Download: Episode 62.
This week Audrey and I chat about Ticketmaster and facial recognition, Google employees quitting in protest over the company’s participation in Project Maven, Twitter’s latest attempt to clean up its platform, the EFAIL PGP vulnerability, and more. Enjoy!
- [01:02] The Responsible Communication Style Guide is headed back to the printers! – The Responsible Communication Style Guide
- [01:45] Kickstarter for Community Event Planning, Second Edition
- [04:04] DevOps Days Portland – RECOMPILERFRIENDS for 20% discount!
- [05:50] Open Source Bridge – 10th and Final Year
- [07:57] Brave New World: Ticketmaster to Roll Out Facial Recognition, Sparking Privacy Concerns
- [21:06] Twitter Will Begin Hiding All Tweets From Suspect Accounts | WIRED
- [14:14] Google Employees Resign in Protest Against Pentagon Contract
- [28:21] EFAIL
- [34:57] No, PGP is not broken, not even with the Efail vulnerabilities – ProtonMail Blog
- [41:42] Pride Check!: Pride Dice Enamel Pins by Becca Farrow — Kickstarter
Community Event Planning, 2nd Edition
We’ve launched our Kickstarter for the 2nd edition of Community Event Planning!
We’re publishing an expanded and updated version of our guide to running community-focused conferences, with new material on diversity. In addition to writing from our own expertise, we’ll be interviewing other event organizers from our technology community to share their best practices. Creating community events is an ongoing conversation, and we all learn from each other. The Kickstarter runs through end of day on May 31st. Please back us if you are able!
The Responsible Communication Style Guide is headed back to the printers!
When we sold out of print copies of The Responsible Communication Style Guide last fall, we promised to do another print run in early 2018. We’re happy to announce that we’re ready.
If you’ve been waiting to pick up a printed book (or enough for the rest of the office so they stop filching your copy), this is your chance. Order now!
Issue 9: Hard Problems is now shipping!
You can still get your copy in the Recompiler Shop.
Now Broadcasting LIVE most Fridays
We broadcast our episode recordings LIVE on most Fridays at 10am PST. Mark your calendars and visit recompilermag.live to tune in.
We love hearing from you! Feedback, comments, questions…
We’d love to hear from you, so get in touch!
You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to firstname.lastname@example.org.
CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.
CHRISTIE: Hey, Audrey.
AUDREY: Hi, Christie.
CHRISTIE: It’s recording day.
CHRISTIE: Live broadcasting day. It’s May 18th, just before 10:30 Pacific Time. This is the live broadcast for Episode 62 of The Recompiler podcast. We’re going to talk about Ticketmaster, Google, Twitter, some EFAIL, some encrypted messaging stuff in general, and then things we love on the internet. But first, some announcements.
AUDREY: All right. First up, we are still taking pre-orders for our second printing of The Responsible Communication Style Guide. We got a couple of shoutouts at PyCon that I was really happy to hear about. I love hearing that people are using it in their work.
AUDREY: But I think we’re halfway to our minimum now. It’s just taken a little bit to get the word out. So again, tell people about it, get a full set for your office if you’ve got folks that you think could make use of it. And we’ll be sending that to the printer as soon as we can.
CHRISTIE: RCStyleGuide.com. And, of course, link in the show notes.
AUDREY: We are also doing a Kickstarter for our next book, a second edition of Community Event Planning.
CHRISTIE: Yay! Any cowbell here?
AUDREY: Ding…ding…ding…ding. So Christie, what is this book?
CHRISTIE: This book, the first edition came from a series of workshops and talks we gave basically that had coalesced and shared all what we had learned during our event planning for all things including Open Source Bridge to hacking sprints to unconferences. And we’ve learned a lot since we put that first book together and we want to share that. And we also want to highlight some of the awesome things that other organizers are doing and learning in their communities.
AUDREY: I think it’s really amazing how community events have just grown and grown throughout the tech industry. And there’s just a lot that we can pull together for people to learn from.
CHRISTIE: And part of the cool thing is that if you back our Kickstarter, you can really be part of creating the book and you’ll get preview chapters which you can give feedback on and that will really help us. So not only will your financial support help us, but your input will help us make this second edition a really great resource.
AUDREY: Yeah, for sure.
CHRISTIE: And we’re running that through the end of May. I encourage you not to wait. If you’ve got it in the budget to support it, please go to Kickstarter and do so. And we’ll include a link in the show notes. I’m really looking forward to that project.
AUDREY: I think that we’ve been talking about it…it’s funny. What? It took us for five years to get to the first book and five years to get ready for the second edition. But I think you asked me if we could do a follow-up maybe two years ago now.
AUDREY: It’s been stewing a while. And again, I just think that the community has grown so much that it’s really great that we’re doing it now. And so speaking about community events…
CHRISTIE: Indeed. There’s another good one you want to tell us about.
AUDREY: The Recompiler is…we really enjoy being a media sponsor for events. We get to learn about what’s going on there, we get to share it with our listeners and readers. So there’s two events coming up that we’re involved with. One of them is DevOps Days Portland. I forgot to put the dates on the show notes. I believe it’s in early August. We’ll verify that. But DevOps Days Portland is a conference, a community conference about DevOps that is really as multi-disciplinary as DevOps can be, and really focused on how people do the work, the human aspect of it not just scripting and automation and the tools but the sort of community of effort that goes into DevOps. I went to the Portland event a couple of years ago, I really enjoyed it. So, we’re sponsoring again. We have a ticket code, a 20% off discount code and they do sell out. So, don’t wait too long to get your ticket. We’re also going to be doing a ticket give away a little bit later, in a couple of weeks. So, you’ll have a chance to win a free ticket.
CHRISTIE: Awesome. And that’s September 11th to the 13th here in Portland.
AUDREY: I was off by a month. Thank you for looking that up.
CHRISTIE: Yeah, that’s what I’m here for. I might be there as part of my day job now. I’m kind of excited about that.
CHRISTIE: Did you already say the discount code?
AUDREY: I did not read off the discount code. It’s RECOMPILERFRIENDS, all one word.
CHRISTIE: If you go to DevOpsDays.org, you can find the Portland event and we’ll have a link directly to it in the show notes as well.
AUDREY: Then our other event.
CHRISTIE: Yes. Audrey and I are organizing the 10th and final iteration of Open Source Bridge. It will be a bit shorter than previous iterations. And Audrey, do you want to explain that a little bit?
AUDREY: Open Source Bridge, that was not our first entry into community tech events but definitely the biggest one that I’ve ever been involved with. It’s been running for 10 years now. We’ve done a lot to bring people together across different kinds of open source technologies. It’s not like a single developer conference or a single language. It’s not even DevOps conference focused on just a single kind of work. Open Source Bridge has been just this big umbrella event that we’ve been able to bring people to share how they do their work, what they know, to expose ourselves to different technologies too. So as we are coming onto the 10th year, we’ve had a chance to reflect on how this has impacted us and our community. And it feels like the right time to sort of wrap up and to celebrate what we’ve done, and so that’s what we’re going to be doing in June.
CHRISTIE: Awesome. And OpenSourceBridge.org is where you can get more information about that. We have ticket sales running.
AUDREY: And we have a much smaller number of tickets available than we have in previous years. It’s just a one-day event this year. So again, don’t wait.
CHRISTIE: And if you are usually a travel-in from outside the area to attend and this year with it being more limited, it just doesn’t make sense. We have an option where you can register for a ticket either in a sliding scale and share your memory, share your gratitude about the conference in the community and we’ll have that up in the hacker lounge. So, it’s a way to participate remotely. All right, I think that wraps up our announcements.
AUDREY: Yeah, I think so.
CHRISTIE: So, Ticketmaster, our favorite, favorite ticket venue.
AUDREY: You mean the most expensive way to ever get concert tickets?
CHRISTIE: It does seem like there’s more options now but I could be wrong.
AUDREY: There are a lot more options now. But some venues, I think, have an exclusive contract. So you get kind of stuck.
CHRISTIE: I did like using the…and maybe a lot of platforms have this now, but we used to like buy a resell or like buy a ticket from somebody else through Ticketmaster. I guess that is expensive though and then they take another cut of that.
AUDREY: There’s a platform for sporting events that’s like that. I forget what it’s called.
CHRISTIE: So Ticketmaster’s rolling out a new feature. Tell us about this, Audrey.
AUDREY: Much like you can unlock your phone with your face now, Ticketmaster is testing out the idea of using facial recognition for ticket validation. And there’s just sort of a general theme that we’ve had about facial recognition and both where the technology comes from and what it can be used for. Obviously, there’s a lot of convenience that it can have. In Ticketmaster’s case, they’re sort of saying, “Well, just register and show up.” But people don’t have a lot of visibility into how that data is going to be used. Once you’re official…I don’t even know if there’s got to be a technical term for this, but like your face map. Once that information’s been stored by Ticketmaster, people don’t necessarily know how that’s going to be used. There isn’t a lot of regulation around the privacy of that. And the company that’s providing this technology is involved in military contracts. So there’s the additional aspect of whether your face is being used for research for military.
CHRISTIE: And then also I know you said the article on this was pretty scant on details but it brings to mind also private companies that share this data. Do they share it with other companies or law enforcement?
AUDREY: If there’s a warrant out for you and you go to a concert, you know. It’s not necessarily a good thing that the software can flag that for law enforcement or to be used to create a database of everybody who goes to a certain kind of event. There’s a lot of…okay, what I started thinking about was with scalping and most of my experience with this is around sporting events. But because scalping takes money away from the original ticket vendor, they’ve gone to some pretty extensive lengths to cut that off, both creating their own resell platforms and making it so that it’s not enough just to have a pair of tickets in your hand. But there is some other way that those tickets are validated. And I think the article doesn’t get into this but I think that what they’re talking about really ties into that idea that you won’t be able to transfer your tickets outside of a system that they’ve created that can be used to monitor you.
CHRISTIE: I understand the sort of “convenience factors” but I’ve done a thing where I’m en route to the venue and I realize I don’t have my freaking tickets because I left them at home. And then I have to track down somewhere to print them again or go back. But sometimes, I just want to go to a show or movie anonymously. I don’t know. I do wonder if some of that is generational and if younger folks who are…I just wonder how much this is going to be normalized so that it doesn’t even seem unusual.
AUDREY: There are completely legitimate reasons to want that anonymity. It’s about being tracked, being marketed to the corporate uses of our actions. And yeah, I don’t know. I guess it’s really good that we aren’t taking it for granted. It’s good that we’re asking questions about it. There’s just so many ways that, again, because of a very marginal regulation, there’s a couple of states that have started to take this on and the article does get into that a little bit. Again, we don’t have the visibility. We don’t have a way to understand what’s going on here in the level of detail that would let us make a good decision.
CHRISTIE: And we already know that we’re at a significant disadvantage when it comes to not owning our data and not having any kind of concept of consent around how our data is used. That’s the place from which we’re starting.
AUDREY: And just having ongoing concerns about that. And with facial recognition, you can’t exactly go swap your face.
CHRISTIE: Not easily.
AUDREY: It’s just something you’re going to do an hour before the show. The makeup techniques for preventing facial recognition are pretty noticeable. A lot of the things you can do are pretty noticeable. I don’t know. I don’t like this kind of stuff being tested because I think it creates a potential barrier that we won’t see yet but we could see in the future. And the overlapping use of military research, which is something that we’re going to talk about a little bit more.
CHRISTIE: That’s a good segue into our next topic. I’m pretty sure we talked about…well, it’s sort of a general theme of the podcast where some of these invasive technologies start off as military research. And we have mentioned before Project Maven which is a DOD-funded activity that Google’s participated in.
AUDREY: Around image recognition.
CHRISTIE: And so there’s a piece in Gizmodo from Kate Conger talking about a handful of Google employees who have resigned, specifically because of Google’s participation in this. About a dozen, it says. What were your thoughts on this, Audrey?
AUDREY: Finally. No, I mean there’s a couple of really good quotes in here from the employees who resigned that they finally realized that this was the leverage that they had. And the article points out that Google employees really have the best standing to do something here and have the most privilege not just to speak out. And the article does talk about some of the things that they had tried before that, the ways that they had tried to make use of internal communication. But the best thing you can do when your company is pulling you into something that you find extremely unethical or immoral, the best thing you can do is to leave and to explain why.
CHRISTIE: I don’t think the article talked about what level these employees were at. I wish it didn’t matter but I think it does.
AUDREY: I think it’s implied that they aren’t new employees anyhow because one of them is talking about feeling unable to refer people to work there, and why would you work someplace where you don’t feel like you can make a referral to anybody you know. And to me, that implied that they maybe had been there a little bit longer and found that their feelings on that had changed.
CHRISTIE: I’ve just looked it up. Google has 85,000 employees as of Q1, that does not include Alphabet.
AUDREY: The parent company.
CHRISTIE: Right. Which is 0.014% of their employee base.
AUDREY: It’s not really about…obviously, they’re not stopping the company from working on it by leaving. It’s about how much noise they can make on their way out and how embarrassing it is to say, “Well, you’re losing some really great engineers because of what you’re doing here.” That’s the leverage and that’s the pressure.
CHRISTIE: Twelve is enough to get a Gizmodo article.
AUDREY: And it’s unusual. How many walkouts can you think of that have happened at tech companies like this?
CHRISTIE: Not a lot. I guess, it’s positive on the one hand because it’s anomalous but also it’s still not a lot of people. And I really think it’s complicated. I don’t know that I can just walk off a job.
AUDREY: I just feel like this is a really good example that they’re doing the right thing and that I hope people will take inspiration from this and see this as an option, again, for employees that have a lot more privilege and a lot more leverage.
CHRISTIE: So, it could start or inspire more further resignations.
AUDREY: Yeah, I think so. Not just Google but other places that have really ignored people’s concerns about what they’re doing with their technology.
CHRISTIE: There was a bit…did you catch this bit about Project Maven is open source? So, it doesn’t matter whether or not Google is involved because DOD can do whatever they want with it.
AUDREY: This kind of goes back to us having an open source conference that certainly my understanding of open source has changed a whole lot in the last 10 years, and the good and bad aspects of it. And there isn’t a standard open source license that says you can do all of those things except not if it’s for the military.
CHRISTIE: In fact, such a license would not be open source trademark.
AUDREY: OSI, open source.
CHRISTIE: So it could potentially have an action against you if you called it an open source license. I don’t think that’s an excuse. I mean, certainly if you’re contributing to a whole bunch of labor, you still have a role in it. But I do think it’s something that we should talk about more in the open source community.
AUDREY: It can be a kind of unexpected consequence, if we are unaware of it and we’re not calling it out. Like you said, that the open source guidelines under its trademark, a registered trademark, the guidelines for that to call your project open source require that you don’t restrict who can use your software, even for moral reasons, even for personal and moral reasons.
CHRISTIE: And that’s not an accident. That was an intentional thing that they did, as part of that definition.
AUDREY: And so, the result is this. And I think there are a lot of people working with them, working in open source who probably haven’t thought about this. Because of the ways that these technologies have grown, and open source has really become the default for a lot of kinds of technology, we’re just getting a lot more exposure to that.
CHRISTIE: So Twitter is making some changes. They announced some changes to their API but we’re specifically talking about how they’re going to use some sort of behavioral signals to reduce the visibility of tweets from people “behaving badly”.
AUDREY: It’s a further kind of content moderation, automated content moderation that they’re trying.
CHRISTIE: And they’re going to look at things like how much are you responding to accounts that don’t follow you back, how much do you associate with other people who are behaving badly, things like that. What do you think of this, Audrey?
AUDREY: Well, I often think that Twitter moderating content better is a nice idea. I’m really, really aware of the false positives that they’re having in their current efforts. Even just to the extent that I keep seeing friends reply to other friends with emphatic enthusiasm using certain words and Twitter hides the replies.
CHRISTIE: So like, “F yeah! That’s great!” Or something? Do you mean sort of like that?
AUDREY: Yeah, like that. I’m seeing daily examples of that. And I think some of these can have the same behavioral triggers. We can be friends-ish, friendly acquaintance with people and not follow them and vice versa. But you might still converse with them on Twitter. I appreciate that there’s a whole lot of bots out there and a whole lot of just junk. But I think that the false positives are really problematic. And I appreciated it that Wired, I think it’s a Wired article talked about shadow banning a little bit too.
CHRISTIE: That’s the general term for when you reduce the visibility of someone’s content on a social network without really telling them.
AUDREY: Right. People aren’t seeing what they post but they don’t necessarily know about that, until possibly somebody tells them. And the problem with this is the false positives combined with the lack of notification and the lack of ability to do anything about it.
CHRISTIE: There’s no system.
AUDREY: Right. I mean, there are legitimate reasons to have, I don’t know, what they consider a lot of accounts from the same IP address. But there are legitimate reasons to have multiple accounts. Even a social media manager might fall into that. And just every piece of this, there can be another reason for it. So when you don’t have a way to do anything or to know that you’re being affected, I don’t know, it just feels like such an incomplete solution and I’m tired of Twitter telling us, “Well, look! We’re going to fix it now.” I don’t know. Are you?
CHRISTIE: Right. Trust is low.
AUDREY: Very low.
CHRISTIE: Yeah, I think I concur.
AUDREY: It’s frustrating because many, many people pointed out Twitter is capable of identifying actual Nazis on the platform because they’re legally required to in certain countries. And Twitter is capable of reducing abusive behavior. And anybody who’s gotten flipped to verified account can tell you that because suddenly the amount of abuse that they experience goes down quite a bit. And again, I just see regular examples of people being shadow banned and not knowing why. The false — not false, but like malicious reporting. Malicious abuse reporting happens and it can happen at scale, not just a little bit of somebody clicking report, report, report on you, but people can organize much larger efforts to do that. There’s fundamentally some things wrong with the platform and this is just another little, little effort.
CHRISTIE: And the people that are most likely going to be disproportionately caught up in this false positive are those who are already marginalized in one way or another.
CHRISTIE: Like we’ve seen on YouTube with LGBT content, getting fired or deprioritized.
AUDREY: Or on Twitter, I see it around anti-police sentiment, anti-police activism, people of color, trans people of color. It’s just not good to kind of tie in our code of conduct work and the development of not just code of conduct policies but good response plans. You need a system that can be examined. And so, if you were algorithmically deciding that people are behaving badly, you still need a way to have insight into that and to respond to the result. You can’t just start hiding things and not be able to go back to it. Look at what’s happening for somebody to find out that it’s happening. Maybe you don’t want to tell them everything but people should at least be able to know that their content is affected by these rules.
CHRISTIE: All right. We’ll see how it plays out. You don’t know how they’ve rolled these things out either. You don’t know, is it 10% of users, is it 80?
AUDREY: They said that they’re testing but that could be anything. I assume that I’ll see somebody screen-cap it when it starts affecting them negatively, affecting the conversations that they’re trying to have negatively.
CHRISTIE: You remember when the most…I don’t know what the right word is…thing we had to talk about with Twitter was a fail whale. I remember their biggest challenge was like scalability.
AUDREY: Just flat out [inaudible]. Yeah, I do remember that.
CHRISTIE: Good old days. I miss that fail whale.
AUDREY: Now, when Twitter goes down, people are like, “Oh, okay. I got to get a break.”
CHRISTIE: Has it gone down recently?
AUDREY: No. They’ve been affected by some of the DDoS things, I think. It hasn’t gone down like fail whale style.
CHRISTIE: If nothing else, Twitter gave us that great…I still use that, fail whale.
AUDREY: It was a good illustration.
CHRISTIE: Oh, boy! EFAIL.
AUDREY: It’s e-failure.
CHRISTIE: Yeah. These researchers definitely don’t have the same UI support like Heartbleed and other groups did. That was actually the first thing I thought of when I went to the EFAIL website. You know what I mean?
AUDREY: That they did have a snazzy name but not the other stuff.
CHRISTIE: They have a snazzy name and I’m not sure what to say about this logo.
AUDREY: Wait, I have to open it because I don’t even remember.
CHRISTIE: It looks like an envelope is sneezing out its contents.
AUDREY: It’s kind of cute.
CHRISTIE: It’s kind of cute in like a Clippy sort of way. This is not probably the right things to do. But it did set a tone for me, whether or not I wanted it to.
AUDREY: Communication around security vulnerabilities is really important, and this is why we’ve talked about the aesthetic of that a little bit, that people without detailed understanding of the security problem need to have a way to understand how it affects them. So all of this communication is important that way.
CHRISTIE: If you go back and you compare it to something like Heartbleed, there’s a marked difference. Also, there seemed to be some back and forth about the way this was disclosed which I didn’t have a chance to dive into.
AUDREY: Oh, there was a press announcement by the press embargo and somebody broke it. And so, they ended up announcing it a day early.
CHRISTIE: I saw some back and forth from one of the clients that seemed like, “Oh, we were never told.” But it sounds like they were. They just were confused or something. So basically, this is not a vulnerability in PGP itself exactly, but in implementation within client email.
AUDREY: Like the specific plugins that people use to access PGP-encrypted emails.
CHRISTIE: Right. And the heart of it seems to be that there is a way…basically if you’ve used PGP email, you’ll probably recall that once you set it up and you have your private key in there, that you can set the email client to just decrypt messages you get sent without you having to do anything.
AUDREY: I’ll take your word for it. I haven’t tried this myself.
CHRISTIE: I don’t know if that’s a thing…I have it configured. I don’t know what most people do. It’s certainly the most convenient thing. And so basically, the vulnerability requires that you have intercepted some of…
AUDREY: That the attacker has intercepted a previous message.
CHRISTIE: Right. And that you resend that to your target basically inside some broken HTML. And then because the client is not only decrypting automatically but rendering HTML directly, it can make a server call and the server call would make it your server the attacker which would then be sent the decrypted text. There was another part of it that I didn’t quite understand involving altering the content, altering a portion of the content and then having the whole thing be decrypted. I didn’t quite understand that part of it.
AUDREY: The first thing you’re talking about is the direct exfiltration.
AUDREY: Okay. And then they have this other thing called a CBC/CFB gadget attack?
CHRISTIE: Yeah, that was the thing that was having…
AUDREY: With a much more complicated diagram.
AUDREY: I think there’s a thing implied in this which is that…tell me if I’m misreading this…but it’s not that the direct exfiltration allows them to get the key. It’s just that it allows them to get information that can be used to eventually determine the key?
CHRISTIE: The key is never determined in any of these.
AUDREY: So what I mean is it’s attacking the cryptography in that once you have both encrypted and unencrypted messages copies of those, you can start to deduct the private key.
CHRISTIE: I don’t know, maybe. Is that how it works?
AUDREY: I’m trying to understand if that’s the case because I don’t see anything here that explicitly…
CHRISTIE: I will have to…we’re starting to get in that territory of where it’s like there’d be dragons we don’t fully understand the cryptography. In general, my understanding is that the more you know about the bits and pieces, the more you can deduce. But how far you could take that with this, I’m not sure.
AUDREY: I guess what I’m trying to say is I find that really frustrating about these announcements that they’re explaining the technology of it, they’ve given it a logo but it doesn’t…it’s an important distinction. Like if somebody completes this attack, do they then have the ability to decrypt all of your email or do they just have one step closer to starting to decrypt all of your emails?
CHRISTIE: One step closer, if that even…
AUDREY: Yeah. Oops, sorry. I don’t want to hit my microphone stand. I’m gesturing.
CHRISTIE: I saw a lot of criticism that this was like overblown. The reporting on it made it seem a lot worse than it was.
AUDREY: I mean, if only that you don’t have to use an email plugin and you certainly don’t have to automatically decrypt your emails, it’s not a problem with PGP itself. It’s with the way that it’s integrated into a mail client.
CHRISTIE: ProtonMail had a post on it. Oh, here it is, which I did not…I was collecting these when I was traveling. I did not put them in our show notes, Audrey. How do you get a link from Instapaper? Here we go.
AUDREY: You click on the thing with the name of the publication.
CHRISTIE: Okay, I’ll put this in the show notes and then also…because there was a bit in here. It says, “No, PGP is not broken, not even with the Efail vulnerabilities.” And a big part of this is explaining whether or not ProtonMail is vulnerable to this, which it’s mostly not. They basically said that the biggest part of it is that there’s not a vulnerability in PGP but that there is an aspect of the spec that was not as specific as it could have been. And so, that some implementations shows that when a modification was detected in the ciphertext that they didn’t consider that a failure and they decrypted it despite the content anyway.
AUDREY: Oh, okay.
CHRISTIE: So they maintain OpenPGPjs as part of their mitigation. They’re dropping support of the obsolete Symmetrically Encrypted packet type and they’re going to continue to push forward authenticated encryption.
AUDREY: That makes sense.
CHRISTIE: I think I needed a little more studying on this symmetrical encrypted packet type because I think that…It says, “The third method is for the attacker to change an SEIP packet into a Symmetrically Encrypted packet.” It’s like there’s some way of tampering with the content that will cause some clients to decrypt the ciphertext when [inaudible].
AUDREY: This is reminding me of why I’m not using PGP email because it is down to these. I mean, the mail client I use doesn’t have a built in. It’s down to these plugins for mail clients. I don’t know.
CHRISTIE: Well, for usability, yes. I mean, you can always save a mail on the decrypt on the command line.
AUDREY: Oh yeah, yeah. What I mean is like it hasn’t made sense for me to make regular use of this because, I don’t know, I haven’t felt a lot of trust around the plugins, the support, the integration. I can’t even do it on my phone, so I don’t know. One, it’s overblown to say that this is destroying encrypted email or that it’s even maybe a significant problem with encrypted email. But there is a problem with encrypted email.
CHRISTIE: It’s a pain in the butt.
AUDREY: Yeah, it’s the usability. And if it’s not usable, then it doesn’t get used. And it doesn’t get used correctly, consistently.
CHRISTIE: I’ve tried really hard to maintain work in encrypted email and there’s approximately one other person that ever sends me encrypted email. And when they do, I have to time them on my phone and then I’ll message them and Signal would be like, “I can’t read your email right now because I won’t be home until tomorrow.”
AUDREY: I’ve received exactly one email asking if I had a PGP key. And the person had created a throwaway Google account anyhow to do it. They just wanted to ask something anonymously. And it was fine. So I gave them as much generalized information as I could. And I guess if I were regularly getting emails like that with that request, then I would at least publish a key. I can’t imagine a situation right now where this would be a regular part of my email because again, the integration is just terrible.
CHRISTIE: It’s never felt more than super hacky to me. And then there’s the issue of…I mean, the curmudgeon in me just wants to be like grumble, grumble, HTML, email.
AUDREY: Which, at least for the time being, you’re stuck with until Google makes it so proprietary that those of us that want to communicate in uncorporate ways are stuck using plain text.
CHRISTIE: Works for me.
AUDREY: But again, we’ll have to find specialized email clients.
CHRISTIE: I think Apple has a vested interest in maintaining there. I just wish their mail and calendar options were a little more robust.
AUDREY: Sure. There’s been back and forth pushes about encrypted email in general. Yahoo looking at it. I’m sure that there are folks at Google that have looked at it as a general thing that they could do. If Apple were to decide that they’d like to integrate PGP both in the mobile clients and the desktop clients, that would happen really fast. That was spread really fast.
CHRISTIE: And I think that they’re choosing to spend their resources in other ways, like secure enclave in the wallet and things like that.
AUDREY: Plus it doesn’t improve the spam problem. That’s the other aspect of this. If people can encrypt spam to you then they can’t be detected on the server level and email becomes less useful that way.
CHRISTIE: Okey-dokey. Things we love on the internet this week.
AUDREY: I forgot to write one down.
CHRISTIE: Oh, I forgot to look for one too.
AUDREY: Oh no, wait. I had something in mind. Let me see if I can go find it. There was another Kickstarter that I backed that I liked.
CHRISTIE: Oh, and this is to remind people there is another Signal vulnerability update. So make sure to update your desktop clients.
AUDREY: In general, if there’s a security update for something you use for communication, do it. So, this is just kind of nerdy but there’s a Kickstarter called Pride Check!: Pride Dice Enamel Pins. And they are these really cute little…I’ll paste it in and you can see.
CHRISTIE: Like gay pride? Because we got June next month. Oh, nice! So, they’re enamel pins that look like the 20-sided die and they’re in the different pride colors. Which apparently I don’t know all the pride colors. I don’t know what all these palettes are. I know one of these is trans, one of these is…
AUDREY: They have a key.
CHRISTIE: Well, they have a key.
AUDREY: Yes, scroll down.
CHRISTIE: Why am I struggling with this so much? LGBTQA+. Okay, bi, trans, ace, pan, lesbian. Lesbians have their own color? I missed that. How can that be the case?
AUDREY: I just learned how to sign in ASL lesbian yesterday. We had a great conversation in class actually about…
CHRISTIE: I can make some signs for that. Sorry.
AUDREY: No, but we had a really good conversation in class about inclusive language, inclusive personal language. And so, we all learned how to sign lesbian. It’s good.
AUDREY: So because this Kickstarter did really well, you can definitely expect to get a pin if you back it. It’s got five more days left and because they hit some of their stretch goals, they were able to add more colors.
AUDREY: More types. For example, non-binary and agender pins in here now and genderqueer and hats and backpacks. It’s just gone on really well. So I thought these were super cute and probably to some of our listeners’ tastes.
CHRISTIE: Cool. All right. Well yeah, there’s all kinds of stuff. And it’s running until, we’ve got five days to go at the time we record this. So hopefully, I will publish this soon.
AUDREY: On day 5?
AUDREY: So people will have just enough time.
CHRISTIE: Yes, I’ll do my best. Okey-dokey. I guess this is just a little bit of a stretch. But I started a new job recently so I’ve been super busy and not paying a whole lot of attention to the internet. There was some tweet that went around that was basically like by the age of 35, you should have some ridiculous portion of your salary saved, like three times your salary?
CHRISTIE: And I just really appreciate it. So people, of course, mocked it and also had critical responses. But a lot of people did their own take and I’ve just been really appreciating. I stopped favoring them all but FakeLibStat says, “By 35, you should have collected enough books to be able to stare at your shelves and say, ‘Well, I guess I can never move again’.” And there’s much more.
AUDREY: At 35, I started draining all of my savings to start The Recompiler. I feel like that was a good tradeoff.
CHRISTIE: Yeah. Well, 35 is also the median age at which women leave tech.
AUDREY: I was pretty conscious about…
CHRISTIE: Or average? One of those.
AUDREY: Save as much as you can but also it’s okay to be where you are.
CHRISTIE: Those things are always just guidelines and they always have a bias and a context.
AUDREY: Sure. And this should imply like you’re going to retire at a certain age and you’re going to live a certain number of years. And we’re making some big guesses about buying power, like what money will be worth when you get to that point.
CHRISTIE: I don’t remember if that person is in the US or not. But in the US, we have…our retirement savings are not…they’re linked to the stock market for the most part. And that’s a lot not in your control. Even if you are in a position where you have spare income to save and you save diligently, like the people that wanted to retire at the beginning of the housing crisis, uh-uh.
AUDREY: I guess a thing to like is that we can all recognize that we’re in this together in terms of meeting a different kind of support and not just personal savings twice or annual income which after having seen responses, I don’t think I know anybody who’s achieved that.
CHRISTIE: I was maybe half that when I quit Mozilla and then I promptly used it all till I figure out what I was going to do next. Okay, that’s our show. Thanks everyone for listening. Thanks for hosting with me another episode, Audrey.
AUDREY: Thank you.
CHRISTIE: Signing off.
And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to email@example.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.