Show and Tell – Monday, 06 Nov 2017

Idle at Work

We’re so unprepared for the robot apocalypse | The Washington Post — Analysis around this so-called apocalypse includes a lot of category errors.

One Bitcoin Transaction Now Uses as Much Energy as Your House in a Week – Motherboard – added a link to some comments on this last week too. This whole story is an illustration of a technocratic paradox in action. With the release of the so-called Paradise Papers, the power drain on anonymity is only going to get more intense.

We Know Where You Live

Parenting in the Age of Alexa, Are Artificial Intelligence Devices Safe for Kids? | NPR – Betteridge’s law of headlines states that any headline that ends with a question can be answered with ‘no’. There are layers of legitimate concerns.

Fraud Detection in Pokémon Go | Schneier on Security – This is a bit of a digression for Bruce Schneier, an intriguing one. Hopefully I can find some time to come back to this; I feel it has some interesting implications for an education context. Consider that analogy when Schneier writes,

Cheating detection in virtual reality games is going to be a constant problem as these games become more popular, especially if there are ways to monetize the results of cheating. This means that cheater detection will continue to be a critical component of these games’ success. Anything Niantic learns in Pokémon Go will be useful in whatever games come next.

Critical Tor Flaw Leaks Users’ Real IP Address — Update Now – Despite its reputation, TOR has a lot of legitimate uses. Either way, users don’t use it thinking they can leak their IP. It might not be as secure as you think, but you can do something about that by staying on top of updates.

Now Look Here

10 Fascinating Things We Learned When We Asked the World ‘How Connected Are You?’ | the Mozilla Blog – Methodology is always lacking with these types of studies. Try defining what ‘world’ means in this context, and you will understand what I’m getting at. Nonetheless, there are still learnings to be taken.

Steve the Fruiterer

An Apple (AAPL) engineer has reportedly been fired after his daughter’s iPhone X review from inside the campus went viral | Quartz – What to say about this.

Broaden Your Mind

But what is a Neural Network? | Deep learning, chapter 1 | YouTube – The narrator is pretty grating, but you might learn something if you can cope with him.

Potentially Useful

Cardhop — I don’t have a great need for contact management at the moment, but it is an important area of administration for academics. If you have unruly contacts, this will be worth a look. I wrote up an alternative to Fantastical a couple of days ago. But when it comes to natural language parsing, Flexibits really have nailed it.

And Now, For Something Completely Different

By Human Error, we mean a Human deactivated his account on purpose – Some nice corporate speak to explain what led to that brief moment of Jouissance. It might not have lasted long, but it must have felt pretty satisfying to push the button on this.

Inside The Great Poop Emoji Feud – The Emoji wars rage on. First there was the burger, and now this.

1Password 7 Adds Face ID Support, ‘Quick Copy’ Feature for Faster Copy & Paste – MacStories

MacStories have a write up of the latest big update to 1Password. There is enough hype everywhere for the iPhone X. I’ll happily stay away from that. It does, however, mean we have a slew of app updates on the way. I wrote about my preference for 1Password not too long ago, but already that post is starting to look dated. The improvements to the user experience keep coming. The new Quick Copy feature is a good example of the attention to detail from Agile Bits. They seem intent on eliminating the little annoyances and friction that prevent users from using certain security features. They even tidy up interactions where third-party apps haven’t bothered to implement the system extension.

From MacStories,

First up is Quick Copy, a feature aimed at speeding up the process of filling secure information in apps that do not integrate with 1Password’s action extension. Quick Copy is designed for those times when you’re switching back and forth between an app and 1Password: when you copy a field in 1Password, exit the app, then return to it to copy another field, the field after the one you previously copied is automatically placed in the clipboard. For instance, if you copy your username, close 1Password, then open it again, the password field is automatically copied; if you copy your account’s password, the one-time authentication code (the field displayed after the password one) will be copied instead.

Something Completely Different for 30 October, 2017

Crazy couple of weeks in our little corner of the universe. Those of you who check in here regularly will have noticed the relative silence. Personal interruptions have required my presence elsewhere. At the risk of marking this page with famous last words, the schedule looks to be clearing for the rest of this week. So I will be back at it, updating the site. I have a whole lot of new content to finish off and post.

In the meantime, here are the results of link gathering on education and tech over the past couple of weeks. A lot of security and privacy material as usual. The ‘Week Links’ title was a bit, well frankly it was weak. Let’s face it, this is not an original endeavour. Nonetheless, in the spirit of sharing I will keep it up. With any luck nomenclature will take care of itself.

Security and Privacy

New KRACK Attack Against Wi-Fi Encryption | Schneier on Security – This is old news by now. But Bruce Schneier’s perspective on anything security related is always worth a look. Even if it is brief. If anyone is still worried about it. Thankfully for Apple users, the patch has been applied.

Want to See Something Crazy? Open This Link on Your Phone With WiFi Turned Off. – The demo links in this article no longer work, but enough evidence in screen grabs and first hand experience confirms this is all real. Another confirmation of what we already know. Everything is for sale.

Who Is Keeping Student Data Safe in the Era of Digital Learning? | the Hechinger Report – This problem is something we ought to hear more about. I have mentioned some of the threats facing universities, and steps we might take in light of those threats. But data security in general in education is a massive concern. Huge amounts of data are collected, and it would be naive to think there are not a lot of interested parties.

Stealing Sensitive Browser Data With the W3C Ambient Light Sensor API – I used to run a tricked out version of Firefox, with every conceivable privacy add-on. Until I realised that Safari gives me all of that protection without having to encumber it with hacky code and a litany of update requests. This is the kind of development that has me caught in a double bind with Apple native apps. John Gruber seems to think that Safari will keep you ahead of this by having to ask for permission. The inevitable shady implementation of this makes me wonder.

iOS Camera Privacy | Felix Krause – Apple trades on privacy, which makes it all the more easy for people to fall into traps. It doesn’t hurt to check over your security settings occasionally. One major improvement in photo/camera security is the way the photo picker API has been updated in iOS 11. More granular permissions mean less indiscriminate access, but don’t let that lure you into a false sense of security.

Sweep of Educational Apps Finds Some Fall Short on Privacy | Markets Insider – This is a test case, insofar as it relates to Canada. But that is how science works folks, for the rest of us these findings are likely to hold. You will have to click through to the actual report to see the services mentioned, it is suitably detailed.

Professor Shames Entire Class by Publishing Students’ Browsing History | the Independent – This is where my sense of humour meets an impasse with my values. On the one hand the invasion of privacy is shocking. On the other hand, this is very amusing.

Orchid creates internet protocol to defeat censorship and surveillance | Axios – The skeptic in me acts up when I read something like this. We need to be aware of definitions. For one thing this is a VC backed gig. I would like to know more. One suspects being free from censorship doesn’t mean being free from being tracked and traced.

Keybase: Crypto for (Almost) Everyone – Seeing as we are on the topic, a Keybase refresher.

Useful

Updated Mail Vacuuming Script | BrettTerpstra.com – This one is for Apple Mail users. You can follow the link through to the original version of Brett’s script, if you want to know more. Essentially it optimises one’s Apple Mail database, thereby making the whole experience more efficient. I use Airmail mostly, but I check in on Apple Mail occasionally as it has improved out of sight in the past couple of years. If you want to use rules with AppleScript for example, then Apple Mail is the way to go. But I digress, this is really only useful for existing users.

Workflow iOS – Multi-Site Search With DuckDuckGo – Gabe at Macdrifter.com has been running a series called Tip jar. There are some useful nuggets in there. This is another iOS Workflow recipe. If you are looking to learn how to use Workflow, looking at examples of how folks use it is a good place to start.

TextExpander dates and times | All this – One of the most helpful tools you will ever invest in is TextExpander, or any of its equivalents. I am still a lightweight user of the technology at this point, but I have still saved an eye popping amount of time by using it. Dr Drang on the other hand, is really someone you can learn from.

Quitting Evernote for DEVONthink – Some of that yet to be finished content I mention up front has to do with my use of DEVONthink. I moved my operation over from Evernote some time ago, and I haven’t regretted it once. Once I got over the UI inertia I had, I was able to start peeling back the layers of a very impressive onion. More evangelising on DEVONthink soon.

Bits and Bolts

The Ridiculous Amount of Energy It Takes to Run Bitcoin | Michael Tsai – Unintended consequences, and hidden effects. Why bitcoin may not be the force you thought it was. What did you think it was? Incidentally, is it time to cash out yet?

The iPad Pro as main computer for programming – This is not the first time I have come across an affirmative answer to this question. One of the reasons I migrated this site from Squarespace to WordPress was so I could better control the site from my iPad. It is not exactly the same as coding for a living, but the point was that the iPad is capable of this stuff if you want to go there. 1

That Fruit Company

Hey Siri: An on-Device DNN-Powered Voice Trigger for Apple’s Personal Assistant – Apple – If you have the time, and you want to know how machine learning works with Siri. This is in language you might understand.

Tim Cook: Mac Mini Will Be ‘Important Part’ of Future Product Lineup – Apparently the Mac Mini is not dead yet. I would love to believe this is true. I guess we shall see. Or not.

Full Scale of Apple’s Patent Loss to VirnetX Is Now Clear: $440 Million – The real reason for those stockpiles of cash. They will be needed.

There’s one good reason to update to macOS High Sierra | The Verge – I have found the update to be pretty good so far. The copy-on-write function of APFS is amazing. But I would have to agree, nothing beats being able to switch off auto play. You could always hack into this, but this is a welcome change. As for the tracking protection, the new provision is a positive development, but in practical terms it is like stabbing an elephant with a clothes peg.

Media Consumption

New VR Tech Aims to Take Surround-Sound to the Next Level | Scientific American – Anyone who has dabbled with VR will know that, while sometimes incredible, often it can invoke a kind of sensory dissonance. This will only be overcome for the technology when the sensory experience is more totalised. These advances are intriguing.

How Elsa, Spider-Man Trick Kids Into Watching Violent YouTube Videos – I have first hand experience of this at work. This is also another illustration of one of the internet’s central dichotomies. The only way to have any real control over the content being imbibed by children is to login and submit to being tracked. It is the digital equivalent of the social contract. We give up our freedom in return for our safety. Except, in this version you give up your privacy for the right to manage what content is consumed. In turn the choices over that content are also handed over, bundled up and monetised.

Technology Overuse May Be the New Digital Divide | the Hechinger Report – You just have to look at the reverse trend in rich Silicon Valley folk sending their kids to device free schools to see this trend is doing an about turn. Moderation is now a privilege

For the Fun of it

Extract from Plato’s Republic: On That Which is Correct Politically | McSweeney’s – There are layers to this. Not that it really matters. Every one of those layers is amusing. It reminded me of Stewart Lee’s wonderfully measured bit on the same topic.

Media Lab Job Application – I cannot describe how on the money this is. The only possible retort would be to accept the application. So good.

  1. I have also encountered the inevitable pedants, splitting hairs over whether this is really coding on an iPad, or on a remote machine. This is where realists have it all over sophists. The practicality is what matters here.

Week Links – Monday, 16 Oct 2017

Developer Demonstrates iOS Phishing Attack That Uses Apple-Style Password Request – Mac Rumors – Enabling two factor authentication might be best practice, but vigilance and sound password management are still the keys to keeping your credentials from being fleeced. For more on this, Michael Tsai has one of his trademark link roundups:  In-App Apple ID Password Phishing

Evil Blogger Attacks Defenceless Transnational Megacorp | discchord – I’m not sure I would go this far, although I do like the metaphor. For one thing, Apple’s interest is piqued when their own apps are involved. Secondly, audio issues will affect podcasters as much as musicians — well, almost as much. 1 As for anyone wondering why podcasts should be of any more interest to Apple, consider how much free marketing they get from all the fan casts out there. Don’t worry, I’m well aware that my toes are in that same pool, but at least I have the good sense to feel dirty about it.

What Ivanka Trump Knows about Ed-Tech – More than a few hints that some kind of bot wrote the essay in question. Either that or it is the product of infinite MAGA Monkeys. A kind of epic, simian version of The Influencers

Collaborative Annotations You May Want to Join | ProfHacker – Examples of collaborative annotation projects using hypothes.is. If you haven’t yet looked at hypothes.is in action, the results can be mixed, but it is a great example of interactive open web technology. The potential is enormous.

Scientists Can Read a Bird’s Brain and Predict Its Next Song – MIT Technology Review – Having a technology fetish doesn’t make one immune from feeling terrified by certain developments. Being a cynic makes it inevitable.

How Video Games Satisfy Basic Human Needs – If you feel guilty about procrastinating by playing video games, it could be you are just satisfying a basic human need.

Tim Cook Says the Tech “doesn’t Exist” for Quality AR Glasses yet | Ars Technica – Notwithstanding the fact that Google Glass was a huge failure. Black Mirror gave me the creeps on this topic. Still, whenever this code is cracked, glasses will be a halting point; Robert Scoble made sure of that.

  1. Yes, there are podcasters recording on iOS

Choosing the Right VPN

Choosing the best VPN

Reliable Information

As Ars Technica 1 discovered, choosing a VPN service is difficult. There are some obvious reasons for this. First, VPN services have some of the highest paying affiliate programs online. This means there are often huge incentives for the shady ‘best VPN’ lists and clickbait that dominate search results. 2 The same incentives hold for ‘worst VPN’ lists. They direct traffic toward vendors offering higher rewards. Second, people feel vulnerable, and with good reason. There is nothing like vulnerability for bringing out the sharks.

Finding reviews of VPN services that are not glorified advertisements is as hard as finding Google search results without list posts. The torrent of junk articles, and marketing shills peddling services they never use, means the only way to find a service that works for you is to either try a bunch yourself, or get a recommendation from a trusted source. I am working toward making this site the latter.

Trial and Error

The advice of trusted sources has led me to try some of the best known and popular VPN services. Among these are Cloak VPN — which has recently become Encrypt Me — and Tunnel Bear. Both of which are fine services that will be good enough for a lot of users, but I have set a higher threshold for privacy than either service can provide. If your needs are modest, Tunnel Bear even offers a free tier — although I doubt 500MB will satisfy many people reading this. The best feature of Cloak/Encrypt.me is its user friendliness and ability to automatically connect to chosen networks, but I find the service is expensive considering its other limitations.

Until recently access to streaming services in New Zealand was poor. The way around that for committed nerds was to override the geolocation. While this is not the only, or even the main reason I use a VPN, it remains a decent barometer for the quality of service. It is what led me to try the smartDNS and VPN from OverPlay, which is a service plagued with problems. Further trial and error led me to try numerous other services, including Private Internet Access, IPVanish, Express VPN, and Pure VPN. All of which were found wanting in different ways for my particular needs. In some cases the connection speeds would be good, but streaming or something else would break. At other times, the opposite would be true. I kept bumping up against problems that would put me back at square one. From there a host of others either had terrible speeds, are plagued with usability problems, or simply aren’t secure beneath all the bluster. 3

So having tried so many VPN services, and having spent hours sifting through the claptrap to read anything that isn’t a glorified advertorial — or self-serving blog posts by service providers — I hope that my opinion at least has some weight behind it. I must stress, however, this is still very much an opinion. As they say, your mileage may vary.

Privacy and Security

Privacy and security are the bread and butter of any VPN service. Every year Torrent Freak runs an updated survey called Which VPN Services Take Your Anonymity Seriously?. The questions range from how each service handles logs, to whether or not they own their own services. They ask what they do in the event of a court order, the strength of their encryption technology, and whether or not they support anonymous payment. I will let you decide for yourself how important each of the answers is to you. Technically the article is an affiliated list, not completely unlike the ones I criticise above. The difference is this one includes a lot of relevant information. Neither does it scream at you with arbitrary ratings, gold stars and fake medallions. This is a worthwhile exercise for the quality of the questions. Putting stock in them has proven fruitful in finding a service that I am happy with.

Elsewhere, similar concerns are addressed by privacytools.io — an excellent privacy and security resource with an active community on Reddit. Particularly the issue of legal jurisdiction. Privacytools.io takes an uncompromising approach to where the service is located, and what legal implications that has for how they operate. The importance of location is something that services like Cloak/Encrypt.me 4 contest for their own obvious reasons. I happen to live in a so-called Five Eyes country — and one that has shown a liberal application of due process at times. So even for my simple needs, I would prefer to err on the side of caution and take the advice of folks who make it their business to know better.

User Experience

Beyond the crucial matters of security and privacy, what remains is the user experience. Yes, the quality of service matters. It matters a lot. Yet, you can be as secure and anonymous as you like, but if getting there requires the use of substandard apps, obscure configurations, and crawling speeds, then I doubt you will be persuaded.

No matter what a VPN service claims it can deliver in terms of bandwidth, there is no such thing as a VPN that doesn’t slow your traffic down in some way. The question becomes how much of a hit you will take. The only way speed issues are addressed in earnest is by having servers close to where you are. If a service can bring together proximity, privacy and security, with a decent user experience, then it starts being worth your time.

Having done all the work balancing out all of these questions, I eventually landed on a VPN service that I can happily say meets my needs. Having used NordVPN 5 for over a year now, I finally feel comfortable with recommending it to others.

This is a further summary of what I feel NordVPN has going for it:

  • The NordVPN apps are a pleasure to use. Just install, login and click to connect. They include a graphical map for choosing the server location. From there you can drill down to choose individual servers. The client includes a kill switch for any apps you choose, so if the service gets disconnected nobody will catch a glimpse of you pulling down your latest ‘public domain’ television episodes.
  • The desktop apps include a contextual search engine that will suggest the best servers for particular tasks.
  • The service is truly multi-platform, covering everything from the mainstream operating systems to Raspberry Pi, Open VPN and firmware for just about any router you can think of. They also sell pre-flashed routers to run the service from the point of connection.
  • A single account can connect 6 simultaneous devices. Or as many as you like if you run it on your router
  • They are the only service I have found that consistently keeps ahead of the geo-blocking and VPN blocking efforts of streaming services like Netflix, BBC iPlayer, Amazon Prime, and Hulu. You will sometimes need to contact support to find which servers are working as it continues to be a game of cat and mouse for every service, but the response has always been immediate via their 24/7 chat support
  • The Mac client for NordVPN includes a technology they call Cybersec, which blocks trackers, malware and intrusive data hogging advertisements.
  • They currently have a network of 1093 servers operating across 61 countries. I am yet to find something I cannot access with the service.
  • A number of dedicated P2P servers are specifically configured for file sharing
  • Double VPN and TOR over VPN are uber privacy services if you ever need to break out the tinfoil hat
  • Support has been quick, responsive and friendly. Not that I have ever needed it for much.
  • The service is comparatively inexpensive, they currently have a deal that amounts to US$3.29 per month — albeit if you sign up for two years. Shorter terms, starting at one month, are also cost effective. You can check out the options here

The Limits of Anonymity

Having covered the good stuff, I want to stress there is no such thing as a perfect VPN service. To my mind, any service that betrays the trust of its users is committing commercial suicide. But that doesn’t mean it hasn’t happened. It also says nothing of mistakes, or of bugs in the code. I trust NordVPN for my purposes, but if your goal is absolute anonymity, then you are going to need a lot more than what any such service can provide. If that is the case, then start with TOR.

Across the board VPN services tend to either lay claim to, or imply, an infallibility that they are not only incapable of delivering, but for most people is impossible to verify. To the credit of services like the VPN formerly known as Cloak, they make no such claims to anonymity, but rather aim to ensure your safety on untrusted networks and so on. I happen to want more from a VPN, but I’m not daft enough to overlook the glaringly obvious fact that using any VPN service requires an unparalleled leap of faith. All of your data is funnelled through a server you have no control over. Somehow I doubt anyone reading this is looking for advice on how to get away with illegal activity, suffice to say I don’t think a VPN is going to cover you if you are.

Why use a VPN?

VPN providers are becoming increasingly important as the ever decreasing circle of internet privacy is squeezed by big advertising and ideological zealotry. While accessing television shows that you otherwise might not be able to, is potentially fun, it is not the reason you need to take this seriously. There are any number of reasons why you should. Consider the draconian laws and mandatory data retention in Australia. The extreme surveillance in the UK, or internet service providers preparing to auction off user data in the US. These are the real reasons that you should consider a VPN. As for the ‘I have nothing to hide’ cliché, my favourite response remains the Snowden line, ‘Arguing that you don’t care about the right to privacy because you have nothing to hide is no different from saying you don’t care about free speech because you have nothing to say’. Believing otherwise is not only naive, it’s dangerous.

As for academics, the cynic in me fears that security measures are only going to become more relevant as the aforementioned circle starts to cross the threshold of so-called academic freedom. The signs are there for anyone to see. Sadly privacy and security are something of a privilege and a luxury at this point in time, but if you have the means this is something worth your attention. What a VPN can provide you with is extra security and privacy, but only when combined with competent online behaviour.

I want to end this with something of a disclaimer. I qualify my recommendation with a reminder that you should be clear on your needs when looking at a VPN. Go in with your eyes open. If you want to understand just how subjective this can be, head over to Reddit and try to find a VPN provider that hasn’t been trashed by somebody. What works for a gamer on a PC is not necessarily going to translate to an academic researcher wanting uninterrupted access across multiple time zones. I also have to add that my choice of service has been a balancing act; for example, I have used faster services than NordVPN, but none of them offered enough of the features I needed.

There is a lot of misunderstanding around, and some frankly ridiculous expectations at times. If you keep yours realistic, and test your chosen service against your specific needs, you are less likely to join the ‘such and such service sucks’ chorus on social media. Despite all of the aforementioned misinformation, there are a number of good VPN services available. If you are not ready to accept my recommendation, start with the list on. Even if your criteria are not as exacting as mine — or for that matter, more so — find a recommendation from a source you trust. 6 NordVPN works well for me. That gives me the confidence to suggest it here, but I cannot guarantee your needs will be met as well as mine. If you try it and are not satisfied, do not be shy about asking for your money back. They will give it to you.

If you do want to try NordVPN, they offer a 30 day, no questions asked money back guarantee. You can sign up at NordVPN.com

Rolling Your Own

If you can’t take the leap of faith required to use a third-party VPN service, and TOR doesn’t meet your needs, there is at least one other option. That is to roll your own VPN service using something like Algo. You will need access to a virtual private server to set it up. The Algo repository suggests using Digital Ocean. I recommend using Linode, where you can set up a powerful server in next to no time for $5USD a month. You will need to be comfortable running a few simple commands in the terminal for setting up both the server and the VPN. Don’t let that put you off; if you can follow instructions you will be fine. I’m pretty sure most people learn the command line with a combination of cut, paste and hope anyway.

Once you have it up and running you could use something like Shimo to connect to it from your Mac, which is also available with Setapp. Or configure it directly in the native macOS settings. On iOS you can do something similar, either configure it in settings or use a client like OpenVPN. If you are even contemplating rolling your own, I would expect this to make sense.

Further Reading (and watching)

Berkeley Blog – Why Care about Privacy

Nothing to Hide

Why Privacy Matters – Ted Talk

  1. The final subtitle in that article is not a good sign post. Some VPNs can most definitely put you at risk, but the onus is on the user to select a service that won’t
  2. To be clear, this uses affiliate links. However, not only is that far from its reason to exist, but nothing is linked without personal experience and usually at considerable personal expense. This site runs at a loss as a result. I would hope the difference between this and affiliate marketing is obvious.
  3. To be doubly clear, I am not condoning illegal activity
  4. The name change might appear arbitrary, but I would wager it has something to do with SEO. I also feel uncomfortable with their use of the phrase ‘free apps’ for a service that requires a subscription
  5. Not to be confused with NordicVPN

The Necessity of using a Password Manager

1password For Macos

Have I been Pwned

If you ever need to convince somebody to use a password manager, try playing them The Russian Passenger on Reply All. The episode covers a service called Have I Been Pwned, which keeps a record of known data breaches that users can search to see if their credentials have ever been exposed. Try searching the email addresses of friends, family and colleagues on the site. It won’t take you long to find somebody you know.

A good password manager is easy to use, and simple to learn, and yet convincing people to use one can be difficult. My sense is that most people either don’t realise how insecure their recycled credentials are, or they think ‘that will never happen to me, I have nothing worth stealing’. I can only hope that wouldn’t apply to experienced researchers and academics, but students too need to be aware of how vulnerable university networks are. There are numerous reasons for hackers to target universities, gaining access to thousands of usernames and passwords chief among them. Because of all this, I believe it is critical for anyone working within the walls of a university – virtual or otherwise – to have a secure means for managing their credentials. To my mind, a password manager is the best solution – it is certainly the easiest.

Which Password Manager?

As for which password manager, for sheer user-friendliness, ease of use, and excellent design, I still feel that 1Password is the best choice for most people. It actually has the Pwned functionality inside the app itself. A lot has been written lately about changes to 1Password. The concern from security experts has to do with the company’s move to a subscription service, and in turn the service itself being moved to a proprietary cloud-based architecture. The concerns are not around the business model, but with certain technical decisions; specifically with the status of where the default user vaults are stored – i.e. on the Agile Bits encrypted servers. It should go without saying that the vaults are mega-encrypted, so worthless to anyone without the user’s key, but to end the debate there drastically oversimplifies the matter.

I’m not going to dive any further into the debate itself, as I believe a lot of what is doing the rounds is based on a combination of misunderstanding, miscommunication, and the wants and needs of edge-case users who aren’t representative of most people. Moreover, some people seem to be conflating the Mac and Windows versions, and the functionality under debate remains very much a part of 1Password. I would argue that regardless of the validity of concerns around cloud storage, 1Password is still the best password manager for most people. In fact, some of the features that make it so are only available because of the cloud-based architecture. My take is this:

  • The vast majority of people are ludicrously vulnerable at the moment, simply because they have next to nothing in place to manage their online security. For most people, not only are obscure security threats not a huge concern, but there is much more to be gained by using a password manager than maintaining the status quo.
  • In the absence of a clever password scheme – which, let’s face it, most people will never use – even if you do generate strong passwords, you still need an absolutely unique one for every site and service you use. Most people who have taken this half measure are using paper notebooks, or some form of plain text or spreadsheet to store the credentials. Ironically, this is a half measure that will make you doubly vulnerable.
  • A password manager does all the work once you get used to using it. Not only have I found 1Password to have the best user experience in this regard, anybody I have ever got to use it in earnest has taken to it immediately. The browser extension on the Mac, and iOS Safari, automatically generates and stores credentials for new registrations, and automatically populates forms and logins. It can also populate payment forms with one click, making it even more useful than Safari’s own Auto-Fill features.
  • Take travelling researchers: with the new 1Password travel mode, one can remove the entire app from a device and then reinstate it once any overly officious border police have done with their perusal of any given device.
  • There are further benefits to having secure information in such a vault if you were ever to lose your mobile device and other valuables. I use 1Password to store my bank cards and encrypted copies of documents.
  • 1Password’s subscription model is one of the more advantageous memberships of its kind. The Families plan gives you 5 licenses for US$5 a month. You can manage vaults for your less technically inclined, younger or older family members. It also means shared vaults for credentials you all need access to, Netflix anybody?
  • The concerns around the cloud-storage model are moot for anyone wanting to sync a password vault and doing it via Dropbox.
  • I could go on, but I fear I have lost enough of you already.
1Password is the most user-friendly password manager I have used.

Perhaps Agile Bits could have handled this situation better than they have, but to be clear, they are keeping intact the functionality that security boffins most value, i.e. local vaults. Unfortunately, it seems people will seize upon anything to reinforce their own reluctance to address their security issues, so controversy like this tends to feed the fear and doubt. My concern is that people use something, rather than recycling passwords or becoming so blasé about resetting them that they become easy targets for phishing attacks, attacks that nowadays can easily include the capture of two-factor authentication. A password manager mitigates most of the risks. And without labouring the point, using one will provide a huge improvement to most people’s security.

Other Options

Lastpass – I have been a user of Lastpass in the past. I have never found it to be as user-friendly as 1Password, but it has a lot of fans. The biggest selling point is its free tier, which is a good start for anyone balking at paying for security – and the upgrade price is only US$12 a year. You will need to upgrade to use things like two-factor authentication and device syncing.

Dashlane – I prefer the user interface of Dashlane to Lastpass. It has a similar ‘freemium’ model, with similar limitations before upgrading.

EFF Annual Report: ‘Who Has Your Back? Government Data Requests 2017’

The linked report can give you a better idea of what you are getting into when you trust your private data to the many apps and services that have become so entwined with our daily lives. Privacy and security being the perennial issues they are, this annual report from the Electronic Frontier Foundation should be mandatory reading for students and researchers. Although the idea that universities themselves have always been at the vanguard of free speech, academic freedom and individual rights is an easily dispelled myth, generally students – and many academics – have been. Regardless, this is something that everybody needs to be across. As the EFF puts it:

In this era of unprecedented digital surveillance and widespread political upheaval, the data stored on our cell phones, laptops, and especially our online services are a magnet for government actors seeking to track citizens, journalists, and activists…