Jumping Ship

I’ve been running Apple computers for more than a decade now. While I really like macOS, anybody who knows me knows that I’ve been less than enthusiastic with the direction Apple has taken on the hardware front. My biggest gripe with Apple hardware is that it can no longer be serviced. My 2012 MacBook Pro is probably one of the easiest laptops that I’ve ever worked on. The entire back pops off and all of the frequently replaced parts are readily accessible. Part of the reason that I have been able to run that computer since 2012 is because I’ve been able to repair or upgrade components when necessary.

I usually run my laptops between four or five years. I’ve been running that MacBook Pro for six years. I was ready to upgrade last year but Apple had no laptops that appealed to me so I decided to wait a year to see if the situation would improve. When Apple announced its 2018 MacBook Pro line, it had everything I hated. All of the components, including the RAM and SSD, are soldered to the main board. Since the MacBook Pro line can no longer be upgraded, I’d have to order the hardware that I’d want to use for the next four or five years, which would cost about $3,2000. Worse yet, when something broke (all components will fail eventually), I’d have to pay Apple an exorbitant fee to fix it. And if that weren’t bad enough, the 2018 MacBook Pro still has that god awful slim keyboard. While Apple has attempted to improve the reliability of that keyboard by included a rubber membrane under the keys, typing on it is, at least in my opinion, a subpar experience.

I also have some concerns about Apple’s future plans. One of my biggest worries are the rumors of Apple transitioning its Macs to ARM processors. ARM processors are nice but I rely on virtualized x86 environments in my day to day work. If Apple transitioned to ARM processors, I wouldn’t be able to utilize my x86 virtual environments (virtualization turns into emulation when the guest and host architectures differ and emulation always involves a performance hit and usually a lot of glitches), which means I wouldn’t be able to do my work. I’m also a bit nervous about the rumors that Apple is planning to make app notarization mandatory in a future macOS release. Much of the software I rely on isn’t signed and probably never will be. Additionally, building and testing iOS software is a pain in the ass because even test builds need to be signed before they’ll work on an iOS device (anybody who has ran into code signing problems with Xcode will tell you that resolving those problems is often a huge pain in the ass) and I don’t want to bring that “experience” to my other development work. While I would never jump ship over rumors, when there are already reasons I want to jump ship, rumors act as additional low level incentives.

Since Apple didn’t have an upgrade that appealed to me and I’m not entirely comfortable with the rumors of the directions the company maybe going, I decided to look elsewhere. I’ve been running Linux in some capacity for longer than I’ve been running Apple computers. Part of my motivation for adopting macOS in the first place was because I wanted a UNIX system on my laptop (Linux on laptops back then was a dumpster fire). So when I decided to jump ship Linux became the obvious choice, which meant I was looking at laptops with solid Linux support. I also wanted a laptop that was serviceable. I found several solid options and narrowed it down to a Lenovo ThinkPad P52s because it was certified by both Red Hat and Ubuntu, sanely priced, and serviceable (in fact Lenovo publishes material that explains how to service it).

Every platform involves trade-offs. With the exception of Apple’s trackpad, every trackpad that I’ve used has been disappointing. The ThinkPad trackpad is no different in this regard. However, the ThinkPad line includes a TrackPoint, which I’ve always preferred as a mobile mouse solution to trackpads (I still miss Apple’s trackpad gestures though). There also isn’t a decent to do application on Linux (I use 2Do on both iOS and macOS and nothing on Linux is comparable) and setting up Linux isn’t anywhere near as streamlined as setting up a Mac (which involves almost no setup). With that said, I usually use an external trackball so the quality of the trackpad isn’t a big deal. My to do information syncs with my Nextcloud server so I can use its web interface when on my laptop (and continue to use 2Do on my iPhone). And since I chose a certified laptop, setting up Linux wasn’t too difficult (the hardest part was setting up nVidia’s craptastic Linux driver).

The upside to the transition, besides gaining serviceability, is first and foremost the cost. The ThinkPad P52s is a pretty cost effective laptop and I found a 20 percent off coupon code, which knocked the already reasonable price down further. Since neither the RAM nor the SSD in the P52s are soldered to the main board, I was able to save money by buying both separately and installing them when the computer arrived (which is exactly what I did with all of my Macs). In addition to the hardware being cheaper, I was also able to save money on virtualization software. I use virtualization software everyday and on macOS the only decent solution for me was VMWare Fusion (Parallels has better Windows support than Fusion but no serious Linux support, which I also require). Fedora, the Linux distribution I settled on (I run CentOS on my servers so I opted for the closest thing the included more cutting edge software), comes with libvirt installed. After spending a short while familiarizing myself with the differences between VMWare and libvirt, I can say that I’m satisfied with libvirt. It’s better in some regards, worse in others, and pretty much the same otherwise (as far as a user experience, underneath it’s far different).

I also gained a few things on the hardware side. The P52s has two USB-C and two USB-A (all USB 3) ports. My MacBook Pro only had two USB-A ports and the new MacBook Pros only have USB-C ports. All of my USB devices use USB-A so I’d need a bunch of dongles if I didn’t have USB-A ports (not a deal breaker but annoying nonetheless). In addition to being a very good mobile keyboard, the P52s keyboard also has a 10-digit keypad, which no Mac laptop currently has. Like USB-A ports, the lack of a 10 digit keypad isn’t a deal breaker in my world but its inclusion is always welcomed. If that weren’t enough, the keyboard also includes honest to god function keys instead of a TouchBar (as somebody who uses Vim a lot, the lack of a physical escape key is annoying).

My transition was relatively painless because I keep all of my data on my own servers. I didn’t have to spend hours trying to figure out how to pull data off of iCloud so I could use it on Linux. All I had to do was log into my Nextcloud instance and all of my calendar, contact, and to do information was synced to the laptop. The same was true of my e-mail. In anticipation for my move I also changed password managers from 1Password to a self-hosted instance of Bitwarden (1Password is overall a better experience but it lacks a native Linux app so I’d have been stuck with moving to a subscription plan to utilize a browser plugin that would deliver the same experience as Bitwarden). Keeping your data off of proprietary platforms makes moving between platforms easier. Likewise, keeping your data in open standards makes moving easier. I primarily rely on text files instead of word processor files (I used Markdown or LaTeX for most formatting) and most of my other data is stored in standardized formats (PNG or JPEG for images, ePub or PDF for documents, etc.).

Although I won’t give a final verdict until I’ve used this setup for a few months, my initial impressions of moving from macOS to Linux are positive. The transitions has been relatively painless and I’ve remained just as productive as I was on macOS.

Have Some Privileges Back, Plebs

When the federal government passed the Digital Millennium Copyright Act (DMCA) into law it handed manufacturers a fantastic tool to make repairing or servicing their products illegal. Since bypassing Digital Rights Management (DRM) schemes became illegal, tying hardware to software protected by DRM became a convenient way to criminalized repairing products. John Deere was quick to jump on this legal opportunity but certainly hasn’t been alone. Fortunately, after a great deal of begging, our overlords have decided to favor us by proposing to restore a pre-DMCA privilege:

The Librarian of Congress and US Copyright Office just proposed new rules that will give consumers and independent repair experts wide latitude to legally hack embedded software on their devices in order to repair or maintain them. This exemption to copyright law will apply to smartphones, tractors, cars, smart home appliances, and many other devices.

It almost makes you feel as though you can legally own the goods you pay for… almost.

What gets me about this story and all others like it are the people celebrating the decision as if we’re being granted a new legal privilege by the government rather than having a previously existing privilege returned to us by the very government that took it away. Had the DMCA never been passed into law, this decisions by the Librarian of Congress would never have been necessary.

Meet Voluntary Association

The big social media sites have been clamping down on, well, pretty much any content that doesn’t advocate for something left of center. In response to this people whose personal ideology lies to the right of the center have been fleeing to other platforms. Those who fall towards the fascist side of the political spectrum have been fleeing to Gab, a social media site that advertises itself as a free speech platform. But hard times have befallen Gab because most of the services it relies on have decided to disassociate with it:

Gab, a “free speech” alternative to Twitter that’s popular with the far right, has been shut down after losing service from a number of mainstream technology platforms, including PayPal, Joyent, Medium, and GoDaddy.

“Gab is under attack,” the company’s home page now reads. “We have been systematically no-platformed by App Stores, multiple hosting providers, and several payment processors.” Gab is working to get back online using new service providers.

Of course the language that “Gab is under attack” is hyperbole. Nobody is attacking Gab. Service providers who disagree with much of the speech that Gab hosts have decided to stop doing business with the social media site. Since Gab’s administrators have made themselves dependent on these service providers, they have found themselves in a rather awkward position.

I can’t say that I blame these service providers. If I administered a social media site, I wouldn’t let fascists use it to post their nonsense (I also wouldn’t let communists, Republicans, Democrats, or any other politically focused individuals use it) nor would I want to associate it with any service that did. However, if I was planning to setup a site to host, to put it politely, controversial content, I would ensure that I owned the infrastructure from top to bottom. The servers would be mine. I’d accept payment in cryptocurrencies so I wouldn’t be dependent on third-party payment processors. If it wasn’t the primary way to access the site, I’d at least publish a Tor Hidden Service address to protect against censorship from Internet service providers and domain registrars.

What gets me most about sites like Gab is that they advertise themselves as being willing to host controversial content but still make themselves dependent on third-parties that don’t want to associate with anybody who hosts such content. Setting up a website that is resistant to third-party censorship isn’t terribly difficult (and doesn’t require anywhere near the same level of care as hosting outright illegal content) but none of these sites bother to do it. It’s as if they want to be censored just so they have something to bitch about and can feed some kind of persecution complex.

Everybody, Regardless of Personal Political Beliefs, Should Vote!

There are a lot of people who plea for everybody, regardless of personal political beliefs, to go out and vote. Because they add the part “regardless of personal political beliefs” their plea appears magnanimous and unbiased because it doesn’t appear to be pushing their political agenda (They want everybody’s voice to be heard!).

But whether they’re conscious of the fact or not, if everybody who heard or read their plea complied, it would skew the vote in their political favor. Why? Because most people surround themselves primarily with like-minded individuals. So the majority of the people hearing or reading their plea will likely align politically with them.

Thus what appears to be magnanimous and unbiased is really personal agenda pushing.

Good News from the Arms Race

Security is a constant arms race. When people celebrate good security news, I caution them from getting too excited because bad news is almost certainly soon to follow. Likewise, when people are demoralized by bad security news, I tell them not to lose hope because good news is almost certainly soon to follow.

Earlier this year news about a new smartphone cracking device called GrayKey broke. The device was advertised as being able to bypass the full-disk encryption utilized by iOS. But now it appears that iOS 12 renders GrayKey mostly useless again:

Now, though, Apple has put up what may be an insurmountable wall. Multiple sources familiar with the GrayKey tech tell Forbes the device can no longer break the passcodes of any iPhone running iOS 12 or above. On those devices, GrayKey can only do what’s called a “partial extraction,” sources from the forensic community said. That means police using the tool can only draw out unencrypted files and some metadata, such as file sizes and folder structures.

Within a few months I expect the manufacturer of the GrayKey device to announce an update that gets around iOS’s new protections and within a few months of that announcement I expect Apple to announce an update to iOS that renders GrayKey mostly useless again. But for the time being it appears that law enforcers’ resources for acquiring data from a properly secured iOS device are limited.

Crowdsourcing Healthcare

A lot of statists have been pointing out the prevalence of healthcare-related fundraisers on crowdsourcing sites like GoFundMe as an argument for implementing government monopolized healthcare (usually sold under the euphemism “universal healthcare”). On the one hand, there are quite a few healthcare-related fundraisers on crowdsourcing sites. One the other hand, a lot of them are for bullshit treatments that no government monopolized healthcare system would cover anyways:

They focused on five treatments that were showing up a lot in their results, searching the sites systematically for US- and Canada-based campaigns from the last three years that were specifically for those five. They found 1,059 campaigns that fit the bill, with the collective goal of raising more than $27 million, and hitting about a quarter of that target.

Just less than half of the campaigns were for an obvious culprit: homeopathic or naturopathic treatments for cancer, which raised $3.5 million across 474 campaigns. Around 200 campaigns were raising funds for hyberbaric oxygen therapy for brain injury, which supposedly “enhances the body’s natural healing process by inhalation of 100 percent oxygen in a total body chamber.” Much like homeopathy, it’s ineffective for anything other than efficiently emptying people’s pockets. While these treatments themselves might not do any direct harm, the harms of untreated cancer are glaring. (And we probably don’t want to be funneling funds towards the people offering these therapies.)

The other treatments on the list were less popular, but offer more direct dangers. Stem cell therapy for brain injury or spinal cord injury carries substantial risks, while unproven claims of benefits are oversold. And long-term antibiotic therapy for so-called “chronic Lyme disease” can damage the body’s microbial partners, as well as causing antibiotic resistance and heightened risk of life-threatening infections. Together, these made up around 400 campaigns, raising $2.5 million.

Isn’t it annoying when somebody performs more than a cursory glance of your shoddy argument?

Most crowdfunding sites have little oversight of fundraisers. Obviously illegal fundraisers, such as people trying to crowdsource money to buy illegal drugs, usually get pulled quickly but if somebody managed to write a solid sob story about how they’re going to lose their house or die of cancer, it seems very little investigative effort is put into verifying the claims. Does the person who setup the fundraiser even live in a house? Does the treatment being sought by the cancer patient who setup the fundraiser have any medical validity? Who knows!

If you’re going to point to the number of healthcare-related fundraisers on crowdsourcing sites, you should take the time to investigate how many of those fundraisers are legitimate.

Trade-offs

I frequently recommend Signal as a secure messaging platform because it strikes a good balance between security and usability. Unfortunately, as is always the case with security, the balance between security and usability involves trade-offs. One of the trade-offs made by Signal has recently become the subject of some controversy:

When Signal Desktop is installed, it will create an encrypted SQLite database called db.sqlite, which is used to store the user’s messages. The encryption key for this database is automatically generated by the program when it is installed without any interaction by the user.

As the encryption key will be required each time Signal Desktop opens the database, it will store it in plain text to a local file called %AppData%\Signal\config.json on PCs and on a Mac at ~/Library/Application Support/Signal/config.json.

When you open the config.json file, the decryption key is readily available to anyone who wants it.

How could the developers of Signal make such an amateurish mistake? I believe the answer lies in the alternative:

Encrypting a database is a good way to secure a user’s personal messages, but it breaks down when the key is readily accessible to anyone. According to Suchy, this problem could easily be fixed by requiring users to enter a password that would be used to generate an encryption key that is never stored locally.

In order to mitigate this issue the user would be required to do more work. If the user is required to do more work, they’ll likely abandon Signal. Since Signal provides very good transport security (the messages are secure during the trip from one user to another) abandoning it could result in the user opting for an easier to use tool that didn’t provide as effective or any transport security, which would make them less secure overall.

iOS and many modern Android devices have an advantage in that they often have dedicated hardware that encryption keys can be written to but not read from. Once a key is written to the hardware data can be sent to it to be either encrypted or decrypted with that key. Many desktops and laptops have similar functionality thanks to Trusted Platform Modules (TPM) but those tend to require user setup first whereas the smartphone option tends to be seamless to the user.

There is another mitigation option here, which is to utilize full-disk encryption to encrypt all of the contents on your hard drive. While full-disk encryption won’t prevent resident malware from accessing Signal’s database, it will prevent the database from being copied from the computer by a thief or law enforcers (assuming they seized the computer when it was off instead of when the operating system was booted up and thus the decryption key for the drive was resident in memory).