With iOS 11, currently in a developer beta, Apple is enabling more complexity in the triggers for HomeKit scenes and events, making them adaptable to a wider variety of circumstances.
Since we announced Let’s Encrypt we’ve often been asked how we’ll ensure that we don’t issue certificates for phishing and malware sites. The concern most commonly expressed is that having valid HTTPS certificates helps these sites look more legitimate, making people more likely to trust them.
Deciding what to do here has been tough. On the one hand, we don’t like these sites any more than anyone else does, and our mission is to help build a safer and more secure Web. On the other hand, we’re not sure that certificate issuance (at least for Domain Validation) is the right level on which to be policing phishing and malware sites in 2015. This post explains our thinking in order to encourage a conversation about the CA ecosystem’s role in fighting these malicious sites.
Let’s Encrypt is going to be issuing Domain Validation (DV) certificates. On a technical level, a DV certificate asserts that a public key belongs to a domain – it says nothing else about a site’s content or who runs it. DV certificates do not include any information about a website’s reputation, real-world identity, or safety. However, many people believe the mere presence of a DV certificate ought to connote at least some of these things.
Treating a DV certificate as a kind of “seal of approval” for a site’s content is problematic for several reasons.
First, CAs are not well positioned to operate anti-phishing and anti-malware operations – or to police content more generally. They simply do not have sufficient ongoing visibility into sites’ content. The best CAs can do is check with organizations that have much greater content awareness, such as Microsoft and Google. Google and Microsoft consume vast quantities of data about the Web from massive crawling and reporting infrastructures. This data allows them to use complex machine learning algorithms (developed and operated by dozens of staff) to identify malicious sites and content.
Even if a CA checks for phishing and malware status with a good API, the CA’s ability to accurately express information regarding phishing and malware is extremely limited. Site content can change much faster than certificate issuance and revocation cycles, phishing and malware status can be page-specific, and certificates and their related browser UIs contain little, if any, information about phishing or malware status. When a CA doesn’t issue a certificate for a site with phishing or malware content, users simply don’t see a lock icon. Users are much better informed and protected when browsers include anti-phishing and anti-malware features, which typically do not suffer from any of these limitations.
Another issue with treating DV certificates as a “seal of approval” for site content is that there is no standard for CA anti-phishing and anti-malware measures beyond a simple blacklist of high-value domains, so enforcement is inconsistent across the thousands of CAs trusted by major browsers. Even if one CA takes extraordinary measures to weed out bad sites, attackers can simply shop around to different CAs. The bad guys will almost always be able to get a certificate and hold onto it long enough to exploit people. It doesn’t matter how sophisticated the best CA anti-phishing and anti-malware programs are, it only matters how good the worst are. It’s a “find the weakest link” scenario, and weak links aren’t hard to find.
Browser makers have realized all of this. That’s why they are pushing phishing and malware protection features, and evolving their UIs to more accurately reflect the assertions that certificates actually make.
When they were first developed in the 1990s, HTTPS and SSL/TLS were considered “special” protections that were only necessary or useful for particular kinds of websites, like online banks and shopping sites accepting credit cards. We’ve since come to realize that HTTPS is important for almost all websites. It’s important for any website that allows people to log in with a password, any website that tracks its users in any way, any website that doesn’t want its content altered, and for any site that offers content people might not want others to know they are consuming. We’ve also learned that any site not secured by HTTPS can be used to attack other sites.
TLS is no longer the exception, nor should it be. That’s why we built Let’s Encrypt. We want TLS to be the default method for communication on the Web. It should just be a fundamental part of the fabric, like TCP or HTTP. When this happens, having a certificate will become an existential issue, rather than a value add, and content policing mistakes will be particularly costly. On a technical level, mistakes will lead to significant down time due to a slow issuance and revocation cycle, and features like HSTS. On a philosophical and moral level, mistakes (innocent or otherwise) will mean censorship, since CAs would be gatekeepers for online speech and presence. This is probably not a good role for CAs.
At least for the time being, Let’s Encrypt is going to check with the Google Safe Browsing API before issuing certificates, and refuse to issue to sites that are flagged as phishing or malware sites. Google’s API is the best source of phishing and malware status information that we have access to, and attempting to do more than query this API before issuance would almost certainly be wasteful and ineffective.
We’re going to implement this phishing and malware status check because many people are not comfortable with CAs entirely abandoning anti-phishing and anti-malware efforts just yet, even for DV certificates. We’d like to continue the conversation for a bit longer before we abandon what many people perceive to be an important CA behavior, even though we disagree.
The fight against phishing and malware content is an important one, but it does not make sense for CAs to be on the front lines, at least when it comes to DV certificates. That said, we’re going to implement checks against the Google Safe Browsing API while we continue the conversation.
We look forward to hearing what you think. Please let us know.
The sun slowly melts into the horizon in a riot of fluorescent streaks—pink and orange flame the sky, while the rippling water of the Bali Sea takes on a delicate lavender hue. The silhouette of a volcano rises gently from the water. And there we are, on a little sailboat from San Francisco called Saltbreaker, barely able to believe that this scene has become a nightly occurrence. We lean back against the mast and raise our drinks for a toast. "This," I say, "this is what sailing is all about."
Saltbreaker belongs to my boyfriend, Alex, and his brother, Nick. They purchased the 32-foot boat in 2011, with the aim of sailing from San Francisco to New Zealand, which they did via Mexico, Central America, French Polynesia, Tonga.* Last summer, Nick sailed her from New Zealand to Bali, where Alex and I got back on board to take our turn adventuring around Indonesian islands. Our destination: wherever the wind blows us (or something like that).
*You can read more about Saltbreaker's adventures here, and my take on dating a wandering sailor here.
When I tell people about our current travel plans and Saltbreaker's past adventures, I always get one of two reactions:
On the one hand, the first group is right, it can be pretty magical. The sunsets barely seem real, and that's not even getting into the occasional dolphin escorts and the pristine beaches hidden in remote coves. But it can also be exhausting, dirty, smelly, and cramped, depending on sailing conditions and where we happen to be anchored. Like almost any travel that takes you outside of your comfort zone, it's worth it about 95% of the time.
As for answering the second group, the truth is that we eat pretty damn well. Sailing as a form of travel is pretty much like taking your house from place to place, kitchen (or galley, in sailor-speak) included. Your house just happens to be the size of a walk-in closet, and more often than not, it's rocking back and forth or hanging out at a 25-degree angle. And the average temperature is 90 degrees.
Still, while it's more difficult than your standard home-cooking experience, cooking on a boat is easier than you'd think. You're usually limited to the supplies you have onboard, with little or no ability to purchase more—that issue isn't much different from when you go camping. But you're generally better equipped and stocked than the average backpacker. And you're constantly inspired by the food cultures of the places you visit, as well as the crazy-fresh fish that, on good days, figures into your meal plan.
Stocking a boat for a multiple-month journey requires serious planning for the most culinarily apathetic of sailors. But for us, it's an even more involved process—we want to be excited about our meals as often as possible. We make eating well a priority, even if all we're doing is doctoring a packet of instant noodles or a jarred pasta sauce. And because we can't run to the grocery store to grab a missing ingredient or satisfy a craving, we do our best to anticipate what will enliven each meal.
Interested in plotting your own ocean-bound journey, or curious about how we fuel ours? Then check out how our boat is equipped for cooking, how we plot our provisions before a long trip, and the little luxuries that we can't live without (hint: Nutella is involved).
Like any respectable New York-style shoebox apartment that happens to be a sailboat, Saltbreaker has a small galley. We've got a three-burner stove and an oven that both run on propane and, generally speaking, work quite well.
This whole setup is gimbaled, meaning the stove and oven can rock counter to the boat's movement, helping to prevent hot pans and spoons from going flying as the boat leans and rocks. There's also a safety strap that wraps behind the chef-of-the-moment, just in case balance is a challenge.
We have a sink that has two faucets, one of which connects to two 40-gallon tanks filled with freshwater. Back in the States, this was filled with tap water pumped at a marina. Now, we purchase gallon jugs of filtered water and pour them in by hand. We save as much as possible for drinking water, but will also use it for cooking soups and, more importantly, making coffee. The faucet is operated by a foot pump—an excellent way to stay aware of exactly how much water you're using. The sink's second faucet pumps saltwater directly from the ocean, which we use for washing dishes (save our knives and cast iron skillet).
Though the boat is relatively small, it has incredible built-in storage capabilities. Every bit of counter space visible in our little galley opens up to become storage for food, cooking supplies, spices, bottles of whiskey, and more. Food can be stored beyond the galley, too, in a large space under the starboard settee (bench on the righthand side), or in baskets in a port cubby. I quickly became accustomed to the fact that, on a boat, it makes perfect sense to have your clothes stored next to a basket of onions and garlic.
What about refrigeration? You might not be able to imagine cooking sans fridge, but we mostly do without. Saltbreaker does have a small mini-fridge, but we don't use it continuously. Many boats do have full-scale refrigeration systems; we've found that it takes more power than it's worth. (Saltbreaker's power runs off batteries, which are charged primarily by three solar panels.) We'll turn the fridge on for truly pressing concerns: say, if we catch a fish that we don't eat all at once, or if we want to drink a cold beer. Saltbreaker didn't have a fridge at all for close to two years; it made everyone get all the more creative with fish preparation (pickling, smoking, trading), and meant that cold beer on shore tasted even better.
Some evenings, as the sun is getting low, Alex can be seen duck-diving a few feet off our boat, outfitted in a snorkel mask and freediving fins, as he plunges into the turquoise depths with a speargun in hand. I peer anxiously over the side, crossing my fingers that he's successful. He emerges once, twice, three times, pacing his breath and slowing his heartrate so he can inhale and dive 20-40 meters down again. Moments later, he pops up, triumphant—a gleaming silver fish flecked with gold cleanly pierced with the tip of his spear. "Sweetlips!" he calls, heaving the gun and fish on board as I ready a knife and a bucket of water for cleaning. "Dinner!" I say in response, watching as the fish's body shudders and is still.
It may sound primitive, but this dive for dinner is one of the biggest highlights of our eating life these days. Fishing excursions from San Francisco across the Pacific yielded tasty prizes like dorado, skipjack, tuna, sierra, and even a six-foot sailfish. Here in Bali, we've been eating a good amount of those gold-spotted sweetlips, and have our eyes on some tasty-looking schools of mackerel.
We'll eat a fish straight out of the water pan-fried whole; if it's a firm, meaty fish (like tuna), we might eat it raw as sashimi, on seasoned sushi rice, or as ceviche. We'll turn filets and heads into curry (making use of a solid store-bought green curry paste and boxes of coconut milk) or soup, laced with lemongrass, garlic, and peppercorns.
Fishing doesn't always pan out, though, despite Alex's prowess with a speargun. Sometimes, the surrounding reefs are packed with snorkelers, or the fish are too small. We'll often leave a fishing line behind our boat when we're underway (a practice known as trolling), only to stare at it wistfully for hours on end, resigning ourselves to eating canned tuna instead. Since we can't rely on catching fish every single day, we have to be well-stocked to ensure that we remain well-fed.
Provisioning for a sailing trip requires that you anticipate what might taste good weeks or even months out, and to realistically consider what you'll be willing to cook when you're too tired to even think about food. On the other hand, it's also worth considering bigger cooking projects (say, making fresh bread or pasta) for when you find yourself with a lot of time to think about your daily meals, and can spend much of your day prepping for them.
Provisions can be divided into two major categories: long-lasting and fresh. The first category includes a whole mess of pantry staples—dried goods like rice, beans, lentils, pasta, and couscous; canned tomatoes, beans, vegetables, and condiments; and fun snack items that hit the spot when we're mid-sail, like chips, nuts, dried fruits, and chocolate (and at least three jars of Nutella). After a long, tiring sail, you'll crave the same sorts of foods you'd want as a tasty reward after a hike. Our quick-and-easy meals often draw heavily from this provisioning category: things like instant noodles and ready-made packs of curry sauce, which can be thrown together in minutes and eaten just as quickly.
Fresh food requires a little more strategy. I remember a strenuous, four-day journey down the coast of Nicaragua with no green vegetables and no trips to shore. When we finally made our way to land, I almost cried with happiness at the sight of a towering salad of freshly-grown leafy greens. These days, whenever we're on shore I'm eyeing the local stores and stands like a hawk—when I spy a pile of vegetables, it's all I can do not to start jumping up and down.
Part of the fun is experimenting with local goods that we don't necessarily recognize. Lately, we've had some great meals of kang kung, a type of earthy, spinach-like greens that are wonderful simply sautéed with garlic and coconut oil.
Our meal planning is based around what we have that's fresh and what's likely to go bad first. We make a point to stock up on long-lasting vegetables—onions, garlic, potatoes, and cabbage (which we've seen last for five to six weeks!) all fall under that umbrella—but we don't hesitate to get more fleeting goods like dark leafy greens, local fruit, tomatoes, and eggplants. We keep the produce that is most likely to turn in a basket hanging right over the galley as a reminder to use it up in good time.
Produce isn't the only fresh provision near and dear to my heart and stomach. When stored and sold unrefrigerated (as they are in most places outside of the U.S.) eggs last a long, long time—even multiple weeks—without going bad. They're an easy source of protein with rice, on pasta, or in soup, and I've yet to get sick of eggs simply scrambled or fried with some salt and spice.
A well-stocked spice stash is essential for our cooking purposes, too. Saltbreaker left the US with a healthy supply of all of the essentials (cumin, coriander, oregano, thyme, rosemary, and many more), but traveling to delicious and exotic places has allowed us the opportunity to round out our pantry selection with additions like flaky chili powder and vanilla from Mexico, and cardamom, star anise, and tingly peppercorns here in Bali. The other week, I was delighted to find a hidden bottle of Lizano's hot sauce from Nicaragua buried under a mess of cans—the vinegary, spicy sauce was one of my favorite flavor discoveries in Central America, and tastes just as good here in Indonesia.
If there's one truly essential tool in our galley, it's the pressure cooker, where we regularly prepare things like stews and sauces, not to mention dried beans and brown rice. Our stove runs on precious propane, and the pressure cooker allows us to regularly plan on slow-cooked favorites without completely depleting our fuel supply (or causing the cabin temperature to spike to 100 degrees). I've whipped up some seriously good lentil stew in around 15 minutes, and Alex threw together a pasta sauce using a batch of must-use tomatoes and chili peppers in 20 that tasted like they'd spent all day simmering on the stovetop.
When you're living on a boat, you may have food-supply surprises. A normally long-lasting cabbage may rot in two days, while a delicate-seeming eggplant will last for a week and a half. The only thing you can plan is that you need to check on your vegetables every day, and should probably be checking in on your canned and dried goods every couple of weeks, too. Our rule: if it smells okay, it probably is. If it's attracting bugs, get rid of it ASAP.
Because our living space is on the small end, it's usually quite evident when something has gone bad. The smell is inescapable; as are the fruit flies. Fortunately, our removal method is a lot more cathartic than your average refrigerator clean-out at home—we get to toss our bad veggies overboard.
One way to slow the rapid pace of vegetable rotting is to intentionally get underripe vegetables which will be ready to eat in a week or so. We expected the worst when we bought a bag of green tomatoes and two massive green avocados, but we kept them as wrapped up and protected as possible, and were rewarded with two magical days of guacamole.
Dried goods are much less likely to go bad, but it happens. Bugs will infest bags of rice and beans that have been opened and left for too long. Cans may rust, rendering their contents inedible. Keeping things as cool and dry as possible helps us avoid a lot, if not all, spoilage.
A silver lining to this much-accelerated pace of food rotting is that you're forced to think of ways to preserve what you've got. I dried a huge bunch of Balinese peppers by threading them with fishing line and hanging them in the sun, while a hefty head of cauliflower made a fine jar of lemony, peppery pickles.
We may be traveling with our home in tow, but that doesn't make us totally immune from homesickness. My favorite remedy: Recreating our favorite flavors from California. (Tacos, obviously.) Remember our massive, underripe Balinese avocados? The morning we discovered that they'd softened we had new plans for the day: a frenzy of fish taco preparations, which included making fresh flour tortillas, guacamole, and glaring at every and all snorkeler who came within twenty feet of our boat, delaying our ability to spearfish for taco fillings. Finally, we had an opening: Alex promptly speared a sweetlips, we slapped tortillas into shape, and we were gloriously rewarded in the form of two guacamole-laden fish tacos apiece.
And then there are the foods we often cook at home. Alex and I make a lot of fresh pasta in our San Francisco kitchen, and, thanks to a crank-operated pasta maker onboard, can do the same here. Alex is a skilled bread baker, and while baking in the tropics is definitely different from the cooler climes of San Francisco, the fresh bread might taste even better (particularly topped with a healthy smear of Nutella).
But we're not traveling to live on tacos and pasta alone—we draw inspiration from the foods and flavors we're finding on land. I've been making batch after batch of Balinese-style sambal—coconut oil laced with chilies, shallots, and fresh lemongrass—it's the perfect accompaniment to a whole fried or grilled fish, and a killer cooking base for eggs, fried rice, and quick-sautéed vegetables. Our soups are inspired by cap cay (pronounced chap-chay), a garlic-heavy soup loaded with vegetables and a fried egg. It's hard to get too bored when we're constantly trying foods that are so delicious that we pretty much have to recreate them... though beef rendang might have to wait until we get home (unless we find a reliable butcher onshore, that is).
Still, you can't have it all. I miss cheese like crazy, not to mention good wine, strong beer, and kale salads (yep, I'm one of those). There are days that we're eating fresh fish curry when I'd kill for a good cheeseburger topped with bacon.
But we make do. More than that—because every meal takes a little more thought and effort, it tastes a little better, too. Or maybe that's just the salty air talking.
It’s a weird situation.
We created an app for bookmarking places, called Rego, in response to the surprising lack of decent bookmark management in Google and Apple Maps. We thought Rego would be a success, since keeping track of and doing interesting things with places seemed like something relevant to most people who carry iPhones. And with a billion people in the App Store, we’d do fine just selling to a small portion of those.
Turns out, a very—very—small portion have bought the app.
People who buy Rego love it, and discover all sorts of interesting ways to use its versatility. One guy journals his travels. Another tracks her photo shoots. And yet another tracks drilling locations in Kuwait!
But if I divide our development time by the revenue we’ve made, it works out to an hourly rate of about 1/4 of minimum wage. That’s right, we’d do better financially—much better—flipping burgers at McDonalds. And since we pay our software engineer a bit more than minimum wage, Rego is quite a money loser.
So why do we continue? That’s a good question, and one I myself ask a lot.
I guess we do it for a couple of reasons. There’s the feeling of commitment to those who have bought the app. There’s the joy in seeing how happy people get when we add features they like. And there’s the fact that we use Rego ourselves.
But it’s clear to most developers by now, that just putting an app in the App Store rarely leads to much. Rego was featured on the App Store front-page—supposedly equivalent to winning the lottery—but that only led to a week’s worth of decent revenue. After that, incoming purchases went from flowing, to something better described as dripping.
Perhaps we shot ourselves in the foot by making it so generic. That was actually a design goal, but it turns out a similar product focused on “places where you’ve pooped” has sold thousands more than Rego.
Another problem is that Rego addresses a need many people don’t realize they have. As geeks, we always thought, “Wouldn’t it make sense that you could manage a database of places on your iPhone?” But that’s never occurred to my mom, or any of her iPhone-toting friends. They never search for “location bookmarking” in the App Store.
And we probably didn’t do ourselves any commercial favors by focusing on privacy. Foursquare, which can do similar things as Rego, went social and benefitted from the network effect. But, dammit, I don’t want the world seeing most of my places, and so privacy was a fundamental objective of Rego.
So at the end of the day, we’ve put a lot of effort into a product that we, and many customers, love. But it doesn’t earn enough to pay the bills, and leaves us in a situation in which improving it becomes a labor of love, and economically limited to incremental enhancements. And even then, it can be hard to justify the effort. We’re soon going to add GPS track support, which will require about a week’s worth of effort, and I consciously avoid thinking about what that’s going to cost.
Major features like iCloud syncing, whose effort would be measured in months, instead of days, can only be considered on the very long-term roadmap, and performed as activities on which we chip away slowly, as from necessity we spend the majority of our time in consulting and product work that can generate enough income to keep the lights on.
I decided to post these thoughts as something I can refer to in the future, after having repeated myself so often to people asking about our pace of development, or urging us to add complicated features. Hopefully it’ll shed a little light on the situation.
PS: For those reading this article because I sent you here: Before getting upset that Rego doesn’t do a particular thing you want, please remember that there’s an infinite number of things Rego could do, and every one of those possible features would have a cost associated to it. You exchanged the financial equivalent of about 5 minutes of your time, for something that has taken us years to develop. If you wrote down every feature Rego supports today, that list would run into the hundreds. It’d be hard to argue you didn’t get your money’s worth.
The post Making apps is fun, but flipping burgers pays better appeared first on Dafacto.
Dear Twitter,
I hear you want to build a “relevance engine” to stay competitive. I can help you. I know an amazingly simple and underappreciated relevance algorithm. Here it is:
There’s no step 3.
Sincerely, Isaiah
One more follow-up regarding the connection between clear thinking and clear writing: Orwell’s famous essay, Politics and the English Language:
A scrupulous writer, in every sentence that he writes, will ask himself at least four questions, thus: What am I trying to say? What words will express it? What image or idiom will make it clearer? Is this image fresh enough to have an effect? And he will probably ask himself two more: Could I put it more shortly? Have I said anything that is avoidably ugly? But you are not obliged to go to all this trouble. You can shirk it by simply throwing your mind open and letting the ready-made phrases come crowding in. They will construct your sentences for you — even think your thoughts for you, to a certain extent — and at need they will perform the important service of partially concealing your meaning even from yourself. It is at this point that the special connection between politics and the debasement of language becomes clear.
I’ve read this essay numerous times, and it never gets old.