03. May 2016 · Categories: Apple

What many people are not realizing is that the iPad Pro 12.9″ is lighter naked than the 9.7″ model combined with a keyboard and case[1]. Not having this extra weight is what makes all the difference when we want to use the iPad handheld. With a light, naked iPad, I can hold it in my hands, type on the glass effectively, maybe holding it up while sitting in my chair, using the armrest. Or I can put it down on my lap, and also use the pen to draw or explore ideas. It is still a bit heavy, and I still would love the iPad to lose half its weight again, but with the current, naked weights, I can already use it for long periods without feeling that I need a table to rest the iPad on[2]. I do not miss a physical keyboard. The typing speed on glass is a bit slower[3], but it is still much faster than using a pen, and more than fast enough to keep up with my thoughts. We tend to greatly underestimate the time needed for clearly formulating our thoughts; typing is a relatively minor part of the time I need for a post. I see that a physical keyboard enables you to type blindly, without having to glance at the keys from time to time. This is valuable for transcribing talks, but only journalists and secretaries do this often, and I believe this wrongly colors journalists' opinions about the necessity of a physical keyboard.

So start treating your iPad as a tool that can withstand use, and enjoy the light weight. Maybe get a sleeve[4] to protect your iPad during transport, which can also serve as a nice place to rest your iPad on a table. Trust Apple to make a solid piece of hardware that does not need extra protection.


  1. The 12.9″ iPad is 714g, the 9.7″ is 437g. For the 9.7″ model, the Smart Keyboard weighs 225g, the silicone case 84g, and a Smart Cover would add 110g. For the 12.9″ model, the keyboard is 340g, the case roughly 125g, and the cover 164g. So a fully protected 9.7″, at 746g, is heavier than its larger sibling naked. My thanks to Jason Snell for measuring this. The 9.7″ case is estimated because of lack of data. 
  2. It probably helps that I am swimming regularly. Even once a week will train muscles in the arms and fingers that are typically neglected, and it makes it easier to hold the iPad. 
  3. A trained typist gets pretty close, losing only about 20% of his speed. And I was surprised to find that this also holds true for myself. 
  4. I love the sleeves from Joli Originals, they are absolutely marvelous. 
14. April 2016 · Categories: Politics

The outcome of the Dutch Ukraine referendum shows how problematic they are: it was a consultative one, so people have felt free to use it as a protest vote. Even the organizers have openly said that they do not care about Ukraine; they have openly hijacked the process to organize a vague protest vote, and in the event just 32% of voters bothered to even vote.

There is a reason that we vote for representatives: our modern world is complicated, there are a lot of competing interests and to create a good policy, an acceptable compromise to deal with issues is hard. It takes time to properly understand things, which most people do not have. In addition, people enthusiastic about a policy will skew the turnout and we can get results that most people do not really want. So we should reform the referendum process to ensure that decisions are made by informed, representative people. This should lead us to the following process:

  • for consultations, use sampling: choose a hundred people randomly, put them into a hotel for a week, brief them on the issue at hand, and get their concerns and priorities.

  • for referendums, treat them as a corrective mechanism against the risk that politicians ignore an issue.

A consultation mechanism provides much more nuance, and chances to figure out which parts of specific legislation are problematic. It might be that a policy is good, but that not enough help had been provided to aid those affected by the change. It might be that the concern is something related, and that we need to address that as well. It is a perfect companion to our democracy, significantly cheaper to implement than a referendum, and would underscore the consultative nature of such a people’s senate.

Making referendums a corrective mechanism would mean that they should have high hurdles to justify overruling the parliament. So I suggest that the acceptance threshold should be 60% of votes cast, and 40% of eligible voters[1]. This is a high hurdle, but it would ensure that any act passed this way has the broad support of the people, and has enough standing that parliament cannot simply overrule it[2]. One needs to engage almost the entire population to get one passed, and so it puts pressure on ensuring that proposals are well thought out. Also such a mechanism should allow us to introduce new bills, to increase the chance that it actually addresses the basic concerns. The Swiss allow parliament to add its own version for a referendum, and I believe this has greatly improved the quality of the passed referendums.


  1. One consequence is that the required turnout is between 40% when everyone votes for it, and 66.7% when 60% do. It also removes the incentive for people to stay away to keep participation below the required threshold. 
  2. I believe a constitution changing majority should be required for an overrule, or a new referendum. 
07. April 2016 · Categories: General

It is interesting to see the demand for the just announced Tesla 3. The demand confirms that the Tesla is seen as the gold standard for electric cars, and the promised performance makes it one of the best cars to own as long as you do not need to travel more than 150km one way (or already have a charger available at your endpoints). This range is good enough to make it a very viable second car for a family, where you have a different car you can fall back to for long journeys. It also illustrates that choosing a range of 340km is a very smart decision: unlike the 100km ranges of commuter cars it covers enough range that you will want more only rarely, and this makes all the difference in justifying the purchase: No backup is needed.

How long the range will be under practical circumstances we do not know: we lack info on battery aging to estimate the loss over time. Also I guess the demand as the only car of a household will be limited, as traveling longer distances where you need to recharge during your journey does not work well. It starts with the relatively low density of the charger network, which Tesla is working hard to improve. The stations are roughly 200km apart and typically can charge 6 cars at once. A fast charger needs about 35 to 40 minutes to add another 200km of range, so it can serve only 10 cars per hour. This is completely inadequate when there are a few hundred owners wanting to go on holidays on the same day[1]. The other problem is that the long charge times reduce your average speed significantly: when you are driving 130 km/h normally, adding charge pauses can slow your speed down to just 94 km/h.

The new Tesla will be a success, but it is only a small part of the way forward to a more ecological car fleet. I believe the biggest leap will come when automatic driving will finally allow a complete reconfiguration of travel.


  1. Building a charger network is a problematic proposition: you need roughly 100x the stations to cover the same number of cars doing long distance travel (40min for 200km vs 2min for 800km fill ups), and because you will normally charge your car at home overnight, charger utilization will be highly seasonal, making it harder to spread the costs. 
03. April 2016 · Categories: Apple

The new iPad Pro 9.7″ has surprisingly many improvements over its older, larger sibling. The cameras are understandable, as the size is much easier to hold in hand, but it is disappointing that the color temperature matching has not been a part of the large one already. Otherwise the pricing is surprisingly low compared to the 12.9″ model. The larger screen must still be relatively difficult to manufacture, because it is otherwise difficult to see why one should pay $200 more for one, when the medium model is better specified. Of course, as we can already see with the iPhone, Apple is in the enviable situation of not having to compete against close substitutes, allowing it some measure of price discrimination, so this could just be Apple’s decision to increase its profits. I feel though that one would be much better served buying the large Pro instead, the larger screen real estate allowing us to work much more efficiently, especially with two apps side by side.

The iPhone SE is a very nice phone, $250 cheaper than the 6s, and basically only missing 3D Touch[1] while having better battery life. It is even a bit heavier than the 5s, so Apple obviously has decided that battery life is now more important than reducing weight even further. It has the potential to be a very popular phone: a lot of great technology, a reasonable price, and no longer any competition in the small but powerful phone space. It will be interesting to see how many people will buy this instead of a 6 or 6s. I would not be surprised if this phone, especially the 64GB model, captures around 25% market share until the next refresh. At the very least, it will provide very good feedback about which screen sizes people actually prefer to use, even when this will be biased by price as well. John Gruber has noted in his review that he feels typing on the iPhone SE is a bit problematic, but I do not share this concern; you could type quite fast on the 3.5″ and 4″ iPhones. The issue is more that once you use one size of iPhone, you build a muscle memory for the keys, and you will need a few weeks to a few months to relearn the keys after switching sizes. And until you have finished with your thumb training, you will be frustratingly slow and error prone.


  1. Plus worse front camera, slightly inferior screen, slightly lower speed, slower fingerprint sensor, no barometer, no 128GB option, none of which I rate as absolutely must have. 
02. March 2016 · Categories: Apple, Politics

The iPhone currently cannot be protected against backdoors that Apple is forced to make, and in general it is impossible to defend against that. There is only one intermediate step that Apple can still take to make breaking into an iPhone more difficult: ensure that the user must approve any update before it is applied. Combine this with the ability to check a cryptographic hash of the update, and you now make it incredibly difficult to target individual iPhones for accepting backdoors: you no longer can surreptitiously push backdoors, they would go to all phones, greatly increasing the risk of discovery and collateral damage.

Apple will need to change the processor to make it happen. The current architecture has no place to store the user's consent securely: only the UID key is secret, and any data stored is on externally accessible flash memory. So an attacker could save the flash content, use the backdoor OS to generate the approval key, and then place back the backed-up user data: on the next boot, the backdoor has access to the memory. So we need the ability to store this consent safely within the processor itself, which means adding a small amount of embedded flash. Embedded flash is relatively easy to read when you are willing to destroy the processor, so it should be encrypted with the UID to make this task more difficult. Since the guide is not clear about it, any RAM used by the secure enclave needs to be either encrypted or on-chip to prevent side channel attacks. There are now chips that have real time RAM encryption baked in; this would be very helpful for the enclave as well.

It is important to keep in mind that there is nothing that can protect us from an insider attack. We can only work hard to ensure that security cannot be reduced after the phone has left the factory[1]. This is why Apple needs to fight so hard to keep the trust of its users: a government mandated backdoor would completely and permanently destroy the trust in that software. It would be the end for closed source operating systems and also applications; the risk that they are used to backstab us would be just too great. This is also the best reason why those backdoors will not be granted in the end: the risk from terrorism is simply not great enough to justify losing billions of annual tax revenues alone, especially since strong encryption is now widely and publicly available. And I believe several countries with strong constitutions would be more than happy to lay out the welcome mat for Apple, should the US decide otherwise.

The following discussion assumes that you have read the iOS Security Guide. The goal of the changes is that when we load iOS, it will only be able to access user data when the update was previously authorized by the user. For this, we will add extra flash storage to the processor, which has a dedicated interface with exactly two functions: create new key and load key into AES unit. Unfortunately this will be relatively expensive: an entire flash unit with error correction ability and random number generation implemented in dedicated hardware to prevent any software backdoors, but now transistor counts are so high that this is perfectly doable. This key will take over the role of the file system key (FSK), and it will also be used to encrypt the class keys. Now the boot loader is changed so that it checks the OS not only for a valid Apple signature, but also for a SHA512 hash encrypted with the FSK. Should the hash not match, the boot loader will destroy the FSK and create a new one, effectively erasing all user data. Depending on the available space in the boot loader, we can add two additional steps to make accidentally losing your data less likely: it can ask for confirmation with a specific key combination, and it can allow the user to still provide his passcode via USB as a special recovery mode. Ideally the boot code would allow you to enter the passcode, but this is probably way too much code to be practical.

Should the iOS image become corrupted, we would use iTunes to restore the image, and also use it to ask for the device passcode to sign the image. This adds a new vulnerability in that the computer running iTunes could be hacked, but given that it would only be used when recovering a broken image, it would be a rare occurrence. We could work around this if we would create a known good passcode recovery image, whose hash would be fixed in the bootloader, allowing passcode entry directly on the device. With the hash, its content would be fixed, preempting later attempts at introducing a backdoor.

Addendum: In order to prevent replay attacks, where you use the current OS and replace the flash memory after every try, the replay counter also needs to be on chip, and only accessible to the secure enclave. We can avoid having extra security measures, because before any untrusted code would be able to run, the bootloader will already have destroyed the FSK. The replay counter is updated before every attempt and after every successful login. With a hundred logins per day, the life expectancy of the counter will have to be a few million writes, which is very doable with Flash using partial word writes.
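To make the boot check concrete, here is an added toy model of the proposal in the three paragraphs above; it is not Apple's design and not taken from the iOS Security Guide. The on-chip FSK only ever serves two operations (create new key, use key), the "hash encrypted with the FSK" is modelled as an HMAC over the image's SHA-512 digest, the Apple signature as an HMAC under a constructed vendor key, the recovery image's hash is baked into the boot loader, and the replay counter lives on the chip. All image contents and keys are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed stand-in for Apple's signing key (a real boot loader would
# verify a public-key signature; an HMAC keeps this toy self-contained).
VENDOR_KEY = b"constructed-vendor-signing-key"

# Constructed recovery image whose hash is fixed inside the boot loader: it
# boots without a user tag, but any change to it changes the hash.
RECOVERY_IMAGE = b"passcode-recovery image (constructed)"
RECOVERY_HASH = hashlib.sha512(RECOVERY_IMAGE).digest()


class OnChipStore:
    """Models the proposed embedded flash: the FSK never leaves the chip."""

    def __init__(self) -> None:
        self._fsk = os.urandom(32)   # generated on-chip, never exported
        self.replay_counter = 0      # on-chip, so restoring external flash cannot rewind it

    def create_new_key(self) -> None:
        """Destroy the FSK; all user data encrypted under it becomes unreadable."""
        self._fsk = os.urandom(32)

    def image_tag(self, image: bytes) -> bytes:
        """The 'SHA512 hash encrypted with the FSK', modelled as an HMAC over the hash."""
        return hmac.new(self._fsk, hashlib.sha512(image).digest(), hashlib.sha512).digest()

    def file_key(self) -> bytes:
        """Key protecting user data; in the proposal the FSK takes this role."""
        return hmac.new(self._fsk, b"file-system-key", hashlib.sha256).digest()


def vendor_sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()


def authorize_update(chip: OnChipStore, image: bytes, passcode_ok: bool) -> bytes:
    """The logged-in user approves one specific image; only then is a tag produced."""
    if not passcode_ok:
        raise PermissionError("update must be approved by the user")
    return chip.image_tag(image)


def boot(chip: OnChipStore, image: bytes, vendor_sig: bytes, user_tag: bytes) -> str:
    """One boot attempt: 'booted', 'recovery', 'rejected' (bad vendor signature,
    nothing changes) or 'wiped' (vendor-signed but unapproved: FSK destroyed)."""
    chip.replay_counter += 1   # updated before every attempt
    if hmac.compare_digest(hashlib.sha512(image).digest(), RECOVERY_HASH):
        return "recovery"
    if not hmac.compare_digest(vendor_sign(image), vendor_sig):
        return "rejected"
    if not hmac.compare_digest(chip.image_tag(image), user_tag):
        chip.create_new_key()   # erase rather than run code the user never approved
        return "wiped"
    return "booted"


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the AES unit: XOR with a SHA-256 keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], stream))
    return bytes(out)


def scenario() -> dict:
    """Walk through the attack the proposal is meant to stop."""
    chip = OnChipStore()
    secret = b"user notes (constructed)"
    stored = xor_stream(chip.file_key(), secret)   # data at rest in external flash

    good = b"iOS image v1 (constructed)"
    tag = authorize_update(chip, good, passcode_ok=True)
    first = boot(chip, good, vendor_sign(good), tag)

    # A vendor-signed image the user never approved (say, with the retry limit
    # removed), presented together with the old tag copied from flash.
    unapproved = b"iOS image v1, retry limit disabled (constructed)"
    second = boot(chip, unapproved, vendor_sign(unapproved), tag)

    # Restoring the copied flash afterwards does not help: the FSK is gone
    # and the on-chip counter has advanced.
    recovered = xor_stream(chip.file_key(), stored)
    recovery = boot(chip, RECOVERY_IMAGE, b"", b"")
    return {"first": first, "second": second, "recovery": recovery,
            "data_readable_after": recovered == secret,
            "replay_counter": chip.replay_counter}
```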


  1. There are two places especially vulnerable to sabotage: the masks for the processor could be subtly altered to weaken the keys or create a backchannel. Or the UID could be recorded during production. The UID though will likely be generated internally by the random number generator, preventing any recording. 

What are the options with current technology to provide encryption backdoors? And which policy goals should we have?

As policy, we want backdoors that provide inherent checks on abuse. When the police search a house, it is obvious to the neighbors, it requires the expense of manpower to do the search, and the subject of the search knows about it. Similarly, we want any mechanism to be expensive enough to deter casual use, obvious enough that it does not happen behind our backs, and safe enough that criminals cannot exploit it.

On these counts, a master key is awful policy. It would have to be kept secure in at most a handful of offline locations. There would be a huge temptation to make more copies to provide better access, and most governments will want to have their own master key for their subjects. There will be so many copies in the end that at least one will be stolen. The cost for each decryption would be so low, and the act so invisible, that there would be no deterrent from overusing it. Worse, if the master key was stolen, it would be very hard to detect, and probably impossible to prove. And as Jonathan Zdziarski observes, the legal system will basically force the tool into the open for validation, making such a threat very plausible.

A much better alternative would be to include a random key on each device[1] used to store enough bits of the password that the full one could be brute forced on a 10 million dollar computer in a week or so. We would also need to update this regularly to account for the increasing processor power that a cracking device can have over time. One would retrieve the key by destroying the processor and carefully checking the nonvolatile storage on it to determine the device key, not an easy task given the small size of such structures. As policy, it would be much better, since it is expensive to hack each device. There is no scaling where after you cracked one, further ones would become much cheaper. You need the device in your physical possession, so it is both an additional protection, and you cannot work undetected. And the special equipment needed to analyze the chips would make it difficult for criminals to acquire such equipment unnoticed.

This would require discussion about how difficult we want to make breaking into phones. What should such cracking cost? The really big problem is that anyone doing anything that would be worth spending millions on prosecuting would find it worthwhile to actually use proper encryption software that is effectively unbreakable, while we cannot make backdoors so weak that people would be subject to persecution by repressive regimes. In the end, backdoors are only effective against criminals doing awful stuff while being stupid enough not to employ proper encryption, or for checking on information stored by crime victims. Such a backdoor could be provided such that people can consciously activate it so that in case of death there is still a way to access information. But in general, we know that nowadays we leave such a thick digital trace in all our interactions, plus clandestine surveillance is now so powerful, that law enforcement has more than enough other avenues to fight crimes.


  1. The classical way to store secrets on a processor has been eFuses, which are relatively large, in the μm range, and can be read quite effectively. More modern approaches use antifuses, for example from Sidense and Kilopass. These are much more difficult to read, and I suspect are the technology Apple is currently using to store their per device keys. To read out the keys, companies like Chipworks do look at chips very carefully, and it is interesting to read about the technology used.

When we are talking about how we should balance privacy and surveillance in the age of encryption, we basically all want the same thing:

Good Guys should be safe from intrusions, from identity theft, from banking fraud, from espionage, from exposure of their private lives that could make them vulnerable to extortion.

Bad Guys should be monitored so that they cannot do bad things, their private lives exposed as needed so that we can put them behind bars preventing further trouble, their plans visible so that we can counter them.

The trouble is that encryption, the technology, itself cannot distinguish between the good and the bad. In fact, our collective understanding of what is good changes over time. So there is no hope of ever achieving such a goal. For Hitler, Stauffenberg[1] was a terrorist, and when we define any policy of how we are dealing with encryption, we should be careful what the implications are for the Hitlers of our world.

Often people are saying that we should add a backdoor for law enforcement to gain access when needed. This relies on a few key assumptions to work out well:

  • the police are fair, and will not abuse this power. This requires strong checks and balances to prevent the few bad apples from abusing their position. On the other hand, there are counties counting on citations to balance their budget: how can we trust them not to peek into people’s private lives to find some fines?

  • the key for the backdoor is kept safe. Again, very difficult to believe given the data breaches governments have. Since it would be a universal key that would expose a few hundred million people, the stakes are high. Will we be willing to guard them as well as we do nuclear launch codes[2] now? Can we guarantee that the guardians will do their job when the rewards would justify 100 million dollar bribes?

  • we have seen governments taken over by bad actors. Is any policy we are formulating robust for such a case?

The impact on foreign governments is important to consider: will they be happy that foreigners can access the phones? Will they demand that they get their own backdoor as well? Or will one universal backdoor be too widely known and quickly spread to thieves? Will they have the same regard for political rights as Western governments? Wouldn’t the lack of universal encryption make it harder to fight for democracy? I believe the negative impact adding backdoors would have in repressive regimes is reason enough not to pursue this option.

Just as Americans accept thousands of gun casualties every year as the price for the right to own a gun, we need to be aware that we cannot achieve perfect security from terror, and that we need to accept somewhat less efficient crime and terror prevention as the price for keeping our data safe from criminals and espionage. And honestly, we cannot prevent people having awful plans. We can only work hard to deny them the tools, guns, bombs which enable them to become actually destructive.

We value our freedom of expression, we celebrate those who fought against injustice and made the world a better place. Privacy is important because it allows experimentation without public condemnation, because it prevents totalitarian oversight, because it keeps you safe from extortion. We must not allow fear to rule us, to cause us to limit the freedoms that have enabled so much progress.


  1. Stauffenberg is now celebrated for the failed attempt to kill Hitler in 1944. 
  2. Actually, launch codes are easier to protect, as there is a human receiving them, and doing extra checks. Our devices would happily accept anyone with the right key. 
17. February 2016 · Categories: Apple, Politics

Tim Cook has publicly opposed an order to help decrypt a mass shooter's phone in an FBI investigation. The court order basically asks Apple to create a special version of iOS which disables security measures, and Rich Mogul suspects that this case is designed to serve as precedent to create backdoors.

On the technical side, Apple has designed its hardware such that it uses an embedded key to prevent stealing data directly from flash memory. So you are forced to use the phone itself unless you are willing to spend probably a few million to carefully examine the processor itself to read the embedded security fuses, with a fair chance that you permanently destroy your access. So Apple is the most reasonable route to gain access.

The trouble is that this demand is worded in such a way that it can later be extended to encompass more and more cases:

The FBI should get the modified software. This is very problematic because it makes the backdoor widely available, and very cheap once created. Especially there is no incentive for the FBI to properly safeguard this master key to every iPhone on the planet.

Software locked to this iPhone. Sounds great in principle, but this would require an awful lot of engineering to make it impossible to modify.

Apple must provide a backdoor. This could later be extended to force Apple to provide special software for ongoing investigations, or even a general master key for law enforcement.

If you were to ask for this information in a manner that reduces the risk of it being repeated, you would intentionally structure all the steps in such a way as to minimize any risks. The software would be created by Apple, and would never be on a networked machine. The cracking would be done on Apple's premises, and the FBI would deliver every day a new file with the passcodes to be attempted. Should the right code be found, the code would be noted, and the phone returned with any traces of the special software removed. Also, once the cracking starts, all sources and any other copies but the one running on the phone would be destroyed, to reduce the risk of a break-in.

16. February 2016 · Categories: Apple

The iPad Pro is an amazing computer that is also pretty frustrating because the software is not yet there. In combination with the Pencil, it becomes an incredible tool for sketching out ideas. I love Paper by 53 for this, and it has replaced paper and pencil for me. It is simply so much more convenient to always have multiple colors, intelligent sketching tools (especially the pencil simulation is brilliant), and a perfect eraser with you that it easily trumps the added space of A3 paper.

It continues to be an iPad, and this means it remains very useful for reading data sheets, as well as marking up any texts. In fact, the large screen combined with a still reasonable weight are the best compromise for a working tablet so far: it has almost completely replaced usage of my iPad Air, since you can’t beat the extra screen space, while remaining light enough to be used while walking.

Writing longer texts is more frustrating, though. It starts with the keyboard support: external ones are adding quite a bit of extra weight, and interacting with the screen is easier when you can quickly move on a trackpad instead of having to move your arm to actually touch the screen. If you put a Bluetooth one to the side, you still lose the onscreen keyboard, which would be very handy for adding a few letters for editing. Typing on glass is not a great experience on the iPad Pro, either. The main problem is that it lacks a haptic reference for your fingers to create a muscle memory for typing. Creating a small indentation in the middle of each side would offer a reference for our thumbs to rest, so that our other digits could learn where the letters are. I believe this is also the reason why I am typing faster on an iPhone than the iPad, the fixed reference from holding the iPhone more than making up for the smaller keys.

The frustration results from the high expectations, and the many small ways in which the software is still incomplete: no built-in way to access additional characters in fonts, no control over font features, neither Word nor Pages allow you to define your own styles, you cannot insert a diagram from OmniGraffle into a text document, and organizing documents by project is finally possible, but complicated with document providers[1]. There is already software to cover 90% of your needs[2]. But those remaining 10% mean that many still have to wait a while until the software has caught up. While the iPad Pro has already become my most used computer, there are still enough crucial tasks that require me to switch to my Mac from time to time.

The iPad Pro is a computational power house. It is roughly a match for the MacBook, and even the fastest desktop processors are less than twice as fast in single core performance. With the A9X chip, Apple has made the interesting decision to optimize the general processor for single core performance, and spent a lot of resources to include a powerful GPU that can do parallel workloads via compute shaders. I believe this is the correct decision, especially with a shared memory model that allows us to quickly move tasks between CPU and GPU. It also means that it will take some time for software developers to adapt to this paradigm, as well as to finish supporting more functionality in their iOS software. In the end, the hardware is there, powerful enough to support everything you are now doing on a laptop, and I am optimistic that the software will follow within a few years as well.


  1. We lack a project manager that can launch apps to edit documents in place, or document parts. A generalization of what we currently have with Photos extensions providing extra editing options inside this photo project manager. 
  2. The big exception is programming. While Pythonista is powerful, it is incomplete. 
25. November 2015 · Categories: Software

When Marco Arment decided to make his podcasting app Overcast free and ask for donations instead, there was some pushback that it would destroy developer pricing. Actually I believe that it is a viable model for popular apps, but that it will have less impact on developer pricing than free-to-play games.

Patronage basically changes the motivation to pay from “I want to use the app, so I pay” to “I feel better when I support this app”. Patronage will normally deliver less revenue, as only some of the people with a money surplus will pay, but then often more than what the market price would be. It requires a large base of affluent users that could become patrons to generate a good amount of revenue. So it is a viable business model for apps that deliver good value to a lot of customers. It essentially leaves a lot of money on the table, and when the value delivered is much greater than the cost to provide it, it suffices to have a small percentage of users supporting the development.

As could already be seen in the popularity of Pocket and Instapaper, such markets delivering huge surpluses are an attractive target for venture capital. VCs want to make money, so they attempt to corner the entire market so that they can extract money from ancillary services thanks to their market position. This is also why the influence on other software markets is more limited: patronage only works in markets that are also attractive targets for VC-funded companies, and is in my eyes vastly preferable to having a market dominated by a rent extracting startup. I simply trust the users to do better with their saved money than what a rentier would do with his surplus.