. If you're not, you should be!

Links

AI and the Human Condition - Stratechery

Tue, 06 Jan 2026 00:12:36 GMT

I think Ben Thompson is an excellent writer and analyst. I think this is worth reading as I think a somewhat optimistic take on AI at the moment - https://stratechery.com/2026/ai-and-the-human-condition/

On the one hand, it's hard to argue that so much of the world is better than it's ever been, and it's logical that that would continue to some degree.

My main concern with his optimism in the space is with the acceleration of the wealth gap of the hyper wealthy and the "rest of us". It's hard to fathom the wealth that billionairs have, and that's only accelerating. One of my main concerns with AI, honestly similar to the current tech monopolies, is that it will be a way for the hyper rich to even further accelerate their wealth. Sure, things have gotten better for everyone as a whole over history, but the inequity between the hyper wealthy and everyone else is historically a pretty recent phenomenon and I don't see it getting any better any time soon without some serious systemic corrections, and AI will be another way for the rich to get richer and push all of the negative consequences that inevitably will come along with it to the rest of us.

One of my favorite illustrations of just how much wealth the ultra rich have is this site - https://eattherichtextformat.github.io/1-pixel-wealth/. I'm not even sure the last time it was updated but whenever it was, it's only gotten worse since then.

Links

AI Water Use

Sat, 27 Dec 2025 20:57:55 GMT

Hank Green put together a really good breakdown of the AI water use discourse, and it's one of those videos where both sides of the argument come out looking a little dishonest.

The numbers game

Sam Altman claims the average ChatGPT query uses about a fifteenth of a teaspoon of water. Morgan Stanley projects AI data center water use could hit a trillion liters per year by 2028 — an 11x increase from 2024. Both numbers can technically be true, and that's the problem. Resource analysis for any industry is a legitimate field of science, but packaging it into neat, shareable numbers inevitably involves fudging. This complexity makes it really easy to mislead in either direction.

Why Altman's number is misleading

Hank calls Altman's figure "a lie," and I think that's fair. It only counts water used at the moment of answering your query, conveniently ignoring some pretty important stuff. Reasoning models often trigger multiple behind-the-scenes queries for a single user question — potentially 15x or more the stated water use. And training costs are completely excluded. Building these models takes weeks or months of GPU-intensive computing that burns through electricity and water. The University of California estimates training accounts for roughly half of total AI resource use. Altman's number pretends none of that exists, and OpenAI doesn't share the data needed to fairly allocate those costs across queries, so outsiders can't do accurate accounting even if they wanted to.

How the other side inflates numbers too

The biggest source of the inflated AI water numbers comes from thermoelectric power plants. Natural gas, coal, and nuclear plants use massive amounts of water to condense steam after it drives turbines — electricity generation accounts for 40% of all U.S. freshwater withdrawals. But most of that water is returned to rivers and lakes, with only about 2-3% actually evaporating. It's also not municipal water — it's pulled directly from natural water bodies, not treated drinking water. Including this flow-through water in AI's footprint makes the numbers look enormous but is pretty misleading.

That said, even the returned water is a concern. The waste heat dumped into waterways is a real form of pollution. Even a 1-2 degree temperature change in a river can damage ecosystems. It's a legitimate issue that needs regulation, just not the same thing as "consuming" water.

Context matters more than totals

Every region has a finite water budget. A data center in the Pacific Northwest is a completely different situation from one in Tucson. The key question isn't just "how much water?" but "does this place have water to spare?" Building a water-cooled data center in the desert is, as Hank puts it, "just very dumb." Most data centers use evaporative cooling with fresh municipal water — the same treated, drinkable water delivered to homes — so where you build these things really matters.

There's also the chip manufacturing side that most people don't think about. Making Nvidia GPUs requires ultra-pure water far more refined than drinking water. The volume is small compared to cooling, but producing it is energy-intensive. Another hidden layer.

The corn comparison

Hank's most striking comparison is one that puts the whole debate in perspective. U.S. corn production uses roughly 20 trillion gallons of water per year — nearly 80 times more than the entire global AI data center footprint of around 260 billion gallons. And 40% of that corn is turned into ethanol burned in cars and trucks, with each gallon of ethanol carrying an irrigation footprint of about 1,500 gallons of water. Lawn irrigation also uses trillions of gallons of municipal water annually. None of this excuses waste, but it does make you wonder why AI gets the outrage while corn ethanol quietly remains one of the most absurdly wasteful things we do.

Power is the real concern

Hank argues that AI's electricity demand — not water — is the more serious problem, and I think he's right. The projected increase in power demand is an order of magnitude larger as a percentage of existing infrastructure than the water increase. This is going to hit carbon budgets and consumer electricity bills a lot harder than water ever will.

The bigger picture

Hank's biggest worry isn't actually water or power — it's that the massive data center buildout happening right now might be based on an overly optimistic vision of AI's future. Microsoft, Google, and Amazon are each spending over $100 billion a year on this. If more compute doesn't improve AI systems as advertised, or if political and environmental constraints slow things down, the economic fallout could be severe. A significant chunk of S&P 500 value is riding on a future that nobody can predict with confidence.

Both sides of this debate cherry-pick numbers to make their case. The real answer, as usual, is more complicated than either side wants to admit. Expertise matters, public discourse is bad at handling nuance, and corn ethanol remains absurdly wasteful.

Links

https://www.youtube.com/watch?v=H_c6MWk7PQc

Music 2025

Sat, 27 Dec 2025 19:29:43 GMT

As 2025 comes to a close (finally...) I wanted to mention some of my favorite music from the year. These are not necessarily all new music from 2025, just my most listened to music.

Chevelle - Bright as Blasphemy

We finally got a new Chevelle album. Hard hitting as usual, and politically poignant, I really enjoy this album. The first 2 singles released, “Rabbit Hole (Cowards, Pt. 1)” and “Jim Jones (Cowards, Pt. 2),” both hit really hard and deliver blistering critiques of the cowardice and cult-like following that is poisoning the country. Pale Horse is another one of my favorites from the album.

Linkin Park - From Zero

This came out in 2024, but is still one of my top albums. Linkin Park has been one of my favorite bands since their very first album, and it was really hard for me when Chester Bennington passed away. For a few years it was difficult for me to listen to Linkin Park, and I had very mixed feelings when they announced they were coming out with a new album with a new singer, but it's a fantastic album.

The Emptiness Machine was the first single and is still one of my favorites from the album. I feel like it was a great one to start with as it seems to me to directly address some of the hesitation about making new music and some of the struggle with fame. Heavy is the Crown is probably my favorite of the whole album.

One of the songs that has always been one of my favorites, and was one of the top songs of 2025 for me by Linkin Park is "Given Up". It remains one of the most raw emotional songs of all time. If you haven't seen it yet, watch the live performance. Chester's performance is absolutely unbelievable. Incredible performance physically, but also one of the most incredible displays of raw emotion in a performance I've ever seen.

I was extremely excited for TRON: Ares this year. I have always been a fan of Tron, and when they announced that Nine Inch Nails was doing the soundtrack, one of my favorite bands, I was losing my mind. The movie wasn't as good as I hoped it would be, but was still fun and enjoyable, but I really enjoyed several of the songs from the soundtrack. My favorite is the single from it -

Nine Inch Nails - As Alive as you Need me to be

On the other end of things, I really enjoyed Mumford & Sons "Rushmere" album as well. Very Mumford and Sons sounding, but I enjoy that. I'm glad they are making music again.

Mumford & Sons - Rushmere

Their album "Prizefighter" is set to come out in 2026, but the single "Rubber Band Man" just came out recently, and I really like that song as well. Hopefully this is a good sign for the album.

I totally get that Coldplay is not everyone's favorite, but they are one of those bands I would say is on the sound track of my life. While Moon Music came out in 2024, I still listen to it quite a bit. It's comforting to me, and many of the songs are just beautiful. There has been a lot of hopelessness in 2025, and the message of this album helps me feel a little bit of hope.

Coldplay - Moon Music

Of course I listened to a lot of music from bands I will always listen to, such as Tool, Nine Inch Nails, and older albums from some of the bands I have mentioned. I'm not much of an EDM fan in general, but Deadmau5 is uniquely talented in my mind, and I listen to a lot of his stuff as well, particularly as background music while working.

Google Dark Web Monitoring Goes to the Google Graveyard

Tue, 16 Dec 2025 16:26:46 GMT

Yet another Google product killed off.

Ars Technica - Google will end dark web reports that alerted users to leaked data

Links

Enshittification - The Daily Show

Mon, 15 Dec 2025 01:29:15 GMT

Cory Doctorow on The Daily Show recently describing enshittification.

Excellent elevator pitch version of what it means and why it happens.

Enshittification describes the predictable lifecycle of digital platforms: they start by delivering strong value to users to drive adoption, then shift to prioritizing business customers and advertisers at the users’ expense, and ultimately optimize for extraction and profit for the platform itself, degrading the experience for everyone else. The result is a hollowed-out product where usability, trust, and long-term value are sacrificed in favor of short-term financial gains, often leaving users and partners locked in with few viable alternatives.

Links

Google DNSSEC MX Records Disappear

Tue, 25 Nov 2025 23:10:28 GMT

I previously wrote about how Google added DNSSSEC MX Record options, just back in September.

I went to get more information about them, and write a similar blog post for work on our site, but for some reason, Google has removed any reference to this in their support documents, and removed the blog post about the update. Very strange.

I reached out to Google Support for information about this and they basically wouldn't say anything about it (somewhat unsurprisingly). We manage a domain that we moved to these records and they seem to still be working fine, but now I guess they are unsupported?

Does this count as going to the Google Graveyard? So bizarre.

Links

The Power of Vulnerability

Mon, 17 Nov 2025 03:44:19 GMT

Similar to "This is Water", this is one of the most influential talks I've seen in my life. In the off chance you somehow have missed this, I highly recommend it.

Links

Raycast OpenGraph Previews

Wed, 12 Nov 2025 19:12:00 GMT

Another useful feature of Raycast is when you use the clipboard manager, if you have a URL in the clipboard history, it will show you the opengraph image used for that site. I’ve been working on completely rebuilding our website at work, and doing different opengraph images based on specific criteria on different pages, and this has been extremely helpful in testing them out as I deploy new ones.

Links

CarPlay's Longevity

Wed, 12 Nov 2025 01:51:09 GMT

John Gruber, writing on Daring Fireball - Patrick George Thinks CarPlay’s Days Are Numbered; I Doubt It

I don’t doubt that most carmakers are looking at ways to charge subscriptions. I do doubt, however, that they’re going to follow GM’s lead in abandoning CarPlay support.

I think Gruber is a little overly optimistic about how much most people care about CarPlay, but I think the main reason CarPlay may struggle in the future would be because these companies will cram tracking and ads on any screen they can, rather than strictly subscriptions.

Google, Facebook, and increasingly Amazon make obscene amounts of money just from tracking everything you do and cramming garbage in your face any chance they get. Car companies are already doing this as much as they can get away with, and they will continue to push the boundary as far as people let them.

I'm not a CarPlay extremist like many Apple fans. There are a couple of cars I think do a better job at UI / UX than CarPlay, but it's extremely rare, and I definitely get the arguments for wanting to use your own apps like Apple Maps or your favorite podcast player, but for me I really only prefer it in cars that are absolutely awful at software UI / UX / everything (the vast vast majority of cars).

Gruber argues that customers wanting CarPlay may keep competition strong enough that car markers need to support it to compete. That's a real possibility and I hope it's true, but if advertising is the goal, then you are no longer the customer. You're the product.

Links

Meta Made $16 Billion From Scam Ads in 2024

Mon, 10 Nov 2025 02:23:20 GMT

A Reuters investigation revealed that Meta made $16 billion from scam ads in 2024—10% of total revenue. Internal documents show the company knowingly profited from fraud to fund AI development.

Users encounter about 15 billion "high risk" scam ads daily, plus 22 billion organic scam attempts. Meta platforms are involved in roughly one-third of all successful scams in the United States.

Meta's System Makes It Worse

Meta only bans advertisers when it's 95% certain they're fraudulent. Everyone else flagged as suspicious gets charged higher ad rates as a "penalty." So Meta profits more from suspected scammers than legitimate advertisers.

Thanks to "ad personalization", users who click one scam ad get shown more scam ads. It's a feedback loop that maximizes revenue while exposing vulnerable users to escalating fraud.

Some accounts accumulated over 500 strikes before being shut down. Four campaigns alone generated $67 million monthly before removal. Meta's enforcement teams operated under "revenue guardrails"—they couldn't take actions costing more than $135 million per quarter.

The math: Meta estimated $1 billion in potential fines while earning $3.5 billion from risky scam ads every six months. Three-to-one profit margin on fraud.

Real-World Impact

In October 2024, scammers hijacked a Royal Canadian Air Force recruiter's account and ran crypto fraud ads using her identity. Despite over 100 reports, Meta took weeks to act. Five people were defrauded—one victim lost C$40,000 ($28,000 USD) believing he was talking to his trusted friend.

Meta's own safety staff found 96% of valid fraud reports were ignored. Santa Clara County prosecutor Erin West: "I don't know I've ever seen something taken down as the result of a single user report."

Meta claims they reduced scam ad reports by 58% and removed 134 million scam posts in 2025.

Maybe people just gave up reporting because Meta doesn't do anything about it.

Why would they try to fix it? They make tons of money from it, and they dictate the entire process from start to finish. They could make it go away very quickly if they cared to, but they don't. They clearly spent all their time covering it up, instead of trying to fix the problem, because they do not agree on what the problem is. Even with this kind of reporting, my guess is that exactly nothing will change.

Links

Apple Maps Enshitification

Sun, 26 Oct 2025 22:12:17 GMT

Apple Maps users could start seeing ads in the app as soon as next year

According to Mark Gurman.

These companies just can't help themselves but enshitify everything they possibly can. It's legal, and basically free money. A lot of free money.

The Enshitification of Big Tech: A Conversation with Cory Doctorow

Nothing is free, and when you use online services that say they are free, you are actually the product, not the customer. Facebook? Google? Increasingly Amazon...? You are a source of data that they own, and they sell. You effectively have no choice in the matter. One of the main reasons I have always been fine paying (a lot) for Apple products is that it's very clear what you're paying for, where the company makes their money (you know... from us paying for it), and the customer / product relationship is very clear. That line seems to be blurring.

The big risk Apple faces here is a potential consumer backlash. Some customers are already unhappy that the iPhone has been turned into a digital billboard for services like AppleCare+, Apple Music, Apple TV and Fitness+. The company also pushes web-like ad slots within Apple News. When you consider that an iPhone can cost up to $2,000, some see this as an unseemly money grab.

You don't say!

Links

This is Water

Sun, 19 Oct 2025 23:19:23 GMT

I'm sure most people have seen this by now, but I find it really inspiring. I try to rewatch it every couple of years.

Links

Peter Thiel’s Dangerous Ideology

Wed, 15 Oct 2025 02:07:31 GMT

I recently read The Real Stakes, and Real Story, of Peter Thiel’s Antichrist Obsession, recently written by Laura Bullard on Wired about Peter Thiel’s obsession with the antichrist, and it’s terrifying. I’ve known Peter Thiel was a jackass for a long time, and his involvement in Facebook and Palantir were problematic, but I did not fully grasp the depth of how awful he is, and how much he has influenced so much of all of the terrible things going on currently in the world.

By Thiel’s telling, the modern world is scared, way too scared, of its own technology. Our “listless” and “zombie” age, he said, is marked by a growing hostility to innovation, plummeting fertility rates, too much yoga, and a culture mired in the “endless Groundhog Day of the worldwide web.” But in its neurotic desperation to avoid technological Armageddon—the real threats of nuclear war, environmental catastrophe, runaway AI—modern civilization has become susceptible to something even more dangerous: the Antichrist.

First, rather convenient that someone who has so much money invested in tech is going around telling people that trying to put safety in place, or slow down things like “AI” in the name of safety are somehow literally the anti-christ feels laughable, until you realize how dead serious he is.

But you don’t become a billionaire without believing in making money at the expense of literally everyone, right? So the inappropriately over the top sell of his own technologies seems par for the course so far, but that’s just the beginning.

For Thiel and the Nazi theorist Carl Schmitt, the Antichrist’s evil is pretty much synonymous with any attempt to unify the world.

Yeah… Turns out he’s a big fan of Carl Schmitt, the Nazi sympathizer, and Thiel preaches many of the exact same arguments Carl Schmitt made when defending Nazi’s and Hitler, but conveniently doesn’t mention Nazi’s or Hitler directly.

Thiel is also single handedly responsible for JD Vance’s rise in political power, and seemingly much of JD’s racist extremist views as well.

It’s a long article, but it’s worth reading. Thiel is an incredibly powerful, and incredibly dangerous individual.

Links

Notion 3.0 / Notion AI Follow Up

Tue, 14 Oct 2025 23:23:06 GMT

Not too long ago, I wrote about Notion’s announcement of Notion 3.0 (even though the current app version is 4.x… But whatever)- https://barnes.tech/blog/notion-30/. I was optimistic about what they announced. In a nutshell, they added “agents” and significantly updated the AI that powers Notion AI. Notion AI can work with Notion pages or databases but can also connect to all of the other data connectors that you have connected to Notion. Sounds great, and the demos looked good. After testing it out for a day or so I was fairly impressed.

Since then I’ve been using it a fair amount more, and it has been a pretty mixed bag for me. Sometimes it seems to do exactly what they demoed. I can reference a bunch of data, briefly explain what we are planning to do for a project, give it a good example of a well designed project proposal, and it can do an excellent job filling out at least a rough draft of a project proposal based on all that data. It has legitimately saved me several hours of busy work already.

But sometimes it completely shits the bed. It’s very weird. I know AI hallucination pretty well, but as long as you know how to craft prompts, give examples, and are really explicit with what you’re looking for, Claude and OpenAI are pretty good at sticking to the parameters you give it. Notion seems to occasionally just completely lose it’s mind. I’ve now twice had it completely ignore instructions I’ve given it, specifically about content on a page I want left as-is, or formatting I want to remain the same, and completely messes up a page. I’ve now twice had it delete embedded files that I specifically told it in the prompt to leave exactly as-is. Honestly, using a Notion MCP server and just having Claude Code or OpenAI Codex interact with Notion has been much more successful so far, which is strange to me since Notion is using both models under “Notion AI”.

The idea they have here I think is solid, and Notion seems like a great place to use AI when a lot of time I’m just trying to consolidate data, summarize something, or do a bunch of busy repetitive work, but in it’s current state, you better be careful. It feels like this needs to bake in the oven for a while longer before they push it too far.

Links

https://barnes.tech/blog/notion-30/

On the Other Hand...

Wed, 08 Oct 2025 04:22:58 GMT

I recently wrote about how Apple and Tim Cook have been between a tough spot and a tough spot, and that it is more complicated than it might seem on the surface given the state of things. This post by 22 year Apple veteran articulates a potent counter point.

...there is a symmetry to how the larger world equates values and actions; just as one stand against an invasive and unlawful request could help people see that Apple was genuinely committed to security and privacy, the removal of the ICEBlock app represents an act that squanders that same good faith.

Giving the bully your lunch money never stops the bully, it makes them take your lunch money more. There has to be a point where you draw a line in the sand and stand up. The comparison to the FBI wanting a back door after the San Bernadine case is stark and apt.

Where is that line? How long will a wannabe dictator bully around a nearly $4 Trillion company?

I am still really glad I’m not in charge of Apple right now.

Links

Good CISOs / Bad CISOs

Sun, 05 Oct 2025 18:08:44 GMT

I came across this recently, and thought it was a really good read - Good CISO / Bad CISO.

Key points

Strategy vs. projects: Good CISOs craft a clear, generative strategy; bad CISOs confuse tool lists and project plans for strategy.
Flywheels vs. firefighting: Good CISOs build scalable, self-reinforcing systems; bad CISOs chase incidents and ticket counts.
Business communication: Good CISOs speak in risk, capital, opportunity with quantified positions; bad CISOs use techno-jargon and FUD.
Ownership and culture: Good CISOs own vendor risk, empower teams, surface bad news fast, and partner with the board; bad CISOs abdicate, bottleneck, and are last to know.

Excellent insights and definitely something I've observed over the years. This applies to all IT leadership, not just CISOs.

IT and Security are so often seen only as a cost center by businesses, but IT and Security leadership can change that if they approach this the right way.

Links

https://www.philvenables.com/post/good-ciso---bad-ciso

Apple - Between a Tough Spot and a Tough Spot

Sat, 04 Oct 2025 23:51:14 GMT

I recently posted Anil Dash’s article, How Tim Cook sold out Steve Jobs. I think it’s an interesting article, and I completely understand all of the sentiment of it. In many regards I feel the same way. The golden statue stunt really grosses me out. The weird dystopian dinner at the White House with tech leaders being forced to compliment the President makes me sick to my stomach. Extorting people for inauguration donations feels blatantly illegal. If it’s not it should be. All of this is not only disturbing, terrifying, gross, etc. but also just feels like this is a bad mafia movie, one with such a bad plot line that would feel way too on the nose to be any good. And I completely agree, this is not how Steve Jobs would have handled this situation, and I miss his presence and leadership at Apple.

But Tim Cook is not Steve Jobs, no one is. This is an awful time in our history, and I think it’s naive to think that Apple, and Tim Cook personally, is necessarily just “wrong” and he should have done the “right” thing. Life is not that simple. There was and is no “right” solution to this mess of a situation.

What would be different if Tim had dug in based on principal? It’s hard to know for sure, but it doesn’t seem to me like things would be any better. It seems reasonable that punitive tariffs would be impacting the price of all Apple products, which would either raise the price of all of them or Apple would have to eat billions of dollars of margin, which surely would impact the stock price significantly. It’s easy to feel like the stock price shouldn’t matter, and I agree it shouldn’t be the only thing, but it does matter. A lot of people’s investments both within Apple and outside of Apple are tied up in there and it’s not just a simple decision to tank that due to moral reasons.

It’s also possible that Apple would be punished in to removing their diversity efforts to one degree or another. I’m not sure how but the administration has been far more effective than they should be able to be at destroying significant progress in those regards across the country. I may be wrong, but it doesn’t seem like Apple has capitulated on that aspect of their internal culture.

I don’t mean any of this as an excuse. This all feels gross. Apple has never been a perfect company, and Steve Jobs was never a perfect person, yet for much of my life it has been a company that I’ve really admired. I’ve worked for Apple or Apple Partners for nearly all of my professional life, and I feel passionate about the products, company, and culture of Apple. This has soured that to some degree. At the same time, I’m not sure that there is any way it could have been handled better to date. I can’t see any good choices, they’re all bad. I also have a pretty strong feeling that Tim hates this too.

One thing is for sure, I am really glad I’m not in charge of Apple right now.

Links

https://www.anildash.com/2025/09/09/how-tim-cook-sold-out-steve-jobs/

Google Home Plus Gemini

Sun, 21 Sep 2025 20:39:57 GMT

Google is talking like they are going to take smart home seriously again with their new "Gemini infused Google Home". I've written several times about how frustrating it has been to be a user of Google products, or rather former products, but The Verge summed it up really well -

The last five years have been trying ones for anyone committed to the Google Home ecosystem and Nest hardware. From discontinued products and increased subscription prices to the removal of features and declining performance of Google Assistant on Nest smart speakers, there hasn’t been a lot to be happy about, as also evidenced by the Google Home “rant and complaints” megathread on Reddit.

What a completely unnecessary mess. I was a huge Nest fan from the very first thermostat they launched, and it has been incredibly frustrating to watch Google completely squander the company that essentially kickstarted the whole smart home concept, and just grind it in to mediocrity. If you dig in to the details of Nest pre-Google it's kind of nuts how many technologies they pioneered, including the early work on Thread and what has become Matter. If Google had been able to keep their foot on the gas and actually improved Nest, it's crazy to think how far of a lead they would have today.

Needless to say, I'm skeptical. Honestly though, even if whatever they are coming out with is absolutely incredible, do any of us trust them to stick with it this time?

Google Dismantled Nest - Can Gemini Save What's Left?

Links

Notion 3.0

Fri, 19 Sep 2025 22:50:39 GMT

Speaking of Notion, they announced several new features yesterday that are pretty substantial. AI got a big upgrade, allowing it to act more "agentic" on your behalf. I tested this and while it's not perfect, it's pretty good! It has already helped me clean up several databases and pages that were disorganized but not quite worth the time of manually cleaning up for me.

You can also customize the agent with memory and custom instructions now. Seems to work relatively well, and is a very welcome change. It's also not perfect but it's excellent progress. It seems like soon you'll be able to create completely custom agents as well, which I'm very interested in seeing and exploring.

Finally, they also added much more granular database permissions which is one of the biggest missing features, and extremely welcome. Add this to the offline mode they launched last month and it has been a very good run so far for Notion this year in my book.

Links

Notion Hex Color Swatches

Fri, 19 Sep 2025 22:19:05 GMT

One thing I've wanted to be able to do in Notion for a while is to have some way of showing a hex color when you put it somewhere in a block, similar to how Slack gives you a little preview, or in Raycast you get a preview as well.

You still can't technically do it, but I found a work around that's better than nothing.

If you use an inline equation block you can put (obviously with whatever color you are looking for. Adding space in there just allows it to be a longer line) -

\colorbox{#3a3a3a}{            }

and it will give you a little preview of that color. Not perfect, but a nice little way to add a little preview of colors right on the page.

Links

https://barnes.tech/blog/raycast

Google DNSSEC MX Records

Fri, 05 Sep 2025 23:30:13 GMT

I'm not sure how long this has been available, but it was news to me today. Apparently Google gives you the option to use DNSSEC secured MX records now for Google Workspace accounts -

https://support.google.com/a/answer/16528693?hl=en

Enhancing Email Security with DNSSEC-Signed MX Records in Google Workspace

Google Workspace administrators can improve domain email security by using DNS Security Extensions (DNSSEC)-signed MX hosts instead of the standard smtp.google.com MX value. DNSSEC adds digital signatures to DNS records, including MX records, which verifies authenticity and prevents tampering or redirection to unauthorized servers.

Implementation Steps:

Follow the standard Google Workspace MX record setup.
In Step 4, for the Value / Answer / Destination field, enter the DNSSEC-signed MX records below instead of smtp.google.com:

| Priority | Server | |----------|------------------| | 10 | MX1.SMTP.GOOG | | 20 | MX2.SMTP.GOOG | | 30 | MX3.SMTP.GOOG | | 40 | MX4.SMTP.GOOG |

By implementing DNSSEC-signed MX records, you strengthen email authentication and reduce risk from DNS-based attacks.

Links

https://support.google.com/a/answer/16528693?hl=en

The Browser Company - More Fallout

Fri, 05 Sep 2025 17:31:21 GMT

Here's a video deep dive about The Browser Company's announcement that they are being acquired by Atlassian, including diving in to why The Browser Company was looking to be acquired, and why Atlassian may have wanted to buy them.

No one online seems to think this is a good acquisition for The Browser Company. It's almost certainly going to make Dia (or any other browsers they are working on) much worse.

There are some really interesting and compelling points.

Links

https://www.youtube.com/watch?v=45fbNFMd_vc

The Browser Company is being acquired

Thu, 04 Sep 2025 15:42:50 GMT

From the Verge - The Browser Company, maker of Arc and Dia, is being acquired

As they say in the amazing documentary "Rejected" -

I honestly hate using any Atlassian software so much. Real bummer. Hopefully some of these other browsers popping up will be something I can switch to in the near future.

Links

AI Laundering

Sat, 30 Aug 2025 19:36:09 GMT

Context Rot

If you've been using LLMs for long tasks like Coding, you probably notice the longer you have an individual chat session, the results start to get worse over time. This is particularly evident when you switch tasks entirely after working on something specific for a while. Some are calling this "Context Rot" Context Rot: How Increasing Input Tokens Impacts LLM Performance.

I find this whole idea pretty interesting. For a while now I've found that if you have one model try a bunch of tasks, then have another model check that work and make suggestions about how to improve it (ideally from another provider, since the training and data from another company seems to add a different perspective). This seems to make much higher quality results. I will often have one LLM be more of the master planner, and another be doing the individual tasks.

To some degree, certain products already do this. Claude code for instance (with the right plan at least) will use the Opus model for planning tasks, then hand it to Sonnet to handle individual tasks laid out by Opus. You can go even further by setting up subagents with individual tasks and even individual instructions / context, however I still find I get better results by handing it back and forth from more than one provider. This isn't only applicable to code either, I often find doing this with text, or documentation, or any number of other things is also quite beneficial.

I've been calling this "AI Laundering". Yes, I do amuse myself.

This has taken a huge leap with OpenAI's recent updates to Codex CLI which has gotten dramatically better in the last week. I try to not mention specific products too much because they are changing so much so rapidly, anything specific about products seems to age like milk, but it's worth noting in this case. Having Claude Code write code, then having Codex check the work and critique it, then go back to Claude Code with the recommendations seems to make a huge difference. I'm not alone either, several others are noting this as well.

Links

Cloudflare vs Perplexity and the Future of the Internet

Sat, 09 Aug 2025 20:01:30 GMT

Cloudflare posted a technically grounded exposé titled “Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives.” They documented a controlled experiment: domains blocked via robots.txt and WAF rules, yet Perplexity reportedly bypassed the protections by rotating IPs, spoofing user-agents (e.g., impersonating Chrome on macOS), and shifting ASNs. The conclusion: Perplexity was removed from Cloudflare’s Verified Bots program and targeted with new heuristics. CEO Matthew Prince went so far as to liken this to “North Korean hackers,” calling it “time to name, shame, and hard block them.”

Perplexity’s reply, “Agents or Bots? Making Sense of AI on the Open Web,” framed their behavior not as crawling but user-driven fetching, aligning it with how a human user navigates a site. They dismissed Cloudflare’s piece as a “sales pitch” and hinted at a third-party being responsible for some of the behavior.

I feel like both articles go too hard after the other. Also, you never know what went on behind the scenes, but from the outside it seems like this was just thrown online in a blog with pretty harsh rhetoric. Seems overly petty to me on both articles, and I'm not sure what it accomplishes other than both companies seemingly trying to get some headline attention.

Still, this isn't a simple problem. Website owners should be able to choose what kind of traffic accesses their sites, and services like Cloudflare are one of the few ways they can enforce things like that. That said, if you're using an "agentic" (still don't love that term) AI platform where you are asking AI to go find something or do something on your behalf, I can see the argument that it should be able to do so with the same access a user would have.

It's not an easy problem.

While I do believe website owners should have control over those things as strictly as they want, Cloudflare feels like they are throwing their weight around too much for my comfort recently. It feels like they have been pushing the line about how much they, as essentially an infrastructure provider, should be editorializing on this kind of thing.

Their “Content Independence Day — No AI Crawl Without Compensation” post further deepens my concern. This feels like it is right on the border between fighting for the rights of content creators, and simply platform fiat. To me, the fact that this is only shown directly to users as enabled on new accounts, and the fact that it can be turned off just barely keeps it from crossing the line to me, it still makes me uncomfortable.

Many people are fretting that AI will be "the end of the open web". I would argue that effectively happened several years ago, but there's no question AI is upending everything left on whatever the web is any more.

Links

Google Backtracks on URL Shortener

Sun, 03 Aug 2025 18:21:32 GMT

From Google's keyword blog -

We’re updating our plans for goo.gl links.

While we previously announced discontinuing support for all goo.gl URLs after August 25, 2025, we've adjusted our approach in order to preserve actively used links.

We understand these links are embedded in countless documents, videos, posts and more, and we appreciate the input received.

Nine months ago, we redirected URLs that showed no activity in late 2024 to a message specifying that the link would be deactivated in August, and these are the only links targeted to be deactivated. If you get a message that states, “This link will no longer work in the near future”, the link won't work after August 25 and we recommend transitioning to another URL shortener if you haven’t already.

All other goo.gl links will be preserved and will continue to function as normal. To check if your link will be retained, visit the link today. If your link redirects you without a message, it will continue to work.

This is much more reasonable, though I'm not sure why they wouldn't have just done this from the beginning. I can't imagine all of this costs Google that much to just keep running. Still, this illustrates a fairly big issue with one company having so much power over the internet.

Links

https://blog.google/technology/developers/googl-link-shortening-update/

Dropbox Password Manager

Fri, 01 Aug 2025 03:27:06 GMT

This week Dropbox announced that they are discontinuing their password manager. I don’t know anyone that actually uses their password manager, so it’s probably not many people impacted… still, this is a super tight timeline.

I’m not sure exactly what would happen if you don’t do anything and they kill it, but if my parents or in laws were using this it would be potentially disastrous.

Links

https://help.dropbox.com/installs/dropbox-passwords-discontinuation

TRMNL X

Wed, 30 Jul 2025 22:47:27 GMT

Announced today, TRMNL is making a new version they are calling TRMNL X. The TRMNL X is interactive, larger, higher resolution, waterproof, and more powerful than the original (Now called the OG) TRMNL. I wrote about how much I like my TRMNL previously - TRMNL. I love it, but there are times I wish there was a bigger one. Now there will be!

I'm really excited about this new version, and have placed a pre-order. Here is my affiliate link again if you would like to place a pre-order as well - https://usetrmnl.com/?ref=robby10

Links

Google URL Shortener

Wed, 30 Jul 2025 22:30:01 GMT

Although this was announced a fair amount of time ago, the time is nearly here. Google is killing off all shortened URLs that were using the https://goo.gl short link.

Google doing what Google does best - Killing off products. There will be an enormous amount of link rot because of this.

It’s a big problem how much of the internet Google controls or heavily influences. It’s not Google per se that is the problem, it’s a problem with any one company controlling that much of the internet.

Dub.co is my favorite alternative for dynamic links. Really great platform that is easy to use, and does exactly what it’s supposed to. They are also launching a new partner platform affiliate / referral platform that we have been in early testing for, and it’s built with the same standard of quality as the rest of the platform.

Links

Apple's Cloud

Mon, 07 Jul 2025 22:38:26 GMT

According to some recent reporting, Apple considered launching a cloud service to compete more with public cloud providers like AWS, Azure, and Google Cloud. Many people are commenting recently on Apple being late to AI, or potentially even too late to it, but I have long believed that the real boat they missed was with Cloud in general. I would argue that them missing out on Cloud is exactly why they are in such a tough position with AI now.

First, when I talk about Cloud, I’m referring more to AWS, Google Cloud, etc. not really what iCloud is. I don’t think it would be that helpful to completely copy what the other providers are broadly doing. There are plenty of good options, and to some degree it’s just a race to the bottom cost wise, but there are plenty of developer and business focused tools that should be available in an Apple cloud.

Some ideas, off the top of my head -

Business grade storage for businesses to use. You should be able to pay for whatever you need, not have weird “buckets” of storage like iCloud has for business customers. You should also be able to manage these like a business. You should have shared spaces for storage that multiple people can access, you should have rich ACL’s, you should be able to transfer data from one user to another as an admin if someone is terminated. This needs to be far more like Box, Dropbox, Google Drive, etc.
- Bonus - If you had the ability to host static files on an Apple cloud with an S3 compatible endpoint, that would be fantastic.
- Bonus bonus - Why do we still not have time machine in the cloud?
Identity manager - Apple should take on the identity providers like Google, Microsoft, Okta, etc. by offering a more capable and business oriented “Sign-in with Apple” infrastructure. At the same time, they need to integrate with the market leaders far more than they currently do. You should have granular access controls, you should be able to federate these identities elsewhere, support SAML and OAuth, allow groups for access controls, much richer HRIS integrations, etc. there is a long list they could do here. It can’t be half-assed, they need to create an alternative that people would want to use because it’s a good product.
- They should extend this to the EDU market too, for free.
- You should (optionally) be able to sync essentially your whole Mac through the cloud. You should be able to walk up to a computer, sign in to it, and have everything laid out and installed the way you like it.
Productivity software - They should push iWork much further than it has ever gone. Make this a real competitor to Office and Google Workspace. They are very nice tools to use, but they seem utterly unaware of how nearly every business uses these tools. They need to be much more interoperable, significantly improve collaboration, and really push the boundaries of what you can do with these apps.
Mail - Email isn’t going anywhere, particularly in business. Apple should make a real, enterprise-grade email service that is designed for businesses. You need to be able to have WAY more control over email than iCloud allows, and add functionality for groups, access control lists, etc. You also need to make it easy to use business email security tools and backup tools. Take e-discovery seriously and provide a way to do that, and allow 3rd party solutions as well. Importantly - Don’t make it restricted to only Apple devices either.
Contacts / Calendars, etc. - To finish out the productivity tools they need to make contacts and calendars business ready too. Shared contacts, integrations with CRM’s, directory syncing, functional deduplication, far more flexible calendar options, scheduling, conference call integrations, etc. There is a long list of what they could do here.
Gaming - If Apple wants to be taken more seriously in gaming (which, honestly I can’t tell if they do or don’t), they should build a similar application to Xbox Live.
iMessage for businesses - They should make something like Slack but not too much like Slack. Make a business version of iMessage that can be used for those kinds of things.
Business photo sharing - We work with a lot of businesses who rely heavily on taking photos for the business and then making sure everyone has access to them. This is surprisingly difficult to do in 2025 without a bunch of manual instructions that no one wants to follow. This might not make sense for every business, but I know several who would pay a ton to have this work seamlessly, and have a repository shared with everyone who needs access to it (same thing with ACLs, etc.)
Remote Desktop - Make this require a cloud subscription. Make it only work for devices in Apple Business Manager. I’d even be fine if it was built in but still required an approval dialogue for the end users before you join to completely share the screen, or maybe a big warning that comes up so you can’t do it without the end user knowing, but this is such a royal pain to deal with on Mac with 3rd party tools, it makes it extremely difficult to support business owned devices.
- This should extend to iOS too. A lot of the plumbing is in place, just need to make it work for businesses.
FaceTime for business - Compete with Zoom, Google Meet, MS Teams, etc.!

Some of these things they have been making glacial progress in with Apple Business Manager over the last few years, but honestly in many ways, it seems like Apple is just oblivious to how all of this stuff works everywhere else. Most of their services are pretty solid for personal use, but when you try to apply them to businesses, they’re just… Weirdly disconnected from how every other service works.

Some of this is in the name of “privacy”, though over the years I am unfortunately starting to think that some of the reason Apple leans on that so much is to be anticompetitive. Privacy should mean a choice of how to use the device and it’s services, not just lock you out of things that Apple doesn’t want you to use. This should apply to business-owned devices too, and the businesses should be able to do what they need to do.

A large cloud infrastructure to support all of this would lead to several things that are critically important to Apple right now. One - How long have they been beating the “Services revenue” drum? Guess who spends an enormous amount of money - Businesses / Enterprise. Second - I truly believe one of the main reasons Apple is struggling with AI, and frankly why Siri has been so bad for so long is that they don’t take cloud seriously. They need to be able to run large models in a cloud, and it should be controlled and operated by them. The cloud-based responses need to be incredibly fast, which means infrastructure needs to be close to people. Cloud would also mean that Apple would need to deploy updates continuously, and move faster than they ever have in this space. They also need to vastly improve their web apps to support functionality.

I could think of a dozen more examples that to me make a ton of sense, but I’m not convinced Apple could do this, even if they decided to. This would cost a ludicrous amount of money, and they would be trying to catch up to some pretty enormous leads. They have a ludicrous amount of money, but I think culturally Apple is just not prepared for this. Hopefully they can at least be more flexible to integrations, and partner with some cloud services providers in the short term to more rapidly improve the areas they desperately need.

Links

Gemini CLI

Wed, 25 Jun 2025 19:22:14 GMT

It is certainly interesting to see the level of competition in the AI space right now. I've become a huge fan of Claude Code (and will likely continue to use it) but Google is coming in strong with Gemini CLI announced today - Gemini CLI: your open-source AI agent.

Gemini has a couple of advantages -

The context window is enormous compared to all of the other models. This is using 2.5 Pro, which has a 1,000,000 token context window, which is kind of mind boggling.
They are offering a pretty significant amount of usage for free. Claude Code and Codex from OpenAI are both pretty good but will rack up the cost pretty quickly.

I've only had the chance to use it for a couple of minutes, but it seems like a nice experience. I've run in to a couple of hiccups though. First, you can't use a Google Workspace account yet. Second, because of that I tried setting up a Gemini API key instead, but for some reason it wouldn't recognize it and kept trying to do the oauth authentication anyway. I switched to a gmail account though and it worked fine.

My favorite terminal app, Warp also announced what they are calling "Warp 2.0" which is essentially adding more "agentic" capabilities to their AI tools as well. I think they might have a hard time keeping up with all these other CLI tools that are taking off right now, but I hope they are able to stick around!

Links

Wispr Flow

Mon, 23 Jun 2025 03:05:02 GMT

I recently came across an app called Wispr Flow. Wispr Flow is an AI powered dictation that works anywhere on the Mac. They have an iPhone app too, which I'll get to in a second.

The platform uses AI to transcribe, auto-edit, and format your speech into polished text, and adapts its tone to different apps. I had 2 thoughts before using it.

Sounds over hyped on their website. I'm always skeptical of software that claims to be a game changer for productivity, but I also tend to not be able to help but test them out.
I don't think I would ever just dictate to my computer. After all, macOS has this built in, and it's decent, and that has never stuck for me.

Like I said, I can't help myself though. I downloaded it and forced my self to really give it a try. After about a day, I was sold. It honestly feels like a game changer for me. I definitely still feel very weird talking to my computer, and I don't use it in all cases, but I find that there are a ton of cases that it's extremely helpful. The auto correction clearly powered by AI is fantastic. You can correct yourself, and it's remarkably good at writing what you meant to say, rather than a mistake you may have said. You can also add a dictionary of specific words / spellings that you use frequently that may be difficult to spell. It will also suggest items for the dictionary if you say something, then go back and correct it.

It also gets some amount of context of where your cursor is, and uses that to help format the text given that context. If you're writing an email, it will format it like an email. If you're using the command line, it will format it like the command line.

There is an iOS app, which also works pretty well, but the limitations of iOS make it fairly clunky. It shows up as a keyboard, but then you have to flip over to the app, turn on dictation, and then flip back. Once you do that, it works well, but that is a pain to do.

Definitely give it a shot if this kind of thing sounds interesting.

Links

https://wisprflow.ai/

Zendesk Voice Summary Tool

Sat, 14 Jun 2025 19:52:26 GMT

How I Built a Voice Transcription Tool for Zendesk (and Made It a CLI)

At work we've used Zendesk for several years for our ticketing. In the last few years we've also used the Zendesk Talk voice for the phone (and SMS) as well. It's not perfect, but it helps keep information about tickets that are phone calls in the same system as everything else. It records each call, and makes it available via API as well. This was a great use case for AI, both in helping me build this tool, and using AI endpoints for transcription and summarization.

Listening to each call and trying to summarize what the issue was and what was done to resolve the issue is tedious. If the person who received the call can immediately summarize it right after the call that can work, but it's easy to forget something, and if we are busy, it's hard to make the time for it. Knowing what the issue was and what was done to resolve it is valuable information though, and helps us remain proactive in support instead of always reactive.

So I built a tool to automate the whole process. It downloads voice recordings from Zendesk tickets, transcribes them with OpenAI's Whisper, generates summaries with GPT-4o, and posts everything back to the ticket.

Here's how it works and how I packaged it up as a command-line tool.

The Basic Architecture

The tool works in three phases:

Download and Transcribe - Grabs all voice recordings from a ticket and runs them through Whisper
Summarize - Takes all the transcripts and creates a structured summary with GPT-4o-mini
Post Back - Adds the summary as a private comment on the ticket.

File Management

One thing I learned early on - you need a consistent naming scheme or you'll lose track of files fast:

file_basename = f"ticket{ticket_id}_call{call_id}"
audio_file = file_basename + ".mp3"
transcript_file = file_basename + ".txt"

This naming convention means I can easily find all files for a ticket, and more importantly, the tool can check if it's already processed something:

if not os.path.exists(transcript_file):
    print("   Transcribing audio with Whisper...")
    transcript = transcribe_audio(audio_file)
    with open(transcript_file, "w", encoding="utf-8") as tf:
        tf.write(transcript)
else:
    if skip_existing:
        print("   Skipping - transcript already exists")

This saves a ton of time (and API costs) when reprocessing tickets.

Handling API Failures

In order to handle potential failures, I built in a simple retry decorator that handles transient failures:

def retry_on_failure(func):
    """Decorator to retry a function on failure."""
    def wrapper(*args, **kwargs):
        for attempt in range(MAX_RETRIES):
            try:
                return func(*args, **kwargs)
            except Exception as e:
                if attempt < MAX_RETRIES - 1:
                    print(f"  Warning: Attempt {attempt + 1} failed: {str(e)}")
                    print(f"  Retrying in {RETRY_DELAY} seconds...")
                    time.sleep(RETRY_DELAY)
                else:
                    print(f"  Error: All {MAX_RETRIES} attempts failed.")
                    raise
        return None
    return wrapper

You can add @retry_on_failure on any function that makes API calls and you're good to go.

The Multi-Call Problem

Tickets often have multiple voice recordings - maybe the customer called back, or there were multiple conversations. I needed to handle this scenario, ideally without creating a bunch of individual private comments, making it hard to digest and adding a lot of noise.

For single calls, it's simple - just add a timestamp header:

def summarize_multiple_transcripts(transcripts_data: List[Dict], context: Dict) -> str:
    """Summarize multiple call transcripts into a single comprehensive summary."""
    if len(transcripts_data) == 1:
        # Single call - just add timestamp header
        data = transcripts_data[0]
        timestamp = format_timestamp(data['started_at'])
        summary = summarize_transcript(data['transcript'], context)
        return f"**Call on {timestamp}**\n\n{summary}"

    # Multiple calls - create sections for each
    # ... (builds detailed prompt for GPT-4)

The output looks like this:

## Call 1 - March 15, 2024 at 10:30 AM MDT

_Duration: 15m 23s | From: +1-555-0123 -> To: +1-555-0456_

### Description of the Call

Customer called about internet connectivity issues...

### Troubleshooting

- Verified modem lights status
- Performed speed test (5 Mbps down, 1 Mbps up)
- Reset modem and router

### Next Steps

- Schedule technician visit for tomorrow
- Follow up email with ticket number

---

## Call 2 - March 15, 2024 at 2:45 PM MDT

_Duration: 8m 12s | From: +1-555-0123 -> To: +1-555-0456_

### Description of the Call

Customer called back to confirm technician appointment...

Making It User-Friendly

I wanted this tool to work both interactively and from the command line. So when you run it without arguments, you get a nice interactive mode:

$ python voice_summary.py

Zendesk Voice Recording Processor - Interactive Mode
============================================================

Enter ticket numbers or URLs (comma-separated or one per line)
Press Enter twice when done:
12345
12346
https://company.zendesk.com/agent/tickets/12347

Found 3 valid ticket(s): 12345, 12346, 12347

Post summaries to Zendesk? (y/n) [default: y]: y
Skip recordings with existing transcripts? (y/n) [default: n]: y

Processing 3 ticket(s)
   Post to Zendesk: Yes
   Skip existing: Yes

Press Enter to continue or Ctrl+C to cancel...

But it also works great for automation:

parser = argparse.ArgumentParser(
    description='Process voice recordings from Zendesk tickets',
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog='''
Examples:
  %(prog)s 12345                    # Process single ticket
  %(prog)s 12345 12346 12347        # Process multiple tickets
  %(prog)s --no-zendesk 12345       # Process without posting to Zendesk
  %(prog)s --skip-existing 12345    # Skip tickets with existing transcripts
  %(prog)s https://company.zendesk.com/agent/tickets/12345  # Process from URL
    '''
)

The Progress Display

Here's how it handles progress indicators, which help with longer operations to know that it's still running:

Processing Ticket #12345
============================================================
Fetching ticket details...
   Subject: Internet Connection Issues
   Customer: John Smith
   Agent: Support Team
   Status: OPEN

Searching for voice recordings...
   Found 2 voice recording(s)

Phase 1: Downloading and transcribing 2 recording(s)...

Processing recording 1/2 (Call ID: abc123)
   Duration: 15m 23s
   From: +1-555-0123 -> To: +1-555-0456
   Downloading audio...
    Downloaded: ticket12345_callabc123.mp3
   Transcribing audio with Whisper...
   Saved transcript: ticket12345_callabc123.txt

Phase 2: Summarizing 2 transcript(s) with GPT-4o-mini...
   Saved combined summary: ticket12345_combined_summary.txt

Phase 3: Posting combined summary to Zendesk...
   Added private comment to ticket 12345

Ticket #12345 Complete!
   Processed: 2/2 recordings
   Time: 45.2s

Turning It Into a Real Command-Line Tool

Rather than running this directly with python every time, I decided to make it in to a command line tool to make it easier to run from anywhere.

The Wrapper Script

First, I created a bash wrapper that handles all the environment setup:

#!/bin/bash
# Wrapper script for voice_summary.py

# Configuration
PROJECT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
VENV_DIR="$PROJECT_DIR/venv"
SCRIPT_PATH="$PROJECT_DIR/voice_summary.py"
TRANSCRIPT_DIR="$HOME/zendesk-transcripts"

# Create transcript directory if it doesn't exist
if [ ! -d "$TRANSCRIPT_DIR" ]; then
    echo "Creating transcript directory at $TRANSCRIPT_DIR..."
    mkdir -p "$TRANSCRIPT_DIR"
fi

# Change to transcript directory
cd "$TRANSCRIPT_DIR" || exit 1

# Activate virtual environment if it exists
if [ -d "$VENV_DIR" ]; then
    source "$VENV_DIR/bin/activate"
fi

# Execute the Python script with all arguments
python "$SCRIPT_PATH" "$@"

This wrapper does a few nice things:

Creates a dedicated directory for transcripts (~/zendesk-transcripts)
Activates the virtual environment automatically
Passes all arguments through to the Python script

Installing It System-Wide

Then I wrote an installation script that sets everything up:

#!/bin/bash
# Installation script for voice_summary command line tool

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
WRAPPER_SCRIPT="$SCRIPT_DIR/voice_summary"

# Create ~/bin directory if it doesn't exist
if [ ! -d "$HOME/bin" ]; then
    echo "Creating ~/bin directory..."
    mkdir -p "$HOME/bin"
fi

# Create symlink
echo "Installing voice_summary to ~/bin..."
rm -f "$HOME/bin/voice_summary" 2>/dev/null
ln -s "$WRAPPER_SCRIPT" "$HOME/bin/voice_summary"

# Check if ~/bin is in PATH
if [[ ":$PATH:" != *":$HOME/bin:"* ]]; then
    echo "WARNING: ~/bin is not in your PATH"
    echo "To add it, add this line to your ~/.zshrc:"
    echo "    export PATH=\"\$HOME/bin:\$PATH\""
fi

After running this, you can use the tool from anywhere:

$ voice_summary 12345
$ voice_summary  # Interactive mode

Building a Standalone Executable

For distribution, I also created a PyInstaller build script:

# PyInstaller spec file configuration
a = Analysis(
    ['voice_summary.py'],
    hiddenimports=['openai', 'requests'],
    # ... other configuration
)

exe = EXE(
    pyz,
    a.scripts,
    a.binaries,
    a.zipfiles,
    a.datas,
    [],
    name='voice_summary',
    console=True,
    # ... other configuration
)

The build script handles everything:

#!/bin/bash
# Build a standalone executable using PyInstaller

# Install dependencies
pip install -q requests openai pyinstaller

# Build the executable
pyinstaller voice_summary.spec

if [ -f "dist/voice_summary" ]; then
    echo "Build successful!"
    echo "To install system-wide:"
    echo "    sudo cp dist/voice_summary /usr/local/bin/"
fi

Configuration

Instead of hardcoding credentials, the tool uses environment variables:

# Configuration from environment
ZENDESK_DOMAIN = os.getenv('ZENDESK_DOMAIN', 'yourcompany.zendesk.com')
ZENDESK_EMAIL = os.getenv('ZENDESK_EMAIL', '')
ZENDESK_PASSWORD = os.getenv('ZENDESK_PASSWORD', '')
OPENAI_API_KEY = os.getenv('OPENAI_API_KEY', '')

# Validate configuration
if not all([ZENDESK_EMAIL, ZENDESK_PASSWORD, OPENAI_API_KEY]):
    print("Error: Missing required configuration")
    print("Please set the following environment variables:")
    print("  - ZENDESK_EMAIL: Your Zendesk email")
    print("  - ZENDESK_PASSWORD: Your Zendesk password")
    print("  - OPENAI_API_KEY: Your OpenAI API key")
    sys.exit(1)

This makes it easy to use across different environments without touching the code.

Edge Cases I try to Handle

Closed Tickets

You can't update closed tickets in Zendesk. Instead of just failing, the tool asks what you want to do:

def confirm_closed_ticket_processing() -> bool:
    """Ask user if they want to proceed with processing a closed ticket."""
    print("\nWARNING: This ticket is CLOSED.")
    print("   Closed tickets cannot be updated in Zendesk.")
    while True:
        response = input("\n   Do you still want to process? (y/n): ")
        if response.lower() in ['y', 'yes']:
            return True
        elif response.lower() in ['n', 'no']:
            return False

If they proceed, it shows the summary in the console instead of trying to post it.

Timezone Conversion

The API defaults to using UTC, so I convert everything to Mountain Time:

def format_timestamp(timestamp_str: str) -> str:
    """Convert ISO timestamp to human-readable format in Mountain Time."""
    try:
        from zoneinfo import ZoneInfo  # Python 3.9+
    except ImportError:
        from pytz import timezone as ZoneInfo  # Fallback

    dt = datetime.fromisoformat(timestamp_str.replace('Z', '+00:00'))
    mountain_tz = ZoneInfo('America/Denver')
    dt_mountain = dt.astimezone(mountain_tz)
    return dt_mountain.strftime("%B %d, %Y at %I:%M %p %Z")

Batch Processing Stats

When processing multiple tickets, you want to know what happened:

============================================================
FINAL SUMMARY
============================================================
Tickets processed: 45/50
Recordings processed: 127
Total errors: 5
Total time: 425.3s

Failed tickets:
   - Ticket #12399: 403 Forbidden
   - Ticket #12412: No recordings found

What I Learned

Building this tool taught me a few things:

Phase your processing - Breaking it into download, transcribe, summarize, and post phases made debugging way easier
Cache aggressively - Saving transcripts locally saves API calls, and makes it easier to process in general
Make it interactive AND scriptable - Different use cases need different interfaces
Handle failures gracefully - APIs will fail, tickets will be closed, permissions will be wrong
Clear progress indicators matter - Make it easier to know it's still running on longer operations.

The Results

This tool has been extremely helpful in automating summaries of tickets that were phone calls, making it much easier to determine what was talked about and what resolution was reached, helping us determine where to spend time proactively solving problems, and informing our customers the types of items we have been working on with their employees.

Links

https://github.com/robbybarnes/zendesk-voice-summary

Dia Browser

Sat, 14 Jun 2025 17:32:19 GMT

Recently The Browser Company talked about how they are discontinuing Arc, which is still my favorite browser to use. In that article they talked about Dia, their new version of the browser built with AI as the focus. I wrote about this, and how I’m skeptical of it, and frankly irritated that the browser I love is getting killed off.

I remain skeptical, but they have opened up the beta of Dia now to Arc users. I’m a sucker for trying out new software, so naturally I downloaded it, and… I kind of love it.

It’s not quite what I liked about Arc. I miss the side tab bars (Dia puts them back up top where Chrome does), and it’s missing a lot of the settings and developer features that Arc had that I liked, but it does have the best feature of all, which is the one I use dozens of times a day and honestly feels like a feature I can’t live without - ⌘ + Shift + C to copy the current URL. It’s just incredibly useful. I’ve tried some Chrome extensions since writing about all this that are supposed to do this, but they just don’t work well.

The AI features I’m not 100% sold on yet, but I have to admit it is helpful to have a little chat you can open right on any page and ask questions about it, summarize it, have it help you do research, etc. I find myself using it more than I thought I might.

It feels like a bad idea to really start heavily using and relying on another browser from the company that just took away my favorite one. They have yet to make any money as a business, this is all venture backed and at this point, essentially a proof of concept. It’s only a matter of time before they start charging for it or enshittifying it, or just run out of money and go away. I hope they figure out a model that works this time.

Links

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Wed, 04 Jun 2025 03:27:07 GMT

From Ars Technica - Meta and Yandex were found to be using embedded tracking scripts to link Android users’ web browsing activity with their app identities, effectively de-anonymizing them, bypassing typical privacy protections like browser sandboxing and incognito mode.

The surveylance economy makes these companies go to some crazy lengths to track everything that you do, just to cram more ads wherever they can. Unfortunately, at least in the U.S., you don't have any recourse.

It's important to note - these trackers will track you and your activity regardless of whether you have an account with them.

Links

Auto Update Tailscale on Synology

Sat, 31 May 2025 20:49:02 GMT

If you are running Tailscale on a Synology (which is a fantastic use case), you can set up a daily task to have Synology update itself, making it muach easier to ensure you stay up to date.

First create a scheduled task, and name it something clear that you will know what it's for. Make sure this runs as root -

Next, go to the "Task Settings" and in the Run Command section, put tailscale update --yes. Select the schedule you want this to run on and you're set!

TRMNL

Sat, 31 May 2025 19:00:19 GMT

A few months ago I bought one of the TRMNL e-ink displays, and I think it's really cool. TRMNL is a small battery powered e-ink display with several free plugins, as well as a developer platform for you to build your own plugins. The 7.5" e-ink display makes it extremely power efficient and really crisp and clear to see. It connects to wifi to allow you to modify settings or to update / refresh the data for any dashboards that you choose to use.

I've been experimenting with several different plugins and information. At the moment, the most useful dashboard I have set up has the weather on the left half, and Google Calendar on the right half, which connects to our shared family calendar. It's very light weight, which made it easy to hang on the kitchen wall using just a command strip with the picture frame hanger hook on it, making it easy to take down and charge when needed.

I got the bigger battery option, but I have it refresh the page fairly regularly. It still goes months without needing a recharge. When I need to charge it, there is a USB-C plug to plug it in and charge.

For me this is the perfect device for me to play with. You could absolutely make something like this yourself, though I'm not sure it would be any cheaper... And for some people that would be more fun. TRNML is helping that community too with all of their open source options allowing you to bring your own hardware, or bring your own server, or both! For me though I don't particularly enjoy working with the hardware, but love tinkering with the software, so the product itself is great. (They even have guides on turning your old Kobo or Kindle reader in to a TRMNL device)

If you want to get one for yourself, I have a referral link that gets you a little discount - https://usetrmnl.com?ref=robby10 or just use the code robby10 at checkout to get it applied.

Links

The Internet of Consent - Anil Dash

Fri, 30 May 2025 01:24:56 GMT

Well worth the read if you have the time - The Internet of Consent

Links

https://www.anildash.com/2025/05/27/internet-of-consent/

The Demise of Arc

Thu, 29 May 2025 15:25:15 GMT

Another great product killed

A few days ago, on Substack, The Browser Company wrote a Letter to Arc members 2025 telling us what we all probably knew was coming all along - Arc is no longer goign to be developed and is being sunset.

This was the only likely outcome if we're honest with ourselves. I resisted starting to use Arc when it first started blowing up online because of this very reason. If I found that I loved it and there were some killer features not available elsewhere, then when it almost certainly died, I would be particularly irritated about it. Well, here we are.

I eventually caved and started using it, and got hooked fairly quickly. There are lots of small things I have liked about Arc. Side bar tabs took me some time to get used to, but now I really prefer it. Split view with 2 tabs - kind of a weird power user thing, but now I find I use it at least once a week, often more. I didn't really care about the AI features, it was the browser that I loved. The killer feature that is truly killing me - They added the keyboard shortcut ⌘ + Shift + C to copy the current URL you are on. It would even automatically strip trackers from the URL string if there were any.

I can't tell you how much I use this now, and everything else feels broken by comparison. I've found a couple of Chrome extensions that try to mimic this, but as of yet, I can't find any that reliably work. If anyone has suggestions here, please let me know.

Maybe they are right. Maybe the browser really does need a full re-think for the "AI Era". I kind of don't think so, but wouldn't bet too much money that I am right. Dia sounds like a big risk. I personally want to try it, but almost certainly don't want to use it as a daily driver. Hope I'm proven wrong, and if so I hope they can stick around for that. Killing this off, regardless of the reasons has lost a lot of trust from me, even though it's not surprising. I really hate coming to rely on a tool just to have the VC bro's not happy with it if it can't take over everything for everyone and kill it off.

For what it's worth, I would have 100% paid for Arc to keep using it. I'd probably get it for all of our employees at work too, particularly if they started adding some basic work controls to it.

What a waste of a great product.

Links

Wasabi Deleter Update

Thu, 29 May 2025 10:49:09 GMT

Quick update on the Wasaabi Deleter that I posted not too long ago - Turns out there were a ton of edge cases I needed to handle, so this has been updated significantly to handle several weird cases where bulk deletes will fail with not terribly clear reasons.

Wasabi Deleter - GitHub

Links

Neon and Databricks

Wed, 14 May 2025 21:02:47 GMT

This morning I got an email from Neon - A really cool database company I've been using for a while, and wrote about recently, saying they are being purchased by Databricks.

I don't particularly have a problem with Databricks specifically, but it seems that about 90% of the time when an acquisition like this happens, it inevitably either disappears in to the main product, which is worse for the use cases Neon was fantastic for, or it will just slowly move to neglect mode and then fade out over time.

Of course, Neon says that won't happen. They all promise that, but it's not in their control. I know the founders saying that mean well, and have the intention of doing so, but the bigger company will always exert what they want at some point. Maybe not today, maybe not tomorrow, but that time always comes.

I hope they are able to hang on and maintain their independence, just with more resources where they need them. It does occassionally happen.

Links

Wasabi Deleter

Tue, 13 May 2025 10:40:07 GMT

At work, we have a couple of clients that have been using Wasabi S3 storage for certain things. For various reasons, we are moving them off of Wasabi to other solutions.

In order to delete a storage bucket in Wasabi, similar to any other S3 storage I'm aware of, you have to delete every version of every object in the bucket, then you can delete the bucket. If you have a very large number of items or large amount of storage being used, this turns out to be somewhat difficult. If you try to do it in the web UI, it basically just freezes and will never finish. I tried some other solutions, including rclone, and some other S3 utilities, but they also just seemed to get stuck, even listing all the objects before it could delete them.

So I made a python script to handle this better.

Here is Wasabi Deleter. This will first list out the buckets that your key has access to, then ask you if you want to delete all of the objects in that bucket. If you choose yes, it will do it 1,000 at a time, so that it doesn't just choke on large amounts of files, and can easily be stopped and restarted later if needed.

This is the first thing I've put out there open source, which is oddly nervewracking, but hopefully someone out there will find this useful.

Links

Bicycle for the Mind

Mon, 12 May 2025 00:28:16 GMT

I think one of the things that really separates us from the high primates is that we’re tool builders. I read a study that measured the efficiency of locomotion for various species on the planet. The condor used the least energy to move a kilometer. And, humans came in with a rather unimpressive showing, about a third of the way down the list. It was not too proud a showing for the crown of creation. So, that didn’t look so good. But, then somebody at Scientific American had the insight to test the efficiency of locomotion for a man on a bicycle. And, a man on a bicycle, a human on a bicycle, blew the condor away, completely off the top of the charts.

And that’s what a computer is to me. What a computer is to me is it’s the most remarkable tool that we’ve ever come up with, and it’s the equivalent of a bicycle for our minds.

~ Steve Jobs

The Noise Around AI

AI has been in the news a lot recently. Half the news is from tech bro's about how "AGI" will save the world. Some are about how AI or AGI will destroy the world, and some are about how AI and AGI are overrated and completely useless. No one can even agree on what AGI is, let alone how close we actually are, or if it's even possible, but the hype cycle is in full swing.

I have a lot of thoughts on all of that, and have been trying to come to a conclusion on how I find these tools useful, how they aren't useful, as well as the complex moral questions about using AI, from the energy consumption to the vast amount of intellectual property with no second thought about the morality or consequences. But, it's complicated. I don't think there is a single answer about any of this.

AI as a Tool, Not a Threat, and Not a Silver Bullet

Then there are the companies laying off people already due to AI.

These tools are pretty incredible, for what they are. Anyone who has used them extensively, however, knows that they absolutely can't replace people in a company. To me, the Steve Jobs quote about the "bicycle for the mind" is a perfect analogy, though he was talking about the personal computer at the time.

A bicycle by itself doesn't do anything. It is a tool to enhance what people are able to do. When computers came out, there was a similar panic about human jobs being replaced. Sure, things changed, but I don't think anyone would argue that people's jobs are not needed. In fact, the personal computer helped create a ton of new kinds of jobs, because people were able to do more. AI is just a tool. It augments what people can do. Like other tools, it has to be used correctly in order to be useful. I believe it truly can improve productivity in several areas, but it should be a way to make people better at what they are doing, not replace them.

None of the companies mentioned need to save money. It isn't about that. Anil Dash wrote about this in his post "AI-first" is the new Return To Office.

Anil knows this space well, and isn't shy about calling out the toxicity that has infected Silicon Valley -

Big tech CEOs and VCs really love performing for each other. We know they hang out in group chats like high schoolers, preening and sending each other texts, each trying to make sure they're all wearing the latest fashions, whether it's a gold chain or a MAGA hat or just repeating a phrase that they heard from another founder. A key way of showing that they're part of this cohort is to make sure they're having a tantrum and acting out against their workers fairly regularly.

He echos a sentiment I've talked about several times, said far more eloquently than I have been able to -

The strangest part is, the AI pushers don't have to lie about what AI can do! If, as they say, AI tools are going to get better quickly, then let them do so and trust that smart people will pick them up and use them. If you think your workers and colleagues are too stupid to recognize good tools that will help them do their jobs better, then... you are a bad leader and should step down. Because you've created a broken culture.

Completely true about AI and similar fields like Self Driving. These technologies are incredible. Using them feels like magic. But that's never enough. The tech bro CEO's and VC's still have to create more urgency, still have to lie about capabilities to keep everyone's attention focused on them, out of sheer insecurity and the insatiable need for more money, more power, and more control. It's exhausting.

Read his whole article, it's really good.

Links

Kandji KST - Multi Tenant

Sat, 10 May 2025 21:52:34 GMT

Streamlining MDM Management: The Kandji Sync Toolkit and Multi-Tenancy

The Kandji Sync Toolkit (KST) is a new command-line utility that bridges the gap between local development and your Kandji MDM tenant. If you manage Apple devices with Kandji, KST enables you to efficiently work with custom profiles and scripts outside the web interface.

What KST Does for MDM Administrators

At its core, KST allows you to:

Create and maintain a local Git repository of your Kandji custom profiles and scripts
Pull existing resources from Kandji to your local repository
Push local changes back to your Kandji tenant
Create new profiles and scripts from templates or import existing ones
List and display detailed information about your resources
Format output in structured formats like YAML, JSON, or plist

This workflow brings the benefits of version control and local development to MDM management - meaning you can track changes, collaborate with others, and use your favorite code editor for scripts and profiles.

At 2Fifteen Tech, we use Kandji across all of the Mac environments that we manage, so to me it was obvious that this could be hugely beneficial to manage things across several tenants, with version control, and dramatically speed up the process of implementing a new environment or updating a script or profile that we use across all tenants. So I worked on adding a few things to make it easier to work with multiple environments.

The Multi-Tenant Enhancement

In the version of KST that Kandji released, Managing multiple Kandji tenants (for example, development vs. production environments, or different client organizations) requires manually switching API credentials and repositories. I added a multi-tenant extension streamlines this process with a new set of commands that make working with multiple tenants effortless.

What I added

The multi-tenant enhancement adds key features:

Tenant Configuration Storage: Securely stores tenant API URLs and tokens in ~/.config/kst/tenants.json
Repository Organization: Maps each tenant to its own repository directory
Automatic Credential Management: Sets the appropriate environment variables when switching tenants
Directory Navigation: Automatically changes to the tenant's repository when switching tenants
Full Tenant Lifecycle Management: Commands for adding, updating, listing, switching between, and removing tenants

How It Works Behind the Scenes

This was implemented in two main components:

TenantManager (tenant_manager.py): A core class that handles:
- Storing and retrieving tenant configurations
- Managing the active tenant selection
- Setting environment variables for the active tenant
- Providing repository path information
CLI Commands (cli/tenant.py): New commands that make tenant management accessible:
- kst tenant add: Add a new tenant with API credentials and repository path
- kst tenant list: Show all configured tenants
- kst tenant switch: Change active tenant and its directory
- kst tenant update: Update tenant configuration (especially useful for API token rotation)
- kst tenant remove: Remove tenant configurations

The design ensures backward compatibility with existing workflows while enabling efficient multi-tenant use cases like:

# Add a new tenant
kst tenant add client1 --tenant-url https://client1.api.kandji.io --api-token "token" --create-repo

# Switch between tenants (automatically changes directory)
kst tenant switch client1

# Use active tenant's credentials automatically
kst profile pull --all

Why This Matters for MDM Administrators

If you're managing multiple Kandji instances, this enhancement dramatically reduces friction:

No more manually exporting/importing environment variables
No confusion about which repository goes with which tenant
Simplified API token rotation
Less chance of accidentally pushing changes to the wrong tenant

With these improvements, KST becomes an even more powerful tool for Kandji administrators who need to manage multiple environments or client organizations efficiently.

This is a fork of the original, which I may make available as open source in the near future. I need to check a few things and clean up the comments on the sections that are modified. Let me know if this is something that would be useful to you though.

Links

Kandji Sync Toolkit

Fri, 09 May 2025 02:37:39 GMT

Super helpful new toolkit from Kandji - My favorite MDM - today if you use Kandji as your MDM. From their announcement -

We are excited to announce the release of Kandji Sync Toolkit (kst).

kst (pronounced /kast/) is a new tool designed to simplify interaction with and management of resources such as custom profiles and scripts within your Kandji tenant, using the Kandji API.

Features

Sync a local repository of custom profiles and scripts with your Kandji tenant without copy/pasting.

Create new custom profiles and scripts locally.

List and show details of local and remote resources and see their status directly from the command line.

Format output as structured YAML, plist, or JSON for use with other tools.

Build your own integration for managing custom profiles or scripts with a fully featured Python client module.

GitHub workflow support for kst to “automagically” manage custom profiles and scripts in a remote git repo.

For more details, see the README in the kst repository.

Here is the repository with installation instructions and how to use the utility - kandji-inc/kst

Links

Facebook AI Companions - Using the Licensed Voices of Celebrity Actors, Will

Mon, 05 May 2025 06:58:16 GMT

Facebook seemingly started rolling out a feature where people can talk to celebrity voices. At least this time they paid the celebrities to use their voices, unlike when they torrented books to train their AI models...

Still, they once again illustrate that they don't really care about safety as it seems the AI companions fairly easily can be talked in to saying really explicit things, regardless of the user. Daring Fireball, quoting the Wallstreet Journal article

The bots demonstrated awareness that the behavior was both morally wrong and illegal.

Facebook often says they are doing all they can for online safety, but history repeatedly says otherwise. Again, why would they care when no one is stopping them.

This from the company that hosted an AI Hitler...

Links

Facebook Ad Targeting

Sun, 04 May 2025 01:51:34 GMT

From Futurism - Facebook Allegedly Detected When Teen Girls Deleted Selfies So It Could Serve Them Beauty Ads

Often when people think about ad tracking, they downplay it, thinking these companies are just tracking their online shopping and browsing to make recommendations on purchases, but it goes far deeper than that. This outlineds the far nastier things that they exploit with people all to maximize profits.

Though Facebook's ad algorithms are notoriously opaque, in 2017 The Australian alleged that the company had crafted a pitch deck for advertisers bragging that it could exploit "moments of psychological vulnerability" in its users by targeting terms like "worthless," "insecure," "stressed," "defeated," "anxious," "stupid," "useless," and "like a failure."

This isn't the first report of this, and likely won't be the last. Why doesn't this change? Facebook made $164.5 billion in revenue in 2024.

"This is what puts money in all our pockets."

Much if this information is from Careless People, a book from a former employee at Facebook, which Facebook has tried to legally prevent from ever getting published.

Remember, if you think an online product is "free", you're the product, not the customer.

Makes you wonder what a company could (would) do if they had the infinite money spigot turned on, hyper charged with AI...

Links

You Wouldn't Steal a Car...

Tue, 29 Apr 2025 09:37:00 GMT

Man, I find this absolutely hilarious. Apparently that "You wouldn't steal a car" anti-piracy ad apparently stole the font they used - “You wouldn’t steal a car” anti-piracy campaign may have used pirated fonts.

It seems they may have also stolen the song that was used... Just hilarious unbelievable irony.

Links

Dub

Mon, 28 Apr 2025 03:38:46 GMT

Another tool that I wanted to talk about is Dub.co. Primarily, Dub.co is a link shortening platform, similar to Bitly, but in the vein of really streamlined, developer focused tools that I have become a big fan of recently, Dub.co is really great.

You can easily connect your own domain, campaign tracking, click analytics, even custom branded QR codes. I use this at work for several things, and even use the free plan on my personal domain for a few things.

The API is also really great to use. There's a project I'm building for work which I'm not quite ready to talk about, but I have it integrated with Dub.co to generate short links, and branded QR codes on the fly. It's really nice. Of course, there are a million ways to do this kind of thing out there, but Dub.co is very pleasant and easy to use.

Bonus - There is a fantastic Raycast Extension for Dub.co which makes creating short links or quickly checking click analytics even esier. Here's my post about Raycast - Raycast

If you feel so inclined, here is my affiliate link - https://refer.dub.co/robby-barnes

Links

Perplexity Enshitification

Sun, 27 Apr 2025 01:22:39 GMT

Perplexity is a tool that I've mentioned before. It is a lot of things, but in general, it's a search engine that uses several different AI models to understand what you're asking and essentially research what you're looking for, providing source links, and so forth. I really liked it, though I've stopped using it since others have gotten close enough in functionality that I can't justify paying for another tool...

Unfortunately, it looks like Perplexity is headed straight in to Enshitification - Perplexity CEO says its browser will track everything users do online to sell ‘hyper personalized’ ads.

Social media and search have been hyper catalysts for surveilance marketing, which I don't think is hard to argue is the source of many large global problems today. They won't stop because it is a firehose of money, either. One of the things I'm most worried about with AI is that it will make the surveilance advertising we have today seem quaint in comparison. There are many scary scenarios that could result from this. And of course they are going to do it, it's essentially infinite money, and we are unable to create functional laws to stop them.

Links

Gemini Usage Numbers

Sat, 26 Apr 2025 23:12:41 GMT

Recently, in Ars Technica - Google reveals sky-high Gemini usage numbers in antitrust case Google talks about the "significant increase"

During day three of Google's antitrust remedies trial, the company presented a slide showing that Gemini reached 350 million monthly active users as of March 2025. That's a massive increase from last year, showing that Google is beginning to gain traction among competing chatbots.

Seems to imply that it has improved significantly, leading to people using it more... But could it possibly have anything to do with Google just forcing it on to every Workspace customer, and every corner of all of their products?

Snarking aside, I have found Gemini to be more useful than it used to be, but it still is far less useful to me than ChatGPT. The embarassing part for Google, is that I find that even integrating ChatGPT with Google Drive works FAR better than the built in Gemini Side Panel...

Links

Automatically Deploy a Tailscale Exit Node on GCP Using Bash

Tue, 22 Apr 2025 01:33:19 GMT

Tailscale makes creating software-defined networks easy. This is a quote right from their site but it's 100% true. In this post I want to talk about a script I made that will allow you to easily set up a Google Cloud linux machine, install and authroize Tailscale with an ephemeral authentication token, and then set up network rules in Google Cloud to allow connection. This is a great, really easy way to get around any geofenced conent on the internet, if you found yourself needing something like that.

For this to work, you will need a Google Cloud account, as well as the Google Cloud CLI set up on whichever machine you are running this on. You'll also need to be an admin in your Tailscale Tailnet to be able to generate the auth keys.

What the Script Does

This script handles provisioning a cloud-based Tailscale exit node using the Google Cloud Platform (GCP) and Tailscale's API, and connects it to your Tailnet without any interaction on your part. It sets up Linux to be an exit node (so you can route traffic through that node), as well as setting up Tailscale SSH, which is a fantastic way to just connect to the box if needed.

In this example, I have it set to be an ephemeral key, which will remove itself from Tailscale shortly after the machine goes offline, but you wouldn't necessarily need to do that, just be cautious with the type of auth key you are generating. The idea is to set up a machine to easily and quickly connect to, then have it destroy itself as soon as you're done. For the amount I use this, it makes it effectively free.

Additionally, I use tags to change ownership to the tailnet instead of me specifically. In this case I use the tag "streaming", which I put on my Plex and Jellyfin server, and is set with several rules that could potentially allow streaming from whatever geography you were connecting to. You can change the tag to whatever makes the most sense for your use case.

Note - Whatever tag or group or users you set up make sure to set the ACL rules correctly in Tailscale. I will do another post about that in more depth.

Step-by-Step Breakdown

1. Generate a Tailscale Ephemeral Auth Key

The script first makes a POST request to the Tailscale API to generate a one-time-use authentication key. It enables:

Ephemeral mode (expires when the device disconnects)
Preauthorization (no manual approval needed)
Tagging (tag:streaming in this example)

curl -X POST https://api.tailscale.com/api/v2/tailnet/<your-tailnet>/keys

This key allows the new VM to automatically join your Tailscale network without interaction.

2. Validate the API Response

After sending the request, the script parses the response to check for a successful status code and then extracts the newly issued auth key.

3. Generate a GCP Instance Startup Script

Using a temporary file, the script creates a startup script that will run on the new GCP instance when it boots up. This script:

Installs Tailscale
Brings the node online with the generated auth key
Enables SSH via Tailscale
Advertises itself as an exit node with a tag
Sets up basic IP forwarding and NAT (via iptables)
Ensures the firewall rules persist across reboots

4. Provision the GCP VM

Finally, it provisions a VM using the gcloud CLI, specifying:

Machine type and zone
Boot disk size
Debian OS
IP forwarding enabled
Metadata to run the startup script
Proper scopes and network tags

Once the instance boots, it will automatically connect to your Tailscale network and act as an SSH-accessible exit node.

Final Output

After the script runs, you'll have a fully functional, cloud-hosted Tailscale exit node with minimal effort. It’s perfect for setting up private, secure tunnels for streaming, remote work, or general internet privacy. In my experience it is up and going and ready to connect to in about 30 seconds.

This version will only create the server for you. In my workflow I just manually delete the instance when I'm done, but I will work on a version that potentially does that in the script itself. Still trying to think through how I want to do that exactly. Once you delete the server in Google Cloud, however, shortly after the machine in Tailscale will also remove itself if you used the ephemeral key option.

This little experiment of mine was mostly a proof of concept for myself, but I'm already thinking of a few other crazy things I could try with what I learned during this.

Here's the script in full -

#!/bin/bash

# === CONFIG ===
TAILSCALE_API_KEY="<your-tailscale-api-key>"
TAILNET="<your-tailnet-domain>"
GCP_PROJECT="<your-gcp-project-id>"
ZONE="<your-gcp-zone>"
INSTANCE_NAME="tailscale-node"
MACHINE_TYPE="e2-micro"
DISK_SIZE="10GB"

echo "🔒 Generating Tailscale ephemeral auth key with tag:streaming..."

# === Step 1: Call the Tailscale API and capture the full response
RESPONSE=$(curl -s -w "\n%{http_code}" -X POST "https://api.tailscale.com/api/v2/tailnet/$TAILNET/keys" \
  -u "$TAILSCALE_API_KEY:" \
  -H "Content-Type: application/json" \
  -d '{
    "capabilities": {
      "devices": {
        "create": {
          "ephemeral": true,
          "preauthorized": true,
          "tags": ["tag:streaming"]
        }
      }
    }
  }')

# === Step 2: Separate JSON and HTTP status
HTTP_BODY=$(echo "$RESPONSE" | sed '$d')
HTTP_STATUS=$(echo "$RESPONSE" | tail -n1)

# === Step 3: Parse key or show debug info
if [[ "$HTTP_STATUS" != "200" ]]; then
  echo "❌ Failed to create Tailscale auth key. HTTP status: $HTTP_STATUS"
  echo "Response body:"
  echo "$HTTP_BODY"
  exit 1
fi

AUTHKEY=$(echo "$HTTP_BODY" | jq -r '.key')

if [[ -z "$AUTHKEY" || "$AUTHKEY" == "null" ]]; then
  echo "❌ Auth key was not found in the response."
  echo "Full response:"
  echo "$HTTP_BODY"
  exit 1
fi

echo "✅ Tailscale auth key created: $AUTHKEY"

# === Step 4: Build startup script with injected auth key
STARTUP_SCRIPT=$(mktemp)
cat > "$STARTUP_SCRIPT" <<EOF
#!/bin/bash
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --authkey=$AUTHKEY --ssh --advertise-exit-node --advertise-tags=tag:streaming
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y iptables-persistent
iptables-save > /etc/iptables/rules.v4
EOF

echo "🚀 Creating GCP instance '$INSTANCE_NAME' in '$ZONE'..."

gcloud compute instances create "$INSTANCE_NAME" \
  --project="$GCP_PROJECT" \
  --zone="$ZONE" \
  --machine-type="$MACHINE_TYPE" \
  --image-family="debian-12" \
  --image-project="debian-cloud" \
  --boot-disk-size="$DISK_SIZE" \
  --can-ip-forward \
  --tags=tailscale-exit-node \
  --metadata-from-file startup-script="$STARTUP_SCRIPT" \
  --scopes=https://www.googleapis.com/auth/cloud-platform

rm "$STARTUP_SCRIPT"

echo "✅ Instance created and fully configured as a Tailscale exit node with SSH."

Links

Tailscale Tips

Fri, 18 Apr 2025 04:35:36 GMT

Tailscale Tips

There is a lot I love about Tailscale, but their video content is one of the best things. They just posted 5 beginner friendly tips to get more from your Tailnet, with some really great tips about using Tailscale.

Links

https://www.youtube.com/watch?v=jOcYJ81-3xM

The Enshitification of Big Tech: A Conversation with Cory Doctorow

Thu, 17 Apr 2025 03:09:21 GMT

Cory Doctorow recently on Organized Money talking about the Enshitification of Big Tech. Really good listen from the person who actually coined the term.

Links

https://overcast.fm/+ABLSluPAuKI

Open AI Social Network

Wed, 16 Apr 2025 08:45:43 GMT

Today, The Verge reported that OpenAI is building a social network. While I can mildly appreciate sticking the middle finger to Zuckerberg and Musk, I’m so tired of the Silicon Valley pissing contest.

I use OpenAI nearly every day at the moment. I totally understand all the complaints and problems with AI. I get it, and I am conflicted about it, but it has become an incredibly useful tool to me too. That said, I’m almost positive that the unbelievable amount of money being shoveled in to OpenAI will almost certainly rot the brains of leadership and it will become a toxic shit show like nearly every big tech company has become. Social network seems like an unbelievable accelerant toward inevitable enshitification.

Links

Nest Protect - Another Google Casualty

Sun, 13 Apr 2025 04:37:10 GMT

No one should be surprised any more when Google kills more products, but it doesn’t stop being incredibly frustrating. Google recently announced that the next excellent product on the chopping block is the Nest Protect. I would argue this was the second revolutionary product Nest came out with after the thermostat. Far more expensive than alternatives, it became extremely popular because of it’s aesthetic and excellent functionality. It’s a product that came along, completely blew away everything that came before it, and people were willing to pay a premium for it. The motion sensing for home presence was way ahead of it’s time, and triggering the clever little night lights was very smart and looks super cool.

Nest Protect has not been updated for many years now, but honestly, it didn’t need to be. They still work incredibly well. Why is Google killing it off? Honestly who knows, other than they probably get some money from the new “partnership” with First Alert, which is an uglier and less functional version, and I think it’s clear that Google doesn’t particularly care about any product that isn’t a conduit for advertising for them.

Google is also killing off the Nest / Yale smart lock that they used to make, which is less frustrating. It was always more of a half assed Yale lock trying to talk to Nest in a weird way. It was neat when Google had their Alarm System (which was fantastic and also killed off), and the Nest / Yale lock would also disarm the alarm when you unlocked the door, but it is a weird product that doesn’t feel very “Nest”y. The replacement is essentially a better looking version of the same thing from Yale, and it seems like it’s more just dropping the Nest labeling. Not terribly surprising or upsetting. There are much better options out there, and that remains true.

I’m so tired of buying Google products because they are significantly better than the competition (at least at the time), and then being punished by Google’s lack of focus and follow through. I also really wish Google had not been the one to buy Nest, which they have completely squandered.

Links

Something's Rotten

Fri, 14 Mar 2025 01:01:48 GMT

Something's Rotten

Yesterday, John Gruber posted on his site Daring Fireball a blistering commentary, “Something Is Rotten in the State of Cupertino” on Apple’s recent announcement that the “Advanced Siri” would be delayed further than expected. While I disagree with some of the specifics, in all I agree with him on this. This is completely uncharacteristic of Apple, and unfortunately it is an area Apple is not great at.

To be clear, I love Apple and the products they’ve made, but there are several things they are just not great at. Online services is one of them, and I would argue that’s very closely linked to the “AI” craze going on at the moment. Sure, they’ve improved since the MobileMe disaster that Gruber mentions in this post (for the record, I worked in an Apple Store when that launch happened, and it was just awful. Our phone activation servers also went down… with a new phone, and a new cloud syncing platform all in the same day…). iCloud is a decent platform for most people. I’d even say it is really good at a few things, but we just kind of ignore the other things because we know they won’t change.

Compare this to other cloud services. What AWS can do, what Google Cloud can do, what Azure can (sometimes*) do, iCloud is extremely basic. Dig a little deeper and you realize that iCloud is actually running on these other cloud services for most of the hard work. Apple does a lot of work to keep things private and portable between platforms, which is great, but if you’re talking about a ~$4 Trillion company? It’s kind of embarrassing how little they do with the cloud.

You could easily argue that this doesn’t matter. Apple is largely a hardware company, and the software that runs on that hardware. As long as they continue to do that well, and lately I think they’ve been doing that extremely well, then people will keep buying their hardware, even if a lot of the work they do is to connect to a SaaS platform to do some sort of work. That might be true, but it’s potentially a little shaky. Now that AI is seemingly making a huge impact across the industry, it could be a bigger problem.

You can make arguments either way on whether AI will actually be revolutionary, or if it’s mostly hype and won’t live up to the expectations, but that isn’t really the point here. All of the leading AI companies / models right now have something in common - Huge amounts of cloud infrastructure to run these extremely computationally expensive models. OpenAI - Essentially unlimited access to the resources in Azure. Gemini - Google has probably the most advanced cloud infrastructure to run all of this on, despite missing (or squandering) their enormous AI lead, they have the infrastructure to at least stay relevant if not catch up or even win. Amazon - Huge amount of infrastructure, but kind of struggle with focus. Still, Alexa+ is supposedly coming soon, they have their own large models that are actually available and being used, and they partner with Anthropic to run much of their model building as well.

Apple of course has essentially unlimited money, so they of course could just throw that at one of these clouds and run models that way, but so far it kind of seems like they aren’t. Now the competency of modern cloud, and everything that comes along with it, seems to become a problem. Private Cloud Compute is interesting, and seems to have some cutting edge privacy features, but it’s hard to tell how much it’s actually being used right now, or what the plan is in the future. Almost feels like too little, too late. More importantly - they seem culturally incompatible with the way successful companies have built out similar products.

Still, I think Apple would be fine being the hardware that everyone wants to run AI models on. If they had thrown huge amounts of money at OpenAI, or Anthropic, and run those models more natively, Advanced Siri would likely be in a demo-able state, if not already pretty good. There are definitely arguments against doing these kind of partnerships, but from a technology standpoint, it would get them closer to what they promised. And that’s the big problem, as Gruber points out. The promise.

Can they pull this out? Of course they can, but it’s not guaranteed. They told everyone very specific things at WWDC about Apple Intelligence, and to Gruber’s point it is seemingly just vaporware to this day. That’s not ok. They advertised heavily on features that just straight up don’t exist.

The question unfortunately remains - Can they do it at all? It’s hard to say. This is something they are historically bad at. How many times have we been promised better Siri over the years? It’s fundamentally broken, and I’m not sure that the culture is right in that part of the company to truly do what it needs to do to fix it. They also clearly focus on running things on-device. This got us a long overdue increase in base RAM across the product line, which is fantastic. But is that enough? We obviously aren’t running what they promised, so what if they guessed wrong on the hardware requirements to even do that? That would be a huge misstep, and one of the big risks of pre-announcing things you aren’t completely sure is even possible…

*I couldn’t help myself…

Links

rclone and ChatGPT

Thu, 13 Mar 2025 08:28:58 GMT

If you haven’t heard of rclone, it’s a fantastic utility that you should check out. It’s an open source Swiss Army knife of data transfer tools, and something I use frequently.

It’s often something I run in the background and just let it run, and I’m not too concerned about how fast it goes. Sometimes I need it to go a little faster. I knew you could add additional flags to make it use more resources and go a little faster but I had never gone through the documentation to figure out the correct incantation. Somehow I had never really thought about using ChatGPT for this but today I did and it kind of blew my mind.

First I ask what flags you can use with rclone to make it go faster, and it answered really well, including explanation of each flag and what it does. Cool and helpful, I expected that. Then it connected to my terminal, Warp (which is fantastic), and saw the specific command I was running, and gave me the updated one with my specific paths. That’s really cool as well, but I have used that a few times. Then it asked me if I wanted to tell it my CPU, RAM, and available network speed and it would craft a specific command based on my available resources to maximize the upload speed. I did so and it worked like a champ. I now have a transfer running nearly 10x as fast as the default settings. 🤯

Links

Raycast

Thu, 06 Mar 2025 11:15:43 GMT

In an effort to distract myself from the state of the world, there have been a few tech things I have been spending a lot more time diving in to recently and I wanted to talk about a few of them here on my blog and how I’m using them. (Have I told you about Tailscale? 😆)

Today I wanted to write about Raycast. At a basic level, Raycast is an application launcher, similar to Apple’s built in Spotlight, or other 3rd party replacements for Spotlight like Alfred, LuanchBar, and several others. I have tried the popular ones and they were alright, but I settled on Raycast for this fairly simple replacement a few years ago and had been very happy with it. I mostly started using these tools because Spotlight can often be slow, stuck indexing, or honestly just miss something obvious. It has been a fantastic tool since it launched, but it’s one of those tools where if you can improve it even a little bit with a 3rd party app it makes a big difference over time. I use the ole ⌘ + Space dozens if not hundreds of times a day.

I was happy doing basic app launching and basic file searches, but I knew Raycast could do a lot more. I had done some more “power user” things with Alfred, but for one reason or another none of them really stuck over time, and I had not spent much time going in to the deeper features of Raycast until the last couple of months. I decided to revisit this, and Raycast has become a tool that I now pay for and honestly have a hard time thinking I will ever live without it on Mac again.

There are so many things you can do with it there’s no way I could write them all, but here are a few of my favorite things. I know other tools can do these, but the way Raycast has implemented these became second nature to me very quickly, and just feel fantastic.

Application Launching - The first reason I came to Raycast. It automatically ranks the apps in the suggestion based on your usage, but if you want to do more, you can favorite specific applications to always show up on top. Additionally you can assign an application to a hotkey, which leads me to my next item -
Hotkeys - In Raycast you can assign hotkeys to all sorts of actions. When you go to the Raycast settings, under “Extensions” you can see all of the many many things you can assign a hotkey to. These can be actions, or they can simply be opening a specific application. I’ll talk more about hotkeys in some other examples I use.
Hyperkey - If you already have a bunch of keyboard shortcuts you don’t want to mess with, Raycast has what they call the “Hyperkey” which you can use to attach to hotkeys. The “hyperkey” defaults to all of the left keyboard modifiers pressed at the same time - ⌃⌥⌘⇧. You can combine that with other keys to do shortcuts, something like ⌃⌥⌘⇧+V to paste in plaintext or something like that. More recently they have made it so you can bind the hyperkey to other keys, including a clever way to use the caps lock key as the modifier, all while determining whether you are using it as a keyboard shortcut, or actually turning on caps lock. This is outlined in their YouTube video published recently.

This took a little while to get my muscle memory used to this, but it has been a complete game changer for me. Some examples I have -

⌃⌥⌘⇧ + A = “Open Arc”
⌃⌥⌘⇧ + M = “Open Mimestream”
⌃⌥⌘⇧ + E = “Open Eagle”
etc.

Many people use it for ⌃⌥⌘⇧ + V to open clipboard history, but I use a different hotkey for that.

Aliases - If you have an app that is named one thing, but you always think of it as another thing, you can put in an alias for it. This also works for any other extension, so many actions that are directly supported or even extensions you install from the store, which I’ll cover separately. For example, I use Parcel for delivery tracking, but sometimes I just think “Delivery” so I made an alias for Parcel of “Delivery” and now if I start typing that, it will come up first as well.
Store - There are thousands of extensions available in the store. I believe they are all free, but they give you even more functionality right in Raycast. There are extensions for Notion, Slack, 1Password, Google Calendar, and many many more. I use several of them daily. I’ll do another post on this, but dub.co has an extension as well and I use this a surprising amount.
Actions - From anything you search for in Raycast you can use ⌘ + K to pull up available actions for what you have selected. Custom add-on extensions can have any number of actions available, but even for built in macOS apps the options are fantastic. Show in finder is right there, show info in finder also great, but even things like copy file path, copy app name, copy bundle ID, quit app, force quit app, and even delete app are all right there. Most of them have their own keyboard shortcuts you can do right from that menu if it’s something you do all the time.

Bonus - When you delete an app this way, it does something similar to Hazel, or other potentially scammy apps, where it will remove all of the library files created, settings files, etc. all across your system, giving you the option to really delete the file.

Clipboard Manager - If you want, you can set up Raycast as your clipboard manager. I had been using Pastebot for years and loved it, but consolidating has been nice. I pay for Raycast so I get the cloud sync as well which is great. You can optionally enable unlimited clipboard history too if you are on the paid version. Another great feature is that you can easily go in to the history and with another keyboard shortcut, you can delete specific items from the history if you need / want to. The previews for things like links in your clipboard history in Raycast are fantastic and a huge help.
Emoji Picker - I remapped the emoji picker ( ⌃⌘ + Space ) to Raycast’s emoji picker instead of the macOS one and it is amazing how much better it is. Instant, every time (I’m confused why the macOS one is always so slow…), search is MUCH better, and you can even favorite your own emoji if you want, as well as add other keywords to specific emoji if it makes more sense to you. Seems like a small thing, but this is a huge quality of life improvement.
Calculator - The calculator built in to Raycast is fantastic. When you do some quick math, and hit “Return”, it saves the answer to your clipboard automatically. It even saves it in the history in Raycast so you can go back and search if you need to. It’s also fantastic at things like unit conversions, date conversions, and even things like “2 weeks from now” or “December 25 - 3 weeks” or things like that. Truly great and incredibly helpful.

There are a million other things it can do. Many people use it for more advanced window management as well. I currently use BetterSnapTool, which has been perfect for me, but I may try out the Raycast window management as well in the near future.

The 101 things you can do with Raycast video is a great way to learn more about what parts you might want to dive in to more.

Bonus - If you have Raycast, try typing in “Confetti”. You can actually use a callback URL for this at the end of scripts if you feel so inclined as well 🎉

Links

Tailscale - Home Assistant

Sat, 01 Mar 2025 03:15:33 GMT

I won't post constantly about Tailscale, but I have recently started going down the Home Assistant rabbit hole (more on that in another post). Unsurprisingly, Tailscale not only works fantastically well with Home Assistant, but they posted a YouTube video about how to do it.

Their YouTube videos are probably my favorite of any tech product. Excellent detail, explain everything very well but don't treat you like an idiot or that you should already know everything. It's not just a big advertisement for themselves, and they use a ton of real examples of how people could use it, both as a corporate network and for nerdy home lab use cases. If you use Home Assistant this is a great one to check out.

Humane AI Purchased by HP

Fri, 21 Feb 2025 05:08:47 GMT

This week it was announced that Humane AI is being purchased by HP for a ludicrous $116 million. I honestly can’t think of another product so over hyped that had such a big flop. On top of that, the founders seemed so incredibly arrogant every video they made, or for the weird commercial wrapped in a Ted Talk they did…

Surely they are refunding everyone who spent $700+ on top of the required monthly cellular plan, right? Haha, no. The support document and FAQ are just a big and clear fuck you to anyone who bought this garbage.

Beyond the fact that this is an incredibly dumb purchase by HP, they are welcome to waste their money however they want, but you shouldn’t be able to launch a company that promises such ambitious goals, completely under delivers, charges customers a fortune, then pulls the rug out from everyone without any refunds all while getting an enormous pay day.

I get that companies don’t survive. If humane was going out of business I would get it. You can’t support the servers if you go under. There is a risk buying in to such early technology. But that’s not what is happening. They all get huge pay days, get to just bounce on their awful failed product, and only the customers who were suckers get screwed on this. Couldn’t use part of the $116 million to give the people their money back, could we? Pretty messed up.

Links -

https://www.theverge.com/news/614883/humane-ai-hp-acquisition-pin-shutdown

https://support.humane.com/hc/en-us/articles/34243204841997-Ai-Pin-Consumers-FAQ

Links

Tailscale Update

Tue, 18 Feb 2025 11:54:16 GMT

I’ve written about Tailscale before, but I wanted to write about it again as I am using it much more than I was in the past. It is one of my favorite tools of the last several years. No one likes VPNs, but I have felt for years like VPNs were just so antiquated compared to so much technology these days. It’s difficult to set up, it’s difficult to connect additional endpoints, and even when it’s all working the way it’s supposed to it’s usually really slow.

I don’t need to go in to the details of all of the features, but we use this at work now and honestly it just works. We have Tailscale agents deployed in all of the networks that we need and we can just connect to whatever we need securely. Tailscale checks our computers for compliance and users logged in with Okta, then we can just access whatever we need. It’s like magic.

Since last time I wrote I have been using Tailscale SSH and Tailscale Funnels much more and they are fantastic. The Tailscale Synology app is also fantastic. I will likely write another post about some tips with the Synology app.

Tailscale also has a generous personal use plan for home labs. I use the Apple TV app both personally and at my parents house to troubleshoot things. If you haven’t yet, you should check out Tailscale.

Links

Social Media, the Internet, and Content Filtering

Mon, 02 Sep 2024 19:39:14 GMT

I have to admit, my thoughts and feelings on the internet (and to some degree, tech in general) have soured quite a bit over the last few years. Don't get me wrong, I still use the internet every day, my job heavily depends on it, and many aspects of it I still geek out pretty hard with, but in many, many ways, the internet as it should have been is completely dead. I'm not the first one to say this, and I know I won't be the last, but my thoughts are slightly different than what most people I have heard talking about it say, so I wanted to outline some of it here.

Although I'm not sure I would have ever considered myself a complete internet libertarian, I've always thought there should be some rules in place, but I definitely found the idea of an "open internet" appealing. I largely felt that you should be able to do whatever you want on the internet, essentially as long as it was legal, and you'd have to pay the consequences if it was illegal. Frankly, similar to how real life is. Do whatever you want, but if it's something illegal, you may have to pay the price for it.

This was probably fine when the internet was full of personal blogs and a few low-traffic sites. The majority of people who roamed the internet early on were just having fun for the most part. Security and privacy weren't a concern because it was a fun new toy that everyone could use and seemed to basically only be upsides. I know there were exceptions and dark places of the internet, but it didn't really impact you unless you went looking for it.

I don't need to go through the whole history, but the two things that I think began the rot were "personalized" advertising and social. Particularly together. To some degree, this is oversimplifying, but honestly I don't think it is a whole lot. When surveillance advertising started to work really well, and social media saw this, the birth of engagement-based timelines was born, and everything on the internet shifted. On the surface, engagement-based timelines don't seem awful, just slightly annoying. I think it has become clear over time that this just amplifies our worst attributes and that the most engaging content is usually rage-based, fear-based, etc. We also tend to find ourselves in echo chambers of whatever hot-topic item we find engaging, all while becoming more and more addicted to whatever service it is we are using, and becoming more isolated from each other. See also - enshittification

The large tech companies that run these engagement casinos have shown over and over again that they do not care how this impacts anyone. They take to the stand in Congress and pretend like there's nothing they could have done for the teenage suicide caused by negativity and the relative anonymity of social media, coupled with the constant "engagement" with harmful content. Harmful content doesn't have to mean terrorism, or drug use, or pornography, it could be as simple as amplifying a teenager’s insecurity by constantly showing them unrealistic body expectations, or any number of other topics that are easy for companies to claim don't ever cause any harm, while refusing to even allow anyone to study the effects or any of the engagement algorithms.

Finally, more recently, the whole argument of constitutional "free speech" has come up, which is something that really bothers me. Social companies have enjoyed the problematic Section 230 which has essentially shielded them from any form of responsibility, allowing them to print money as fast as they feel like at the expense of our mental health, privacy, and arguably the foundations of democracy. They personally don't care because they make so much money, coupled with the fact that they essentially legally have complete legal immunity on their platforms. Section 230 was meant to protect utility companies, such as your internet provider or phone company, from any liability if you did something illegal while using their service, or a blog site that someone posts a problematic comment on, but it has been wielded by social media and search giants as a shield from needing to do any of the hard work of protecting people. Section 230 has come under fire recently, and I don't think it's a coincidence that the conversation has been taking a hard right turn to claiming "Free Speech" instead of hiding behind a law that no one likes.

This to me is ridiculous. Should you have free speech online? I definitely think so, but I do not think that is connected to social media companies at all, not to mention "free speech" is wielded as a weapon by people who typically don't understand what it even means (or know exactly what it means but want to convince people not paying attention that they are right). To me, free speech means you can host whatever you'd like on the internet. You can spin up a server and put whatever filth you want out there. If it's illegal, law enforcement should be able to shut it down and find you. I don't think that means that companies out there should have to host your information, and it certainly does not mean anything for "promoting" content on algorithmic timelines. These are private (or publicly traded) companies running commercial enterprises. They are not a "Town Square" or a platform you should just get to say whatever you want.

When the government even implies that they want to provide some guidelines, they freak out and claim "censorship" as if they were some crucial bastion of a democratic society, but then they choose what to amplify and what to demote so no one ever sees it all based on an algorithm clearly motivated only by selling the most ads by keeping you addicted to doom scrolling, and they keep it in a tight black box that no one can ever see. They act like it's "too complex to understand" but panic like a toddler when you try to take a toy away any time someone tries.

This has slowly shifted to starting to say that the whole concept of content filtering is essentially authoritarian censoring, but they literally never even let you see things the way you want to. It is ALWAYS their version of what you see. In other words, it is literally all filtered all the time, no matter what. It’s just in their financial favor. Filtering things to be more healthy for the rest of us, or turn the heat down on a certain topic, just turns down their free money spigot a little, so why would they? Why would you stop promoting Covid misinformation when lots of people will click on the content (doesn't particularly matter what you believe, because it's a charged topic either way)? So keep the unlimited money train coming and throw a fit about “censorship," then go hide in your giant bunker in Hawaii so you don't have to actually be around the rest of us when the democracy you live in crumbles around you.

On the flip side, somehow unironically, some states are trying to simultaneously rage about "government censorship" when it comes to accountability of rich white adults, but also trying to force religious conservative values onto these platforms and the internet as a whole by law. Believing in these things isn't good enough; you have to force everyone to follow your religious beliefs apparently. This is what Texas tried to do by forcing any tech online to verify people's age and then filter out content considered "harmful material" to minors. What does "harmful material" mean? It doesn't say. I'm sure that would never be a problem, since it could just be interpreted as anything, right?

But on the flip side, as reported by The Verge - Social networks can't be forced to filter content for kids, says judge - the other side of the argument seems to be back to what I was talking about earlier. "You can't force these companies to filter anything because they are immune from everything" is the essential argument. This is also a huge problem. Neither side is right in this case, and there seem to be more and more of these coming up all the time.

This is the kind of thing that is pushing the internet to essentially die. There is a lot more to the internet than social and search, powered by algorithmic timelines, but if you look at the traffic and time spent, the rest is a vanishingly small part of the overall internet. These lawsuits will come up and get struck down, and we keep spinning our tires and never doing anything, all while these companies cash in on taking advantage of all of us, surveilling everything we do and never taking any responsibility. Why would they, if they don't have to?

Links

SMS Spam

Mon, 02 Sep 2024 18:21:49 GMT

It seems I am not alone in getting absolutely bombarded with SMS Spam recently, particularly political spame. Daring Fireball, by John Gruber recently talked about the same issue he is having in What to Do With Unwanted Political Spam Texts. It is interesting to see some concrete evidence about what the mysterious iMessage "Delete and Report Junk" button that seems to behave like the elevator close buttons that aren't even hooked up to anything.

I've worked with a few SMS services programmatically in the past, and I know that every programmatic text that is sent is expected to comply when you send back "Stop", and in almost all cases, if they use an SMS Short Code the chances are pretty high that it will respect it. Getting a short code is expensive, and much more heavily monitored by providers (such as Twilio, etc.). There is a theoretical fine of $10,000 per message that ignores these rules, however I'm not aware of this ever actually happening. With short codes, at least the providers seem to be pretty strict about it, possibly because they themselves are afraid of those fines.

Regular SMS numbers though are trivial to get. While the "Delete and Report Junk" may help move that message to the junk folder in your messages (yes, this exists, but I'm not sure it ever actually works), you have to explicitly block the number to prevent new messages coming in from that number. I tried this for a while and it has made absolutely no difference for me personally, because every message comes from a new number.

I get literally up to 15 messages some days and it's rare that I go a full day without a single message any more. I respond stop to every single one, and I went through the effort of blocking for a while but it does nothing.

This is a small issue compared to many issues we face as a nation and as a globe these days, but it is absolutely infuriating to me, and frankly dangerous for most people. Carriers won't do anything unless they are forced to by the government, and the government seems to have absolutely no willingness (frankly, I'm not convinced they even understand how this all works) to fix the issue. Until they do, scams will continue to grow nearly exponentially, and we'll keep getting blown up with messages we never signed up for and cannot effectively opt out of.

Links

Slack AI Training Backlash

Mon, 20 May 2024 07:13:30 GMT

Slack is under fire this week as the internet seemed to discover that user data from all Slack instances, paid or not, are being used to train Slack's AI model, unless you opt out.

From Ars Technica - Slack users horrified to discover messages used for AI training.

This is a really bad look, and maybe they'll back off of this given the backlash, but to me it isn't the key issue. If large companies can get away with it, they will absolutely use your data for this kind of thing. Even if they think it will result in a lawsuit, they will likely make more money from it than they would lose in a lawsuit. The problem is our privacy laws. Companies do this because they can. That's the part that needs to change.

Absolutely bare minimum, it should be illegal to update any data usage policy like this and make it opt-out, but there really should be a lot more than that. In this case, it's honestly not even clear what Slack's policy even is, but even if they back track, someone else will do it in the future if they can.

We desperately need updated privacy laws in this country, or companies will keep pushing the boundaries of how they can use our information to make money for themselves.

Links

https://arstechnica.com/tech-policy/2024/05/slack-defends-default-opt-in-for-ai-training-on-chats-amid-user-outrage/

PSA - Google Workspace Passkeys

Sat, 11 May 2024 09:07:50 GMT

Passkeys are a form of passwordless authentication that enhances security and simplifies the login process for users. Unlike passwords, which can be phished, guessed, or stolen, passkeys rely on cryptographic key pairs (a public key and a private key) to verify a user's identity. This method is inherently more secure because the private key, which is necessary for authentication, never leaves the user's device. Passkeys offer a more secure and user-friendly alternative to passwords. I have been using passkeys everywhere I can since they launched, and they are fantastic.

Google is one of the companies that is working on the Passkey standard, and one of the largest early adopters. In June 2023, they announced Google Workspace would be adding support for Passkeys. As part of a company that is a Google partner I have a ton of Google accounts, and this was a huge thing for me. It has been excellent!

Today, on the MacAdmin Slack channel, another admin discovered that for Google Workspace, there is no way for admins to reset or remove passkeys for users. You apparently can't see if a user has one set up, either. You do have the ability to block them domain wide, org unit wide, or to specific groups.

This leads to some potentially big problems. It's not uncommon when organizations let someone go to just reset their password, sign in sessions, app passwords, etc. so that forwarding works, or a manager can have delegate access. The problem is that this apparently does not remove or reset the passkeys. Passkeys also don't show up anywhere in the user's security settings. This means a terminated employee could potentially still sign in if you have "Allow users to skip passwords at sign-in by using passkeys". I spoke to Google Support, and according to the person I spoke to, this appears to be known.

I understand this feature is in "beta", but this seems like a pretty big oversight. Passkeys are presented as a highly secure alternative for authentication, so this kind of thing feels like a pretty big oversight. At the very least, Google should be very clear when enabling this feature that this is something to consider.

As a work around, it does seem that putting a user in a group or org that has passkeys disabled does seem to remove them, so you can create an off-boarding group or OU with that disabled, and add that to your off-boarding procedures, but hopefully this is something Google will resolve in the near future.

Links

The Usefulness of AI, and Tools That I Use

Sat, 30 Mar 2024 20:34:53 GMT

AI is a bit of a polarizing topic as of late. Most people fall into one of a few seemingly extreme camps. Either AI is the most revolutionary technology ever, and will trigger its own industrial revolution size change to our society, or it's equally powerful but will cause more of an apocalypse of some sort, or it's all just hype with no substance and seemingly completely useless. I don't really think any of these are accurate, and it makes me sad that so many people have seemingly lost the ability to think or articulate nuance in complex topics. I think this is something that has been hyper-accelerated by social media, and is a huge problem. No topic is actually completely polar, but that's how many people seem to talk about it any more.

I'm not going to pretend that I know where AI is going to go, or what it will be capable of in the future. I've heard people who are much smarter than me in the area make claims that Artificial General Intelligence (AGI, which would essentially be a "conscious" AI that could improve itself, much like humans, though there is some debate on the definition as well), is just a few years away, and others say things like the recently super popular Large Language Models are very impressive but are likely to plateau in capability pretty soon, and will only marginally improve in the future. Anyone who claims to know one way or the other is lying.

The naysayers out there are quick to point out how easy it is to get tools like ChatGPT to either be wrong, or straight up "lie", as if it was an actual conscious being already, and therefore can somehow be either "dumb" or "malicious" when it can confidently tell you something incorrect. Many people compare it to the hype of Crypto or Web3, which has never materialized into much more than just money speculation, fraud, and financing criminal activities. I could write a ton about how much of an empty hype Crypto has been, but to me there is a pretty clear and meaningful difference.

I want to start by saying I do actually think AI is over hyped right now. I also think it's pretty incredible and for me has been extremely useful already, and I'm really excited for its future. These are both true.

Many people know this, but many also struggle with this idea. You have to understand the things current AI is good at, and tailor how you use it to fit that. If you do, I think it can be a very useful tool. Importantly, you have to know and understand that it is not actually knowledgeable, and therefore is not always correct. If you know that, it can still be really powerful.

When I am using AI tools in ways that it is helpful with, it reminds me of Steve Jobs talking about the computer being like a "bicycle for the mind". It helps me do the things I would normally be doing, but significantly faster and more effective. Here are some ways and specific tools I have found useful -

Summarization - So much of the internet has been filled with absolute SEO garbage, and a lot of times I just need a quick summary of something. Much of the time I have found AI very good at summarizing the key points of something. Sometimes a web page, sometimes a long PDF where I just need some highlights, and many more. It's important to realize that it's very possible it will miss something, or be slightly wrong on part of its summary, so if there is an important document like a contract, you probably don't want to use AI to just summarize it and call it good. But most of the time, I don't need it to be 100% accurate, and speed can be important. It's excellent for that.

I use Readwise Reader as my "read later" app. It has a summarize feature built in that I use all the time. More often than not, the summary tells me if I want to read the entire article or not. It often does actually get me to read a whole article I might not have otherwise.
Coding - I am well aware AI is not a great coder. But I'm not either. I'm in IT, and I dabble in code from time to time. Frankly, I've had many developers work for me over the years, and unfortunately most people developers aren't very good either. But if you know that, it can still be useful. It's often better than I am, and if you ask things in the right way, it's honestly pretty impressive. Sure, I'd rather have a highly experienced and talented developer I could just call on any time, but I don't, so things like ChatGPT and GitHub Copilot have been a great resource for me. Of course I test everything, and don't just trust that everything it comes back with is correct, and if it's something high stakes I'd have a person who knows what they are doing review it before making something production, but it has helped me do a lot more than I could or would have otherwise.
Rubber ducking and brainstorming - Somewhat related, I have found it a great resource to rubber duck and brainstorm ideas with. If I code something and I don't completely understand what made it work, or why something had to be a certain way, I can ask one of these tools, and gain a better understanding. If I'm writing a blog post, particularly for work where we are just trying to establish a presence online, I can bounce ideas off of it really easily. I often find the way it writes to be a little weird or overly formal, but if I take these ideas and run with them, and make them my own, it not only often gives me great ideas or places to start, but dramatically speeds up the time I can do it.
Search - Search is one that it seems like a lot of people struggle with. ChatGPT, for instance, is not really search. There are millions of comparisons to how ChatGPT fails at some search-like thing where Google search does just fine. But that's not really what ChatGPT is. For this, I use Perplexity AI. Perplexity uses several of these LLM technologies under the hood, but has put them together in a way that honestly has completely changed search for me.

In their own words, this is what Perplexity is -

Perplexity is an alternative to traditional search engines, where you can directly pose your questions and receive concise, accurate answers backed up by a curated set of sources. It has a conversational interface, contextual awareness and personalization to learn your interests and preferences over time.

Perplexity’s mission is to make searching for information online feel like you have a knowledgeable assistant guiding you. It is a powerful productivity and knowledge tool that can help you save time and energy with mundane tasks for a multitude of use cases.

How does Perplexity accomplish this?

With the help of our advanced answer engine, it processes your questions and tasks It then uses predictive text capabilities to generate useful responses, choosing the best one from multiple sources, and summarizes the results in a concise way.

Perplexity to me has been like a research assistant. It is truly AI powered search. It does a fantastic job answering simple questions, but importantly provides links to the references that were used. I've seen many online publications panic about tools like this (It's similar to Arc Search as well, which I use on my phone), because it will often just answer a question, meaning you don't have to click through to get an answer. While that logic makes sense, I honestly find myself clicking through far more than I ever do with Google.

With Google, so many results are just SEO garbage that increasingly don't even answer your question. Content farms pump out keyword filled garbage articles, cram as many ads per inch as they possibly can, and game Google's system very effectively. As I've written several times recently, this ruins the quality of results and honestly has made Google search nearly unbearable. Perplexity somehow seems to cut through that junk, and not only answer my question well, but all the links are much much higher quality in my experience. Because of this, I find myself clicking through FAR more regularly to the linked resources for more information.

The downside is that if you need to do more than a couple of searches and you want the highest quality where it searches for you, you have to pay for it, and these tools add up quickly. The time it saves me and how much it helps me with my work make it absolutely worth it to me, but this isn't going to replace "free" search engines, but this is the first time in many many years where I feel like Google has some legitimate search competition. If you haven't tried it yet, I encourage you to do so.

I think there will be many more extremely useful applications for AI soon. For instance, once it can more effectively use your own data as a source of information, I think that will be pretty revolutionary.

AI Tools I Use The Most

ChatGPT / OpenAI - https://chat.openai.com and OpenAI API for certain scripts, Zapier automations, and more - https://platform.openai.com/

Note - Using the paid version for GPT 4 makes a big difference in quality of results
GitHub Copilot - https://github.com/features/copilot I use my student copy of this with JetBrains to have integration right in my IDE. I have found this slightly less useful than using ChatGPT, but more convenient for specific scenarios.
Perplexity AI (Referral link. You get a discount on the first month if you use this link)- https://www.perplexity.ai/

Links

Google Search is Getting Worse

Thu, 21 Mar 2024 08:28:39 GMT

Quick follow up to what I wrote the other day - How Google Lost its Way, the Decoder podcast recently did an episode about Why Google Search feels like it’s gotten worse, where they discuss how "SEO" is essentially breaking the internet, and (my words) how gaming Google Search has made the internet far worse. Google, at least hypothetically, cares about the quality of your search results, but they way they do that is more aligned with advertising, both for Google themselves and for all the people trying to game the system, leading to full on enshittification of essentially all of the internet due to Google's search dominance. Regardless of how intentional it was, or how much of a blind eye Google turns to the problem, it's hard to deny that it is a problem.

To reiterate what I wrote, Google is seemingly in trouble. Not only are they vulnerable to better search, which has suddenly become far more possible from companies like Perplexity AI, coupled with how Google is seemingly unable to determine the quality of results with the deluge of crap constantly being shoved on to the internet. The garbage content is already in hyperdrive with generative AI, and that's only going to get worse.

Google is a big powerful company. They aren't realistically going anywhere any time soon, but they have seemingly been caught completely off guard in so many ways. Not only did they seem to completely squander their lead in AI, it all of a sudden feels like Google being the undisputed search leader is seemingly not a given any more either.

Overcast link to Why Google Search feels like it’s gotten worse - Why Google Search feels like it’s gotten worse

If you are interested in Perplexity AI, which I have found incredibly useful, here is my affiliate link. I will write more about Perplexity, and why I have found it so impressive soon - Perplexity AI

Links

How Google Lost Its Way

Mon, 18 Mar 2024 04:47:49 GMT

I thought this was a really great article about how Google has lost it's way as of late, from Business Insider How Google Lost its Way.

As I've written several times, Google has been repeatedly and needlessly shooting themselves in the foot over the last few years with so many different things. No one trusts them to manage a product because they are so trigger happy about killing things off, and don't seem to take anything seriously outside of their advertising business.

As mentioned in this article, the stock value of Google has significantly gone up under Sundar, but I honestly believe the company is in a really bad place right now. He seems like a sharp guy, and personally I honestly kind of like him as a person, but after these repeated problems as a company I'm not sure he's the right person to take them out of their current state.

Most of Google's stumbles over the last few years shouldn't have been a huge deal, though I would argue the sentiment because of them kind of snowballs in people's perception of the company. Most people I talk to either don't trust Google because of privacy (totally valid) or because they don't think Google can be trusted with a product someone might care about (also valid).

There are two pretty big problems right now that put Google in a tough spot. First, they were clearly caught completely off guard by what has happened with AI since ChatGPT. They literally invented this kind of AI, and by nearly every measure were in the lead in AI for years, but they have clearly squandered that lead. Sure, they have listed a few reasons why that's the case, primarily around safety, but the fact that they are still so far behind is a problem. Not to mention, even after slowing down for safety, when they do launch something it has had some pretty significant problems.

Not only is Google behind in AI as a product, but I think the recent AI tools are honestly the first time in decades that there has been any real threat to Google's search dominance. Bing has seen significant growth since adding Copilot to their product, though it's still a small fraction of the market, but other tools such as Perplexity AI offer a very compelling alternative. I will write more about Perplexity AI shortly, but for me it is the first tool to make me replace Google in my daily usage, which is significant for me. The current iteration is likely not going to work for everyone in the world, but it's a crack in the glass surrounding Google's search dominance, and unfortunately as outlined in the Business Insider article, they are not doing enough to diversify their revenue outside of that. Every interesting new project they have they half ass, then cancel without warning.

The other problem is the company culture. The article goes in to more detail, but there is clearly a culture problem at Google and the employees are not happy. The once safe cushy jobs at Google are not seeming so safe, and there is a lot of discontent within the organization that does not seem to be being addressed very effectively, at least from the outside.

To me it falls in the same category, but to see more cultural issues at Google going back for years, you should check out Tony Fadell's book, Build. Tony worked at Apple for years on several ground breaking products, then started Nest which sold to Google, and he goes in to some detail about how that basically sucked all the life that made Nest unique and great out of the company. It's not hard to see that the innovation on Nest has essentially hit a brick wall since being acquired, which is extremely unfortunate.

All of this personally frustrates me because I really like a lot of what Google does. I vastly prefer Google Workspace over Microsoft 365, but I find myself wishing more and more that productivity platforms weren't such a duopoly. I wish there was a 3rd platform that was really truly competing with those two, because honestly neither choice is great at the moment, but there aren't any great alternatives for most companies out there. I also like Chrome, I loved Stadia, Google Fiber has been absolutely incredible. If they could just get their shit together, I think they could get back to greatness.

Links

NSA Buys American's Data

Sun, 28 Jan 2024 18:00:38 GMT

Recently it has been widely reported about how the NSA is buying up American's data - New York Times, and Tech Crunch.

Senators are obviously acting like this is some huge scandal, because it's part of the government doing this, but I don't understand how they are confused by this. (I do actually know, it's because Congress doesn't understand technology, but my point is the same). Of course the NSA is buying this data. It's valuable, and critically it's commercially available. This means pretty much anyone could buy it if they really wanted to. You think Google and Facebook don't just vacuum up the same data?

To me the problem is not the NSA buying this data, it's that it's possible to buy this data. It's that companies are somehow allowed to gather and keep this data in the first place, so that anyone can buy it. The internet is so addicted to surveillance on all of us, just to squeeze a tiny bit more money out from advertising, but it's a huge problem.

We desperately need laws in this country to protect our privacy, or this can and will continue to happen. We should all have the right to know what data is being gathered and what it is being used for, and importantly have a choice to NOT have it collected.

Links

Neon Database

Fri, 19 Jan 2024 09:57:27 GMT

I recently wrote about Resend, a transactional email service I found that is focused on developers, and is really a fantastic tool. Today I wanted to mention another tool I've found that is really awesome.

Neon follows a similar philosophy and allows developers to create serverless PostgreSQL databases. Like Resend, this seems to be a service that is built on top of AWS technologies, but abstracts out a lot of the (in my opinion, dumb) technical overhead that accompanies all AWS services. It is shockingly easy to get set up and running with Neon, and there is a ton of flexibility on how your database will work, how many resources it will be allowed to pull from, and more.

I love how easy it is to create new users, roles, and even new databases, but some of the more advanced features really make Neon unique. For instance, they have a feature called "Branching", where you can create a "branch" of your database either from a snapshot you save, or from the current database. Nearly instantly you have a second copy of your DB that you can use to test something out with.

There are lots of other features, like automatic snapshots, auto-scaling, and one-click read replicas. I also love how they help you generate credentials to connect from whatever project you are working on. For instance, I'm working on a Django project at the moment, and in Neon, I was able to just choose Django as a source, and it gave me the exact code to add the database to my Django project. Copy, paste, run the migration script, and it was done. I really was that simple.

I have seen several apps similar to this pop up lately, where they take something that one of the big cloud companies does, and specializes in just making it a really good experience, and I love it. More of this kind of thing please.

I have a couple more I will mention over the next few weeks, but I'm loving these.

Links

Resend

Fri, 19 Jan 2024 09:57:12 GMT

I have recently found a couple of really neat tools specifically designed for developers recently that I have been super happy with and wanted to share. (Caveat - I'm not a developer, but I have been trying to learn a bit more about coding.)

The first one I wanted to mention is called Resend. This is a transactional email service, similar to Sendgrid, Amazon Simple Email Service (SES), Mailgun, Mailchimp Mandrill if that still exists, and many others.

I have been using several different transactional email services over the years. Several have started out pretty well but they have seemingly just gotten really frustrating over the years. For what it's worth, I primarily use these for sending emails to customers such as an alert, or our service desk holiday hour reminders, or if there's a big change we're making in the company and we want to email all our customers or something like that. I don't particularly like marketing emails, and personally don't really have any interest in trying to do those, so nothing I am talking about is in the context of how these tools are used for marketing.

Amazon SES is the engine behind many other services people offer, and is likely the largest option out there, but I kind of wonder if they were trying to be sarcastic by naming it "Simple". It is, like many AWS services, way more complex to set up than it should be, and if/when it has problems they are certainly not going to make it easy to figure out what the problem is or how to fix it.

Sendgrid is what I have been using more recently, and it started out ok, but I swear every time we go in to use it it fights you a little more on what you are trying to do. Whenever I want to send a quick email out to a bunch of customers, it seemed like it would always take 2x or more time than I anticipated. I tried making some scripts to use their API to streamline things, but wow... What a mess.

I wish I remember how I found Resend, but I took a look at their product and it seemed to be saying all the right things to me. It seemed far more simple, straightforward, and designed to do exactly what I was looking to do. I signed up and have been incredibly happy so far.

They posted an article introducing themselves and explaining what they are trying to do and why. So far, this matches the reality for me - Introducing Resend. The documentation is straightforward. The interface when you log in is simple and straightforward. The API's are easy and make sense, and - This is important - they WORK.

I don't know exactly how they are doing everything on the backend for this service. For all I know this is just a layer in front of Amazon SES, but honestly, totally fine with me. I love tools like this that are well designed, a pleasure to use, and just make my life easier. If this sounds like something interesting to you, I recommend checking it out!

I have found a couple other tools that to me are in the same camp - Smaller projects designed by developers who want to do something really well, with nice design, and are simple to do what you are trying to do. I plan on writing a few more of these in the coming days.

Links

5G

Sun, 10 Dec 2023 18:30:37 GMT

I have recently been extremely frustrated with my phone service. While I agreed at the time that carriers (and Apple for that matter) were over-hyping 5G, I also felt like people were being too harsh in their criticism. Deploying new networks takes time. I even wrote about it here.

I wrote that in early 2021, and we are getting close to 2024 now, and I have to say, 5G has been an enormous disappointment for me. My experience is on Verizon, which is one of the carriers who pushed 5G being a revolution the hardest. When I wrote that, there were only little pockets of good 5G coverage, but when you were in those spots, it felt like sci-fi. I was getting over 2.5 Gb/s (Yes, Gb/s, not Mb/s) on my cellular, which is unbelievable to me still. The problem was you had to be within about 200-300 feet of one of their mmWave towers. Still, I thought at least in high traffic areas, this would be a game changer.

I get season tickets to MLS soccer here locally (Real Salt Lake) and often go to University of Utah Football games. Stadiums are one of the worst places for cell service, and one of the clearest benefits of where mmWave 5G would make a ton of sense in my mind. Well it's been years, and although I think they have added some towers near the stadiums, I almost never actually get any service. Likewise, other places I used to consistently get the mmWave signal, no longer seem to be working very consistently. A local Taco Bell has an mmWave tower right in the parking lot, and I used to always connect at hyper fast speeds. Now it only connects to it maybe half the time, if that.

I also live in the city, not right down town, but definitely in a very populated area. My work is about a 10 minute drive for me, and yet about 90% of that drive, my phone won't connect to 5G at all. Just LTE the whole way. More than that, there are spots now where music struggles to stream. In a city. In 2023.

It doesn't really matter how good 5G could be, if it won't ever work. I pay more every month for the "faster" service to be on the bleeding edge of connectivity, but I'm not sure what the point is.

The Verge wrote an article this week around the same kind of thing - The race to 5G is over — now it’s time to pay the bill. It seems investors are also getting impatient about 5G being smoke and mirrors. It's hard to tell if the US Carriers just completely botched this rollout, or if the technology from Chinese chip makers really killed the rollout for the US, or if 5G was just an overhyped technology that is actually worse in far more ways than we were lead to believe, but either way it's incredibly frustrating.

Links

Warp Terminal

Sun, 10 Dec 2023 10:20:57 GMT

Warp is a modern macOS terminal that I have been using for quite a while now and to me, and it keeps getting better.

Warp is built with Rust, and is extremely fast, works really well, and has some really neat features. It's highly customizable with several themes, and you can set your own font (I have been using SF Mono for a while now and really like it), and you can easily change the specifics of the information that your prompt shows directly.

There is also a fairly new feature called Warp AI, which I have found pretty useful from time to time. It can help you craft prompts (be careful with this of course), but also interpret outputs in Terminal which I find to be extremely useful.

The feature I have begun to rely on the most though which is fantastic is one they call Warp Drive. This is where you can set up specific workflows that you use frequently, and add arguments as part of the workflow, which are basically like variables within your workflow. Warp Drive workflows can be used with teams as well, which is pretty cool that you can share common workflows, but currently I just use them personally. I found them immediately helpful, but recently they made it so you can use a keyboard command to search them, and that has made it something I would have a hard time ever moving from.

One thing to mention is you do need to sign up for an account to use this. That doesn't bother me, but it's something to be aware of. This is used to sync your workflows across computers, but it is not optional even if you don't want to sync.

There are a ton of other features but I have really enjoyed this tool so far, so I wanted to share. Here is my referral link if you are interested in giving it a shot.

Referral Link - Warp

Links

Inside Apples Chip Lab

Mon, 04 Dec 2023 03:13:16 GMT

CNBC recently got access to one of Apple's Silicon Chip labs - Inside Apple’s chip lab, home to the most ‘profound change’ at the company in decades.

I thought the video was pretty interesting, but the conclusion toward the end around Apple and AI is a common narrative that doesn't make sense to me. "Mainstream" news organizations seem to be somewhat obsessed with the idea that Apple is behind in the "AI boom" taking place recently.

I understand where this comes from. Siri to me is a prime example of how you can make the argument that Apple is behind in AI. To this day I can barely stand using Siri because it's so awful for me. In some cases, it feels like it's getting worse... But that's a story for a different article.

Leaving aside the arguments about what "AI" really is, Apple uses in lots of applications. They tend to be really careful to call it ML when they refer to it (more accurately), but it's all over the place. To me though, this isn't even the main point that these companies are missing. They tend to just point toward what OpenAI, ChatGPT, and sort of by proxy Microsoft are doing, and to some degree how Google and Amazon are catching up with OpenAI and Microsoft. This seems to be something they like lumping together because they are all in "Tech", but it doesn't make sense to me. That type of "AI" is really only going to be possible in the cloud with huge server farms to train the models, and make them accessible to whatever degree necessary as a cloud service. This is just not an area Apple is interested in. There are hundreds of services offered by the big cloud giants that Apple has no direct answer for, and I don't think it makes any sense for them to.

I'm certain Apple is working on internal models to be used in their products, and possibly even for internal use. We also know that if they are doing this, Apple will be a lot more conservative with safety and privacy, and this will always put them behind the "state of the art" with this type of tool, and that's ok. Reports like the CNBC ones seem to think that this is an existential threat to Apple if they don't have something in the space soon, but I don't see the relation. I can access all of these technologies from Apple devices when needed, because they are on the cloud. There are definitely times I wish Apple were better at cloud/internet type services on their own, but it clearly hasn't impacted their ability to be the most valuable company in the world, and I don't really think the "AI" tools will change that.

Links

https://www.cnbc.com/2023/12/01/how-apple-makes-its-own-chips-for-iphone-and-mac-edging-out-intel.html

Okta Breach Another Update

Mon, 04 Dec 2023 02:21:53 GMT

I recently posted a couple of articles about the recent Okta breach, here, and here. I mentioned how their response was completely tone deaf, essentially blaming customers and a specific employee instead of taking responsibility for themselves, and also seemingly downplaying the size and magnitude of the breach, almost seemingly bragging about how it was just a tiny percentage of customers impacted.

From Okta's Security Blog Post on November 3rd -

Having finalized our investigation, we can confirm that from September 28, 2023 to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers, or less than 1% of Okta customers.

Well, turns out that wasn't entirely accurate. On November 29th, Okta posted a follow up article explaining that in fact the threat actor was able to download at least some information from all Okta customers. October Customer Support Security Incident - Update and Recommended Actions.

Once again they seem to be downplaying the incident, and giving even more suggestions of what their customers should do, and a whole lot of nothing that Okta is doing.

Security incidents are going to happen, but companies as important as Okta need to do a better job with both their internal security, as well as how they handle these breaches. Really not a good look for Okta, or their CSO David Bradbury.

Links - https://sec.okta.com/articles/2023/11/unauthorized-access-oktas-support-case-management-system-root-cause

The Record - Okta security breach affected all customer support system users - https://therecord.media/okta-security-breach-all-support-users Tech Crunch - Okta admits hackers accessed data on all customers during recent breach - https://techcrunch.com/2023/11/29/okta-admits-hackers-accessed-data-on-all-customers-during-recent-breach/

Links

Jamboard - Another Google Casualty

Mon, 04 Dec 2023 02:16:19 GMT

Google is once again killing off another product. I don’t think it’s terribly surprising if you have been paying attention to the amount of effort Google has(n’t) been putting in to the product over the last few years, but it’s a cool idea, and it’s a shame Google continues to be allergic to putting any effort in to products.

Google is telling users to go to alternatives like Miro for the app functionality, and 3rd party digital boards for the actual hardware. On the one hand, the 3rd party options are much better than what Jamboard ever offered. I’ve been testing out Miro recently and it’s very nice. We’ll likely end up using that internally at work. But on the other hand, part of why they are so much better is because Google completely ignored their own product for years.

It’s frustrating that now users have to pay for yet another recurring monthly cost for something that was included in Google Workspace already. Oddly enough, Google isn’t lowering the price for Google Workspace as they continue to remove apps and functionality… In fact it keeps going up in price, while the pace of products seems completely stagnant.

Once again, Google frustrates me, not because they can’t make good products. They do. But They just cannot focus on keeping them around or improving them. In the productivity space, I FAR prefer Google over the Microsoft alternatives with their 1,000,000 license types, and completely unnecessary complexity, as well as their superpower for vendor lock-in. Google Workspace by comparison is in my opinion much nicer to use, but the more Google does this, the more difficult it is to continue to rely on them for anything, business or personal. I can’t believe they don’t see this as a critical problem internally.

We desperately need a real 3rd competitor in the productivity suite space… Someone needs to compete with Microsoft and Google, the duopoly is not good for anyone.

Links

Apple Security Prompts

Sun, 03 Dec 2023 19:49:25 GMT

Recently Daring Fireball and Six Colors posted articles about how obnoxious Apple's security prompts have become, particularly when you're setting up a new device.

Six Colors - A picture is worth a thousand permissions requests

Daring Fireball - MacOS Security Prompts Need a Rethinking

Both are worth reading, and I completely agree. I understand Apple is trying to help people be as secure as possible, but I think they've gone too far for most people, honestly. The actual things they are doing for security may be fine, but the implementation has become a huge pain to deal with. The picture posted at Six Colors almost feels like a joke, but it definitely isn't.

There are 2 scenarios I run in to frequently -

Power Users

First, my own experience, as well as colleagues I work with. I am in the IT field, working for an Apple Consultant that specializes in helping companies with their Apple products. We do setups a LOT, both for ourselves and for customers, and it has become a huge pain to deal with all of these prompts. From an admin perspective, I really want the ability to just set all of the settings I want in bulk. For me, I know what I want my computer to do and not to do, and I'm tired of fighting with the system every time, with every individual pop-up that comes up. Some of this can be deployed via MDM, which helps, but I'd still like a way to just do this in bulk on my own. Make it difficult to do so people won't ever accidentally do it, but some way would be great.

On that note, I understand why Apple makes it so difficult to screen share with someone, but it's a bit ridiculous. In my opinion, at the very least, if a device is purchased for a business via Apple Business Manager (ABM) so that it's part of the Automated Device Enrollment, you should be able to deploy a Privacy Profile that allows apps to screen share without the end user approving it. I think it's fair to say that it shouldn't be a completely silent screen sharing, but it needs to be easier to do. Sonoma shows in the menu bar when an app is screen sharing, which I think is a good thing, and should stay in place. Maybe a good middle ground would be to allow an app to screen share, but prompt the user with an "approve" and "deny" pop up when the app tries to screen share. This would be easier than the current method of going in to System Settings and enabling screen sharing for the app, and requesting that the user quit and re-launch the app.

We use Splashtop to screen share with clients all the time to help troubleshoot. Even though we deploy it and do as much as we can to approve everything possible with a Privacy Profile, nearly every time our customer gets confused with approving screen recording in System Settings. It's just not a good experience. Prompting the user with a simple prompt to approve or deny access would be much easier.

Other Users

The next scenario is far more common. In my experience, the average Mac user just doesn't understand all of the prompts that come up, and in many cases just click something to move past the prompt, often with unintended consequences. For instance, I have had to fix several family computers because family members don't understand the login item prompts coming from more recent macOS versions, and then they don't understand why some apps don't work well any more because they can no longer run in the background. Is this increasing their security? I would argue it doesn't because they don't understand it.

Too many prompts are not educating the users on what is happening, it just feels like poking the user in the eye several times as they set up their new Mac. This is something Apple needs to figure out how to do in a better way that doesn't take forever, and explains in simpler terms what it is asking, as well as allow them to bulk accept some of these prompts.

Links

Judge Throws Out Car Privacy Lawsuit

Sat, 11 Nov 2023 03:48:48 GMT

In another blow to privacy, The Verge reports

A federal judge upheld the dismissal of a class action lawsuit that alleged automakers unlawfully collected and recorded car owners’ text messages, as first reported by The Record. In a ruling on Tuesday, the Seattle-based judge said the claims aren’t severe enough to be considered a violation of the state’s Washington Privacy Act (WPA).

Your car can keep collecting your data after a judge dismissed a privacy lawsuit

This is unfortunate, but the real issue is the lack of laws around privacy in the US. Of course cars are going to spy on you and sell your data if they can. Why wouldn't they? No one is stopping them. If this remains unchecked, it will be a race to the bottom like how TV's are. Cheaper TV in order to extract as much data as possible to sell.

You're the product, not the customer.

Links

https://www.theverge.com/2023/11/9/23953798/automakers-collect-record-text-messages-federal-judge-ruling

Ars Technica Okta Writeup

Sun, 05 Nov 2023 07:44:27 GMT

Following up on the Okta breach and disclosure issues I mentioned the other day, on Friday Okta published a follow up article on their security blog Unauthorized Access to Okta's Support Case Management System: Root Cause and Remediation. Pretty stark difference to me in how Cloudflare handled a post mortem, and how Okta did with this response. Granted, they aren't exactly the same scenario, but this is also not the first time Okta has been completely tone deaf in their response. After their first half assed response, several security researchers called them out on how poor of a response it was. You would think Okta would take the opportunity in creating their detailed response to maybe address some of the complaints about how tone deaf their response was. Well... Not really.

Ars Technica published a post about the detailed response, excoriating Okta for essentially now blaming one employee for the issue.

Accessing personal accounts at a company like Okta has long been known to be a huge no-no. And if that prohibition wasn’t clear to some before, it should be now. The employee almost surely violated company policy, and it wouldn’t be surprising if the offense led to the employee’s firing.

However, it would be wrong for anyone to conclude that employee misconduct was the cause of the breach. It wasn’t. The fault, instead, lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured.

This is all completely true. You can absolutely block logging in to personal accounts entirely, not to mention block the password saving feature. Given the sensitivity of what Okta does, this is completely on the leadership team, not on that employee. It probably will not be the senior leadership that pays the price though.

Given the similarities to the January 2022 breach, outlined in this Cloudflare Blog post, it's hard to believe Okta has learned it's lesson here. Their support system is clearly a huge vulnerability, and it does not seem like they treated the situation appropriately, and from the outside it's hard to believe they have taken many (if any) steps to correct the issue going forward. It's hard to assume otherwise when this happens more than once, and there is almost no transparency in either case. What's worse, in both cases we found out about the situation first from someone other than Okta.

Okta needs to get their head out of their ass on this stuff. As a security company, particularly one that is so crucial to so many customer's security stacks, they NEED to do better. They should be a gold standard in the industry, and no one should ever have to question whether they are doing everything they can to keep customers safe. That should be table stakes for a leading security company. They have a great product, but none of that matters if people can't trust them, and they are making it harder and harder to trust them.

Here's a link to the Ars Technica article - https://arstechnica.com/?p=1981227

I want to also point out that there was another Ars Technica article this week titled Okta hit by another breach, this one stealing employee data from 3rd-party vendor. I don't think the title is fair on this. Okta wasn't breached in this case as far as everything I've been able to find, it was a 3rd party company that Okta works with to handle internal employee data. I don't think this constitutes as "Okta hit by another breach". While technically not false, I think it's fairly misleading.

That said, there are some important things from this that have similarities. In the article, Ars links to a copy of the letter sent to employees -

“The types of personal information contained in the impacted eligibility census file included your Name, Social Security Number, and health or medical insurance plan number,” a letter sent to affected Okta employees stated. “We have no evidence to suggest that your personal information has been misused against you.”

What does that even mean? Of course it will be used against employees. This reeks of a legal team saying and doing the bare minimum they can, while vaguely patting themselves on the back, but essentially saying "Sorry, nothing we are going to do about it". It's hard to know how much, if anything, Okta itself could have done to prevent this from happening. All of that information is likely needed by the healthcare provider, and the healthcare provider clearly did not have good security in place to have this happen, but this was an opportunity for Okta to actually try to help their employees, and they instead chose to just cover their own legal asses.

Later in the letter they say -

What We Are Doing. Okta regularly reviews and updates the measures it takes to protect your personal information. While we have no evidence that your personal information has been misused, as an added precaution, we are making available to you access to 24 months of complementary credit monitoring, identity restoration, and fraud detection services, through a product called IdentityWorks, offered by Experian.

More boiler plate "cover your ass" bullshit clearly from a lawyer. This is just the go-to canned response from most data breaches any more, and it honestly pisses me off. Experian, and frankly all of the credit bureaus, are essentially rackets, and they are all honestly some of the worst companies in the world. I have some personal reasons that I may write about at some point about why I personally hate them so much, but I don't think anyone has to imagine too hard, and no one is a big fan of any of them. Regardless, their "credit monitoring, identity restoration, etc..." services are completely useless. I've gotten this for "free" a few times due to breaches and other scenarios and they are bait-and-switch services that just try to loop you in to paying them for it long term, and it does not really solve anything. If I were one of the employees impacted by this, I'd be really irritated by this being offered as the solution.

Okta should realize that all of this personal information leaking will be used for spear phishing employees to try to gain access to their systems. Hackers just gained access to a bunch of sensitive information about employees of the company which can now be used for extortion or false familiarity campaigns when attacking Okta employees, which loops back in to the previous article and discussion. But I guess next time it happens again, Okta can just blame the employee again...

Links

Cloudflare Control Plane Outage - Another Post Mortem

Sun, 05 Nov 2023 05:24:20 GMT

First of all, what a wild ride. It sounds like a really rough week for Cloudflare engineers, dealing with such a crazy set of circumstances.

More importantly though, I personally always really appreciate how detailed Cloudflare is on post mortems. They explain in detail what happened, why it happened, and what they are going to do to prevent the same issue happening again. That's not easy to do, both technically and swallowing your pride to admit mistakes, but they do it time and time again.

While this was clearly not caused by something that was their fault, they also acknowledge that that should not matter, because they could have done more to prevent this scenario. Taking ownership of the circumstance no matter the scenario is extremely admirable.

Other companies could learn a lot from Cloudflare on how to transparently handle these scenarios. Okta specifically comes to mind...

If you haven't read this yet, I recommend it, it's pretty fascinating.

Post Mortem on Cloudflare Control Plane and Analytics Outage

Links

My HomePod Experience

Sun, 29 Oct 2023 09:01:23 GMT

In a recent Accidental Tech Podcast (ATP) episode, Marco Arment discussed his journey from HomePods to Sonos, and how irritating the HomePods have been. While part of the conversation about sound quality is subjective, I have been thinking about this topic in general for a while, and Marco's comments made me finally want to write it down.

ATP - 558: Multilevel Pizza Oven

I have been somewhat of an Apple fanatic ever since high school. That year I took a video editing class where we would produce a TV show for the school every week, and I got to start really using Macs for the first time. I primarily edited using Final Cut Studio on the flowerpot G4 iMac (still my favorite Mac design of all time). I was hooked, and quickly got one of the first iPods, and have been an Apple fan ever since. About 5 months before the iPhone was announced, I started working at Apple Retail, where I worked for almost 5 years. After that, I went to work for a company called Simply Mac, an Apple Premiere Partner that had explosive growth for several years, and now I'm working at a Managed Service Provider that is part of the Apple Consultants Network. I mention all of that just as an illustration of where I'm coming from.

I won't go through all of the Apple products I've gotten over the years, but it's a lot. Like... A lot. I've also always really been in to Music, and audio in general. Next to Apple, I've probably spent more on speakers, amps, etc. than any other tech. It's more than I care to think about. So naturally when the HomePod came out, I was thrilled. After hearing them in person I was even more excited. I went all out on HomePods. They sound fantastic, particularly in a pair... When they work. Unfortunately that turned out to not be a given.

In all I ended up with about 6 HomePods, and of all of the Apple products I've ever gotten over the years, they are the first and only product that I completely regret getting.

Let me first mention Siri. This part has honestly not surprised me. Siri has always been a mess. This is probably a whole other discussion, but Siri has been really bad for as long as I can remember. Some people seem to have better luck than me, though I honestly don't think anyone has a good experience with it. Some people are also just less picky than I am about that. I bring this up because Siri has been really bad for me on HomePod, but for me, this was fairly expected. I have hoped for years that it would improve, and I hoped the HomePod would be better, but it wasn't. And if that was the only issue, for myself personally, it is not a deal breaker.

As I mentioned, the sound quality is fantastic. When they work I love how they sound. But they were immediately plagued with software bugs that are infuriating. AirPlay works like 75% of the time. Sometimes the HomePod pair doesn't work right. In some cases that means it just won't play until I reboot both of them. Sometimes it will only play through one until I reboot both of them. AirPlay sometimes just wouldn't start, or would freeze. Other times it starts streaming directly to the HomePod when started from my phone while other times it would stream from the phone. If it starts streaming directly, after a few minutes my phone would just go back to it's own playlist and forget to "remote control" the HomePods. I couldn't ever get it to consistently do one or the other though. Sometimes when it did start playing, it would become unresponsive to remote controls at all. Often (and this seems to happen with all Apple Music unfortunately...) it just decides to stop playing mid playlist. Why? Who knows. It never tells you.

This didn't happen every day, or every time, but it happened enough that it has been driving me crazy. Luckily, these are software problems, right? So they should be able to fix this with future updates... Right? Well in my experience, they have gotten worse over time. Some updates make them clearly worse, others make them slightly better than a previous one, but overall they are worse than when they started.

On top of that, after about a year, some of them started clearly having electric issues. They would become unresponsive entirely, and would occasionally just do a fairly loud speaker pop on their own when nothing was playing. Shortly after that started happening, those HomePods would completely die. I've had 2 completely die, and a 3rd that is showing the same signs.

These issues have largely made it so I don't use them almost ever. It is hugely disappointing to me. These were released in 2018, which is not very long ago, especially for speakers. My parents have a set of nice speakers by Boston Acoustics that are nearly as old as me, and still sound fantastic. I have a Sonos Soundbar and Sub that I've had for over 10 years and still work and sound fantastic as well. HomePods were $350 each when they launched, or $700 for a pair to make them sound truly fantastic. That's a lot of money in general, though not unreasonable for a nice set of speakers, but also definitely not "cheap", yet these have effectively not lasted more than a couple of years.

From the sounds of it, Marco's experience is that the HomePod 2 is not much better. They probably fixed the complete failure issues, though time will tell, but the underlying software issues seem to still be there. Even if it did fix all the issues, it's not reasonable for Apple to expect people to replace all their 1st generation ones with the new ones.

I don't know what the right answer is for this scenario, but I feel like they were bad enough that Apple should have done something to make it right for people. I am still a huge Apple fan, but I feel burned by the HomePod. Some products I've disliked more than others over the years. Not every one will knock it out of the park, but HomePod is different. It feels like a defective product in my opinion, and I strongly regret not getting Sonos at the time.

Links

https://atp.fm/558

Okta Faces Another Security Breach in Customer Support Unit

Mon, 23 Oct 2023 00:47:28 GMT

Recently reported by KrebsOnSecurity, Okta experienced a security breach targeting its customer support unit. Attackers exploited a stolen credential to access Okta’s support case management system, potentially viewing sensitive files uploaded by certain clients. Although Okta asserts that a minimal number of customers were affected, it's concerning to note that the intruders had access for approximately two weeks before containment.

While the impact seems to be minimal, this is not the first time Okta has been compromised through their support system, which it seems is either entirely or at least mostly outsourced. In January 2022 there was a similar breach, outlined in this blog post -

Okta Concludes its Investigation Into the January 2022 Compromise

Unfortunately, from their “Lessons Learned” section they specifically mention the following -

Third-party risk management:

Okta is strengthening our audit procedures of our sub-processors and will confirm they comply with our new security requirements. We will require that sub-processors who provide Support Services on Okta's behalf adopt “Zero Trust” security architectures and that they authenticate via Okta’s IDAM solution for all workplace applications.

While it’s difficult to know for sure, it doesn’t seem like this was actually done given the current breach.

Cloudflare was specifically targeted in both cases once Okta was compromised, which makes sense given how impactful it would be if you could successfully use Okta to gain access to privileged accounts within Cloudflare. In both cases, Cloudflare’s internal security practices prevented the compromise, and in both cases they wrote some good blog posts about how they were able to prevent access.

January, 2022 -

Cloudflare’s investigation of the January 2022 Okta compromise

And October 2023 -

How Cloudflare mitigated yet another Okta compromise

In the October 2023 post, it is clearly much more pointed, and you can see their frustration leaking through, I think with good cause.

Recommendations for Okta

We urge Okta to consider implementing the following best practices, including:

Take any report of compromise seriously and act immediately to limit damage; in this case Okta was first notified on October 2, 2023 by BeyondTrust but the attacker still had access to their support systems at least until October 18, 2023.

Provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them.

Require hardware keys to protect all systems, including third-party support providers.

For a critical security service provider like Okta, we believe following these best practices is table stakes.

On the surface, this may seem harsh, but for an identity provider like Okta, it is absolutely critical that they are following the strictest security standards, and they can’t cut corners at all. If an attacker is able to compromise an identity provider like that, that’s essentially the keys to the kingdom. Cloudflare is right, Okta absolutely needs to do better.

While Okta addresses this directly in their post, honestly it seems a tiny bit tone deaf, and kind of underplays the whole situation -

Tracking Unauthorized Access to Okta's Support System

Unfortunately they spend the majority of the article explaining why it isn’t that big of a deal, then seem to kind of pivot toward “This is why our customers need to be vigilant, and watch for suspicious activity”

Attacks such as this highlight the importance of remaining vigilant and being on the lookout for suspicious activity. We are sharing the following Indicators of Compromise to assist customers who wish to perform their own threat hunting activity. We recommend referring to our previously published advice on how to search System Log for any given suspicious session, user or IP. Please note that the majority of the indicators are commercial VPN nodes according to our enrichment information.

Yes, customers need to be vigilant, and should be looking for suspicious activity, but this was Okta’s fault, not their customers. They need to do a better job of owning up to that, and a better job of communicating. More than anything, they absolutely need to tighten up their security internally. This kind of thing cannot be happening to a company that is built on trust.

Here is BeyondTrust’s article about discovering the compromise - Okta Support Unit Breach

I am a big fan of Okta. Their product is great and in my opinion they are the clear leader in the identity provider space, which is becoming more crucial for companies as a core pillar of your cybersecurity posture. But the more this kind of thing happens, it’s difficult to trust them, and without trust, it won’t really matter how good the product is.

Blog post - Okta Support System incident and 1Password

While it looks like 1Password was able to shut this down during the recon phase, and seemingly nearly immediately, and confirm that none of their internal systems or customer systems were accessed, this reiterates why companies like Okta need to be as bullet proof as possible. If an attacker was able to compromise Okta, then compromise companies like Cloudflare or 1Password, there is an unbelievable amount of damage that could be done.

Blog Post - Okta’s Latest Security Breach Is Haunted by the Ghost of Incidents Past

Jake Williams (a former NSA hacker) seems to echo the sentiment I was trying to convey about Okta's blog post -

“Okta's suggestion—that somehow the customer must be responsible for stripping session tokens from the files they specifically request for troubleshooting purposes—is absurd,” he says. “That's like handing a knife to a toddler and then blaming the toddler for bleeding.”

Links

Build the Life You Want

Tue, 17 Oct 2023 03:00:28 GMT

I was recommended this podcast episode the other day, and quite liked it. It's from The Happiness Lab, and I thought it had some great insights in to what actually makes us happy.

They talk about the book, Build the Life You Want, which I definitely plan on reading in the near future.

Build the Life You Want… Advice from Arthur Brooks and Oprah

Links

https://www.pushkin.fm/podcasts/the-happiness-lab-with-dr-laurie-santos/build-the-life-you-want-advice-from-arthur-brooks-and-oprah

Steve Jobs 2023

Sat, 07 Oct 2023 21:36:07 GMT

This past week marked 12 years since Steve Jobs passed away. Steve had an amazing mind, and an incredibly unique outlook on the world. He personally meant a lot to me, and inspired much of my life. I was working at Apple when he passed away, and the memorial we held within the company was truly one of the more meaningful experiences of my life, and I like to reflect on it around this time.

I have posted these before, but there are a few things that I like to read through or think about. First, if you haven't checked out the Steve Jobs Archive, there is a lot of great stuff there -

Steve Jobs Archive

Next, I watch this about once a year - This is the commencement speech that Steve towards the end of his life, and it has been incredibly influential in my life.

Steve Jobs - Stanford Commencement Speech

Image credit - Basic Apple Guy Mastodon

Links

Cars and Data Privacy - Follow Up

Sat, 07 Oct 2023 15:09:23 GMT

In a recent post, I discussed cars and data privacy - Cars and Data Privacy, but since then, Mozilla has published a far more detailed and in depth report about how truly awful the privacy of modern cars really is.

Some key points from the article -

Car brand collect too much personal data - Every car brand collects more personal data than is necessary, and they use it for reasons that have nothing to do with the operation of the car.
Most car brands share or sell your data - 84% of car brands can share your personal data, and 76% can sell it. 56% share it with the government.
Drives have essentially no control over their personal data. 2 car brands in Europe have some control in place for individuals, but none of them outside of Europe have any ability for the driver to control their own data.
Car brands have a poor security and privacy track record - 68% of car brands have had leaks, hacks, and breaches in the last 3 years.

It is absolutely worth reading the whole article by Mozilla. It's extremely concerning to me and we need to get some meaningful regulation in place.

Here's the article from Mozilla - It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy

I think there are a few absolutely minimum items we need to legislate on -

Our data needs to be our data. Companies need to get permission to gather and especially to sell our data.
The only exception should be data gathered for the use of the product itself, and there should be strict regulation in place that puts the burden on companies to prove that they need data, not on individuals to try to prove that data is misused. Companies should face heavy penalties if that data is sold or used for targeted advertising in any way.
You should have the right to see what data is gathered about you, and if it's anonymized in any way, how that works, so that it can be audited by security and privacy professionals.
You should have a right to be forgotten by these companies.

I'm sure there is a lot more to do, but we (in the US anyway) desperately need to get something in place. Reading this about cars is honestly offensive to me, and unlike the normal web in my house where I have lots of tools to try to throw off tracking and protect my privacy, there's absolutely nothing you can do with what your car gathers and then sells about you.

Links

Platformer - It's time to change how we cover Elon Musk

Fri, 11 Aug 2023 02:50:52 GMT

From Casey Newton's Platformer newsletter - It's time to change how we cover Elon Musk

Elon's antics are exhausting. In this newsletter, Casey Newton talks about how it's time for the media to change how it covers Elon, and his constant gaslighting. It's well worth reading if you care about this kind of thing.

Links

https://www.platformer.news/p/its-time-to-change-how-we-cover-elon

Cars and Data Privacy

Wed, 09 Aug 2023 18:22:52 GMT

Most people would be shocked at the amount of information that is gathered and transmitted from cars that we drive around every day. There have already been stories about Tesla employees inappropriately viewing and sharing intimate videos that were recorded without users knowing or consenting. This is obviously an extreme case, but there are constantly huge amounts of data being sent from any modern car.

Cars measure and transmit things like your location, location history, all sorts of telemetry about how you are driving, when the brakes are applied and how hard, seat position, HVAC usage information, information about the media you are playing, and for driver and passenger seats in almost every car (and in some cars all the seats) they even transmit things like the weight of the person sitting in there. We know that companies like Tesla are constantly streaming all of the cameras back to Tesla, but most cars have many cameras now, and it's never clear what they are doing with that data.

They probably (hopefully) do a rudimentary pass at "anonymizing" the data, however, anyone who knows how that has gone on the web knows that any one of those pieces of data could easily be aggregated with other things to pinpoint exactly who it belongs to.

It's not hard to imagine a scenario where this massive amount of data is kept by car companies and is compromised by a malicious actor, and used to significantly enrich other compromised data, allowing for impersonation or even extremely targeted phishing campaigns.

Possibly less obvious, but arguably just as upsetting, there's nothing stopping these car companies from selling all that data to other data aggregators who can then sell it to law enforcement, social media apps, online advertisers, or really anyone who wants to pay for the data. Coupled with all the other data that is collected about you, they can add to their ever-growing live feed of exactly what you are doing any time. Hell, why not sell that info to your insurance company so they can comb through your data and find any nit-picky reason they want to either charge you more for your insurance, or deny any claims they feel like?

The Record asks if it's time to regulate this industry - As cars hoover up more and more driver data, is it time to regulate the industry?

I would say it's far past time to do so. As it stands, they don't have to tell you what they are collecting about you. You also have no say in it. There's no way to "opt out" of this, other than buy a car from before all this telemetry was being collected, which is not a real solution.

On another level, I feel like if we are the people generating valuable data, we should get something out of it. This is a pipe dream and half meant as a joke, but it is messed up that there are multi-billion dollar companies that make ALL their money off of surveillance on all of us (There are several good books and articles about "Surveillance Capitalism" out there that I recommend reading), yet we are the ones creating the value. They want us to feel like we are the customer, but we're the product, and we aren't compensated at all for that "privilege."

More than anything it is far past time for strict laws giving people more control over their own privacy, and choice over how OUR data is being used. I don't really believe that we should be paid to allow surveillance. That leads to a bad place, but it is meant as an illustration of the bigger problem of data. We need it codified that it is even OUR data (which right now it kind of... isn't.), and then we need laws in place allowing us to choose how that is or more importantly isn't being used.

Links

https://therecord.media/connected-cars-hoover-up-data

Google Firebase Dynamic Links Killed

Sun, 06 Aug 2023 09:10:51 GMT

Yet another pretty widely used Google product that is being killed off...

Is it a huge deal? Probably not, but every one of these erodes confidence in Google's platforms.

Google Shutting down Firebase Dynamic Links

Links

https://blog.pragmaticengineer.com/google-shutting-down-firebase-dynamic-links/

Google AR Software Lead Leaving

Tue, 11 Jul 2023 10:22:02 GMT

"Google’s unstable commitment and vision"

Google? Unstable commitment and vision? You don't say...

Google’s AR software leader is out over the company’s ‘unstable commitment and vision’

Links

https://www.theverge.com/2023/7/10/23790393/google-ar-software-leader-mark-lucovsky-project-iris

Reddit Shit Show

Fri, 30 Jun 2023 04:14:02 GMT

Reddit is losing it’s mind

Anyone paying attention to tech news over the last couple months has probably seen Reddit decide to follow the shit show of Twitter. In short, earlier this year, Reddit told it’s API users (which had been offered for free for years), that it would begin charging for API usage. I don’t think any reasonable person who understands how all this works thinks that’s unreasonable, and many app developers who build Reddit apps agreed that was totally fine. Reddit even specifically said it would not make any drastic changes, and any changes they did make would roll out over the coming years. Well, they (seemingly primarily the CEO, Steve Huffman) changed their minds, and announced incredibly high API fees, and essentially yanked the rug out from under developers by giving them roughly a month before the changes were going to be made.

Why would Reddit do this?

Well I think there are a few parts to that question.

I’ll start with the rational reasons that make sense why they would charge for the API. First, servers and web services cost money to run. If you’re giving that away for free to developers, that is costing you money. You could argue that it is also not generating any profit for you. In literal terms that is true, but one could argue that the content generated by the users on these apps is providing value, which could definitely be an argument about the ROI on providing the API for free, but I get it. You can’t really prove that, or measure how much, etc. So you should at least cover the costs of running the API if you can, and I think that’s reasonable.

Second, Reddit has been rumored to be trying to go public for a couple of years now. So that would be a reason to make costs and income look as good as possible on paper. Ok, also somewhat reasonable I suppose.

Third, I think it’s fairly obvious that Steve is upset that OpenAI and other Large Language Model (LLM) based AI tools which have exploded in the last few months were able to train their models on Reddit essentially for free. To some degree this makes sense as well.

Steve said in an interview recently - "Reddit represents one of the largest data sets of just human beings talking about interesting things… We are not in the business of giving that away for free.” Well… Kind of true. Literally that is what they have been doing, but I get the point. If you have that much data, other companies should not be able to just ingest huge amounts or all of it for free and essentially build a new product off of the data that is in there.

Given the overall reactions, however, it honestly seems like Steve is lashing out because he doesn’t know what he’s doing and was somehow blind sided about how these LLMs used their data.

What happened?

I will post several links that go in to more detail on all of this below, but in short they announced a huge price for the API, and essentially gave developers about a month notice about the change. This is effectively killing off 3rd party Reddit apps with extremely little notice, after essentially lying about what they were going to do, and when they were going to do it. How do we know they were lying? Well one of the most publicized apps being killed off is Apollo (My personal favorite Reddit app), made by Christian Selig, and he happened to record all of the interactions, and has recently posted about it. It’s a lot, but it’s pretty wild, and I think worth reading - https://gist.github.com/christianselig/449b0bd374167ff7335fab2b823120ef

At this point, it could have just been an awful PR execution of the changes that they were going to make, and a competent and mature executive would just swallow their pride, admit that it was handled poorly, clarify what they are trying to do, and try to minimize the PR damage. That is definitely not what Steve did. He continues to double down on just being an asshole about this.

Reddit CEO Steve Huffman isn’t backing down: our full interview

Jay Peters Interviews Reddit CEO Steve Huffman for The Verge

Reddit CEO tells employees that subreddit blackout ‘will pass’

They also seemingly started doubling down on just lying to everyone too. Moderators of several subreddits decided to protest the way things have been handled by changing popular subreddits to private, or marking them as NSFW, specifically because Reddit doesn’t put ads on NSFW subreddits. Reddit said they would not be overruling the mods on these decisions -

Reddit goes dark

Reddit communities with millions of followers plan to extend the blackout indefinitely

Reddit says it won’t overrule mods and force subreddits back open (but will it?)

But that didn’t last long -

Reddit is telling protesting mods their communities ‘will not’ stay private

Reddit will remove mods of private communities unless they reopen

Reddit starts removing moderators behind the latest protests

Community Value

Beyond the 3rd party apps, another absolutely tone deaf aspect of Steve’s responses is how clear it is that he doesn’t understand the actual value of Reddit. Reddit’s website is a cluttered and slow mess, and their first party app is a dumpster fire. So why is Reddit so important on the internet? It’s because of the communities. There are a lot of awful subreddits to be sure, but there are also a lot of extremely good and valuable ones. People spend a lot of time creating content on these, and the moderators of these subreddits deal with an unbelievable amount of work curating these, making the subreddits as good as they can be. The users and the moderators do all of this for free. Without this content, Reddit is nothing. Steve’s comments throughout this process make it clear he only cares about making money, not about cultivating these communities.

Reddit should have been clear

This all doesn’t make sense to me because it all just seems like an unforced error. If they had just been clear about what they were trying to do, this all would have been a much smaller deal. I’m personally upset because I love using Apollo, and the Reddit app is not something I’m going to use, but if they had just come out and said that they weren’t going to allow 3rd party clients, we’d be upset but whatever. It’s their right to do that, so if that’s what they wanted they can do that.

Alternatively, they could require 3rd party apps serve ads or pay more for ad-free. Hell, they could even require that users be part of Reddit premium in order to use 3rd party apps. There are lots of ways they could have made this work, but they were clearly not interested.

To put a nice little bow on everything, it’s clear where Steve’s inspiration is coming from…

Reddit CEO praises Elon Musk’s cost-cutting as protests rock platform

Links

Google Domains Continued

Mon, 26 Jun 2023 04:16:42 GMT

On this week's free edition of The Pragmatic Engineer newsletter, Gergely discusses some other points about Google Domains shutting down that I hadn't even thought about, but they are excellent points.

Google Domains to shut down

He also mentions that Google is also shutting down the Google Cloud specific Google Domains, which is so strange to me. I honestly don't understand what Google is doing here...

Link to my first post on this - Google Domains

Links

AI Regulations

Wed, 21 Jun 2023 03:06:02 GMT

I am not quite as optimistic as John Gruber in this. I do think we need AI regulation and that it will be a big problem in the next few years.

Regulation for Thee, but Not for Me

I’m optimistic about many of the benefits it will bring and I actually think Open AI and Sam Altman have been saying a lot of good things about the dangers as well as curbing some expectations or what AI can to. But it seems to me like allowing these companies to help write the regulations would be like asking tobacco companies how they should be regulated. Or asking oil companies what they think about environmental protections.

Yes, I know big companies lobby their way in to these all the time, but it’s hard to see any good outcomes that has ever had. Unfortunately it’s a broken process in a broken system.

Links

https://daringfireball.net/linked/2023/06/20/regulation-altman

Google Domains

Tue, 20 Jun 2023 05:25:48 GMT

At this point, it seems like Google just can’t help themselves. They just love killing products.

It’s hard to know what else to say that I haven’t already covered in other posts, but somehow they still surprise me. This week, Google announced that they are selling their Google Domains to Squarespace.

Google Domains is yet another useful service to get the ax in favor of “focus”“

Google sunsets Domains business and shovels it off to Squarespace

Listen, some products it makes sense for them to kill off. Honestly if you go read Google Graveyard’s website, most people wouldn’t have ever even heard of most of them. And I completely understand that you can’t be good at too many products. Apple is a company that for the most part is really good at staying focused on what they do well (though there are definitely some areas I could complain about, I’ll leave that for another time. I think overall they do an excellent job at focus, particularly for their size). But with Google, I don’t think there’s any evidence of focus going on. Look at their constantly changing absolute cluster f*** of messaging apps, just as one particularly messy example - A very brief history of every Google messaging app

To me, it seems obvious where Google should be focusing, and they even say similar things from time to time. Google Workspace and Google Cloud Platform are 2 of the biggest areas they should be razor focused on right now, I’d say even more than ever given that they essentially squandered their huge lead in AI. First and foremost, Google is an internet services company. As such, domain registration and DNS should be absolutely key. For years we used Amazon’s Route 53, which despite being more complicated than I feel like it needs to be, it was rock solid, very developer minded, and had all the dials and knobs you would ever want to use when doing public DNS routing. Google Domains was more customer focused, but it seemed for a while like Google was slowly getting their heads out of their a**es in that regard with Google Cloud Domains, which unfortunately to this day is still pretty half baked for many use cases.

To be fair, I’m not clear on whether this sale includes Google Cloud Domains, or if this is literally just the “consumer” portion of Google Domains, but regardless it reiterates the notion that Google will kill any product any time because they can’t focus, and that makes it really hard to rely on them as a business. This frustrates me so much because I really like most of the products Google makes. They truly are one of the best (I would argue THE best) at planet scale infrastructure, and web applications. Somehow translating that enormous amount of talent, engineering, technology, footprint, etc. in to products people can rely on has been a struggle.

I could go on about this, but at the end of the day, there’s yet another really great product that I recommended to people that is being killed off for reasons that make no sense to me. I’m sure it wasn’t a huge money maker for them, but I also know that they have a serious reputation problem and every one of these is making that worse. They really need to get their shit together over there or other companies are going to keep chipping away at their dominance. If they can lose the lead in AI, they can lose their lead in anything they are doing.

For the record, I have moved all of my personal domains (and the customers I work with) over to Cloudflare, both for DNS records and for domain registration. I have been and continue to be very impressed with Cloudflare as a company and their products, and they do not mark up domain costs, which is very nice as well. It’s not the most user friendly registrar for someone who doesn’t understand DNS (I’d say “consumer” in this case), but it’s pretty straight forward compared to things like Route 53, and extremely powerful.

Also, I do want to state that I quite like Squarespace. I have done several websites with them and will likely continue to do so in the future. I just don’t like this move, and I don’t particularly like having the domain name and website in the same place. I don’t know what Squarespace is planning on doing with this purchase but to date they also don’t have great DNS settings. I hope that changes, but regardless, I don’t blame Squarespace in this scenario.

Links

Twitter, then Reddit

Sun, 11 Jun 2023 23:17:37 GMT

It’s been rough for 3rd party social media apps made by small developers lately. First Twitter effectively killed 3rd party apps, and now Reddit is effectively doing the same. At the time, the way Twitter handled the situation seemed like it couldn’t have been handled any more poorly, and while that is probably still the case, Reddit decided to sure give them a run for their money.

To some degree, I think everyone knew Twitter would do this with the new ownership in place, though it’s hard to think anyone would have predicted how poorly it was communicated and executed, I hardly think anything outside the timing and actual execution was surprising. Reddit, on the other hand, had always been pretty open to working with developers. Well, that certainly didn’t last.

A few months ago, Reddit started reaching out to developers about some API changes they were going to be making, primarily around starting to charge for previously free APIs. This seems to me to be in response to the recent explosion of LLM chat apps that have been trained on public internet data, including most social media sites, though I’m not sure Reddit ever explicitly said that this was why. While kind of a bummer, I think it’s reasonable to charge for API usage. The developer of my favorite Reddit app, Apollo, seemed to feel the same way. In several posts on Reddit and Mastodon, he was open to the idea of reasonably priced API calls, even though he may need to restrict his app a bit and possibly only allow it for higher tier plans to account for the cost. He was even assured multiple times by people at Reddit that they intended to work together on pricing that was reasonable. Unfortunately once the pricing was announced it was absurdly high. For Apollo specifically, the cost at the new rate would be somewhere around $20 Million per year -

A developer says Reddit could charge him $20 million a year to keep his app working

This is insane. To me it’s clear that they are just trying to kill off 3rd party apps, and possibly try to cash in on AI companies training their data. There’s no way those companies will pay that, so I think it’s clear they are just trying to block them from doing so. But if they just wanted to stop AI companies from training their data, or even somehow if they think they would actually pay that price, they could have just changed their developer guidelines specifically for training data, and either deny it or specifically have a different pricing structure for that.

Additionally, if their goal was to kill 3rd party Reddit apps, why not just say that? Instead their CEO essentially went on a smear campaign against Apollo and the developer making it in a bizarre series of posts on Reddit. Christian, the developer of Apollo, luckily chronicled all of the conversations he has been having with Reddit and it’s quite the ride.

Reddit’s CEO for some reason decided to do an AMA which… I’m not even sure what to say about it. It was a train wreck. I’m not sure why he would think it was a good idea to do in the first place, but then he acted like an angry child in many of his responses. At best, he would dodge the questions, and at worst he would double down on smearing Apollo for some reason, even though Christian produced specific evidence to the contrary.

📣 Apollo will close down on June 30th. Reddit’s recent decisions and actions have unfortunately made it impossible for Apollo to continue. Thank you so, so much for all the support over the years. ❤️

Many people on social media pulled out some of the best / worst responses during the AMA. For example -

Reddit communities should go dark to demand this guy leaves. This is some of the most incompetent management I’ve seen.

Regardless, it’s frustrating to me that two of my absolute all time favorite apps are being killed off by the social media companies that they connect to. Tweetbot for Twitter and Apollo for Reddit were both fantastic apps that made the toxic services they connect to actually tolerable to use. I stopped using Twitter and I will stop using Reddit now as well. I know it won’t make a difference but I don’t want to support companies that do shit like that.

To be clear, I am all in support of paying for services like this. A fair API price is not a problem, and I would have paid more for either app to support those changes. Hell, if Twitter had just required Twitter blue to use the API or if Reddit did the same with whatever the hell their paid version is, I may have done that. But this back handed bullshit is not ok. If you want to kill off 3rd party apps, just say it. Don’t pull this chicken shit jerking people around.

Links

Mimestream

Tue, 30 May 2023 23:12:13 GMT

Apple Mail is a mess under load

I am a big fan of Google Workspace and Gmail in general. Once you get used to how Google manages email, it can really help you plow through email quickly and efficiently, particularly if you use keyboard shortcuts, and once you get used to how Labels work.

Plus, as a bonus, it’s not Microsoft! 😆

Years ago I was a fan of using Apple Mail both on iOS and macOS, but as the years went on and I got more email, it started choking all the time. New messages would stop coming through until I quit and re-launched the app, or *maybe***** they would come through 15+ minutes after they actually came through. It also just always fought with how Google does things, and I got tired of it.

I primarily went to using Chrome and had Gmail in a pinned tab. It worked much better than Apple Mail, but it didn’t have native notifications or anything like that, so it was… fine.

I tried Superhuman for a few months, and it had a lot of advantages. I could go even faster through email, and their iOS app was WAY better than Google’s for organizing mail, but it is very pricey.

Mimestream

I signed up for the beta of Mimestream almost 2 years ago, and it has been making steady progress ever since then. Honestly the whole time I’ve used it in beta, it has been rock solid. There was one release (which I believe was actually a change macOS made) that crashed the app periodically, but they fixed that within a day.

On May 22, the 1.0 version was announced, and I’m extremely happy with it.

I expected once they launched 1.0 that it would essentially be saying “this is stable enough now that we feel comfortable charging for it and supporting it” but of course they added several new features as part of 1.0.

Here is the blog post announcing it, along with the new 1.0 features -

What’s new in Mimestream 1.0?

I always enjoyed the aesthetics of Apple Mail, I just couldn’t reliably use it. Mimestream to me combines the best of Apple Mail, but uses modern Google API’s to directly talk to Google rather than using IMAP, which is always a bit flaky, and not that secure by modern standards. The result is a MUCH faster, solid way to connect to Google mail accounts. Since it is integrating with Google, they added other Google API integrations such as Contacts, Calendar, and as part of 1.0 you can now integrate with several Google settings directly as well.

Direct Google integration allows for things like server-side filters / mail rules, vacation settings, and more. This means you can set those in Mimestream, but unlike Apple mail, they will work on messages no matter when they come in, and whether or not your computer is online at the moment, which is fantastic. Additionally, whatever you have your signature set to in Gmail, it will automatically show up in Mimestream and vice versa. Trying to do this in Apple Mail is… not easy, and pretty fragile.

Another feature that is a game changer for me is that you can choose whether you want to use the same keyboard shortcuts Apple Mail uses, or you can use the same ones Gmail uses. Years ago I was used to the Apple ones but in the years since then I have become completely used to the Gmail keyboard shortcuts. It would be very difficult to unlearn that muscle memory at this point, and I can’t sort email nearly as efficiently without keyboard shortcuts.

I think Mimestream is the perfect combination of being all the benefits of being a native Mac-Assed Mac App, as well as the benefits of a truly great web service (which Apple is not great at).

Price

The price may be a sticking point for some people, but so much of my professional life relies on email that it was a no brainer for me. It’s either $5 a month or $50 per year, but there’s a 40% discount for the first year as a launch special. For me I am thrilled to pay it. I want to support the development of amazing apps like this and I know they have big future plans for this, including an iOS app which I’m really looking forward to.

Here’s an article over on TidBITS that goes through why they like Mimestream and a lot more detail about the app itself -

Why I Use Mimestream for Gmail - TidBITS

Links

AI Reading Tools

Fri, 28 Apr 2023 08:06:02 GMT

There are a million different stories about all the new AI tools based on large language models (LLMs) and all the things they are able to do, ChatGPT being the most popular one recently.

I have been using AI tools a lot more recently, as I’ve written before but I wanted to call out a couple of specific apps I use a lot and how they have implemented these models in extremely useful ways.

For me, one of the most immediately useful things these models seem to do quite well is being able to summarize documents, articles, etc. and even provide the ability to ask questions about the document. Two reading apps I use a TON have implemented AI, and it nearly immediately became invaluable to me.

First, the “read later” app that I use is called Reader, by Readwise.

Readwise Reader: The first read-it-later app built for power readers.

I think it’s an excellent app, and I also use Readwise to highlight and clip things that I read, and their reader app is really well integrated with that. I also sync those highlights to Notion, which is also great. Reader has a feature called “ghost reader” which allows you to “ask the document a question”, “summarize the document”, “generate thought-provoking questions”, or “generate Q&A pairs based on your highlights.”

I frequently use the first two options, and they have been great for me. I have tried the other options and they do a surprisingly good job, I just don’t have the need for them quite as often.

Another reading app I use is called Artifact, and they just launched some summarization tools as well.

Artifact - Broken link removed

Artifact is a personalized news app that I have found to be very good, and they just added AI powered summaries as well.

They added some funny options as well, including a Gen Z mode and a Summarize this article in Emoji. Both made me laugh pretty hard when I was trying them out.

Summaries Tool, Now in Artifact

Links

iPhone Audio Message - Save Location

Fri, 21 Apr 2023 03:31:53 GMT

My family has recently been sending more audio messages to each other than we ever previously did, as my daughter has been making up a lot of songs lately, and we like sharing them with each other.

My parents asked me where those go when you save them from Messages, and I realized I didn't actually know the answer. I started searching around the internet, and there is a TON of garbage articles out there that are 1. wrong, and 2. usually trying to sell you some scammy iPhone recovery utility.

So here you go - They save to voice memos. Why? I'm not entirely sure, but that's where they seem to go.

Steve Jobs - Make Something Wonderful

Sat, 15 Apr 2023 09:00:38 GMT

The Steve Jobs Archive recently released a book that has a collection of some of Steve's speeches, interviews, and emails. I find Steve incredibly inspiring and thought this was a great read. It is available for free as an Apple book or in ePub format on the Steve Jobs archive website.

Steve Jobs Archive

Links

https://stevejobsarchive.com/

Set up Okta SSO with Meraki and multiple SAML roles

Sat, 15 Apr 2023 08:49:42 GMT

I wanted to quickly write a post about how we used Okta internally to set up Cisco Meraki SSO, because in our use case, none of the documentation I could find actually worked the way we wanted to use this. It seems like it should be a pretty common use case, at least for MSPs, so I wanted to write up the details on how we got it to work.

First, a little bit of background. We are a Managed Service Provider (MSP), so we help fully manage several customers IT infrastructure, including their Cisco Meraki networks, which is our preferred vendor to work with. We also have different roles within our org, which need different levels of access when we log in to our networking equipment.

Many Single Sign On (SSO) integrations essentially match up your username, typically an email, to a user that is in the system, and then that username is assigned roles (like super admin, partial admin, or read only, etc.) either directly or through a group that they are in. More advanced implementations can actually provision new users or groups on the fly from the SSO provider, such as Okta. Cisco Meraki does not do it this way, in fact SSO will not work correctly if your username conflicts with a username that is already in the Cisco Meraki dashboard. Instead, you set up roles as a user attribute which gets passed along in the SSO request, and then grants the access to the user based on that role that is passed through.

If you only have one role in your organization, this is pretty easy to set up in Okta. You can use the pre-built Cisco Meraki Okta app, and follow the instructions provided by Okta. During the setup process, Okta provides a specific field called SAML administrator role. Simply put your SAML role that you set up in the Meraki dashboard, along with the other necessary information, and you’re good to go in a few minutes.

But what if you have different users that need different roles? We needed this, and I also didn’t want to have a conflict for users that have regular accounts in Cisco Meraki dashboard. We have a couple of users that need to use the Cisco Meraki API, which you can only generate with a regular user account, and not a SAML SSO login. You certainly could create new accounts that use email aliases or something like that, then have the SSO pass through the primary email and it would work fine, but ideally I didn’t want to have any conflicts and didn’t really want to re-do our regular accounts and API keys, etc.

So rather than using the built in Okta Cisco Meraki application, I decided to just create a custom SAML app, and see if I could get it working that way. I will assume for the sake of this post that you already know how to create a custom SAML app in Okta.

First, I created a custom profile attribute in the Okta directory where I can store the SAML role that I want to assign to specific users. I called the attribute Meraki Administrator Role with a variable name of adminRole.

In the first section, I added the SSO URL and Audience URI (you can follow Cisco Meraki’s documentation on these), but rather than passing email through as the Application Username, like the pre-built app integration does, I pass through the Okta Username prefix, which solves the conflict issue.

Next, under the Attribute Statements (Optional), I added the following fields to match up with what Cisco Meraki is expecting in a SAML request.

Name -

https://dashboard.meraki.com/saml/attributes/role

Name Format -

Unspecified

Value - (the adminRole is coming from the custom profile attribute from above)

user.adminRole

And a second Attribute Statement with

Name -

https://dashboard.meraki.com/saml/attributes/username

Name Format -

Unspecified

Value -

user.firstName

With this all set, I added the SAML role from the Meraki dashboard that we set up to everyone’s user profile, assigned the app, and it worked great!

Links

Google Kills More Products

Sat, 15 Apr 2023 08:07:08 GMT

Google will shut down Dropcam and Nest Secure in 2024

Google has announced, yet again, that they are killing off products. Earlier this month, Google announced that Nest Secure, and the old Dropcam devices will stop working altogether.

Dropcam cameras have been around and working for a very long time, so to some degree I don’t think this is a huge deal. You can’t realistically support cloud based hardware forever, though I also understand that some people will be frustrated by this. It’s frustrating when you have fully functional hardware and it just stops working at some point because the company behind it stops supporting it. You can’t help but feel like it’s a little bit of a bait and switch, even though the reality is that it’s not possible or reasonable to support something like that indefinitely.

While I wish I was surprised by the Nest Secure being killed off too, the writing was on the wall when they discontinued it fairly abruptly shortly after selling it.

The Nest Secure is a great product. It looks really nice and works really well. When it launched it had even better functionality too. It integrates really well with the other Nest products, has a built in battery so that it can function for some time even if the power goes out, and initially had a cellular connection that could be used to alert authorities even if the internet was out. There was a small subscription fee to keep the cellular working but otherwise this all worked without a subscription.

On top of the built in Nest controls, I also have a Starling Home hub (which I highly recommend if you have Google home or Nest products and you’re an Apple house), which let me automate certain functions using Apple’s Shortcuts. For instance, every night at a certain time, the alarm arms itself, then in the morning it disarms itself shortly before we all wake up. It also disarms the alarm automatically when you put in the code on the front door lock. It’s all very handy and has worked extremely well.

Around the same time, Google announced that they are essentially killing off support for 3rd party smart displays. There have been some pretty good ones over the years, and I was close to getting one a couple of times.

Google cuts off third-party smart displays as Assistant support dwindles

Its honestly a joke how often Google wildly shifts directions and kills off products, often ones that are very popular. None of these announcements are terribly surprising unfortunately, and they probably make financial sense for Google, but this just continues to feed the legitimate concerns about relying on Google for anything, particularly if it’s important.

I really like a lot of what Google does. They are honestly the world leader in web based applications and services, and obviously Chrome is enormously successful. But how many times do customers need to be burned by Google before they don’t take them seriously as an option? I’m coming from the standpoint of being a big fan of most of what they do, but honestly at this point I am hesitant to invest more in to the ecosystem. I invested in Nest because I genuinely think they did (and still do for the most part) a better job than their competitors. But when the life of the product is so wildly unpredictable, it is extremely frustrating.

I think this is a serious problem for Google, but I’m not sure how they are ever going to change. It’s a culture issue at this point, but honestly I think it is costing them probably billions of dollars on lost opportunities because they can’t be relied on. It’s not about the specific products, it’s about trust in the brand, and that’s going to be extremely difficult to regain.

Links

Mastodon Verification with Hugo and Cloudflare Pages

Sun, 02 Apr 2023 22:30:20 GMT

I run my blog on Cloudflare Pages, using Hugo to generate the specific static pages. I recently set up my own Mastodon server with my own domain as well, at barnes.social, and I wanted to verify my blogs website on my Mastodon account. It wasn’t immediately obvious to me how to do that, so I thought I would write out what I ended up needing to do.

In a Hugo-generated website, you'll typically add the rel="me" link to one of the template files in the layouts folder. The specific file depends on your site's structure and theme.

Here are some common places to add the rel="me" link:

layouts/partials/header.html or layouts/partials/head.html: Add the rel="me" link in the header section, which will include it on every page.
layouts/partials/footer.html: Add the rel="me" link in the footer section, which will include it on every page.
layouts/partials/sidebar.html or layouts/partials/navigation.html: Add the rel="me" link to a sidebar or navigation menu, which will typically include it on every page.

If you are using a theme, you may need to copy the relevant file from the theme's layouts folder (for instance., themes/your-theme/layouts/partials/header.html) to your site's layouts folder (for instance, layouts/partials/header.html) before making the changes. This will ensure you're modifying your site's layout, not the theme's default layout.

Once you've located the appropriate file, add the rel="me" link, which can be found on your Mastodon account. It will look similar to this:

<a href="https://your-mastodon-instance.example/@yourusername" rel="me">My Mastodon Profile</a>

Replace your-mastodon-instance.example with your Mastodon instance's domain, and @yourusername with your Mastodon username.

It can take a few minutes for the verification to happen, and unfortunately there’s no way (that I could find anyway) to manually tell your account or server to check now, however it seemed to take only a couple of minutes.

Links

https://your-mastodon-instance.example/@yourusername"

Tailscale Apple Shortcuts

Thu, 26 Jan 2023 02:26:08 GMT

I've written about Tailscale before, but it is a very cool product that creates a custom WireGuard VPN between whatever you need, and is a great tool.

Yesterday they updated their app with some Apple Shortcuts, and wrote a great post about how you could potentially use them. Definitely worth checking out -

Tailscale actions for iOS and macOS Shortcuts

Links

https://tailscale.com/blog/ios-macos-shortcuts/

Ivory

Thu, 26 Jan 2023 02:03:54 GMT

I don't have the energy to do a play by play of all of the Twitter drama, but last week they decided to officially make it a rule to disallow 3rd party apps that imitate Twitter's own functionality. While I understand the decision, in Twitter / Elon fashion, they did not communicate it, they just yanked the cord on everyone with no warning and over a week before there was any explanation.

Regardless, I can't stand using the actual Twitter app, and I'm just getting tired of all the bullshit going on over there.

I started using Mastodon a couple of months ago, and I will say the app that you use to access Mastodon makes a big difference in the experience. Luckily the team at Tapbots that made Tweetbot, my preferred Twitter client, have been working on a Mastodon client, which just came out yesterday. If you've wanted to give Mastodon a try, I'd highly recommend checking out this app.

Links

https://tapbots.com/ivory/

Mastodon Tipping Point

Wed, 28 Dec 2022 05:03:30 GMT

Today was a bit of a personal tipping point for my personal use of Mastodon. I have always been a bit of a timeline completionist, regardless the platform, which is why I use apps like Tweetbot and now Ivory (currently in alpha testing).

Today was the first time where I opened up Twitter and Mastodon, and actually had more content to read through in Mastodon than Twitter.

Regardless of people's thoughts on whether Mastodon is good or not (there are plenty of opinions both ways), it all doesn't really matter too much if no one ends up using it. For me, I really liked Google Plus when that came out back in the day. I thought they had a lot of fantastic ideas that were better, and still are better, than any other social media out there today. But it didn't particularly matter because people never used it, so it never gained traction anywhere.

Mastodon is a little different. The nature of the way it's built probably means that it will never go away, but if people don't use it, it may stall out and never really grow in to anything.

So far I really like it. A good 3rd party app dramatically improves the experience in my opinion, so I hope more of them become available more widely soon.

Who knows if it means anything, but for my timelines, I thought it was quite interesting.

Mastodon Verification - ARCHIVE

Wed, 28 Dec 2022 00:39:35 GMT

I have recently started to use Mastodon more than Twitter. I'm sure I don't need to explain why.

I will post later some more in depth thoughts about Mastodon, but in general I am enjoying it. One nice thing Mastodon does is that it allows you to add your own personal websites to your bio, and then provides a method of verifying that you are the owner of that site. For instance, my Mastodon account has https://barnes.tech and is now verified that I'm the owner. I didn't need to pay anything for any check marks, and unlike Twitter, it's actually verifying something about me and a domain I own!

Typically this is extremely easy to do. Mastodon provides a small link that you can provide in the header of your site and whatever Mastodon server you on will be able to reach out and verify ownership based on that. However, my blog is built as a static website with Hugo on top of Cloudflare Pages. I will do a more in-depth about how I do this in the future, but it essentially runs serverlessly on Cloudflare's infrastructure as a static website, so it loads SUPER fast. I am able to build my blogs in simple markdown files in a "blog" folder, and then as soon as I commit the changes to GitHub, the whole website rebuilds itself (and only takes about 10 seconds). It's really cool.

The only problem is I wasn't sure how to add the link to verify my page with how Hugo templates work. This is probably something pretty easy for someone who really understands all the plumbing going on in Hugo, but that person is not me.

I stared by doing what everyone does, and Googling it. The results were not great. There are lots of unrelated articles about how to verify a Mastodon server with your website (but does not include Hugo sites) and some results about Hugo sites (without any information about verifying them with Hugo). Not super helpful.

I've been doing what every nerd on the internet has been doing for the last few weeks, playing with OpenAI's Chat bot, and I've been kind of blown away by how good it can be. Sure, at times it's laughably wrong, and countless people on the internet have written about how inaccurate it can be with some of it's answers, however everyone is writing this because of how creepy good it is most of the time. It's almost like they are bargaining with themselves by telling themselves that this isn't a huge leap forward in AI. Again, I will write another post to go in to more detail on my thoughts on this, as well as some links from both sides of the argument, but it's pretty indisputable how good it can be a lot of the time.

I didn't think it would be a huge amount of help with this, but as I've been doing a lot lately, I figured I'd ask and if nothing else, I'd maybe get a laugh out of it's response. But it actually completely answered me, and correctly, and now my site is verified on Mastodon. Here's how the exchange went -

Wow. Well that's a lot closer to what I was looking for, but not quite there. It gives me a good detailed explanation of how to verify the site in general, with a better answer than I get from Googling anything, but I need to know how to do this specifically in Hugo.

Well there you go. That gets super specific about Hugo. But let me play dumb for a minute. I found the head file that this was referring to, and I assume that's where I add this link, but let's keep going down this rabbit hole.

Well there you have it. That's exactly where it is. I went and added the link to my head file, and within seconds, I was verified.

Super cool, but a little freaky.

Links

Free Speech

Mon, 19 Dec 2022 04:01:30 GMT

I found this substack article today that I thought was exceptionally well written about Free Speech. This is an increasingly weaponized term, which is relevant given the social media shitstorm going on right now.

I'm inferring this, but he seems to take a slightly more optimistic take than I would and seems to believe that the main problem is that people don't quite understand the term Free Speech, and almost seems to think it's just a misunderstanding that is the problem. While I agree there is a big misunderstanding, I believe the weaponization of the term is entirely purposeful and is just a way to manipulate people into being angry so they are more easily manipulated. Maybe he agrees, and that just wasn't the point of this article.

Regardless, I highly recommend giving this a read.

In Defense of Free Speech Pedantry

Links

https://popehat.substack.com/p/in-defense-of-free-speech-pedantry

Social Media - Part 2

Mon, 19 Dec 2022 03:19:30 GMT

I feel it's time to follow up on my other post about social media. I laid out some of my thoughts in my last post

It would take a lot of time to go through all of the specifics of how Twitter has continued to take an almost unbelievable nosedive, but there are a couple of things worth mentioning.

First, Elon decided to start banning all sorts of reporters who reported on him, claiming that they were doxing him. Clearly, this was just his increasingly fragile ego reacting to a situation that personally irritated him. The sheer hypocrisy of what he said about free speech and what he's doing is somewhat sickening, but Tech Dirt did a much better job going into the details of what happened and why it's bad than I could. I do want to note, though, that if Twitter had actually ever put as much effort into protecting marginalized people as it has in the last week protecting Space Karen's Twitter feed, it would be a far safer and happier platform.

At the time, and as mentioned in the Tech Dirt article, it seemed that they were starting to flag Mastodon links as "Malicious". Well, as of today, it is Twitter's "official policy" *

We recognize that many of our users are active on other social media platforms. However, we will no longer allow free promotion of certain social media platforms on Twitter.

— Twitter Support (@TwitterSupport) December 18, 2022

Here's a screenshot just in case the tweet disappears.

I have not decided what I am personally going to do yet, but I am not ok supporting Twitter as a platform anymore. I also don't know exactly what that means. I for sure will not participate in any of the advertising, and although I didn't post a ton historically, I don't particularly want to feed the content machine in any way either. I will likely just let my account sit, as is, and just stop using it.

I'm under no illusion that me participating or not participating makes any difference at all to these platforms, but it's also pretty much the only thing I can do.

I'm trying out Mastodon right now. I may spin up my own server just to see what it's like, and to mess around with it more. The Mastodon clients are not terribly polished right now, but that's ok. It feels like Twitter from years ago where there is a sense of optimism and even a small amount of excitement. Bonus that it's not run by a want-to-be fascist.

If you feel so inclined, my main account is @robby@barnes.social. I will update this post if I set up my own server and change that name.

Updated Mastodon link since I moved servers

Links

Apple and Advertising

Sat, 05 Nov 2022 22:13:33 GMT

As many people have noticed, and many people have written about, Apple has recently started fairly dramatically increasing the number of advertisements in their products. Apple has had advertisements in the App Store for a long time, but they initially were fairly subtle. They focused initially on high-quality editorial content where a team at Apple would review high-quality apps and recommend them, primarily in the “Today” view. Over the last couple of years, Apple has been adding more paid ad slots, then started sending push notifications for their own “services”, and finally, in the last few weeks have dramatically increased the number of ads across the app store.

To me, this dramatically cheapens and worsens the experiences, and frankly, I think this presents some problems for Apple as a brand and company.

Several sites had reported over the last year, in particular that Apple was posting more jobs about advertising and that they were going to start pushing into the space more and more. I was hopeful that this was primarily an effort in the TV+ space, particularly as they start to get major sports packages. I think it totally makes sense to have ads in those spaces, just like linear TV offers (though given the option, I will always pay more to have no ads), but it appears that it won’t just be limited to TV.

What’s wrong with ads? Well, lots of things. First, I feel like it just cheapens the overall experience and is bad for the brand. I think one of the worst things that has happened to tech in the last couple of decades, and to the internet in general, is the explosion of ad-driven “free to use” products. It has led to many people thinking the products are free and don’t really think about how things are being paid for.

Facebook, Twitter, Google, and even Amazon more recently vacuum up everything they possibly can about users, so they can build profiles about you and sell more expensive advertising targeted at you. People were given free products that they grow to love (or become addicted to) then after people are used to it, these companies slowly turn on the advertising spigot, then it doesn’t take long before they are crammed into every corner of your life.

It shouldn’t be surprising, but companies were purposely misleading to get people on their platforms. Time after time, we are “sold” the idea that we are customers of a product like a social media site and that ads are there to just help keep the lights on. Sometimes they even tell you that you should like ads because they are “personalized” for you. They really mean targeted, and they can do that essentially by essentially spying on everything you do in as many ways as possible to try to make their “profile” of you more accurate, AKA more valuable. The customer is someone who pays for a product, so you aren’t the customer for social media or other “free” online services, the advertisers are. You, the user of the site, are actually the product to be sold, and you essentially have no choice.

Apple has always sold itself as different from that. Apple products are expensive, partially because they are premium products, and partially to make a point clear, you are buying a product, and you are the customer of that product. It’s clear where Apple is making its money, and its priority has been almost always the customer, where its money is directly coming from.

Apple has also been pushing itself as the privacy company. You, the actual customer, should have a choice in your own privacy. Facebook, Amazon, Google, etc. will do everything in their power to track everything about you, and Apple was saying very clearly - “You should have a choice in this, and if you don’t want to be tracked, you should be able to make that choice”. The more choice Apple has given people, the more they choose to not be tracked. You can see this hammering the revenue of companies that rely on tracking (surveillance) revenue.

Several companies and lawmakers started talking about how this seemed anti-competitive, which I previously disagreed with since they were only giving you the choice, in some cases, not to be tracked across apps. I absolutely think everyone should have the right to choose whether they are or not tracked on the internet. But then Apple started pushing more into advertising, and have repeatedly explained that they see it as different when it’s “first party” data instead of “third party” data. That’s when it started getting gross to me.

This is the second problem to me. I am certainly no lawyer, but I don’t see how it possibly couldn’t be considered anti-competitive when you make a move to purposely knee-cap other companies’ advertising businesses, regardless of the reason, then immediately ramp up your own advertising, often in the exact same space.

On top of that, even if there was nothing wrong with any of this that Apple is doing, they are also just bad at it. When Apple launched their more aggressive ads recently, many people noted major issues. If you searched for an app to help with gambling addiction, you would be suggested gambling ads. If you searched for marriage counseling apps it would suggest dating apps, or even thinly veiled adult chat apps. This in addition to the fact that these garbage apps were showing up for other developers who just didn’t want these kinds of ads showing up next to their app. More info here, from Fast Company. It’s (historically at least) rare for Apple to be this tone-deaf with a product.

I don’t think it’s a stretch to think Apple might be bad at ads because it tries to preserve privacy. I often wonder if that is why Siri is so bad compared to Google Home and Amazon Alexa or how Apple Photos is so much worse at face and object recognition compared to Google Photos, but if that’s the case, they will either always be bad at ads (and shouldn’t do them) or they will slowly start compromising on privacy. Frankly, either way, to me it dramatically cheapens the brand.

Not terribly surprising, but do developers see any money from the ads placed next to their app? Nope. Is anything from apple getting cheaper because of this? Actually, they are getting more expensive at the same time.

None of this is going to immediately change my purchasing habits with Apple products, but it has definitely put a really sour taste in my mouth.

Coupled with the recent change on TV, Apple has been taking a turn for the worse lately in services. I hope they change course but companies rarely make moves to turn down huge gobs of money. Hopefully an antitrust lawsuit will make them back down on this.

Here are some other articles I read around the same topic you should check out - Apple App Store tax is a direct shot at Meta - The Verge Apple is an ad company now - Wired App Store ads gone wild - Daring Fireball

Links

Google Platforms Continued

Mon, 10 Oct 2022 22:53:00 GMT

One more comment on Google's platform issues, this post is 11 years old, but it's depressing how accurate it still is -

Direct Link

In case the link ever goes away, here is the original post -

Stevey's Google Platforms Rant

I was at Amazon for about six and a half years, and now I've been at Google for that long. One thing that struck me immediately about the two companies -- an impression that has been reinforced almost daily -- is that Amazon does everything wrong, and Google does everything right. Sure, it's a sweeping generalization, but a surprisingly accurate one. It's pretty crazy. There are probably a hundred or even two hundred different ways you can compare the two companies, and Google is superior in all but three of them, if I recall correctly. I actually did a spreadsheet at one point but Legal wouldn't let me show it to anyone, even though recruiting loved it.

I mean, just to give you a very brief taste: Amazon's recruiting process is fundamentally flawed by having teams hire for themselves, so their hiring bar is incredibly inconsistent across teams, despite various efforts they've made to level it out. And their operations are a mess; they don't really have SREs and they make engineers pretty much do everything, which leaves almost no time for coding - though again this varies by group, so it's luck of the draw. They don't give a single shit about charity or helping the needy or community contributions or anything like that. Never comes up there, except maybe to laugh about it. Their facilities are dirt-smeared cube farms without a dime spent on decor or common meeting areas. Their pay and benefits suck, although much less so lately due to local competition from Google and Facebook. But they don't have any of our perks or extras -- they just try to match the offer-letter numbers, and that's the end of it. Their code base is a disaster, with no engineering standards whatsoever except what individual teams choose to put in place.

To be fair, they do have a nice versioned-library system that we really ought to emulate, and a nice publish-subscribe system that we also have no equivalent for. But for the most part they just have a bunch of crappy tools that read and write state machine information into relational databases. We wouldn't take most of it even if it were free.

I think the pubsub system and their library-shelf system were two out of the grand total of three things Amazon does better than google.

I guess you could make an argument that their bias for launching early and iterating like mad is also something they do well, but you can argue it either way. They prioritize launching early over everything else, including retention and engineering discipline and a bunch of other stuff that turns out to matter in the long run. So even though it's given them some competitive advantages in the marketplace, it's created enough other problems to make it something less than a slam-dunk.

But there's one thing they do really really well that pretty much makes up for ALL of their political, philosophical and technical screw-ups.

Jeff Bezos is an infamous micro-manager. He micro-manages every single pixel of Amazon's retail site. He hired Larry Tesler, Apple's Chief Scientist and probably the very most famous and respected human-computer interaction expert in the entire world, and then ignored every goddamn thing Larry said for three years until Larry finally -- wisely -- left the company. Larry would do these big usability studies and demonstrate beyond any shred of doubt that nobody can understand that frigging website, but Bezos just couldn't let go of those pixels, all those millions of semantics-packed pixels on the landing page. They were like millions of his own precious children. So they're all still there, and Larry is not.

Micro-managing isn't that third thing that Amazon does better than us, by the way. I mean, yeah, they micro-manage really well, but I wouldn't list it as a strength or anything. I'm just trying to set the context here, to help you understand what happened. We're talking about a guy who in all seriousness has said on many public occasions that people should be paying him to work at Amazon. He hands out little yellow stickies with his name on them, reminding people "who runs the company" when they disagree with him. The guy is a regular... well, Steve Jobs, I guess. Except without the fashion or design sense. Bezos is super smart; don't get me wrong. He just makes ordinary control freaks look like stoned hippies.

So one day Jeff Bezos issued a mandate. He's doing that all the time, of course, and people scramble like ants being pounded with a rubber mallet whenever it happens. But on one occasion -- back around 2002 I think, plus or minus a year -- he issued a mandate that was so out there, so huge and eye-bulgingly ponderous, that it made all of his other mandates look like unsolicited peer bonuses.

His Big Mandate went something along these lines:

All teams will henceforth expose their data and functionality through service interfaces.
Teams must communicate with each other through these interfaces.
There will be no other form of interprocess communication allowed: no direct linking, no direct reads of another team's data store, no shared-memory model, no back-doors whatsoever. The only communication allowed is via service interface calls over the network.
It doesn't matter what technology they use. HTTP, Corba, Pubsub, custom protocols -- doesn't matter. Bezos doesn't care.
All service interfaces, without exception, must be designed from the ground up to be externalizable. That is to say, the team must plan and design to be able to expose the interface to developers in the outside world. No exceptions.
Anyone who doesn't do this will be fired.
Thank you; have a nice day!

Ha, ha! You 150-odd ex-Amazon folks here will of course realize immediately that #7 was a little joke I threw in, because Bezos most definitely does not give a shit about your day.

#6, however, was quite real, so people went to work. Bezos assigned a couple of Chief Bulldogs to oversee the effort and ensure forward progress, headed up by Uber-Chief Bear Bulldog Rick Dalzell. Rick is an ex-Armgy Ranger, West Point Academy graduate, ex-boxer, ex-Chief Torturer slash CIO at Wal*Mart, and is a big genial scary man who used the word "hardened interface" a lot. Rick was a walking, talking hardened interface himself, so needless to say, everyone made LOTS of forward progress and made sure Rick knew about it.

Over the next couple of years, Amazon transformed internally into a service-oriented architecture. They learned a tremendous amount while effecting this transformation. There was lots of existing documentation and lore about SOAs, but at Amazon's vast scale it was about as useful as telling Indiana Jones to look both ways before crossing the street. Amazon's dev staff made a lot of discoveries along the way. A teeny tiny sampling of these discoveries included:

pager escalation gets way harder, because a ticket might bounce through 20 service calls before the real owner is identified. If each bounce goes through a team with a 15-minute response time, it can be hours before the right team finally finds out, unless you build a lot of scaffolding and metrics and reporting.
every single one of your peer teams suddenly becomes a potential DOS attacker. Nobody can make any real forward progress until very serious quotas and throttling are put in place in every single service.
monitoring and QA are the same thing. You'd never think so until you try doing a big SOA. But when your service says "oh yes, I'm fine", it may well be the case that the only thing still functioning in the server is the little component that knows how to say "I'm fine, roger roger, over and out" in a cheery droid voice. In order to tell whether the service is actually responding, you have to make individual calls. The problem continues recursively until your monitoring is doing comprehensive semantics checking of your entire range of services and data, at which point it's indistinguishable from automated QA. So they're a continuum.
if you have hundreds of services, and your code MUST communicate with other groups' code via these services, then you won't be able to find any of them without a service-discovery mechanism. And you can't have that without a service registration mechanism, which itself is another service. So Amazon has a universal service registry where you can find out reflectively (programmatically) about every service, what its APIs are, and also whether it is currently up, and where.
debugging problems with someone else's code gets a LOT harder, and is basically impossible unless there is a universal standard way to run every service in a debuggable sandbox.

That's just a very small sample. There are dozens, maybe hundreds of individual learnings like these that Amazon had to discover organically. There were a lot of wacky ones around externalizing services, but not as many as you might think. Organizing into services taught teams not to trust each other in most of the same ways they're not supposed to trust external developers.

This effort was still underway when I left to join Google in mid-2005, but it was pretty far advanced. From the time Bezos issued his edict through the time I left, Amazon had transformed culturally into a company that thinks about everything in a services-first fashion. It is now fundamental to how they approach all designs, including internal designs for stuff that might never see the light of day externally.

At this point they don't even do it out of fear of being fired. I mean, they're still afraid of that; it's pretty much part of daily life there, working for the Dread Pirate Bezos and all. But they do services because they've come to understand that it's the Right Thing. There are without question pros and cons to the SOA approach, and some of the cons are pretty long. But overall it's the right thing because SOA-driven design enables Platforms.

That's what Bezos was up to with his edict, of course. He didn't (and doesn't) care even a tiny bit about the well-being of the teams, nor about what technologies they use, nor in fact any detail whatsoever about how they go about their business unless they happen to be screwing up. But Bezos realized long before the vast majority of Amazonians that Amazon needs to be a platform.

You wouldn't really think that an online bookstore needs to be an extensible, programmable platform. Would you?

Well, the first big thing Bezos realized is that the infrastructure they'd built for selling and shipping books and sundry could be transformed an excellent repurposable computing platform. So now they have the Amazon Elastic Compute Cloud, and the Amazon Elastic MapReduce, and the Amazon Relational Database Service, and a whole passel' o' other services browsable at aws.amazon.com. These services host the backends for some pretty successful companies, reddit being my personal favorite of the bunch.

The other big realization he had was that he can't always build the right thing. I think Larry Tesler might have struck some kind of chord in Bezos when he said his mom couldn't use the goddamn website. It's not even super clear whose mom he was talking about, and doesn't really matter, because nobody's mom can use the goddamn website. In fact I myself find the website disturbingly daunting, and I worked there for over half a decade. I've just learned to kinda defocus my eyes and concentrate on the million or so pixels near the center of the page above the fold.

I'm not really sure how Bezos came to this realization -- the insight that he can't build one product and have it be right for everyone. But it doesn't matter, because he gets it. There's actually a formal name for this phenomenon. It's called Accessibility, and it's the most important thing in the computing world.

The. Most. Important. Thing.

If you're sorta thinking, "huh? You mean like, blind and deaf people Accessibility?" then you're not alone, because I've come to understand that there are lots and LOTS of people just like you: people for whom this idea does not have the right Accessibility, so it hasn't been able to get through to you yet. It's not your fault for not understanding, any more than it would be your fault for being blind or deaf or motion-restricted or living with any other disability. When software -- or idea-ware for that matter -- fails to be accessible to anyone for any reason, it is the fault of the software or of the messaging of the idea. It is an Accessibility failure.

Like anything else big and important in life, Accessibility has an evil twin who, jilted by the unbalanced affection displayed by their parents in their youth, has grown into an equally powerful Arch-Nemesis (yes, there's more than one nemesis to accessibility) named Security. And boy howdy are the two ever at odds.

But I'll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.

So yeah. In case you hadn't noticed, I could actually write a book on this topic. A fat one, filled with amusing anecdotes about ants and rubber mallets at companies I've worked at. But I will never get this little rant published, and you'll never get it read, unless I start to wrap up.

That one last thing that Google doesn't do well is Platforms. We don't understand platforms. We don't "get" platforms. Some of you do, but you are the minority. This has become painfully clear to me over the past six years. I was kind of hoping that competitive pressure from Microsoft and Amazon and more recently Facebook would make us wake up collectively and start doing universal services. Not in some sort of ad-hoc, half-assed way, but in more or less the same way Amazon did it: all at once, for real, no cheating, and treating it as our top priority from now on.

But no. No, it's like our tenth or eleventh priority. Or fifteenth, I don't know. It's pretty low. There are a few teams who treat the idea very seriously, but most teams either don't think about it all, ever, or only a small percentage of them think about it in a very small way.

It's a big stretch even to get most teams to offer a stubby service to get programmatic access to their data and computations. Most of them think they're building products. And a stubby service is a pretty pathetic service. Go back and look at that partial list of learnings from Amazon, and tell me which ones Stubby gives you out of the box. As far as I'm concerned, it's none of them. Stubby's great, but it's like parts when you need a car.

A product is useless without a platform, or more precisely and accurately, a platform-less product will always be replaced by an equivalent platform-ized product.

Google+ is a prime example of our complete failure to understand platforms from the very highest levels of executive leadership (hi Larry, Sergey, Eric, Vic, howdy howdy) down to the very lowest leaf workers (hey yo). We all don't get it. The Golden Rule of platforms is that you Eat Your Own Dogfood. The Google+ platform is a pathetic afterthought. We had no API at all at launch, and last I checked, we had one measly API call. One of the team members marched in and told me about it when they launched, and I asked: "So is it the Stalker API?" She got all glum and said "Yeah." I mean, I was joking, but no... the only API call we offer is to get someone's stream. So I guess the joke was on me.

Microsoft has known about the Dogfood rule for at least twenty years. It's been part of their culture for a whole generation now. You don't eat People Food and give your developers Dog Food. Doing that is simply robbing your long-term platform value for short-term successes. Platforms are all about long-term thinking.

Google+ is a knee-jerk reaction, a study in short-term thinking, predicated on the incorrect notion that Facebook is successful because they built a great product. But that's not why they are successful. Facebook is successful because they built an entire constellation of products by allowing other people to do the work. So Facebook is different for everyone. Some people spend all their time on Mafia Wars. Some spend all their time on Farmville. There are hundreds or maybe thousands of different high-quality time sinks available, so there's something there for everyone.

Our Google+ team took a look at the aftermarket and said: "Gosh, it looks like we need some games. Let's go contract someone to, um, write some games for us." Do you begin to see how incredibly wrong that thinking is now? The problem is that we are trying to predict what people want and deliver it for them.

You can't do that. Not really. Not reliably. There have been precious few people in the world, over the entire history of computing, who have been able to do it reliably. Steve Jobs was one of them. We don't have a Steve Jobs here. I'm sorry, but we don't.

Larry Tesler may have convinced Bezos that he was no Steve Jobs, but Bezos realized that he didn't need to be a Steve Jobs in order to provide everyone with the right products: interfaces and workflows that they liked and felt at ease with. He just needed to enable third-party developers to do it, and it would happen automatically.

I apologize to those (many) of you for whom all this stuff I'm saying is incredibly obvious, because yeah. It's incredibly frigging obvious. Except we're not doing it. We don't get Platforms, and we don't get Accessibility. The two are basically the same thing, because platforms solve accessibility. A platform is accessibility.

So yeah, Microsoft gets it. And you know as well as I do how surprising that is, because they don't "get" much of anything, really. But they understand platforms as a purely accidental outgrowth of having started life in the business of providing platforms. So they have thirty-plus years of learning in this space. And if you go to msdn.com, and spend some time browsing, and you've never seen it before, prepare to be amazed. Because it's staggeringly huge. They have thousands, and thousands, and THOUSANDS of API calls. They have a HUGE platform. Too big in fact, because they can't design for squat, but at least they're doing it.

Amazon gets it. Amazon's AWS (aws.amazon.com) is incredible. Just go look at it. Click around. It's embarrassing. We don't have any of that stuff.

Apple gets it, obviously. They've made some fundamentally non-open choices, particularly around their mobile platform. But they understand accessibility and they understand the power of third-party development and they eat their dogfood. And you know what? They make pretty good dogfood. Their APIs are a hell of a lot cleaner than Microsoft's, and have been since time immemorial.

Facebook gets it. That's what really worries me. That's what got me off my lazy butt to write this thing. I hate blogging. I hate... plussing, or whatever it's called when you do a massive rant in Google+ even though it's a terrible venue for it but you do it anyway because in the end you really do want Google to be successful. And I do! I mean, Facebook wants me there, and it'd be pretty easy to just go. But Google is home, so I'm insisting that we have this little family intervention, uncomfortable as it might be.

After you've marveled at the platform offerings of Microsoft and Amazon, and Facebook I guess (I didn't look because I didn't want to get too depressed), head over to developers.google.com and browse a little. Pretty big difference, eh? It's like what your fifth-grade nephew might mock up if he were doing an assignment to demonstrate what a big powerful platform company might be building if all they had, resource-wise, was one fifth grader.

Please don't get me wrong here -- I know for a fact that the dev-rel team has had to FIGHT to get even this much available externally. They're kicking ass as far as I'm concerned, because they DO get platforms, and they are struggling heroically to try to create one in an environment that is at best platform-apathetic, and at worst often openly hostile to the idea.

I'm just frankly describing what developers.google.com looks like to an outsider. It looks childish. Where's the Maps APIs in there for Christ's sake? Some of the things in there are labs projects. And the APIs for everything I clicked were... they were paltry. They were obviously dog food. Not even good organic stuff. Compared to our internal APIs it's all snouts and horse hooves.

And also don't get me wrong about Google+. They're far from the only offenders. This is a cultural thing. What we have going on internally is basically a war, with the underdog minority Platformers fighting a more or less losing battle against the Mighty Funded Confident Producters.

Any teams that have successfully internalized the notion that they should be externally programmable platforms from the ground up are underdogs -- Maps and Docs come to mind, and I know GMail is making overtures in that direction. But it's hard for them to get funding for it because it's not part of our culture. Maestro's funding is a feeble thing compared to the gargantuan Microsoft Office programming platform: it's a fluffy rabbit versus a T-Rex. The Docs team knows they'll never be competitive with Office until they can match its scripting facilities, but they're not getting any resource love. I mean, I assume they're not, given that Apps Script only works in Spreadsheet right now, and it doesn't even have keyboard shortcuts as part of its API. That team looks pretty unloved to me.

Ironically enough, Wave was a great platform, may they rest in peace. But making something a platform is not going to make you an instant success. A platform needs a killer app. Facebook -- that is, the stock service they offer with walls and friends and such -- is the killer app for the Facebook Platform. And it is a very serious mistake to conclude that the Facebook App could have been anywhere near as successful without the Facebook Platform.

You know how people are always saying Google is arrogant? I'm a Googler, so I get as irritated as you do when people say that. We're not arrogant, by and large. We're, like, 99% Arrogance-Free. I did start this post -- if you'll reach back into distant memory -- by describing Google as "doing everything right". We do mean well, and for the most part when people say we're arrogant it's because we didn't hire them, or they're unhappy with our policies, or something along those lines. They're inferring arrogance because it makes them feel better.

But when we take the stance that we know how to design the perfect product for everyone, and believe you me, I hear that a lot, then we're being fools. You can attribute it to arrogance, or naivete, or whatever -- it doesn't matter in the end, because it's foolishness. There IS no perfect product for everyone.

And so we wind up with a browser that doesn't let you set the default font size. Talk about an affront to Accessibility. I mean, as I get older I'm actually going blind. For real. I've been nearsighted all my life, and once you hit 40 years old you stop being able to see things up close. So font selection becomes this life-or-death thing: it can lock you out of the product completely. But the Chrome team is flat-out arrogant here: they want to build a zero-configuration product, and they're quite brazen about it, and Fuck You if you're blind or deaf or whatever. Hit Ctrl-+ on every single page visit for the rest of your life.

It's not just them. It's everyone. The problem is that we're a Product Company through and through. We built a successful product with broad appeal -- our search, that is -- and that wild success has biased us.

Amazon was a product company too, so it took an out-of-band force to make Bezos understand the need for a platform. That force was their evaporating margins; he was cornered and had to think of a way out. But all he had was a bunch of engineers and all these computers... if only they could be monetized somehow... you can see how he arrived at AWS, in hindsight.

Microsoft started out as a platform, so they've just had lots of practice at it.

Facebook, though: they worry me. I'm no expert, but I'm pretty sure they started off as a Product and they rode that success pretty far. So I'm not sure exactly how they made the transition to a platform. It was a relatively long time ago, since they had to be a platform before (now very old) things like Mafia Wars could come along.

Maybe they just looked at us and asked: "How can we beat Google? What are they missing?"

The problem we face is pretty huge, because it will take a dramatic cultural change in order for us to start catching up. We don't do internal service-oriented platforms, and we just as equally don't do external ones. This means that the "not getting it" is endemic across the company: the PMs don't get it, the engineers don't get it, the product teams don't get it, nobody gets it. Even if individuals do, even if YOU do, it doesn't matter one bit unless we're treating it as an all-hands-on-deck emergency. We can't keep launching products and pretending we'll turn them into magical beautiful extensible platforms later. We've tried that and it's not working.

The Golden Rule of Platforms, "Eat Your Own Dogfood", can be rephrased as "Start with a Platform, and Then Use it for Everything." You can't just bolt it on later. Certainly not easily at any rate -- ask anyone who worked on platformizing MS Office. Or anyone who worked on platformizing Amazon. If you delay it, it'll be ten times as much work as just doing it correctly up front. You can't cheat. You can't have secret back doors for internal apps to get special priority access, not for ANY reason. You need to solve the hard problems up front.

I'm not saying it's too late for us, but the longer we wait, the closer we get to being Too Late.

I honestly don't know how to wrap this up. I've said pretty much everything I came here to say today. This post has been six years in the making. I'm sorry if I wasn't gentle enough, or if I misrepresented some product or team or person, or if we're actually doing LOTS of platform stuff and it just so happens that I and everyone I ever talk to has just never heard about it. I'm sorry.

But we've gotta start doing this right.

Original URL

Follow-up URL

Hacker News URL

Links

The Death of Stadia

Wed, 05 Oct 2022 06:00:00 GMT

Most people knew this day was coming, however on September 29th, Google seemingly abruptly decided they were throwing in the towel on Stadia. With a blog post and a few emails, Google announced they were done with Stadia -

Stadia - A message about Stadia and our long term streaming strategy

I wish I could say I was surprised, but honestly, Google is kind of a joke at this point with their attention span on products, regardless of how good they are. I wanted to write a few thoughts on Stadia specifically and on what I see as a huge problem for Google, which somehow they seem unaware of (or worse, they don't care).

First, a bit about Stadia.

I tried out stadia a long time ago when it was just a beta test of Assassin's Creed Odyssey in 2018. While it was far from perfect, I immediately saw the appeal. It worked shockingly well for streaming a game entirely in your browser.

When Stadia was officially announced, I signed up for the Founders Edition. I would not classify myself as a hardcore gamer, but I play games quite a bit. I also love being an early adopter of tech, so this was a no-brainer. Throw in the fact that you could choose a Gamertag before everyone else so you can get a really good name? No question, I'm sold.

I want to start by saying, I really like(d) Stadia. To this day, I use it almost every day. However, there were some signs from the very beginning that were concerning, especially given Google's track record with... Everything.

When it was released, it was definitely a "minimum viable product". Several features mentioned during the initial announcement were just not ready yet. For companies that have a really good track record, this is not always very concerning. Apple, for instance, will usually preview the next year of software when they announce macOS or iOS. Some features don't make the first release of the new OS, but it's rare that those features don't get added before the next iteration. Google, on the other hand, loves to talk things up, then either underwhelm, or change their mind.

But, who knows? Many of the features were pretty ambitious and it's totally fair that some of them might not be ready on day 1. Particularly since many of them would clearly require game developers to support on their end, even if the platform itself was ready. But that's why Google had their own gaming studio, right? Did I expect some amazing AAA games from Google's brand-new game studio? Absolutely not. They were new to this, and gaming is a very difficult industry. But surely they could make some proof-of-concept games to show the massively scalable infrastructure, right? Or the Google Assistant being integrated right into the game from the controller? Right? Surely YouTube Streaming directly from Google Cloud was one of the highest priorities for this whole project... Right?

Well, they delivered on some of the hype. Eventually. Kind of. And some of it worked really well! YouTube took MUCH longer to integrate than I would have thought (and frankly, much longer than it should have), but it worked really well when it came out. I don't feel the need to stream to YouTube, but I understand the appeal. I tried doing it a few times just for fun, and it was pretty flawless.

All of these should have been signs. The big games starting to bail were also pretty clearly bad signs, but then once in a while, you would get a glimmer of hope. When Cyberpunk 2077 first came out, it was an absolute mess. It was not built well and was not able to take advantage of the newest generation of game consoles. Only high-end PC hardware was handling it ok, except for Stadia. All of a sudden, the appeal of a cloud-based console was popping up in articles all over the place. First of all, it WORKED. That was a huge bonus. Then, as they started rolling out enormous patches trying to fix the game, Stadia was again in the news since you never had to update anything. 100GB update? Not if you were using Stadia!

Well apparently that was not enough. For me, I never really saw it as a next-gen console competitor. It seemed unlikely that it could compete with a fairly high-end console I have right here in front of me, plugged right into my TV, and 10 feet from my controller. However, it absolutely worked great for most of the gaming I do. I played Destiny on there a LOT, and it was great. Cyberpunk also worked great. Anything, where I was not competing with player vs. player (which I don't do on Destiny very often), was absolutely awesome. I fantasized about playing hardware-heavy games like Civilization 6 on there (even if it required a keyboard and mouse). It's a CPU-heavy game, but a small amount of lag won't matter. Also, the updates and add-ons are enormous. Seems perfect. Or even if I could play some of my very favorite retro games, that would be amazing. Even without that, I still played it a lot.

I used it primarily on my phone. Apple decided these kinds of apps can't exist (which is a whole other topic) but they released browser support for iOS and it frankly worked nearly flawlessly. I have a phone mount for my Stadia controller and it's awesome. If I want to dive into a game and get the best experience, I would play on my Xbox, however, if we're watching some mindless TV at the end of the day and I want to grind some resources or do some Vanguard playlists on Destiny, it was phenomenal for that.

I have tried Nvidia's version of this and Microsoft's and Amazon's. To be honest, from a technology standpoint, Stadia in my experience, was far superior.

So why did Stadia fail? Well, obviously, it doesn't have enough users to justify keeping it up. It seems like maybe it was a good idea, but there is no future or market for it, right? Well... I don't know how much I agree with that. I think a big part of this is a core problem with Google. If there was no market for this kind of gaming, I don't think you'd see Nvidia, Microsoft, and Amazon all directly competing with this.

From day 1, all across the internet, and even among my social circles, people would joke that Google was just going to kill it, so why bother? On Reddit, fans of Stadia would get incredibly heated in their defense. This is a superior technology and experience. The world will see. There's no way Google will kill this. Matter of fact, Google would repeatedly promise that they were taking it seriously and were not going to kill it off.

But I, like many on the internet, had my doubts. Google kills things off at a comical rate. Often, it's because they have some crazy ideas, and unlike many companies, they will try them out instead of just talk about it. Other times, they kill off products that many people love, or even heavily rely on, to the point where it's basically a joke on the internet. There are sites dedicated to just keeping track of the Google products that they have killed, such as - Killed by Google

Some of these pretty clearly no one cares that much about. Most people probably didn't even know they existed. However, some of them were key products that people relied on. When Google Reader shut down, it nearly killed off the entire RSS reader industry. There are some great alternatives now, but the broader internet has still never recovered to the point it was at when Google Reader was shut down. Others are even part of their paid products. Google Cloud IoT Core had some great ideas, but they killed it off. Google Hire was an AI-driven hiring tool that was meant to be an add-on for Google Workspace Enterprise. I used it briefly at my last job, and it honestly felt like magic. Google App Maker was a low-code automation/app-building tool that was part of Google Workspace. All of these were just killed off. If you had invested a significant amount of time into any of these products, well... Tough luck. In some cases, there was a replacement, in others, just tough luck.

I have been a Google Partner in both of my last 2 jobs. I really like a lot of what Google does. Chrome is excellent. No one scales products across the internet quite like Google does. The way the infrastructure is built for Google Cloud is just better than the other big clouds. I love the way you can use really robust apps right in the browser. I love the "internet first" approach to apps, and frankly, the way the company completely restructured after China hacked them and essentially rocked the entire cybersecurity industry with their Zero Trust methodology, as well as their contributions to continuous delivery methods, hyper scale applications, and data... There is a huge list of things that Google is second to none in the world.

But if you don't believe that a company will keep something around, why would you invest in it? Why would you build on Google Cloud if you don't even know if the tools that run the app will still be there? If you're a customer, why would you buy Stadia and invest time into these games if they just kill it off in a few years?

In contrast, Microsoft is relentless with these things. Do they kill off products? Absolutely, but it's not their reputation. They will come into a market they have no business being in, and just iterate year after year and just stay with it until it bears some fruit.

Sometimes it feels like Google lacks focus. Or maybe it's lacking direction. It's hard to say. Even for products that don't get killed off, look at the mess that they continually create for themselves with their messaging platform. To a lesser degree, but still similar, their video messaging with Duo vs. Meet. I follow this space very closely, and it's hard for me to keep track of what they are doing with all of their products. I understand consolidating and things like that but they never seem to even be able to successfully do so, and you end up with changed plans a million times, and confusion and frustration from users.

At work we use Slack instead of Google Chat. I like Slack, but why should I pay for a messaging tool when our Google Workspace (Enterprise, nonetheless) has a chat platform built in? Well partially because it's a mess. One day it's a separate app. They announce some cool features, then back track on those, then they merge it into the Gmail interface for some kind of "Unified messaging" platform, then they let you back track from that. At least temporarily. All the while barely actually adding functionality beyond more emoji or things like that.

I could go on with countless other examples, but I think the point is clear, and I don't think Google realizes how big of a reputation problem they have by killing off products like Stadia. When big Google fans (like myself) have a hard time trusting that Google will keep something around, we are hesitant to even try new things. What if we like it, and start to rely on it, then it's gone? I personally am really tired of it, and I know I'm not alone. If your promoters and early adopters are scared to use your new products, and you're a company that thrives on innovation, that's a huge problem. Google desperately needs to address this image or it will really hurt them in the future. Either stick with products even if they lose money, and use those learnings on future products, or hold your cards to your chest longer so things can bake more before you release them.

Links

Google Drive Quicksearch

Mon, 19 Sep 2022 10:14:13 GMT

Recently I found out that if you have the Google Drive Desktop app installed on Mac, you can invoke a quick search function that works much like Spotlight, but for your Google Drive data. I don't know what this feature is actually called. It's likely not quick search, but I also didn't have anything else to call it.

If you have it installed and signed in, simply press command + option + G and it pulls up a search box.

It's worth noting that in more recent versions of Drive Desktop, you can directly enable Spotlight indexing as well in the preferences, however I've had mixed luck with how well it works, and honestly for me if I'm searching for something in Drive, I know it's there and I like having the mental separation between the two.

Cloudflare Access

Sun, 11 Sep 2022 23:52:38 GMT

As I have mentioned in a previous post, I truly believe we are on the edge of some pretty radical changes in corporate networking. The buzzword for the concept is SASE (Pronounced “sassy” and stands for Secure Access Service Edge). The buzzword is pretty cringeworthy in my opinion, but the idea is solid. It’s important to note that it’s just a marketing term (similar to “Zero Trust”). It represents a concept, not a specific “thing”, and therefore different vendors offer different functions in the space.

As I’ve been testing out different offerings out there (including this article I wrote about TailScale), Cloudflare’s offering has been the most interesting to me. The naming is a little confusing, but I really like what they have been doing. In general, their SASE offering is called Cloudflare One. This is really a platform with several products within it. I will go into detail in other posts, but for this one I’m working with Cloudflare Access, which is part of their Zero Trust platform, which in turn is part of Cloudflare One.

I see lots of potential with Cloudflare Access. In general, I want to replace VPN’s. They are old, clunky, and don’t work well. They are a heavy-handed solution to specific problems and no one really likes using them. If employees hate to use them, then they typically try to get around using them. I think with modern technology, we should be able to increase security significantly while also actually making it a smoother better experience to actually use.

Cloudflare can create tunnels to specific resources, allowing you to use Access to directly and more securely connect directly to resources. For this post, I set up a direct connection to an RDP instance on a Windows server from my Mac. I then wanted to make sure that the tunnel was set up automatically for me whenever I booted my computer. The idea is based on this tutorial provided by Cloudflare - Connect through Cloudflare Access over RDP

If you follow that tutorial and have a Cloudflare tunnel running on both sides, you can run the following to create a direct tunnel, which allows you to connect RDP to localhost:3389

cloudflared access rdp --hostname {{subdomian}}.barnes.tech --url localhost:3389

My goal was to completely and silently deploy both cloudflared and the above command via MDM, but also have that maintain the connection in the background, and even start it back up after reboot.

The tutorial above walks you through creating the destination tunnel using the config.yml file, which you need to create and authenticate locally on that machine. This works fine, but Cloudflare has since added the ability to create these tunnels directly in the cloud Zero Trust dashboard, and give you one command to set up the tunnel, authenticate with a token, and set up everything you need for RDP. An example of how this looks is something like this -

Windows

`\path\to\cloudflared.exe service install {{service token}}`

Mac

`cloudflared service install {{service token}}`

Deploying this way, it is pretty easy to deploy through a script in an MDM. You can just create a script like this -

#!/bin/bash

mostCommonUser=$(/usr/bin/last -t console | awk '!/_mbsetupuser|root|wtmp/' | /usr/bin/cut -d" " -f1 | /usr/bin/uniq -c | /usr/bin/sort -nr | /usr/bin/head -n1 | /usr/bin/grep -o '[a-zA-Z].*')

# Install Cloudflare Tunnel
/usr/bin/su - "${mostCommonUser}" -c "/opt/homebrew/bin/brew install cloudflare/cloudflare/cloudflared"

/opt/homebrew/bin/cloudflared service install {{service token}}

With that in place, you can create a LaunchDaemon to run the previous command to open an access tunnel and make it available at localhost

I just created one called com.barnes.cloudflare.plist. In Kandji, you can easily deploy this file by zipping it, and then creating a custom application that just unzips the file to /Library/LaunchDaemons. After it does that, you need to use a postinstall script to load the Launch Daemon. First the Launch Daemon -

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>KeepAlive</key>
	<dict>
		<key>SuccessfulExit</key>
		<false/>
	</dict>
	<key>Label</key>
	<string>local.job</string>
	<key>ProgramArguments</key>
	<array>
		<string>/opt/homebrew/bin/cloudflared</string>
		<string>access</string>
		<string>rdp</string>
		<string>--hostname</string>
		<string>{{subdomain}}.barnes.tech</string>
		<string>--url</string>
		<string>localhost:3389</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
	<key>ThrottleInterval</key>
	<integer>5</integer>
</dict>
</plist>

These can be pretty complex to create these correctly and without any errors, and it will just not work if there are any errors, so I used Launch Control to create this.

For PostInstall I used this script -

#!/bin/bash

sudo /bin/launchctl load -w /Library/LaunchDaemons/com.barnes.cloudflare.plist

And that’s it! With this all in place, the tunnel is automatically deployed and the Launch Daemon makes sure it reconnects after reboot automatically!

Links

Malwarebytes Uninstall

Sun, 17 Jul 2022 23:07:05 GMT

Antivirus and other endpoint security tools are fairly notorious for being difficult to uninstall, so I wanted to write a few posts about different uninstall tools and processes as I figure out how to remove them. This is how to remove Malwarebytes, and do so silently through an MDM or with a script.

Malwarebytes makes an uninstaller app that you can download from their website, however in order to run it, you need to interact with the app, making it difficult to deploy in bulk.

If you pull apart the app package, inside the contents of the app, in the resources section, there is a script called uninstall_reinstall.tool which is actually just a bash script in disguise.

If you open the contents in a text editor, you can see the script. You can take this script and run it, and it will work directly, however it attempts to get you to reinstall it at the end, or switch to the "home" version. Still not ideal for bulk deployment.

Here's what the original script looks like -

At the end of the script there is a function for User Input called run install function which runs several AppleScripts for the user input. You can simply remove this section and it will make the script completely silent.

Final version with the removed Apple Scripts is here -

Mac - Adobe Creative Cloud Silent Uninstall

Wed, 06 Jul 2022 21:47:31 GMT

I had a situation yesterday where I had to create a script to silently uninstall the Adobe Creative Cloud. For what we were trying to do, the Creative Cloud app had been installed accidentally on some computers that did not need it, so we only needed to uninstall the creative cloud app itself. This will not uninstall any other Creative Cloud apps that may have been installed.

Adobe’s documentation and forums were not terribly helpful in this regard, but after poking around a little bit, we were able to get it figured out.

Adobe has an uninstaller app that you can use at -

/Applications/Utilities/Adobe Creative Cloud/Utils/Creative Cloud Uninstaller.app

This works fine if you are uninstalling it on your own machine, and have admin privileges, but if you are trying to trigger this from an MDM, you can’t use this directly.

In order to script the action, you need to go inside this app bundle and find the executable itself. To find this, right click on the .app file and then select “Show Package Contents”, then look for an executable inside the folders in the .app bundle. For this app, this is found at -

/Applications/Utilities/Adobe Creative Cloud/Utils/Creative Cloud Uninstaller.app/Contents/MacOS/Creative Cloud Uninstaller

Pro Tip - If you hold down Option on Mac while looking at the context view (right click on a file or folder), then the Copy option of the file becomes Copy “file” as pathname which makes it much easier to then paste in to a script or terminal session. For terminal you can also click and drag the file in to terminal and it will drop the path in there, but I personally usually use the context menu option, so I can paste it anywhere else.

Scripting the Uninstaller

Once we found the executable file, we knew that we could just call this in a script pretty easily, making it much easier to do this through MDM.

To test this out, I just ran in terminal directly on my test machine -

sudo '/Applications/Utilities/Adobe Creative Cloud/Utils/Creative Cloud Uninstaller.app/Contents/MacOS/Creative Cloud Uninstaller'

But this popped up with a prompt asking if we want to uninstall or repair. For what we are doing we did not want it to prompt the user at all, and just run the uninstaller.

After trying several of the most common flags to force it to silently do the uninstall (i.e. --silent or --no-gui, etc.) with no luck, I was able to find on some documentation that Adobe has that passing -u in might do it, and it did the trick!

So with that in mind we wrote a bash script to do what we needed to do.

Note -

We use Kandji as our primary MDM, so this script is written so that it could be used as an audit script if we needed to in the future. In this case I just added it to Self Service, and it should work in any MDM that supports scripts, but the format is specifically with being an audit script in mind

#!/bin/bash

APPPATH="/Applications/Utilities/Adobe Creative Cloud/ACC/Creative Cloud.app"
if [ -e "$APPPATH" ]; then
	sudo "/Applications/Utilities/Adobe Creative Cloud/Utils/Creative Cloud Uninstaller.app/Contents/MacOS/Creative Cloud Uninstaller" -u
	exit 1

else

	exit 0

fi

This script will first check to see if the app is there, then if it is, it will run the uninstaller mentioned above. If not, it will just exit the script with 0, so that it passes the audit.

1Password 2FA to iCloud Keychain

Sun, 05 Jun 2022 00:11:47 GMT

I am a huge fan of 1Password. It's an app / service that at this point I can't live without.

If you aren't familiar with 1Password, you should check it out. It is a password manager that is really easy to use, syncs across all of your devices, and has a lot of advanced features. You can set up different "vaults" to keep things organized, and you can even share certain vaults with certain people. You can even use a work account and a personal account at the same time, and it helps keep things organized and secure for you. My wife and I share a home vault for passwords and accounts that we both use and both need access to, while at work I have different vaults shared with different teams based on what they need as well.

I partially use 1Password because of all of these advanced features, but I specifically use it instead of iCloud Keychain because I do not use Safari on the Mac. I use Chrome for almost everything on a Mac, but Safari on iOS. 1Password works across all of this no problem so it makes things really easy.

2 Factor Authentication support is awesome in 1Password. 1Password supports adding TOTP (Time-based One Time Password) 2FA codes, similar to how Google Authenticator or Authy work, and it can keep this information right next to your password. It will even auto-fill the 2FA code automatically for you when you have 1Password fill in the username and password.

There are some specific cases where there's a password I use a lot on my phone, and therefore in Safari, and I like having iCloud keychain store the username and password for me, since it will actually fill out slightly faster (since it is built in to the OS and is not a 3rd party app), however I want ALL my passwords in 1Password. That's the vault where everything should be no matter what.

So how do you have them in both places? Well for username and password this is easy, you just create an entry for username and password in both locations. But Apple recently introduced the ability to also support TOTP 2FA, so can you have a code like that in both places? Yes! You can! It's not super intuitive, but it's definitely possible.

It's much easier to set this up on the Mac if you can, then let it sync to your iOS device, even if you aren't going to use Mac Safari. When you go in to the "Passwords" section in Safari's preferences, you can easily see how to add new passwords for different sites. Once you create one, you can "Edit" it, and you'll see the option for 2FA show up. The verbiage they use is not terribly standard, and can be a little confusing, but they call it Verification Code, and you'll see the option to Enter Setup Key.

Enter Setup Key is also a little bit confusing wording, unless you only use Safari and never save these things anywhere else. Safari tries to make this easy when you log in on a website for the first time, and will offer to set this all up for you automatically. It's pretty neat, but if you do it that way, you're going to have a very hard time copying that info back out of Safari, so I'd recommend starting by creating it in 1Password first.

Many times, if a site supports 2FA, 1Password will automatically prompt you and tell you how to set up 2FA, however in some cases it doesn't know that specifically. In those cases you can just add a "One Time Password" field to your login item, and then it will let you scan the QR code directly.

Once a TOTP is saved in 1Password, you can then "Edit" that login, and you can see more info about the TOTP itself. You will see a long string of text that is saved in there that is actually generating the time based code. It includes the issuer (or site that it's from) the username it is associated with, and most importantly a secret. The section that is secret=SomeTextString is the important part we are trying to get to.

Simply copy the text string after secret=. In some cases there will be text after the secret, which will be separated by the & symbol. We want everything before the & and after secret=. You can just double click on the first couple of characters and it will hilight the correct section for you.

Now go back to Safari's password settings, and use the secret you just copied and put that in to the Setup Key. That's it! Now you will have the same TOTP code across both systems!

Cloudflare Dev Tools

Wed, 11 May 2022 21:34:46 GMT

I've been a big fan of what Cloudflare is doing for a long time. They seem to have a great mission, and approach problem solving in a unique way that has always resonated with me. I am working on writing an in depth blog post about the Zero Trust tools that they offer (Collectively called Cloudflare One), but Cloudflare has been building out a lot of other tools as well.

I have not seen many people comparing Cloudflare to AWS, Azure, and Google Cloud, however with several tools they have recently released, I think they will be a bigger competitor than people give them credit for.

Cloudflare R2 enters open beta - Cloudflare S3 like storage launching in beta soon. Compatible with S3 API's, which makes it immediately accessible to tons of applications out there. S3 is great, but super expensive for what it is, so the more competition in this place the better.
D1 - Cloud hosted SQL Database A small but important first step in to a lightweight cloud hosted database. This is another area where the more competition the better.

Really looking forward to see what else Cloudflare launches in these spaces.

Links

Atlassian Outage

Sat, 16 Apr 2022 00:41:21 GMT

If you follow tech on the internet, you've likely heard about the unbelievable outage that Atlassian has had, which is still (as of this writing) going on. On April 4th, many of their services went offline for several customers, and it has been an absolutely wild ride since then.

If you haven't read this yet, The Pragmatic Engineer has an excellent timeline and breakdown of everything that Atlassian has done, and it's honestly astounding.

I understand as well as anyone that things happen and systems will go down, but it's hard to put in words how poorly they have handled this.

As Gregely points out in the post, it's kind of insane that Atlassian literally wrote one of the most well known books on incident handling in the business, yet clearly just straight up do not follow it internally.

Current Atlassian status - https://status.atlassian.com/

Links

Sync Downloads Folder

Mon, 04 Apr 2022 20:14:17 GMT

Many people may not want to use this one but recently I have had several people make a comment when they see it and ask how it’s done so they can do it.

Note - these instructions are only for Mac and assume that you have an iCloud account. You could very quickly run out of storage on a free account so I would highly recommend using a paid iCloud account with enough storage if you want to use this method.

Sync your downloads drive to iCloud on all computers

If you are familiar with iCloud sync for documents and desktop, this just takes that one step further and does the same thing with the downloads folder.

For me personally I really like having everything I download all synced across devices. This includes your phone and iPad (which automatically save to the iCloud Downloads folder already)

First, make sure that you do not need anything in your current downloads folder as this process will wipe anything in there. You can move them to another folder if you need to. Don’t worry, you can move them right back when this is done.

We will be creating a sym link between the folder in the iClouds container for downloads (used by iOS etc) and placing the symlink on macOS where the downloads folder typically is.

Note - You have to be a little fast doing this. If you wait too long after deleting the folder, macOS will repair itself and put the folder back.

Step One

Delete the downloads folder for your user. Since this is a system made folder we will need to use Terminal to delete it. Open terminal to run the commands listed below.

Replace the {YourUser} with the user on your computer (don’t use the brackets either. Just your username between the / symbols.

sudo rm -R /Users/{YourUser}/Downloads

Step 2

Next we need to create the sym link (short for symbolic link) between the iCloud Downloads folder and your local user Downloads folder.

The basic syntax of a sym link is like this -

ln -s /path/to/original /path/to/link

So we will need to use both the file path for iCloud Downloads as well as the file path of where the old Downloads folder is. It will typically look something like this -

ln -s /Users/{YourUser}/Library/Mobile\ Documents/com\~apple\~CloudDocs/Downloads /Users/{YourUser}

Pro tip 1 - you can click and drag a folder in to terminal directly and it will drop the file path directly

Pro tip 2 - Alternatively, if you hold down option while right clicking on a file, the copy option becomes copy file path which allows you to just paste the file path in to terminal. I use this option ALL the time.

And that’s it! It should be all set now.

Conclusion and other notes

Now that the downloads are linked, downloads will sync with iCloud. You can repeat this process on any other Mac to keep more than one computer in sync. iOS devices will also download to the same folder, so that stays in sync too.

A few things to note -

First, if you had a Downloads “stack” in your dock, that will have been linked to the old ~/Downloads folder, and will break when you initially do this. To fix this, manually find the iCloud downloads folder in finder and drag that down to the dock instead. The path should basically be at

/Users/{YourUser}/Library/Mobile\ Documents/com\~apple\~CloudDocs/Downloads

Likewise, if you want “Downloads” in your side bar in finder, you will have to navigate to the iCloud Downloads folder and click and drag that over to the favorites in Finder as well.
One of the reasons I like doing it this way is that you don’t have to change your browsers for this to work properly. I have a ton of different browser profiles that I’m constantly bouncing between, so if I just went in to each browser and changed their “Downloads” manually to the iCloud path, it would be extremely time consuming. It would also only do that for the browsers which you manually do this for. The sym link method works for everything immediately, and will include downloads from other sources too.

Security (and IT) Obstructionism

Sun, 20 Feb 2022 18:21:24 GMT

Kolide recently posted an article - End Security Obstructionism with Security Automation Orchestration, where they discuss some of the common issues with legacy thinking with enforcing security in an onerous, monolithic way.

I think it’s pretty common for organizations to feel like IT and the rest of the organization are adversarial, and that it is always a battle between what most of the company is trying to do, and what IT is trying to force you to do.

For a long time I’ve thought that most of this was a combination of communication problems, and in many cases, IT teams just being lazy. They just want to get something done, and don’t want to put the effort in to making the experience for the organization better. There are, of course, exceptions but they seem to be pretty rare.

Unfortunately, it doesn’t take much time looking on Reddit in IT or system administrator forums to realize that many IT people also feel like it’s an adversarial relationship, and that users are just there to battle the IT team. No, Reddit is definitely not representative of real life, but you do see the same sentiment to some degree in lots of organizations.

Kolide offers several examples of what they are calling “Security Obstructionism” (I think it’s a good term, and a useful concept to really think about), which they are referencing another blog by Kelly Shortridge, and I think it is worth reading both blogs in more detail, but some examples include forcing a user to restart their computer without warning, using phishing simulations to “trap” users in to clicking on links, then forcing them to go through training because they fell for some trick, or really anything that is purposely getting in the way with someone doing their job.

Why would we want to put in more effort, when we can force these things anyway?

I strongly believe that if you can put in the effort to align IT with the business and the user, it will pay off in several really big ways.

First, you get buy in from the users. Despite what some IT professionals may believe, it’s actually pretty uncommon for a user to actually want to mess things up, or do something that is not secure. Typically when they do something they shouldn’t, it’s because it’s easier than doing the “right” thing. They also often don’t really understand why they need to do something a certain way, and the “legacy” way of forcing them to do trainings doesn’t always work.

This is where automation and orchestration can come in. When you design your IT infrastructure and processes to be user first, and have automatic actions that include the user, you can help them understand and do the right things without making them feel like they are being punished, or that they have done something wrong, or even making them feel stupid.

When I design systems, I am trying to make it as seamless as possible. If there is something that can be done silently in the background with no interruptions, we’ll do that. If something needs to be disruptive for a bit (an update that needs a restart, or something like that), we try to prompt the user that it’s going to happen and give plenty of time for them to do it themselves. We strive for zero touch deployments, with screens that prompt the user with what exactly is happening on their system, to help them understand and feel included in the process, but also to keep friction to a minimum.

Another huge benefit of this method is that if you can get the buy in from the users, and even put in the effort to understand the business, and how IT can help, then IT starts to become part of the conversation about business goals and initiatives, instead of being an afterthought expected to “just make it work” after decisions have already been made.

Conclusion

I think it is critical to think about this concept in IT, and it is key modern IT management. Companies are starting to expect this level of service from IT, whether it’s internal IT or Managed Service Providers. Technology has to be a key part of business strategy any more, and if IT wants to be included in those conversations (and they do need to be!) then achieving these principles are going to be vital.

Kolide makes a wonderful product that can help with many of these areas. Their guide on Honest Security outlines their company philosophy, and is well worth reading. We mix in the Honest Security principles with how we do things, and I think it’s great to see a different methodology on how to effectively manage users in an organization.

Links

BeyondCorp and Zero Trust

Mon, 14 Feb 2022 11:50:56 GMT

Zero trust has been one of the most over used buzz words (or buzz terms, I suppose?) in cyber security for several years, however I think it’s important to understand what it actually is, and what it means, because it’s really important once you see through all of the marketing smoke and mirrors that are out there.

Where did Zero Trust come from?

For many years, Cyber Security primarily focused on perimeter defense. You would force all of your secure assets, applications, data, etc. on to one fairly monolithic network, and then have a firewall in place to act like a gatekeeper to that network. Only secure company resources should be allowed on this network, and when you’re on the network you can access the sensitive or secure data that you need.

This methodology lasted a long time, and over time slowly matured to include things like network segmentation, where you could have sections of less secure devices but still keep the “crown jewels” locked down more tightly. People also started introducing several “layers” of security, so hopefully if someone were able to get past one layer of defense, there would be something else in place (i.e. extra authentication) to prevent you from being able to get all the way in to whatever you were trying to access.

As threats evolved, however, this became somewhat outdated. Several things were changing. Attacks were becoming far more sophisticated, and our legitimate needs to use networks were rapidly expanding and evolving, and with more access requirements, we were opening more and more attack surfaces. Attackers could also just compromise a legitimate user, and then use that User’s access to move laterally through the network to get whatever they were looking for.

In 2011, Lockheed Martin published a paper about a new kind of framework, with a similar methodology based on military strategy, and called it the Cyber Kill Chain.

The Cyber Kill Chain introduced ideas such as an advanced persistent threat, where someone could establish a foothold at one point, then just wait to execute a payload until later. It also defined several different types of threats. This methodology modernized the approach to cyber security in many ways, and informs how we look at many modern threats to this day. One of the key ideas is to try to assume that you are already compromised, and then design defenses to limit the material damage that can be done given that fact.

The idea of the kill chain is that for a successful attack to take place, they often need to chain together several exploit methods to gain access or attack your infrastructure, and rather than a perimeter defense acting only as a gatekeeper, you would have multiple methods of defense looking for all types of exploits, lateral movement within a secure network, or evidence of advanced persistent threats, and you try to head off the chain of attack, rather than strictly preventing entry to your network.

Cyber Kill Chain is primarily a new methodology to approach Cyber Security, but in 2014 Google published their now famous BeyondCorp papers, which laid out a new kind of architecture methodology. A way to design your network and applications in a far more resilient way. BeyondCorp really started the concept of Zero Trust.

What is Zero Trust really?

Zero Trust is difficult to define for a few reasons. First, I see it more as a philosophy of how to design architecture, rather than a specific thing that you can directly “implement”. There’s no such thing as a perfect Zero Trust deployment, but it’s a goal that continues to evolve as technology becomes available to help implement it, and as we evolve our systems to be made in ways that support Zero Trust.

So again, what is Zero Trust really? Well the broad idea is first, the traditional perimeter based network is essentially completely gone. Access should be limited to only what you need, and verification that you are who you say you are, and that you are safe to access something is a continual process including several parts.

User trust - Determining that a user is who they say they are. This is where identity verification comes in. Realistically you need an identity provider to provide this part well. A good identity provider is looking at all sorts of data to determine that you are who you say you are. Username, password, multi-factor authentication, possibly biometric authentication, and several other factors go in to determining the likelihood of you being who you claim to be. Ideally, this is not just a one time verification, but something that is continuously checked during any session to help prevent session hijacking.
Device trust - Next, it is important to learn about the device that you are using to connect from. Typically organizations will want to check the device to see if it is a corporate owned device, so verifying that it is in inventory would be one part of device posture. There are several other things that you can check, such as an up to date endpoint security tool (sometimes you may just want to check that they have any endpoint security, other times you may want to only allow access with your corporate controlled endpoint security, allowing you to enforce other policies as well), or you may even want to check that a certificate is installed on that device. There are many things that can be checked on the device posture to ensure that the device is safe and authorized to access whatever resource is being accessed.
Application Policy - Each Application itself (Application can be a little loose here, this could be an actual application or any other type of network resource really) can have a granular policy with a different fine-grained set of requirements in order to access the resource. Depending on what the application policy is set to, it can react differently based on the User and Device trust. For instance, an Application could even present more challenges to a User if the confidence isn’t high enough that a User is who they say they are. Or maybe in some cases, if they meet a more relaxed set of policies, maybe they can have read only access, but a more strict set of policies are required in order to actually write to the data. This can be extremely flexible based on the org and the Applications that they use.

A key part of the application policy that is not something companies have been very good at is that application access should only be granted to people who actually need it. Do not give any access that is not needed.

Sounds great! I’ll have one of those!

Zero Trust as an idea is great, but like I said earlier, it is more of a philosophy. It all sounds great, but actually implementing it is extremely difficult, and arguably, you probably can never actually “achieve” it. Even Google, who has spent an enormous amount of time, effort, and boatloads of cash implementing this is definitely not 100% there. In fact, from the BeyondCorp papers themselves -

Despite all the best efforts to define, roll out, measure, and enforce controls, you may inevitably face the harsh reality that 100% uniform control deployment is a mythical state where unicorns frolic unconcerned about malware and state-sponsored attackers.

If Google, who custom builds their entire platform from the hardware that runs in their data centers (even the fiber running between them) to the cloud software and applications, to even the browser where almost all of their internal work takes place, can’t 100% implement BeyondCorp or Zero Trust implementations, what chance do we have?

Well, it doesn’t take long on the internet to find a bunch of people on both sides of this argument. People love to write how it’s impossible to achieve and that everyone saying otherwise is lying. They aren’t completely wrong, because on the other side, there are thousands of companies out there claiming that if you “buy their product, they can just plug and play Zero Trust”, which is absolutely not true. I don’t think it’s hard to see that 100% compliance with this idea is possible, but I’m also pretty optimistic about Zero Trust the concept, and think it’s extremely worthy of pursuing.

Conclusion

There are many pieces to Zero Trust, and each piece will require specific tools, and sometimes multiple tools. Some of these are far more mature than others. Identity management has come a long way in the last few years. Azure AD, Okta, Google Identity, and others are all tackling this problem, and more and more SaaS applications are fully supporting these authentication methods (although many charge more for it, which I think is a problem. You can help shame these companies by looking at https://sso.tax).

Device posture is making a lot of progress more recently, but still has a long way to go. This is a very segmented part of the market and most tools do not talk to each other. Additionally, many legacy Applications are still in use out there, and for many of these, solutions to help plug those in to a Zero Trust environment are still being made, or are in the very early stages of even working.

Another thing to be mindful of is that this is not entirely exclusive to “users” to “applications”, but also should apply when applications need to talk to each other, or if an application needs to talk to a database, etc.

Still, I think the technology is further along than many people might think, and you can do some really great things in this space. In fact, I would argue that if you take the time to design these correctly, you not only have a more secure environment, but a more flexible one (more important now than ever with our changing work environments), and I think even a better user experience. I see a world where a correctly configured device just has access to everything it needs, keeps itself automatically up do date with device posture policies, and people are able to more easily access network resources without the need for clunky and unreliable VPN’s.

Links

Open In

Sun, 30 Jan 2022 04:27:57 GMT

I wanted to quickly mention an app that has dramatically improved my workflow for the better.

Open In is a Mac App that allows you to choose how different links are handled, such as only opening in a specific browser, or even which specific Chrome Profile, which is the real game changer for me. Now I can set up a specific list of URL's to open only in my work profile, and other URL's to only open in my personal profile. You can also have it just ask you which browser to open in when you click on a link.

Check out Open In from the Mac App Store.

Links

Web3 Continued

Sun, 30 Jan 2022 04:18:31 GMT

Recently I posted a link to Moxie Marlinspikes article about his skepticism on all the Web 3 hype lately. Full post here.

I wanted to add to the skepticism with this video on YouTube. Titled "The Line Goes Up - The Problem With NFTs", this video really goes in to a lot of the problems with cryptocurrency and blockchains in general, and how they are basically just fuel for scams. It's a long watch, but extremely well done.

External link to video on YouTube - The Line Goes Up - The Problem With NFTs

Links

Determining Mac Hardware Manufacture Date Using OSQuery

Sat, 22 Jan 2022 05:00:36 GMT

We use Kolide on our managed Mac fleet for our customers, which has proven to be an incredibly powerful tool. They recently wrote in a blog post how you can use OSQuery to look up the hardware manufacture date of your Macs. It’s pretty cool, check out the article here -

Determining Mac Hardware Manufacture Date Using OSquery

UPDATE

Here is the actual query that the article ends up with, but I highly recommend reading the whole thing. I think it is extremely interesting.

WITH
serial_partial AS (
  SELECT
    SUBSTR(hardware_serial,4,1) AS char_4,
    SUBSTR(hardware_serial,5,1) AS char_5
  FROM system_info
),
mac_manufacture_year(char_4,year,offset) AS (
VALUES
('C','2020',0),('D','2020',26),('F','2021',0),('G','2021',26),('H','2022',0),('J','2022',26),('K','2013',0),('L','2013',26),('M','2014',0),('N','2014',26),('P','2015',0),('Q','2015',26),('R','2016',0),('S','2016',26),('T','2017',0),('V','2017',26),('W','2018',0),('X','2018',26),('Y','2019',0),('Z','2019',26)
),
mac_manufacture_week(char_5,week) AS (
VALUES
('1',1),('2',2),('3',3),('4',4),('5',5),('6',6),('7',7),('8',8),('9',9),('C',10),('D',11),('F',12),('G',13),('H',14),('J',15),('K',16),('M',17),('N',18),('L',19),('P',20),('Q',21),('R',22),('T',23),('V',24),('W',25),('X',26),('Y',27)
),
merge_data AS (
  SELECT
    year,
    (week + offset) AS week
  FROM serial_partial
  JOIN mac_manufacture_year USING(char_4)
  JOIN mac_manufacture_week USING(char_5)
),
date_modified AS (
  SELECT
    year || '-01-01' AS year_start,
    ('+' || (week * 7) || ' days') AS offset_days
  FROM merge_data
)
SELECT *,
  date(year_start,offset_days) AS manufacture_date
FROM date_modified;

Links

Chrome Keywords Update

Wed, 12 Jan 2022 12:18:26 GMT

I wanted to provide a quick update to some previous posts about Chrome search engines in these 2 posts -

Previously when I posted those, Google would start the search as soon as you hit the space bar, which often made it a little difficult. Recently Google added the option to switch the keyword to either Space or only Tabs. I find it much easier to use Tab.

Links

Web3

Mon, 10 Jan 2022 03:29:20 GMT

I have been pretty skeptical of the whole web3 craze that has been going on lately (let alone ceding control to certain large social media company…). Regardless, I thought this was a very interesting take on it and some of the problems present in the current “web3” technologies out there.

I have a lot of conflicting ideas on “centralized” internet and technologies but I think there are a lot of really good points about it in this article.

Moxie Marlinspike >> Blog >> My first impressions of web3

Links

https://moxie.org/2022/01/07/web3-first-impressions.html

Homescreen - 2022

Sun, 09 Jan 2022 10:10:29 GMT

As we start 2022, I thought it might be interesting to document my main home screen on my phone and talk about some of my favorite apps.

Widgets

Fantastical - Fantastical is an amazing calendar application. The subscription is a little pricey, and there are some good free calendar solutions out there. I also have the Google Calendar app on my home screen, which I’ll explain in a bit. On the second page, I have another Fantastical widget that shows me what is coming up next on my calendar, but on the home page I just like being able to see the day and date really clearly. Tapping on it opens up the Fantastical app. The built in iOS calendar app is very nice looking, but lacks a lot of features. It might not be a problem, but when you use Google Workspace or Microsoft 365 calendars, it is not very good at picking up changes very quickly, which to me completely defeats the purpose of the calendar app.

Carrot Weather - I started using the Carrot Weather app years ago, because of the snarky comments that are pretty funny, but over the last year the developer added a huge amount of customization options, allowing you to essentially create your own personal weather app with exactly the info you want, and how you want it to look. Unfortunately over the last couple of years, things like the Air Quality Index and Wet Bulb temperature have become more important to track, and it’s really nice to be able to make those front and center.

Apps

Google Calendar - There are some features that only the Google Calendar app or website offer, such as seeing other people’s availability, or setting your time to out of office. It’s a little bit of a weird workflow, but for me it works to use both Google Calendar and Fantastical.

Bear - Bear is a markdown based note taking app that I really love using. I started using this when Evernote started becoming super bloated, slow, and costing too much money for what it does.

1Password - 1Password is an amazing password manager that I highly recommend. You absolutely should use a password manager and generate complex and unique passwords, and for me 1Password is the best of all of them. I use it for business and personal, and it does a great job handling both, while also keeping them separate.

Tweetbot - I really dislike algorithmically based timelines in social media apps. I won’t go down that rabbit hole in this post, but needless to say, I think it’s extremely toxic. I don’t enjoy using the main Twitter app, but luckily Twitter has allowed 3rd party apps to build off their API, and there are some pretty good ones. Twitter has actually been enhancing their API recently which allows these apps to be even better. Both Twitterific and Tweetbot are fantastic, but I prefer the features available in Tweetbot personally. Chronological timeline, being able to mute people for specific amounts of time or indefinitely, and more.

Overcast - My favorite podcast app. Simple to use, and has really great voice boost and smart speed technology to make podcasts even better. I listen to a lot of podcasts and use this all the time.

Apollo - Same reasons as Tweetbot, but for Reddit. 3rd party app that makes the experience much more enjoyable and much less toxic.

Reeder - This is a new app for me. This is a pretty great RSS reader, which recently added iCloud sync for the RSS feeds, which is important to me. Lots of RSS readers are good, but most of them require that you pay for an additional RSS aggregation service, and I personally really don’t want to do that.

Superhuman - Superhuman is expensive, particularly if you are already paying for Google Workspace, but if you get a large volume of email, and sorting it quickly and efficiently is important to you, I highly recommend it. It saves me a huge amount of time every week and helps me stay organized. Secondary to that, I use the Gmail app over any other mail app. It integrates with the Gmail API rather than SMTP like most other apps do, and the notifications will be on time, and it loads your inbox and folders extremely quickly.

Intel Problems

Wed, 20 Jan 2021 07:00:00 GMT

I have been saying for a couple of years that Intel has been dropping the ball big time. They have had massive delays over several promised product launches and process shrinks and unfortunately for them, the rest of the world has caught up or even surpassed them. They clearly totally missed the mobile revolution, and with big moves from companies like Apple moving to their own silicon design, and even public cloud providers like Google and Amazon making their own server silicon based on ARM, Intel has gone from dominant giant to playing defense.

Ben Thompson writes about this in detail at Stratechery, and does an excellent job of summarizing some of the biggest problems facing Intel, which I highly recommend.

Intel Problems

Links

https://stratechery.com/2021/intel-problems/

5G Misconceptions

Mon, 04 Jan 2021 00:54:46 GMT

There are so many tech journalists who are writing about how 5G doesn’t seem like it’s that big of a deal, then compare it to when networks changed to 3G and then 4G. There are a few things that stand out to me about the commentary that is consistent almost all across the board.

First - They complain about how it isn’t super widely rolled out yet. They just have really short memories. Compared to 3G and 4G, the 5G rollout is MUCH further along in the same timeframe. In fact, I was working at Apple when 3G first rolled out, and it was an utter disaster. The network completely died when the iPhone 3G launched, and had consistent problems for several months after. 4G was definitely not as messy, but the coverage was sparse for a VERY long time. Both technologies revolutionized how we do things, once they hit maturity, and I don’t think 5G will be any exception.

Second - Speed tests are sometimes the same speed or slower than 4G LTE. Anyone who has worked in IT long enough knows that speed tests are only a small part of the overall network story. The speed you get to a speed test server is important, but it’s not all that is required for you to be able to do things on the internet. Sub 6GHz 5G speed tests are going to be approximately the same as 4G right now, and in some cases might be a little slower than LTE (it’s a brand new network still being rolled out, I think we can cut it some slack at the moment…) but that’s not the point of the sub 6GHz network. I’ll talk about that more in a bit.

Third - Sure, mmWave speed tests are pretty insane, but why do I need that much speed? Well, I think there are two answers to that. Maybe you don’t and never will, but I think that’s short sighted. At almost any point in the internets history, you can point to people saying that they don’t need more speed than whatever they are getting at the moment, but they don’t seem to acknowledge the fact that new technologies become available when more speed is accessible. At one point, loading pictures on a web page seemed crazy, now we can stream 4K TV and movies no problem, back up our whole computer to a cloud based backup service, and even stream console quality games in 4K over the internet with unbelievably low latency (Like Stadia)

I think part of the confusion is that 5G is really two different stories coming out at the same time. The mmWave technology with insane speed (I got 2.2 Gb/s download speeds when I tested it on my phone yesterday), and the sub-6GHz technology. mmWave is really about building for the future, but will be a much slower rollout. The advertisements for 5G love to focus on the mmWave part. With those speeds and incredibly low latency, you could perform surgery remotely over a wireless connection. You could load gigantic AutoCAD files or Final Cut Pro files in minutes if not seconds. As I said earlier, this will also likely lead to technologies that we aren’t considering right now. Just because it isn’t widely available though, doesn’t mean it isn’t awesome and won’t be revolutionary.

Sub 6GHz is a less flashy technology, but it is important for a few reasons. First, it can use the same towers as 4G LTE, so it can (and has been) deployed much faster. Verizon has a very good coverage map already, and AT&T is getting close to nation wide coverage as well. The speed difference won’t be immediately evident, and may never be hugely faster than 4G LTE, but the two major advantages are related to network capacity. Similar to WiFi 6, all 5G network connections are using MIMO (Massive MIMO in 5G’s case), as well as beam forming, which will give you a more consistent network experience, as well as dramatically increase the number of connections a cell tower can handle at a time.

A lot of people talk about how this will help at sporting events, or concerts (remember when we could go to those?) but it will also become increasingly important as more things connect to the internet, and can do so via cellular. I think carriers have been reluctant to allow IoT devices to connect to their network without a substantial premium, simply because of overall network capacity issues. With 5G that can, and will change. Over the next few years, look for more things to connect to cellular networks, and keep an eye on what cutting edge tech like mmWave opens up. In a few years it will seem obvious in retrospect.

Flash

Fri, 01 Jan 2021 00:00:00 GMT

On December 31, 2020, Adobe finally officially pronounced Flash end of life. You really should have removed Flash a while ago but if you haven’t yet, now is definitely the time.

Over here at Der Flounder, there’s a script for Mac that will help you do just that.

Here’s a direct link to the script on GitHub - Link

Links

macOS FileVault

Wed, 30 Dec 2020 18:00:00 GMT

In a recent blog post, Kolide speaks about a recent update to OSQuery that will now correctly determine the difference between a modern Mac being encrypted vs. having FileVault enabled. Historically, those meant essentially the same thing. If your Mac was encrypted, it meant that FileVault was turned on. Ever since Apple started introducing the Secure Enclave on their Macs, however, that is no longer the case. All disks are encrypted, and that is not necessarily the same thing as having FileVault enabled.

Kolide briefly explains this in this section of their post -

Before the introduction of the T2 security chip, disk encryption was synonymous with FileVault configuration on macOS. However, with hardware encryption this distinction became multi-faceted. This nuance was particularly problematic for security agents that did not differentiate between a disk that was ‘encrypted’ and a device that had FileVault configured.

Luckily OSQuery is now updated to know the difference. Read their full blog post to find out more info.

One thing I wanted to add is why Apple does this. There are a few reasons why the disk is encrypted regardless of whether FileVault is enabled or not. There are many specific edge case reasons I won’t get into, but one of the biggest reasons is that it makes it much easier to erase the disk with this method. It also makes the process much more secure, without sacrificing speed. In fact, it’s significantly faster than it was historically.

With old systems, if you booted to a recovery mode, or an external disk, then erased the internal disk of a computer, you were essentially just telling the disk “this space is now available and can be written over”. The data wasn’t actually erased, and much if not all of it could be recovered if someone knows what they are doing and has the right tools. If you were selling a machine, for instance, this isn’t very good. You could tell Disk Utility to write zeros over the whole disk, but this was a very slow process since it literally has to write data to the whole disk before it’s complete.

With Macs using the Secure Enclave, and the whole disk is encrypted (again, even if FileVault isn’t enabled. Even if you don’t have a password on the machine at all) then all the machine needs to do to erase the whole disk securely is to erase the keys that were used to encrypt the disk. This effectively wipes the whole drive in a very secure way where the files are no longer recoverable and happens MUCH faster than writing zeros to the whole disk.

All of this is important to know, however, I would still strongly recommend just enabling FileVault on your machine. It adds a significant layer of security to your machine, and the overhead performance cost of doing so is completely gone on modern Macs. Additionally, you absolutely should never have your computer not have a password at all anymore.

Kolide provides a hosted OSQuery instance that provides fast and detailed insight into your endpoints and is built around user-focused security. Check out their product and other blog posts.

Links

https://kolide.com

Godaddy Fake Bonus

Sat, 26 Dec 2020 00:00:00 GMT

As originally reported in the Copper Courier, GoDaddy sent an email to employees this last week, promising a $650 bonus. The email starts -

2020 has been a record year for GoDaddy, thanks to you!

Though we cannot celebrate together during our annual Holiday Party, we want to show our appreciation and share a $650 one-time Holiday bonus!

To ensure that you receive your one-time bonus in time for the Holidays, please select your location and fill in the details by Friday, December 18th.

The email was sent from happyholiday@godaddy.com and promised a small bonus in a year where everyone could desperately use some relief. Turns out, it was just an internal phishing test, and a few days later, another email was sent to everyone who clicked on the email from GoDaddy’s Chief Security Officer saying that they had failed a recent phishing test and will need to retake the company Security Awareness Social Engineering training.

There are many problems I have with all of this. I’ll start with the most obvious, that I hope everyone can agree on. While I am not going to argue that someone who was actually trying to be malicious might try to pull something like this, because we know they would, that doesn’t mean that GoDaddy should be so incredibly tone-deaf during such an awful year. It would be one thing if they did this, and it was a phishing email, but the bonuses were still handed out. I still think that’s an asshole thing to do, but at least they wouldn’t be dangling a small piece of financial security over people and then yanking it away just to make people take another training.

Additionally, the effectiveness of these kinds of tests are dubious at best. I have been in IT for many years, including managing many very large email deployments, and I would argue that this type of phishing email tests are absolutely useless. End-users need to be involved in security, absolutely, but this is not the right way to do it. You need users to understand the importance of security, know what to look for in emails that may potentially be malicious, and most importantly, you need them to buy into the overall security of your company. You need them to be invested in what’s best for the company. Purposely laying traps for your employees is not how you do that. That’s how you make your employees resent working for you, resent the security and IT teams, and just not want to engage in the company in general.

Additionally, it is definitely possible with the right tools in place to almost completely eliminate phishing and malicious emails for your domain, particularly people trying to spoof your domain. Spoofing your domain is when you impersonate a company domain, in this case potentially making your email look like it’s coming from godaddy.com when it would really be coming from somewhere else. Since it is possible (I’d even say not that difficult) to very effectively block these kinds of attacks, I think that it is safe for employees to assume a certain level of baseline security within their organization, and if they see an email that looks like it’s legitimately from godaddy.com, and it made it through any filters that are in place, I don’t think it’s inappropriate to assume that the Security team did their jobs and it’s safe to click on that link. This is a failure of the Chief Security Officer, not of the employees at GoDaddy.

I won’t name the company, but at a previous job, we were a subsidiary of a larger company. We had about 9,000 employees at the time, and our parent company reached out to us and told us that they wanted to do a phishing test, similar to this. It was not anywhere near this tone-deaf in its message, but regardless I pushed back for all of the reasons I listed above. I was told we needed to do it anyway.

There was a 3rd party security company that was actually sending the emails on our behalf, and (shocker!) our spam/phishing filters immediately blocked it 100%. I had been told that I can’t tell anyone else on the team about this email, because IT was being targeted for this test as well. So I was asked to specifically put this sender on the permanent “allowlist” so they could send it again. It went out and a few people manually marked it as spam, which triggered an internal IT ticket, and one of our IT employees reviewed it, determined that it was not legitimate, and triggered a script to remove it from all end-users emails again. Only one person had clicked on the link out of all 9,000 employees before this process was triggered. Naturally, the 3rd party company and our parent company weren’t happy about this (the parent company had done much worse in this test).

Eventually, we had to manually place the email in everyone’s inboxes manually, and essentially disable all of our security measures in order to allow the email to stay there. I had to let the IT team in on it to prevent our fail-safe processes from being triggered as well. Naturally, after disabling all of our security measures, many more people “fell for” the phishing email and were required to take security training courses. In this particular case, it reflected poorly on our own IT department, not even on the parent company or the other 3rd party “security” company that was running this test. To this day, that whole experience does not sit well with me.

As long as these kinds of “gotcha” security awareness, we aren’t going to solve anything. It’s demoralizing, and it does not encourage the kind of user buy-in that is needed to have effective security.

Chrome Keywords Examples

Fri, 15 Mar 2019 00:49:40 GMT

Some follow-up specific examples regarding my last article about Chrome Keywords. In these examples, you can set the keyword to whatever you would like, and whatever makes sense to you, but I wanted to provide some example URL's with the %s in the string. The Keywords I provide below are just what I have used and what I recommend.

Duck Duck Go -

Keyword - duck URL with query in place -

https://duckduckgo.com/?q=%s

Bing -

Keyword - bing URL with query in place -

https://www.bing.com/search?q=%s&PC=U316&FORM=CHROMN

Google Cloud Search -

Keyword - cloud URL with query in place -

https://cloudsearch.google.com/cloudsearch/search?authuser=0&q=%s

Wolfram Alpha -

Keyword - wolf (also considered “wa”) URL with query in place -

http://www.wolframalpha.com/input/?i=%s

GitHub -

Keyword - github URL with query in place -

https://github.com/search?q=%s&ref=opensearch

Google Drive -

Keyword - drive URL with query in place -

https://drive.google.com/drive/search?q=%s

Google Maps -

Keyword - maps URL with query in place -

https://www.google.com/maps/search/%s?hl=en&source=opensearch

YouTube -

Keyword - youtube URL with query in place -

https://www.youtube.com/results?search_query=%s&page={startPage?}&utm_source=opensearch

Hope these are helpful, and can get you started on thinking of your own keywords to use!

Chrome Keywords - Power User

Wed, 06 Mar 2019 07:00:00 GMT

This week I learned about a powerful feature within Chrome that has honestly completely changed my workflow. After looking around on the internet I found out that this has existed for a while, but it is something new to me, so I thought I would share.

I discovered this because I was trying to find a way to use Google Cloudsearch (Google Cloud Search: Search Gmail, Drive & More | G Suite) more effectively. If you are a G Suite customer and haven’t used Cloudsearch before, I would highly recommend you give it a shot. Think of it like Google, but for your G Suite data. You can type a search in for just about anything, and it will find it in your G Suite docs, emails, calendar, etc. and is much better at understanding natural language than the Gmail, Docs, or calendar searches that are built in to each individual product. They also recently opened up the API to allow applications to use Cloudsearch with external applications as well. I will do a longer write up on Cloudsearch at some point, but it’s an amazing tool, and I rarely use it because you need to go to a specific URL (https://cloudsearch.google.com) to use it. I wanted a chrome extension, or a keyboard shortcut that I could use so I could use Cloudsearch more easily.

In searching for some solution on how to invoke Cloudsearch more easily, it was recommended to me to set up a “keyword” in chrome. Something like “Cloud” that I could type and it would know to use Cloudsearch to do whatever I was typing next.

To edit keywords, open up your Chrome settings by going to chrome://settings and then scroll down to Manage Search Engines. You can also go there directly by going to

chrome://settings/searchEngines

Google will automatically create some keywords for you. I didn’t realize that this is what it was doing, but for instance if I typed in youtube.com in my chrome and just did a space at the end of it, it would come up with a search field for YouTube, without even going to the site. The cool thing is, these are all customizable, and you can even go in and create your own!

For me, the first thing I did was remove the .com from all of the ones that I actually use. I changed youtube.com to just youtube,github.com to github, and even made maps.google.com to just maps. If you want, you can make it really easy to use a different search engine, just by typing a keyword first. For instance I set up duck duck go with the keyword duck to make it easy to switch, in case I want to do a more private search.

In the case of Cloudsearch, they didn’t pre-populate one for me to edit, so I needed to add a new one on my own. I went in to Add under “Other search engines” and named it Cloud Search, with the keyword cloud (you can use whatever you’d like, that’s just what I chose). In the URL section you need to replace the query section of the URL with %s, so in this case my URL is

https://cloudsearch.google.com/cloudsearch/search?authuser=0&q=%s

That’s it! Now I can just type cloud in to the URL, followed by a space, and it will just search my Google Cloud search for whatever I type in. For me this was a HUGE time saver!

Steve Jobs - Seven Years Later

Sat, 06 Oct 2018 06:24:21 GMT

Seven years ago today, Steve Jobs passed away. I wanted to briefly reflect on him, as he had a huge impact on my life and is someone I greatly admired.

I had the fortune of working for Apple for several years, and after Steve's death, we closed every Apple Store in the company so that we could live stream the memorial service. It was one of the most meaningful memories that I have, and one of the actual attendees brought me a program from the memorial, which is one of my prized possessions.

In the program, it contains all of the words from his Stanford commencement speech, which I can honestly say changed my life the first time I heard it, and is something I revisit at least once a year. Here is the full text of the speech -

I am honored to be with you today at your commencement from one of the finest universities in the world. I never graduated from college. Truth be told, this is the closest I’ve ever gotten to a college graduation. Today I want to tell you three stories from my life. That’s it. No big deal. Just three stories.

The first story is about connecting the dots.

I dropped out of Reed College after the first 6 months, but then stayed around as a drop-in for another 18 months or so before I really quit. So why did I drop out?

It started before I was born. My biological mother was a young, unwed college graduate student, and she decided to put me up for adoption. She felt very strongly that I should be adopted by college graduates, so everything was all set for me to be adopted at birth by a lawyer and his wife. Except that when I popped out they decided at the last minute that they really wanted a girl. So my parents, who were on a waiting list, got a call in the middle of the night asking: “We have an unexpected baby boy; do you want him?” They said: “Of course.” My biological mother later found out that my mother had never graduated from college and that my father had never graduated from high school. She refused to sign the final adoption papers. She only relented a few months later when my parents promised that I would someday go to college.

And 17 years later I did go to college. But I naively chose a college that was almost as expensive as Stanford, and all of my working-class parents’ savings were being spent on my college tuition. After six months, I couldn’t see the value in it. I had no idea what I wanted to do with my life and no idea how college was going to help me figure it out. And here I was spending all of the money my parents had saved their entire life. So I decided to drop out and trust that it would all work out OK. It was pretty scary at the time, but looking back it was one of the best decisions I ever made. The minute I dropped out I could stop taking the required classes that didn’t interest me, and begin dropping in on the ones that looked interesting.

It wasn’t all romantic. I didn’t have a dorm room, so I slept on the floor in friends’ rooms, I returned Coke bottles for the 5¢ deposits to buy food with, and I would walk the 7 miles across town every Sunday night to get one good meal a week at the Hare Krishna temple. I loved it. And much of what I stumbled into by following my curiosity and intuition turned out to be priceless later on. Let me give you one example:

Reed College at that time offered perhaps the best calligraphy instruction in the country. Throughout the campus every poster, every label on every drawer, was beautifully hand calligraphed. Because I had dropped out and didn’t have to take the normal classes, I decided to take a calligraphy class to learn how to do this. I learned about serif and sans serif typefaces, about varying the amount of space between different letter combinations, about what makes great typography great. It was beautiful, historical, artistically subtle in a way that science can’t capture, and I found it fascinating.

None of this had even a hope of any practical application in my life. But 10 years later, when we were designing the first Macintosh computer, it all came back to me. And we designed it all into the Mac. It was the first computer with beautiful typography. If I had never dropped in on that single course in college, the Mac would have never had multiple typefaces or proportionally spaced fonts. And since Windows just copied the Mac, it’s likely that no personal computer would have them. If I had never dropped out, I would have never dropped in on this calligraphy class, and personal computers might not have the wonderful typography that they do. Of course it was impossible to connect the dots looking forward when I was in college. But it was very, very clear looking backward 10 years later.

Again, you can’t connect the dots looking forward; you can only connect them looking backward. So you have to trust that the dots will somehow connect in your future. You have to trust in something — your gut, destiny, life, karma, whatever. This approach has never let me down, and it has made all the difference in my life.

My second story is about love and loss.

I was lucky — I found what I loved to do early in life. Woz and I started Apple in my parents’ garage when I was 20. We worked hard, and in 10 years Apple had grown from just the two of us in a garage into a $2 billion company with over 4,000 employees. We had just released our finest creation — the Macintosh — a year earlier, and I had just turned 30. And then I got fired. How can you get fired from a company you started? Well, as Apple grew we hired someone who I thought was very talented to run the company with me, and for the first year or so things went well. But then our visions of the future began to diverge and eventually we had a falling out. When we did, our Board of Directors sided with him. So at 30 I was out. And very publicly out. What had been the focus of my entire adult life was gone, and it was devastating.

I really didn’t know what to do for a few months. I felt that I had let the previous generation of entrepreneurs down — that I had dropped the baton as it was being passed to me. I met with David Packard and Bob Noyce and tried to apologize for screwing up so badly. I was a very public failure, and I even thought about running away from the valley. But something slowly began to dawn on me — I still loved what I did. The turn of events at Apple had not changed that one bit. I had been rejected, but I was still in love. And so I decided to start over.

I didn’t see it then, but it turned out that getting fired from Apple was the best thing that could have ever happened to me. The heaviness of being successful was replaced by the lightness of being a beginner again, less sure about everything. It freed me to enter one of the most creative periods of my life.

During the next five years, I started a company named NeXT, another company named Pixar, and fell in love with an amazing woman who would become my wife. Pixar went on to create the world’s first computer animated feature film, Toy Story, and is now the most successful animation studio in the world. In a remarkable turn of events, Apple bought NeXT, I returned to Apple, and the technology we developed at NeXT is at the heart of Apple’s current renaissance. And Laurene and I have a wonderful family together.

I’m pretty sure none of this would have happened if I hadn’t been fired from Apple. It was awful tasting medicine, but I guess the patient needed it. Sometimes life hits you in the head with a brick. Don’t lose faith. I’m convinced that the only thing that kept me going was that I loved what I did. You’ve got to find what you love. And that is as true for your work as it is for your lovers. Your work is going to fill a large part of your life, and the only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do. If you haven’t found it yet, keep looking. Don’t settle. As with all matters of the heart, you’ll know when you find it. And, like any great relationship, it just gets better and better as the years roll on. So keep looking until you find it. Don’t settle.

My third story is about death.

When I was 17, I read a quote that went something like: “If you live each day as if it was your last, someday you’ll most certainly be right.” It made an impression on me, and since then, for the past 33 years, I have looked in the mirror every morning and asked myself: “If today were the last day of my life, would I want to do what I am about to do today?” And whenever the answer has been “No” for too many days in a row, I know I need to change something.

Remembering that I’ll be dead soon is the most important tool I’ve ever encountered to help me make the big choices in life. Because almost everything — all external expectations, all pride, all fear of embarrassment or failure — these things just fall away in the face of death, leaving only what is truly important. Remembering that you are going to die is the best way I know to avoid the trap of thinking you have something to lose. You are already naked. There is no reason not to follow your heart.

About a year ago I was diagnosed with cancer. I had a scan at 7:30 in the morning, and it clearly showed a tumor on my pancreas. I didn’t even know what a pancreas was. The doctors told me this was almost certainly a type of cancer that is incurable, and that I should expect to live no longer than three to six months. My doctor advised me to go home and get my affairs in order, which is doctor’s code for prepare to die. It means to try to tell your kids everything you thought you’d have the next 10 years to tell them in just a few months. It means to make sure everything is buttoned up so that it will be as easy as possible for your family. It means to say your goodbyes.

I lived with that diagnosis all day. Later that evening I had a biopsy, where they stuck an endoscope down my throat, through my stomach and into my intestines, put a needle into my pancreas and got a few cells from the tumor. I was sedated, but my wife, who was there, told me that when they viewed the cells under a microscope the doctors started crying because it turned out to be a very rare form of pancreatic cancer that is curable with surgery. I had the surgery and I’m fine now.

This was the closest I’ve been to facing death, and I hope it’s the closest I get for a few more decades. Having lived through it, I can now say this to you with a bit more certainty than when death was a useful but purely intellectual concept:

No one wants to die. Even people who want to go to heaven don’t want to die to get there. And yet death is the destination we all share. No one has ever escaped it. And that is as it should be, because Death is very likely the single best invention of Life. It is Life’s change agent. It clears out the old to make way for the new. Right now the new is you, but someday not too long from now, you will gradually become the old and be cleared away. Sorry to be so dramatic, but it is quite true.

Your time is limited, so don’t waste it living someone else’s life. Don’t be trapped by dogma — which is living with the results of other people’s thinking. Don’t let the noise of others’ opinions drown out your own inner voice. And most important, have the courage to follow your heart and intuition. They somehow already know what you truly want to become. Everything else is secondary.

When I was young, there was an amazing publication called The Whole Earth Catalog, which was one of the bibles of my generation. It was created by a fellow named Stewart Brand not far from here in Menlo Park, and he brought it to life with his poetic touch. This was in the late 1960s, before personal computers and desktop publishing, so it was all made with typewriters, scissors and Polaroid cameras. It was sort of like Google in paperback form, 35 years before Google came along: It was idealistic, and overflowing with neat tools and great notions.

Stewart and his team put out several issues of The Whole Earth Catalog, and then when it had run its course, they put out a final issue. It was the mid-1970s, and I was your age. On the back cover of their final issue was a photograph of an early morning country road, the kind you might find yourself hitchhiking on if you were so adventurous. Beneath it were the words: “Stay Hungry. Stay Foolish.” It was their farewell message as they signed off. Stay Hungry. Stay Foolish. And I have always wished that for myself. And now, as you graduate to begin anew, I wish that for you.

Stay Hungry. Stay Foolish.

Thank you all very much.

1Password and iOS12 - Released!

Tue, 18 Sep 2018 06:00:00 GMT

Apple released iOS 12 yesterday, with a whole bunch of awesome new features.

One of my favorite new features, however, has largely flown under the radar. At WWDC, it was announced in one of the developer sessions that they would be adding support for password managers to use the native API for password auto fill, meaning Dashlane, 1Password, LastPass, and others would be able to present you your managed passwords natively in iOS, without you needing to link it to the other app.

This seems like it may be a small deal, but it honestly has already radically changed my workflow on iOS for the better.

More information about how this works, as well as a few other features of iOS 12 that weren't directly talked about by Apple at their developer conference can be found here, at The Verge, by Chris Welch.

Links

Back to my Mac Removal

Tue, 21 Aug 2018 00:00:00 GMT

Apple has made the decision to remove "Back to my Mac" from the forthcoming macOS Mojave.

I have had mixed luck with Back to my Mac. When it works, it works well, but it seems like a lot of the time it just doesn't connect, and doesn't give you a clear reason as to what happened, or how to fix it.

From Apple's support site -

If you have multiple Macs, screen sharing lets you use one Mac to view and control your other Mac remotely. This means you can open, move, and close files and windows, and use apps — even if you're in another location — so you can always get what you need. Learn how to set up and use screen sharing

The part that is interesting to me is the even if you're in another location. It's not very clear to me what that means. Apple also recommends Apple Remote Desktop for remote Mac management, and again mentions the term another location

If you have more than one Mac, Apple Remote Desktop also lets you run apps and work with files that are on your other Mac, even if you're in another location. So if you want to run an app that's only on your other Mac, you can. Learn more about how to use Apple Remote Desktop.

Maybe I'm reading in to this, but that phrase makes me think that you'll basically be able to do the same thing that you can now, it's just a different mechanism than "Back to my Mac" has been. It's also interesting to me that Apple talks about using Apple Remote Desktop, and I wonder if they'll finally give that some love after years of neglect.

Apple has a very interesting feature in iMessage where you can request and grant screen share with other people, presumably for things like troubleshooting. I wonder if anything is going to happen to that feature in Mojave.

Links

Google Workspace Can Now Alert Admins of Government Based Attacks

Wed, 01 Aug 2018 06:00:00 GMT

Google today announced that in their G Suite accounts, admins will be able to set up alerts based on if Google believes that a government based attack has been attempted on any users within the domain.

Google writes -

If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method. It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.

I have been the G Suite administrator for a very large domain for some time now, and I have often wondered why political campaigns don't use something like G Suite for their email, considering the security tools that Google offers. Between security keys to log in, Google AI backed phishing and malware detection, spoofed email and domain detection, and several other security tools, I feel like it's definitely possible to protect something like a political campaign from email attacks.

This new tool makes total sense given the current political climate, as well as the information companies like Google are able to gather at scale. I wasn't expecting any sort of announcement like this, but I think it's a really cool tool.

Links

https://gsuiteupdates.googleblog.com/2018/08/control-government-backed-attack-alerts.html

Google Employee Phishing

Tue, 24 Jul 2018 06:00:00 GMT

The timing of this report form Brian Krebs on his security blog Krebs on Security, was perfect. This morning I was getting on a flight to the bay area, and right as I was getting on the plane, I received a chat message from someone wanting me to look in to an email they had received and weren't sure if it was legitimate or not.

For me it was relatively easy to see that it was a phishing scheme, and since the user forwarded it to me for further inspection, clearly the user felt so too.

My next thought was "That's strange, I can't remember the last time we actually had a phishing attack even show up in a users inbox. We have 10,000 licenses in our G Suite account, and it has genuinely been months since we've had a single phishing attack. It wasn't that long ago, that there were dozens to hundreds per day.

An interesting thought, but this week I am down at Google's Cloud Next conference, learning about all sorts of things, and it was interesting timing with everything. I went to dinner with a couple of Googlers, and they were mentioning some of the very strict security guidelines that they have to follow, then I get back to my hotel and read Krebs article about how Google has 100% effectively eliminated phishing entirely since early 2017. From Krebs -

Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes

85,000 employees is a lot of people that can make mistakes, and on top of that, I would wager Google is a huge target for this kind of stuff. I'll bet before any filtering, each employee at Google, regardless of role would bet bombarded with toxic email.

Again, I'm super impressed by that number. We do well with our 10,000 accounts, but not perfect.

It's hard to mention all of this without singing praises of G Suite and Google Cloud. This sounds like a sales-pitch but I can assure you I'm not getting paid for this. G Suite's set of anti-phishing, anti-malware, and frankly whole security suite have made it very easy to effectively manage all of this kind of mess. Google Cloud's tooling runs G Suite, which gives powerful analytics and searching capability, as well as how it allows G Suite to use AI to help with things like Phishing and malware detection, and much more.

Google, according to this article has taken it up even further on their own computers.

Links

Apple Combines AI/ML Team With Siri Team

Tue, 10 Jul 2018 06:00:00 GMT

Matthew Panzarino, at Tech Crunch -

Apple is creating a new AI/ML team that brings together its Core ML and Siri teams under one leader in John Giannandrea.

Apple confirmed this morning that the combined Artificial Intelligence and Machine Learning team, which houses Siri, will be led by the recent hire, who came to Apple this year after an eight-year stint at Google, where he led the Machine Intelligence, Research and Search teams. Before that he founded Metaweb Technologies and Tellme.

The internal structures of the Siri and Core ML teams will remain the same, but they will now answer to Giannandrea. Apple’s internal structure means that the teams will likely remain integrated across the org as they’re wedded to various projects, including developer tools, mapping, Core OS and more. ML is everywhere, basically.

I'm very excited for what this can mean for Siri and AI/ML at Apple. Although Apple is pretty far behind in this realm, the article brings up a good point about how Apple has by far the largest edge compute network in the world. Edge computing is a term associated with cloud computing, that refers to computing happening on users devices instead of in a datacenter somewhere. Both datacenter cloud computing and edge computing have their own unique advantages. It will be interesting to see where this all goes.

Siri is clearly way behind Google Assistant, or Amazon Echo in terms of functionality, however it has advantages in how it's so tightly integrated in to the Apple ecosystem, that if John and his new team can iron out some of the basic functionality, I think Siri becomes a serious player again.

Links

https://www.apple.com/leadership/john-giannandrea/

Health Data

Wed, 04 Jul 2018 06:00:00 GMT

When Apple released iOS 11.3, they quietly announced the beta of a new feature within the Health app.

From Apple -

With the Health app in iOS 11.3, a new beta feature makes it easier than ever for users to visualize and securely store their health records. Now your patients can aggregate their health records from multiple institutions alongside their patient-generated data, creating a more holistic view of their health.

To me this is fascinating. One of the big problems with health records is that they are almost always isolated to whatever healthcare system you use. With rare exceptions, if you see a doctor in one system, and for whatever reason need to see another doctor in a different system (different state, or sometimes your work may change medical plans), the second doctor can’t directly see any information about your first visit. Sometimes they can request those records, but it’s often a surprisingly manual task for all that are involved.

Apple isn’t solving all of the problem, at least yet, but another big problem is how difficult it can be to view your own medical records. Sure, you have the “right” to, but that doesn’t mean anyone is going to make it easy for you. At least until now.

If your medical provider (or multiple providers) support Apple’s new Health feature, it will import and organize all the data for you. It presents it in a clean, easy to understand manner, and if it’s importing from multiple sources, it will even combine the data for you.

Nation wide, many providers don’t support this feature yet, but they are being added at a surprisingly good clip. I noticed this evening that my provider, Intermountain Healthcare, was on the list, so I gave it a shot. One quick login to my online account and everything populated in a matter of minutes. It’s remarkably simple. Within a few more minutes of looking at my data, I could quickly see all my doctors appointments, medication, lab results, etc, and it all made sense to me.

This by no means solves the whole problem with medical records, but I think it’s a huge step in the right direction. It may seem like a weird thing to get excited about, but I’m excited about it. Now that my medical records are stored on my phone, I’m even more glad Apple takes an obsessive approach to individual privacy. I’m hopeful this is just the first step in Apple trying to revolutionize even a small part of the medical system.

Check here to see the list of supported providers.

Links

https://support.apple.com/en-us/HT208647

Apple Maps

Sun, 01 Jul 2018 06:00:00 GMT

Matthew Panzarino, writing for Tech Crunch this last week broke the news that Apple would be redesigning their maps from the ground up in iOS 12.

This is nothing less than a full re-set of Maps and it’s been four years in the making, which is when Apple began to develop its new data-gathering systems. Eventually, Apple will no longer rely on third-party data to provide the basis for its maps, which has been one of its major pitfalls from the beginning.

This was interesting to me, because although I knew Apple was working with 3rd party companies to augment their map data, I was under the impression that they still created the majority of the data already.

I have mixed feelings on this whole story. On the one hand, Apple Maps definitely needs some love, as it has not worked very well since it was introduced six years ago. Although the maps has noticeably improved since it's initial launch, I have found that I still fairly frequently have it search for an address that is nowhere near what I'm actually searching for. Sometimes, maddeningly, searching for the exact same thing more than once yields different results.

Matthew interviewed Eddie Cue, SVP Internet Software and Services, who has taken over the maps project at Apple for this article, who to his credit did not seem to shy away from the fact that Apple messed up with Maps, and that they need to do better. They seem to acknowledge and understand what the problems are, but I wonder if they really know how to fix it.

To me, one of the worst parts of Maps is the searchability. Matthew briefly discusses this in one paragraph -

Search is also being revamped to make sure that you get more relevant results (on the correct continents) than ever before. Navigation, especially pedestrian guidance, also gets a big boost. Parking areas and building details to get you the last few feet to your destination are included, as well.

That sounds like the right things to say, but it doesn't exactly have the same substance as the rest of the article does. To me, things like that worry me that this won't be enough, or more accurately that they won't be focusing on the right things.

Emphasized several times in this article is how importantly Apple is taking privacy. I think this is becoming more and more important in today's world, and I truly appreciate the effort that Apple puts in to each product to protect the users privacy. I'm not sure if this is making a tangible difference in who wants Apple products versus any other product, but in a way that makes it all the more impressive that Apple puts the time and money in to doing it correctly. It's the right thing to do, and I'm glad they are willing to do it.

I do look forward to the improved accuracy and visual upgrades that are coming to Apple Maps. Apple's attention to detail, and tight system integration allow them to make a truly beautiful and easy to use map system in to iOS. I genuinely hope that they are building a system that is enough of an improvement that people can, and will, rely on it for their mapping and give other companies a run for their money.

I think the timing of this new map data is interesting, given iOS 12 will allow 3rd party map apps to integrate with CarPlay. To be completely honest, the only times I ever used Apple Maps instead of Google Maps was if I am plugged in to my car, so I can see it on the dashboard. If I ever needed to actually look for something, I would switch to Google Maps.

I'm willing to give it another shot, whenever this becomes available outside of Northern California. I wonder how many other people will.

Follow up article with Q&A, also by Matthew Panzarino

Links

Every Default Mac OS Wallpaper in Glorious 6K Resolution

Sun, 01 Jul 2018 00:00:00 GMT

Every Default macOS Wallpaper – in Glorious 6K Resolution 512 Pixels frequently has great nerdy Apple articles, but this one really stuck out to me. There is a lot of nostalgia in these wallpapers. Check it out!

Links

https://512pixels.net/projects/default-mac-wallpapers-in-5k/