bradchoate.com

Official iPhone Order Process

2014-09-12T16:38:01Z

Here are the steps to pre-order a new iPhone. Be sure to follow this procedure exactly as outlined to secure your iPhone.

Steel yourself at 11:55 AM Pacific time. The battle is about to begin.
Load store.apple.com at 12:00 AM (Pacific time).
Note “We’ll be right back” page in all written languages.
Refresh page.
Shift in your seat uncomfortably.
Check Twitter.
Refresh page.
Look at your clock.
Refresh page.
Post “Sigh… Apple Store is still down :(” to Twitter to let everyone else know.
Refresh page.
Repeat steps 6-7 until 12:35 AM (Pacific).
Observe the “We’ll be right back” page now gives an error.
Post this new information to Twitter immediately.
Refresh page.
Check the Apple Store app on your phone. Observe the same error.
Force quit the Apple Store app and launch it again (this is how you refresh on mobile).
Note the store loads.
Gasp in amazement. (Softly so you don’t wake anyone.)
Post this to Twitter.
Cautiously tap to buy an iPhone.
Acknowledge the error message. And repeat until it works.
Enter the information to check your upgrade eligibility.
Submit this information and wait 2 minutes. Acknowledge the error and repeat until it works.
If your carrier says you can’t upgrade yet, take inventory of items you posses that you can sell to pay for the full iPhone list price.
Select your iPhone size, color and capacity.
Note that the iPhone you selected is unavailable.
Try choosing a different color and/or capacity. Find a combination that is available and add to cart.
Acknowledge the error and retry until you get that sucker in the cart.
Hey, you may just do this. Note that it is now 1:30 AM (Pacific).
Tap the “Checkout” button.
Acknowledge the error.
Cry softly and try again.
Confirm your address and billing information are correct and submit the order.
Fix the error in your address and billing information and try again.
Acknowledge the error message.
Re-evaluate your life.
Search Google for reviews of the latest Android phones.
Close browser.
Reopen browser and check the Apple Store. Note it is still down.
Tap to submit your order.
Pray.
That’s it!
Post your success to Twitter.
Go to bed.
Wake up at 4 AM in a cold sweat. Towel off and go back to sleep.
Wake up at 6 AM and realize you’re not happy with the color choice you made.
Note that at this point, your preferred iPhone size, color and capacity is available for delivery by launch date.
Go to your email and find the link to manage your order.
View order information and take a deep breath and click to cancel the order.
Acknowledge error.
Keep trying.
Confirm cancelation.
Order a new iPhone.

Year of the burger

2014-07-17T05:22:23Z

Some more stuff about burgers really? I promise this isn’t turning into a food blog.

This is a Storify embed post, so you may need to view it on my site to see it in all it’s iframe’d glory.

The perfect burger joint recipe

2014-07-03T03:34:33Z

Here’s a simple, three-step recipe for creating the perfect burger joint:

Great burgers with bacon
Great fries
Great shakes

Few have followed this recipe, and I don’t understand why.

In-N-Out? Great burgers, but no bacon. Let me repeat: you cannot get an In-N-Out burger with bacon. If you ask, they will say “no.” A burger with 20 patties? Sure. Bacon? GO AWAY. Fries are pretty bad (not that great fresh and worthless after they cool off a bit). Shakes are so-so. I get the feeling their shakes and fries are cheap because their prices are sooo low. They could stand to charge more and improve their offering.

Five Guys? Great burgers and bacon (although a little overcooked, typically). Fries are great and plentiful, but no shakes at all. WHAT. They went to the trouble of adding these fancy soda jukebox machines that let you pick from every soda flavor the Coca-Cola company has ever dreamt of, but there’s no milkshake button (I looked for like an hour). Also, what is with mixing Helvetica and Tekton together in your signage? Stop that.

Super Duper? Ah, here’s a contender. A little pricey and boutique-ish (well, it’s a SF-based place, so I understand), but the burgers are good and the bacon is there. Great shakes. Fries are good but could be better.

Shake Shack is great as I recall on all points. But I have to fly to New York to get one and that’s out of my price range. PLEASE COME TO CALIFORNIA I BEG OF YOU.

#geekcut

2014-05-25T20:38:35Z

Here’s another Storify collection of a personal favorite set of tweets.

If your reader doesn’t show this content, you’ll have to view it on my site directly.

Fast lane Internet

2014-05-19T04:57:53Z

So recently, the FCC ruled that it’d be okie-dokey for the Internet to create tiers of service. What follows is a bit of fun about this very serious issue, one that may very well change the nature of the Internet. I urge you to educate yourself about the real threat of this decision after you read and favorite each of these:

(If you’re viewing this through a news reader, the Storify content may not come through; if not, you’ll have to visit my site to see it.)

Personal Hold Music

2014-01-30T01:47:45Z

Here’s a small innovation I could use from my smart phone (yes, an iPhone): personal hold music. Cause, who likes muzak? Here’s how it would work.

You make a phone call to some customer service center. You navigate their tree of options and end up being put on hold while waiting in line for a person to pick up. They then start playing something hideous while you wait. Personally, I think this is designed to encourage people to hang up, reducing their call volume. But: you have a secret weapon… you’re calling with a smart phone equipped with Personal Hold Music™®.

So, here’s what you’d do: you’d take the phone from your ear and on the screen, there’d be a convenient button to play your music. What would this do? Well, once playing your music with an active phone call, your smart phone would pay attention to the line… since you won’t be able to hear it (cause you’re listening to your sweet, rockin’ beats). If the sound from the phone call changes to voice communication (versus music), your music will be paused and what the person on other end said will be replayed. That’s the tricky part— making the phone recognize when to switch back to the active call. I suppose it would need to do so even for periodic “there are n people waiting ahead of you” prompts, but I could live with that.

This is an idea whose time has come.

My Thoughts on Coin

2013-11-16T02:07:24Z

I crave minimalism. So, Coin interests me, but I don’t think it’s for me. Here are some quick thoughts on Coin.

If you have more than one credit card, the easiest way to get down to carrying one card is cancel the other ones. I have two active¹ cards: a debit card from my bank (which is accepted like a Visa card) and an American Express card which has a yearly cash back bonus (and important: I don’t carry a balance month-to-month, period).
If you use Coin and you find yourself at a place that has to imprint the credit card, you’re out of luck. Hope you brought some cash.
$100 or even $50 (the pre-launch sale price) seems high for this convenience. Especially if the card has to be replaced every 2 years because it runs on a non-rechargeable battery.
I’ll still need to carry my driver’s license; this isn’t for that.
I’ll still need to carry my transit card. It has a chip on it, so I don’t think it can be mimicked by Coin.
I’ll still need to carry my HID building access security card.

So, even if I were to buy one of these — effectively (at launch sale price) a $25/year (due to the battery lifespan) convenience fee — I’d still need a decent wallet to hold everything. I couldn’t get away with a slim phone card pocket case, for instance.

No, I think the future looks something more like using Passbook or even NFC… so, no physical cards. Bluetooth LTE identification for building access. A federal and state-approved method for presenting your identification through with phone. Maybe then you could just carry one card; one that serves as a backup in case you lose or damage your phone.

I also carry a Simple card right now. I’m looking to switch from Chase, so either the Simple or the Chase debit card will be taken out of rotation depending on whether I switch or not. And I love Simple, but so far they don’t support a joint account very well. ↩

What Apple Thinks it Knows About You

2013-10-09T07:08:34Z

This is a response to this.

Sure, our smartphones can have a lot of personal information in them and much of it is shared with “the cloud”. Sometimes that’s the device manufacturer that is supplying services. Sometimes that’s a third-party company that makes a social network you want to participate in. Whatever. Let’s talk about Apple, in particular.

Your identity

Apple asks you to sign in or register an Apple ID during the setup process for iPhone, but you have the option to skip this step entirely. Doing so will limit certain features of the phone. But if you want to create an Apple ID, Apple asks that you supply your name, your birthdate, a valid email address, telephone number, zip code, city, state, country and home address. But you can about these things. Apple doesn’t verify any of this information, save for the email address. And having an email address doesn’t really identify you— there’s no credit card involved in getting a Gmail or Yahoo mail account.

Your credit card information

Apple will have your credit card information if you give it to them. There are avenues for buying the phone itself with cash. And if/when you sign up for an Apple ID, you’re asked for a credit card, but you can decline to fill that in. For app purchases, you can always buy iTunes credit from any number of retailers and redeem them for use in the App Store or the iTunes store.

Your outdoor location

The GPS and location services on your phone are activated during the setup of the device. If enabled, location services can report the phone’s location to Apple. If that bothers you, then don’t enable location services, or turn it off under the “Privacy” section of the Settings app.

Your indoor location

Again, location services are an opt-in feature. Micro-location still falls under location services which are easily disabled.

Your behaviour

If you make purchases in the App Store or iTunes store, Apple can build a purchase profile about you. But no one is holding a gun to your head to buy these things. If you’re really worried about Apple relating your love for Phish, then you can load your entire CD-ripped collection onto the device through a computer. It’s also possible to jail break most iPhones and load software onto it through “alternative” sources (not recommended, but there you go).

Your movement

This part of the article assumes you’ve bought an iPhone 5s. Well, the A7 processor does track your spatial movement through an accelerometer but this information is only shared with applications that have been given your permission to use it. If you are wary of those apps, then don’t grant them permission and simply delete them.

Your face

Apple will store photos you take with your phone on iCloud in a personal Photo Stream if you have enabled iCloud and Photo Stream to begin with. Apple cannot, however, force you to take selfies even if you do use iCloud.

Your fingerprint

The iPhone 5s does use a sensor under the home button to allow you to unlock your device using fingerprint identification. The process for enabling this is simple, but requires a training process that is user initiated. The iPhone will not scan your fingers without enabling Touch ID.

What Apple Really Knows About You

So here’s what Apple can really know, for absolutely certain. That a device of theirs with a particular serial number was purchased and used with a SIM card with a specific serial number and phone number (this is communicated during the phone activation process). That’s it.

As for any of these other things: Apple will only have them if you give it to them yourself. Your identity, credit card, location, behavior, movement, face and fingerprint are all safe from Apple. Now, your wireless carrier might know more information about both you and your location (based on cell tower usage), but that would be the case regardless of what phone you’re using.

In short, there’s nothing to fear here but fear itself.

We promise not to screw it up

2013-05-21T15:09:15Z

Marissa Mayer made the inaugural post to Yahoo!’s Tumblr blog, announcing they were acquiring the service for $1.1 billion dollars (all cash). By modern measures, this seems like a pretty good deal. Remember, they also bought GeoCities for $3.6 billion in 1999 (valued at that amount, it was a stock exchange).

But, what gets me is this bit of her post (and echoed in the official press release). It reads, and I kid you not: “We promise not to screw it up.”

That’s in there because Yahoo! has a poor record of not screwing up things. GeoCities, for one. Flickr was on life support until only recently (I think Instagram and the Facebook buyout of that service for $2 billion had something to do with it). Upcoming.org was another victim of their embrace, languish and shutdown strategy. The Archive Team folks are still backing up that service. Maybe Archive Team should get a head start on Tumblr. Just in case.

But the worst part about that particular sentence is there’s no way for them to live up to it. No way. Cause, let’s face it, “screw it up” is a pretty subjective measure. And the folks measuring it have a very fine measuring stick:

one advertisement, anywhere on Tumblr… even a whiff: they screwed it up.
a Yahoo! logo brandishing the site… even in the footer: they screwed it up.
switching authentication from Tumblr login to Yahoo! login: they screwed it up.
changing terms of service in any way that materially benefits Yahoo! or restricts users: they screwed it up.
repurposing content without permission on another Yahoo! property: they screwed it up.
removing user content for newly adopted content policy: they screwed it up.
one additional promotional email for Tumblr users: they screwed it up.
adding features that promote other Yahoo! services (even if beneficial): they screwed it up.
adding any sort of posting/upload limit for free users: they screwed it up.
introducing any paid level of service while reducing features for free users: they screwed it up.
changing the period at the end of the “tumblr.” logo to an exclamation mark: they screwed it up.

So basically, they can’t touch it at all without breaking that promise.

Literally, she said “we promise.”

Now on the Apple Store: A Dell XPS with OS X

2013-05-16T16:35:53Z

Can you imagine an Apple exec, taking the stage at a main Apple event, promoting a Dell computer that has been optimized for running OS X, and sold exclusively through Apple’s own store? Well, that’s basically what Google did yesterday at Google I/O by announcing they were to sell an unlocked, no-contract Samsung Galaxy S4 running the stock Android OS and sold through Google’s Play store, for $649.

Why did Google buy Motorola for $12.5 billion? And what a slap in the face to all the other Android hardware companies.

The Android ecosystem is truly amazing. And mind boggling.

Google Island

2013-05-16T06:33:34Z

Here’s a Storify post assembled from a bunch of Tweets I just made inspired by the Google I/O presenation this year. Larry Page said there should be a part of the world set aside for unregulated research and science. Well, I think it should be called Google Island…

(if you’re viewing this through a news reader, the Storify content may not come through; if not, you’ll have to visit my site to see it)

Phishing with Forged Links

2013-05-09T15:17:07Z

TL;DR version: Sophisticated phishing attacks can be hard to detect for most. As software developers, we need to build better detection, prevention, and countermeasures into apps and services that relay and present these messages so users will be less likely to fall victim to them.

The Onion is a satirical news web site that looks like a legitimate news company. They make their living at spoofing the real news. So, they should be keenly aware of the fact that things aren’t always as they seem.

Well, recently, their Twitter account was hacked. Compromised by the “Syrian Electronic Army”. And now you can read about how they did it. The Onion’s tech team published an article about it: How the Syrian Electronic Army Hacked The Onion. Go read that now to get some context for what follows.

In short, it was a targeted attack. An email that was baiting the writers at The Onion to come and see an article about their organization. And look— it’s on The Washington Post! How exciting. The text of the link was an address that pointed to “http://washingtonpost.com/…”, but the link itself pointed to another site entirely. I’ve come to call that kind of link a “forged link”; a fraudulent and deceptive hyperlink. The phrase also works in the sense that such a link is deliberately crafted to deceive.

How Forged Links Work

Stepping back a bit, for those that don’t understand how that works. An email message can be like a web page, where most anything in the email can be linked to a web site. Could be text, could be an image, or even white space. So, an address to something, like my own web site would be like this:

http://bradchoate.com/

But see how it isn’t linked? It looks like an address, and it is, but unless it’s written this way, it won’t be usable:

http://bradchoate.com/

This is the HTML representation of a link, and this is how they’re written, but the bits in-between the < and > symbols are hidden from view when reading a web site or email message, since those are instructions to the computer; not really something for a human to read. But that was me being honest. What if I wrote this instead?

http://bradchoate.com/

and remember, you don’t get to see it that way in the actual email message. You’d see it like this:

http://bradchoate.com/

Now then— the link to my site is still shown, and now it’s underlined, which means you can click on it. But, where you go when you click on it is somewhere altogether different. That’s how the forged link works. The link that the unsuspecting recipient at The Onion clicked on did not take them to “washingtonpost.com”, but instead, to a different web site that looked very much like a Google.com account login page. When that happened, it should have sent off alarms in the mind of the user— “why did that happen?”. But instead… at least for one or two that got this far… they entered their Google credentials and unknowingly sent them to their attacker. And, after sending the login information, they were simply passed over to their actual Gmail account, which probably displayed their email since they were likely still logged into Google.

Okay, Blame the User, Right?

The tech guys at The Onion give some advice on how to protect yourself from this kind of attack. But these recommendations put all the onus on the end-users:

“Make sure your users are educated…” Right off the bat— “the user was wrong, so teach them not to do that!”. Well, good luck with teaching everybody.
“The email addresses for your Twitter accounts should be on a system that is isolated…” Okay, so if we can’t avoid these attacks, might as well put their target a little further out of reach.
“All Twitter activity should go through an app of some kind…” Sure, cause nobody would ever attempt to obtain your HootSuite credentials.
“If possible, have a way to reach out to all of your users outside of their organizational email.” Not really anything preventative here, just disaster recovery planning.

Well, I prefer to place more blame on everyone else.

Antispam/Antiphishing Filters Failed

The fact that this email included a forged link like this and was not flagged in some way is frustrating. Computers are great at spotting a discrepancy like this— especially for pure-text links— and they should be helping us to be safe.

Of course, it could have been an image of a link to washingtonpost.com that was linked the bad web site. In that case, it may be necessary to use text recognition on images that are linked to see if they’re misdirecting.

The User’s Email Client (Gmail, Apple Mail, Outlook, etc.) Failed

If the message did reach the inbox, it should be flagged in a way to identify the forged link, and the fact that this is coming from a stranger (someone that has no correspondence history) and as such, links clicked on should be programatically and visually verified.

A programmatic verification would check the domain of the link against a database of known risky web sites.

A visual verification would involve (at a minimum) showing the user the actual link they’re about to visit. But it could also display a screenshot of the web page so they can see where they are about to go in a safe way before they actually visit the site.

Currently, some email apps offer some visual verification in the sense that if you put your mouse pointer on top of a link and hold there for a second or two, it will reveal the link address in a “tip” window. That’s cute, but not good enough.

The User’s Web Browser Failed

The user’s web browser allowed them to enter sensitive information (data into a password field) on a site they’ve never done that on before. The user should be warned— even before the keypress registers in the password field— that they are about to do something potentially risky. Something akin to this, but generalized for any untrusted web site asking for a login (and doesn’t call you an idiot, ideally).

And again, the web browser could check the domain against a database of risky sites (including all of these free web hosting services, God bless ‘em). A stronger warning should be given if the user is trying to enter sensitive information on a web site without a secure connection. These types of attacks rarely ever use a secure web site, since that requires money and creates a paper trail that can be followed.

We Can Do Better Than This

To sum up, there are many gaps to be filled in here. As software developers, we have to stop telling people that they are to blame for falling for these tricks. Let’s at least give them some better tools to arm themselves against the “Syrian Electronic Army” and other hackers out there.

Re: unauthorized access

2013-05-03T15:39:52Z

Earlier this week, I got the following email from my Mom:

From: Mom To: Brad Choate Subject: Fwd: unauthorized access I think you will tell me to ignore this. Right? ————— Forwarded message ————— From: Strife, C Frederic (FRED STRIFE MD) Date: Thu, May 2, 2013 at 4:31 AM Subject: unauthorized access Dear Valued Staff, We suspect an unauthorized access on your account. To ensure that your account was not compromised, please click HERE http://updates.a.nf/ to confirm your identity and update your account. (c) 2013 Webmaster Inc

Now, my Mom is not new to computers. She’s been using them since the ’80s. But she is susceptible to social engineering, because prior to the Internet, she wasn’t trying to be conned all the time. So, every now and then, she forwards an email like this to me, asking if it is legitimate or not. I typically just give a short “Nope; just delete that.” kind of reply, but this time, I decided to give her more to learn from. Here’s my reply:

To: Mom From: Brad Choate Subject: Re: unauthorized access Yes, you can ignore an email like this. There are too many warning signs to even consider this is valid at all:

Who is “Frederic C Strife” and why is he emailing me about my account?
What is “Webmaster Inc.” (from the message)?
Why does this Frederic person think I’m part of his staff (from the message)?
What account is this in reference to in the first place?
What is the “cchmc.org” domain (from their email address)? You’ve probably not seen that address before.
What is the “updates.a.nf” domain (from the link they want you to use)? “nf” is the domain for Norfolk Island, which is a small island near Australia. What would that have to do with any of my accounts?
Why is this email so short on information if it involves something so serious as unauthorized access to my account?

The email subject alone is enough to give me pause: “unauthorized access” — all lowercase, and a phrase that is purely meant to scare you and lure you into this trap. At best, it was sent to you by mistake. At worst, it’s a link that will take you to a web site where it will attempt to install software on your computer than could contain a virus. But in this case, it is sending you to a web page that looks like this: There’s nothing here that tells you you’re on a Google property. It isn’t explaining the situation further at all. It’s simply asking you to hand over your email address and password. They will then take it and attempt to use it to access your email. Why? To sift through it to obtain information about you, or useful things like information about other accounts. They could also change your password to lock you out of it. An email address is often used as a way to verify access to other accounts. They could request a new password for a bank account or your Amazon.com account (which could be discovered from your email history), which would send information to your (now compromised) email address for how to reset that password. So, thanks for asking, but this is just a poor attempt to gain your email account credentials, pure and simple. Don’t fall for these. More information on how to spot these right away: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx http://idtheft.about.com/od/preventionpractices/ss/phishing_scams.htm -Brad

This spammer was pretty lazy, actually. This is one of the more obvious ones. Some will mimic an email notification from a legitimate service like Gmail, or Yahoo! Mail. And the website itself is also pretty basic and not an attempt to appear to be any website you might recognize. Even the link in the email is unobscured. My guess is that they don’t really have to try. There are enough people that will simply click on that link and fill in a form like that without thinking much about it. (I did find it funny that they’re putting a captcha here… is this form being spammed?)

Be on your guard. As I explained to my Mom, obtaining your email account can open you up to other problems, including accessing other accounts that may be tied to your email address. At the very least, your email account could be used to propagate more spam and phishing attacks like this one.

Additional resources to educate yourself about phishing:

OnGuardOnline.gov - Phishing

My work tools, 2013 edition

2013-04-29T17:50:01Z

From year to year my work tools change. So, periodically I like to capture the state of my work environment on my computer. I’m a software developer (both web and iOS) who dabbles in design. Here’s the latest snapshot:

Computer: 11” MacBook Air (Mid 2011) ($$$). My employer has provided me with this laptop, and it’s the best I’ve had. Can easily power the 27” Apple Cinema display I use with it every day and runs everything I need, from Photoshop to Xcode, even with the bevy of OS X menubar items I keep running. 4 GB goes a long way on this Mac. It travels in a Tom Bihn Ristretto ($$$) which holds my laptop and a 10” iPad easily.
Developer Tools: TextMate 2 ($0), Xcode ($0), CodeRunner ($), Echo ($), Kaleidoscope ($$$), Dash ($), Charles ($$$), iTerm 2 ($0), Patterns ($), CodeBox ($), VirtualHostX ($$$), LiveReload ($)
Design tools: Photoshop ($$$) (but also own and recommend Pixelmator ($$$) and Acorn ($$$)), Coda 2 ($$$), Espresso ($$$), WebCode ($$$), xScope ($$$), PaintCode ($$$), Hype ($$$), Sketch ($$$), OmniGraffle ($$$)
Extensions and Menubar items: MenuAndDockless ($0; requires SIMBL, but worth it), Moom ($), Bartender ($$), PandaBar ($; unavailable at the moment), CloudClip ($0), Sidekick ($$$), PopClip ($), Live Wallpaper ($), Fantastical ($$), iStat Menus ($$), Air Display ($$), Trickster ($), HyperDock ($)
Utilities: Alfred 2 ($0; $$$ for the PowerPack), 1Password ($$$), Dropbox ($0), Textual ($), Transmit ($$$), CrashPlan ($0 for peer-to-peer sync), Hazel ($$$), Clarify ($$$), Soulver ($$)
Office Apps: Google Docs ($0), Pages ($$), Numbers ($$), Keynote ($$)
Writing Tools: Evernote ($0), iA Writer ($), FoldingText ($$$)

Bold items are essential apps. The others make life easier, but I could get by without them. Price legend (based on today’s prices; subject to change): $0 = free; $ = less than $10; $$ = more than $9.99, less than $20; $$$ = more than $19.99. I have more apps actually, but I can’t recommend them as strongly. I have given 5-star ratings to all of the above apps on the Mac App Store.

Catching up

2013-04-26T20:24:00Z

So I should probably give a bit of a recap to bridge the gap I’ve created from not posting here for a few years. Since then, the most notable change for me has been my work situation. It’s changed, but it hasn’t. Six Apart San Francisco merged with Videoegg to form Say Media. I transitioned to Say when that happened. Before that, I had already stepped back about a year or so prior from active work on Movable Type. MT lives on, under the care of Six Apart as it exists today in Japan, where it is in good hands.

Here at Say, I’ve had opportunity to work on a wide variety of products and services with Python/Django, NodeJS, Objective-C and yes, Perl too. We’re developing modern publishing tools as well as ad delivery tools (for web publishing, these go hand in hand). Say also owns a number of sites, like ReadWrite, SplatF, Remodelista and The Kitchn. One of my colleagues wrote about what we’re up to in terms of our direction and focus and sums it up nicely. And we’re hiring — if you’re interested, drop me a line.

And personally, while I’ve been away from my blog, I have been posting semi-frequently on Twitter, and on Please. Fix. That. where I rant about broken things I come across.

Other than that, the wife and kids are doing fine. We’re enjoying our 9th year in California. We own a house as of a couple of years ago and we have two parakeets.

There, you’re all caught up.