Wednesday, April 17, 2013

Forget ICE: put your contact information on your iPhone lock screen

After mass emergencies I often read Facebook posts about the "In Case of Emergency" (ICE) program:

It encourages people to enter emergency contacts in their mobile phone address book under the name "ICE". Alternatively, a person can list multiple emergency contacts as "ICE1", "ICE2", etc. The popularity of the program has spread across Europe and Australia, and it has started to grow into North America.

Of course this only works if you leave your phone unlocked. That's kinda risky in the era where our smartphone is the key to our lives. In any case business phones have mandated locks.

A much better policy is to have your iPhone (or Android) lock screen display your contact and emergency information in a note. Then if someone taps the power button they see it all. You can include organ donor status if you like. Of course this also means that if someone finds a lost iPhone you'll probably get it back.

Here's how I do it on my iPhone:

  1. Create a note with the information to display.
  2. Press home-power button to take a screenshot.
  3. In Settings choose Brightness and Wallpaper. (See how to set your iPhone lock screen).
  4. Tap on the Wallpaper image and set the screenshot you saved as your lock screen, but not as your wallpaper.
It takes a minute. I keep the note around in case I want to revise it sometime.
 
I include:

  • Name
  • Address
  • Home phone
  • Emerg phone (Emily's cell)
  • My email
  • My organ donor status
  • Thanks!

If you have a significant medical condition, you could add a line with the URL for a web page with key advice, or you could type it in. (On the i5 there's lots of room.) Don't bother adding your blood type, nobody would rely on that.

You can do something similar with Lion and later to help recover a lost laptop: Lost and found: putting contact info on iOS and OS X login screens.

Sunday, April 14, 2013

Apple's two-step verification: Multiple Apple IDs and mac.com Apple IDs?

I like the idea of "two-step verification" for my Apple credentials (aka two factor authentication).

Problem is, I have no faith in Apple's ability to get this right, especially given their many years of unresolved Apple ID problems [1]. In particular I wonder about two things:

  • Can I do two-step verification for my core Apple ID that's tied to all of my App Store and iTunes purchases? That is a mac.com address, and when I tried setting one I wasn't given that option. I think the answer is no -- I'd have to change the email address first. But I know I can't change it to one of my 3 other Apple IDs.
  • Can I do two-step verification from an iOS device for an Apple ID that's not the same as the Apple ID tied to the authenticating device? (iOS: iTunes and App Stores)
Until I get answers to those questions, I'm afraid enabling two-step verification will lock me out of my core Apple ID services.

- fn -

[1] Examples below. Their Apple ID failures are one example of why I think Apple's mind-boggling successes of the late 00s may have also broken the company. There are so many things small and large that Apple can't seem to manage. I'm hoping Cook is doing recovery work.

App.net - using Duerig's custom RSS feed to see only root posts from selected people

[See update below, Jonathon has revised his stream generator so you don't need to look up the userid any more.]

I enjoy app.net. I like the conversations, but I particularly like the 'root' or initial posts shared by a few of my followed appnetizens. Problem is, these posts are lost in the streams of the app.net clients I use - Felix (iOS), Kiwi or Wedge (OS X), and Alpha or NoodleApp (web). They are mixed with replies and conversations. Current app.net client UIs aren't a great fit for how I'd like to follow folks; they are best suited to recreational engagement. Thanks to Jonathon Duerig (@duerig), there's a better option. He's providing a special RSS feed that accepts parameters. For example, here's mine:

http://jonathonduerig.com/my-rss-stream/rss.php?user=6172&replies=0&directed=1

In this example

  • 6172 is my app.net userid (I was #6,172 to sign up)
  • replies=0 means I see only root posts
  • directed=1 (just include this, don't ask why) [2].

To find the userid you can mouseover the official (shows all activity) RSS feed icon on alpha.app.net profile pages, like https://alpha.app.net/johngordon. It shows the userid. I've created feeds for several people who I particularly like to follow, and put those feeds into a Google Reader folder called App.net [1]. Now that Duerig has also removed an unnecessary username prefix from each post, the results display very well indeed. Each post comes with a link to alpha.app.net, so I can respond easily in that environment. It's really quite elegant, and should be an inspiration for app.net app builders. I'm looking forward to more like this; Duerig will probably move this to a custom domain and tidy it a bit. For now I've put the feed URL into my Profile Bio to make it easier for others to copy.

[1] I haven't settled on a Reader replacement yet, I'll start doing serious testing in May. I do want folders.

[2] Duerig: "A directed post is a post beginning with a mention ... to anyone. .. the concept of a directed post is immensely confusing ... Just do replies=0 vs. replies=1 and you will be happy."

Update 6/30/2013: Duerig has a new format with new header and the ability to use a username instead of a user ID. For example:

rss-app.net/rss.php?user=@duerig&replies=0&directed=1 

I used a list of usernames scraped from the display of people I follow, and Numbers.app concatenate [2], to generate this list of feeds which I've been tediously [3] copy pasting into Feedbin. The current list is below, sorted by name [5]. 

This functionality makes app.net far more interesting for me. I really think it needs to be part of the API, a variation of stream. So we'd have two independent streams:

  • Twitter-style conversational stream: see all posts by members of follow list.
  • Prime stream: "Root" posts stream - akin to news, item share

For some people I want to follow conversations, for others just their initial item share, for others both streams. So these are independent.

Currently I do stream 1 from Kiwi/App.net/Felix, stream 2 from Reeder/Feedbin/ReadKit [4].

- fn -

[2] Numbers.app can't export as tab delimited, which tells one a lot about iWork. It also "escapes" quotes in CSV fashion when you copy to clipboard, so they're all doubled. Not a problem with this exercise, but very annoying when I tried to create OPML XML entries. iWork, not Apple TV, is a hobby.

[3] Feedbin has performance and reliability issues, especially on adding feeds, but those are improving. What's killing me is the extremely limited UI for manipulating feeds - review, sort, revise names, remove, tag. It doesn't scale past 25 or so feeds; I'm over 300. If this doesn't get fixed in the next few weeks I'm gonna have to try something else.

[4] Readkit is promising but obviously in early state for consuming Feedbin, etc.

[5] Full list -- if your name isn't on here don't worry, I'm building it out. See [3]

(I had to add bullets due to a longstanding Blogger/MarsEdit formatting bug.)

  • rss-app.net/rss.php?user=@adamlcox&replies=0&directed=1
  • rss-app.net/rss.php?user=@adrianus&replies=0&directed=1
  • rss-app.net/rss.php?user=@annatarkov&replies=0&directed=1
  • rss-app.net/rss.php?user=@benubois&replies=0&directed=1
  • rss-app.net/rss.php?user=@billkunz&replies=0&directed=1
  • rss-app.net/rss.php?user=@clarkgoble&replies=0&directed=1
  • rss-app.net/rss.php?user=@dalton&replies=0&directed=1
  • rss-app.net/rss.php?user=@danfrakes&replies=0&directed=1
  • rss-app.net/rss.php?user=@danielgenser&replies=0&directed=1
  • rss-app.net/rss.php?user=@darnell&replies=0&directed=1
  • rss-app.net/rss.php?user=@duerig&replies=0&directed=1
  • rss-app.net/rss.php?user=@erikschmidt&replies=0&directed=1
  • rss-app.net/rss.php?user=@fields&replies=0&directed=1
  • rss-app.net/rss.php?user=@glennf&replies=0&directed=1
  • rss-app.net/rss.php?user=@gruber&replies=0&directed=1
  • rss-app.net/rss.php?user=@jdalrymple&replies=0&directed=1
  • rss-app.net/rss.php?user=@johngordon&replies=0&directed=1
  • rss-app.net/rss.php?user=@marcozehe&replies=0&directed=1
  • rss-app.net/rss.php?user=@martinsteiger&replies=0&directed=1
  • rss-app.net/rss.php?user=@mfitz&replies=0&directed=1
  • rss-app.net/rss.php?user=@mvp&replies=0&directed=1
  • rss-app.net/rss.php?user=@prometheus&replies=0&directed=1
  • rss-app.net/rss.php?user=@rikishiama&replies=0&directed=1
  • rss-app.net/rss.php?user=@reederapp&replies=0&directed=1
  • rss-app.net/rss.php?user=@brentsimmons&replies=0&directed=1
  • rss-app.net/rss.php?user=@siracusa&replies=0&directed=1
  • rss-app.net/rss.php?user=@sirshannon&replies=0&directed=1
  • rss-app.net/rss.php?user=@snipergirl&replies=0&directed=1
  • rss-app.net/rss.php?user=@spacekatgal&replies=0&directed=1
  • rss-app.net/rss.php?user=@teawithcarl&replies=0&directed=1
  • rss-app.net/rss.php?user=@thomasbrand&replies=0&directed=1
  • rss-app.net/rss.php?user=@treestman&replies=0&directed=1
  • rss-app.net/rss.php?user=@voidfiles&replies=0&directed=1
  • rss-app.net/rss.php?user=@wickedgood&replies=0&directed=1
  • rss-app.net/rss.php?user=@xwordy&replies=0&directed=1

Saturday, April 13, 2013

WordPress attack - lessons from my personal security review

This week there's a brute force password attack on WordPress sites. That inspired my security review. Here are a few things I learned doing it:

  • I again appreciated the FileMaker database I've used since 1997 to track my net credentials. I dump data from it to a now dated version of 1Password, but it's hard to beat the ease of searching and editing my own repository. It lives on an encrypted disk image on my local machine.
  • It's easy to end up with orphan WordPress instances. I have one on Wordpress.com and two on my Dreamhost account, but I only use http://www.kateva.org/sh/. It archives my Pinboard/App.net shares; one day, if I figure out how to do it, I may append my old Google Reader shares (json).
  • I had a strong password on the wordpress.com account, but only pretty-good on my other two and they had the same pw. I upped both to very strong but still typable. I will have to review how IFTTT connects to kateva.org/sh -- obviously there are big security risks with many uses of IFTTT.
  • I'd been keeping my WordPress blog software current (Dreamhost makes that easy!) but not the plug-ins and themes.
  • I'd changed a theme on one blog recently, and today I learned it didn't include a log-in link! I was briefly shut out, but a bit of web research turned up kateva.org/sh/wp-admin.

The most important thing I learned is that it's not trivial to safely delete a self-hosted WordPress blog. Yikes! No wonder there are lots of vulnerable old blogs lying around for the taking. WordPress.com blogs have a delete tool, but not self-hosted sites. Things can get nasty here -- two WordPress blogs can share the same database, so deletion must be done carefully. Judging from some Google hits, this is very much an unsolved problem with lots of confusion.

We need a fix, WordPress.org, and we need it very soon. Dreamhost, you could help too.
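The shared-database problem above can be checked before anything is deleted. The sketch below is an added example, not code from this blog, WordPress or Dreamhost: it reads the DB_NAME, DB_HOST and $table_prefix settings out of each install's wp-config.php and reports whether an orphan blog's whole database can go, only its prefixed tables, or neither. The paths, database names and the "localhost" fallback are constructed assumptions.

```python
import re

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

# Constructed sample wp-config.php excerpts; paths and names are made up.
SAMPLE_CONFIGS = {
    "/sites/main/wp-config.php": """
        define('DB_NAME', 'wp_main');
        define('DB_HOST', 'mysql.example.com');
        $table_prefix = 'wp_';""",
    "/sites/old/wp-config.php": """
        // define('DB_NAME', 'legacy_db');
        define( "DB_NAME", "wp_main" );
        define('DB_HOST', 'mysql.example.com');
        $table_prefix  = 'wp_old_';""",
    "/sites/test/wp-config.php": """
        define('DB_NAME', 'wp_test');
        define('DB_HOST', 'mysql.example.com');
        $table_prefix = 'wp_';""",
}

def parse_wp_config(text):
    """Return (db_host, db_name, table_prefix) from wp-config.php source."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    text = re.sub(r"(?m)^\s*(//|#).*$", "", text)      # drop commented-out lines
    consts = dict(DEFINE_RE.findall(text))
    prefix = PREFIX_RE.search(text)
    # Assumption: fall back to "localhost" and WordPress's default "wp_" prefix.
    return (consts.get("DB_HOST", "localhost"), consts["DB_NAME"],
            prefix.group(1) if prefix else "wp_")

def deletion_plan(configs, target):
    """Decide how much of the database can go when `target` is deleted."""
    parsed = {path: parse_wp_config(src) for path, src in configs.items()}
    host, name, prefix = parsed[target]
    others = {p: v[2] for p, v in parsed.items()
              if p != target and v[:2] == (host, name)}
    if not others:
        action = "drop_database"         # assumes nothing non-WordPress lives there
    elif any(o.startswith(prefix) for o in others.values()):
        action = "manual_review"         # a 'wp_%' match would hit 'wp_old_' tables
    else:
        action = "drop_prefixed_tables"  # only tables starting with `prefix`
    return {"database": name, "prefix": prefix,
            "shared_with": sorted(others), "action": action}

if __name__ == "__main__":
    for path in SAMPLE_CONFIGS:
        print(path, deletion_plan(SAMPLE_CONFIGS, path))
```

It only reads config text and never touches a database; take a backup before acting on any of its answers.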