My work schedule and intensity often prevents me from focusing enough these days to read books, something I find frustrating, and am working to revise. The flip side is that I read thousands of pages of books online this summer and fall in researching articles, and that was absolutely delightful.
I have completed three books recently, and I'm recommending them all.
Doctor, Doctor, It Hurts When I Read
The first is Get Well Soon: History's Worst Plagues and the Heroes Who Fought Them (2017, end notes, bibliography) by Jennifer Wright. Jen is delightfully funny on Twitter and also a force to be reckoned with in fighting against misogyny and cruelty. Her book on plagues seemed like a funny match to her public personality, but I enjoyed it from beginning to end. I'll say that she tries to ease us in. The book is written in a sometimes aggressively peppy and informal tone, and the book starts out heavily in that style, and then drops down into a more level pace once we understand that the title will be enjoyable and not a recitation of death and blood.
Massively annotated with citations (using end notes, to make the main text readable) and full of bits of history I never knew the full and true story about, Get Well Soon extols a lot of great people, some of whom were forgotten or maligned. She finds mostly heroes and some villains. The chapter on leprosy is particularly moving; on lobotomies, a human plague, a definition I fully agree with after reading it; and on the dancing plague surprising and bizarre. If you wonder how humanity has survived, pick this up. I particularly recommend the subsection in "Bubonic Plague" titled "The Exploding Frog Cure."
Nor the Battle to the Strong
Earlier this year, after discussing with a friend typewriting races—speed competitions for keying in words—I recalled there were words used among typesetters to test speed, too. That led me to the book The Swifts: Printers in the Age of Typesetting Races by Walker Rumble (2003, glossary, end notes, bibliography, index). What the heck?! This monograph helps you understand the life and nature of compositors or typesetters in the 19th century, and led to a number of articles and explorations I made this summer.
Typesetting was a tough job and hadn't changed much since Gutenberg. While everything else in printing sped up, including the manufacture of type, composition largely remained the same, relying on the frailty of humans working as fast as they could. As the century advanced, speed races among typesetters became a fad, and many were held. The fastest compositors were called swifts (and according to one contemporary source I found, fire eaters). But even as these races became popular, the hot-metal Linotype typesetting system became practical and shifted the majority of composition from one-at-a-time hand work to keyboards.
This was an okay change, though: the book notes that in 1850, the average age of death of a printer (including typesetters and pressmen) was 28 years. Horrifying. As the Linotype era started, despite the pots of boiling lead involved, working conditions did, too. The average death age increased year by year until it was about 53 in 1920, the same as other male adults.
It's not all bleak! The swifts had fun, and drank like fish, and had their own typographers' bars, and traveled as journeymen, and led the life of Riley. The book also covers how boys started apprenticing around age 13, the attempt by women to enter the field, and the remarkable anti-union behavior of Susan B. Anthony. The book bogs down into racing statistics at times, but it's generally a rollicking and super-informative slice of life. You understand how typesetters lived and the era that ended.
A Canal Ran Through It
This summer, I went to a talk by David B. Williams, a local author and naturalist who had a co-written book coming out in the fall called Waterway: The Story of Seattle's Locks and Ship Canal (2017, bibliography, index). As a 20-plus-year denizen of Seattle who loves the waterway that winds through the city, and with scattered historical knowledge about how it was fitting together and things cut through—we live near a passage called the Montlake Cut—I enjoyed the heck out of his talk and got the book the moment it was out.
It's lavishly illustrated and beautifully written. He and co-author Jennifer Ott, an environmental historian, trace the massive hydrologic and soil changes carried out by a couple generations of city leaders, local businesspeople, and the Army Corps of Engineers. It's a narrative with relatively little intrigue and corruption, but rather fights among competing visions of restructuring Seattle combined with challenging nature. A river's course is reversed. Another is blocked and effectively removed. A large portion of Elliott Bay is filled—with soil from a canal excavation that was never completed. The one that was lowered Lake Washington by nine feet.
And the book doesn't just look at it from the view of immigrants from the east, but Native Americans' relationships with the water, and how the reworking affected where they lived, what they ate, and their ability to continue their intertwined lives with salmon.
I think of it as a quintessential Seattle thing to know all the bodies of water and canals between Elliott Bay and Lake Washington, and I see them all with different eyes after reading this book.
(My only quibble is typographic: the book is gorgeously designed and printed in vivid full color, yet the designer opted for a fake (slanted) italic with its body face, which grates on this typographer for its inelegance—why not use a correct, more legible, harmonious italic?)
I’ve just released A Practical Guide to Networking, Privacy, and Security in iOS 11, the latest version of a book about those three topics that I’ve been updating for about seven years in a couple of different versions.
My intent is to give you everything you need to manage networking—Wi-Fi, Bluetooth, cellular, Personal Hotspot, AirPlay, AirDrop, and more—as well as all the ins and outs of what Apple does with your private data and how it controls and restricts access by third-party apps and Web sites to you while you use an iPhone or iPad. I also explain how to pick good passwords, turn on two-factor authentication, use passcodes and Touch ID, and find your missing iPhone or iPad.
It's a reference work—you probably won't want to read it end to end! But whenever you have a question about any of these topics, it’s there for you to refer to. You can purchase it directly from me via the link below, and you get a DRM-free ebook in three different formats, so you can read it anywhere you want on any device. The price includes any updates to this iOS 11 edition.
Read more about the book here, including a downloadable excerpt and table of contents.
If you purchased any previous edition, you’re entitled to a low-cost upgrade; contact me if you didn’t receive email or other notification. If you’d like this book in print, you can purchase a print-on-demand edition via Amazon.
Bad password advice from the 1990s continues to be repeated ad nauseam, even though it has been widely disproven and groups ranging from security firms to academic researchers to the National Institute of Standards and Technology (NIST) specifically advise against most of those principles. Below, I take this apart and offer you actual good advice. (My friend Joe Kissell covers this topic in depth in his excellent "Take Control of Your Passwords.")
You might also wonder why encrypted passwords stolen from breached sites can still be cracked and used against you. I can explain that, too.
Everything you’ve been told is wrong
You know the drill. You’re often told, when setting up an account or changing a password, that a good password should:
- Be at least 8 characters long, but often no more than 12.
- Contain at least one uppercase letter, one lowercase letter, one number, and one piece of punctuation (from an approved list).
- Not contain any words found in a dictionary (in any language).
- Change every few months.
If you follow that truly lousy advice — which may even be enforced by the server — you can wind up with dr0wssaP!, a password that passes all those rules with flying colors and can be cracked in seconds. Crackers also know the above rules and optimize their cracking routines to focus on variants of simple words combined with the obvious numbers and pieces of punctuation. This is what leads people to pick Apples1! for an eight-character password.
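As an added illustration (not code from the original post), the sketch below puts the composition rules listed above next to a check that undoes the obvious decorations before consulting a word list. The word list, the swap table and the function names are constructed for the example; a real service would use a large dictionary or breached-password list.

```python
import re

# Constructed sample of common base words; a real check would load a large
# dictionary / breached-password list instead.
COMMON_WORDS = {"password", "apples", "welcome", "dragon", "monkey"}

# Character swaps the composition rules nudge people toward (assumed table).
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
DECORATION = "0123456789!@#$%^&*?.-_"

def passes_1990s_rules(pw):
    """8-12 characters with one uppercase, lowercase, digit and punctuation."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return 8 <= len(pw) <= 12 and all(re.search(c, pw) for c in classes)

def base_candidates(pw):
    """Strip the usual decorations to recover the word a password was built on."""
    lowered = pw.lower()
    forms = {lowered, lowered.strip(DECORATION)}   # drop leading/trailing 1! etc.
    forms |= {f.translate(SWAPS) for f in forms}   # undo 0->o, @->a, ...
    forms |= {f[::-1] for f in forms}              # undo simple reversal
    return forms

def is_decorated_common_word(pw):
    """True when the password is a common word plus predictable decoration."""
    return any(f in COMMON_WORDS for f in base_candidates(pw))

def acceptable(pw, min_length=8):
    """Length floor plus denylist; no composition rules, no upper length limit."""
    return len(pw) >= min_length and not is_decorated_common_word(pw)

if __name__ == "__main__":
    # Passwords quoted in the article.
    for pw in ("dr0wssaP!", "Apples1!", "p@ssw0rd", "Sluggy-Headache-Fedora-Man"):
        print(f"{pw:28} old rules: {passes_1990s_rules(pw)!s:6}"
              f" denylist check: {acceptable(pw)}")
```
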
As NIST’s 2017 standards report notes about memorized passwords, “Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.”
All of that is bad advice. The best current recommendation is:
- Use a password manager that creates and manages passwords for you. I rely on 1Password.
- Use a different password on each site. A password manager makes that easy.
- Make it longer, which I’ll discuss more below. Passwords are often 8 to 12 characters because they’re so complicated. A longer, easier to type password can be much stronger than a short impossible one.
- For passwords you need to type regularly and can’t paste in, make up passwords from words you know, but use several of them, randomly selected; better, let your password manager do it for you.
- Don’t change your passwords regularly. There is absolutely no reason to create and memorize or store a new password unless a breach has occurred. The only reason to avoid this rule is if you haven’t changed your password in a while and you know it’s short and weak.
You can consult my 2015 Fast Company article, “Everything You Know About Passwords Is Wrong” for more of the research background on why existing rules are bad.
You might be baffled, as I regularly am, as to why a password like Sluggy-Headache-Fedora-Man is much more secure than KLJf@88!4=Pz9 — should a password made of words be simpler to test and match than one made of totally arbitrary characters? No, and that’s because of the brute force required. Even with crackers using techniques to walk down smarter paths for basic passwords, longer passwords just take vastly longer amounts of time to iterate through. (I have to go and re-read the background to refresh myself on the details.)
Every character added to a password can increase the difficulty of cracking it by a factor of anywhere from just a few to thousands, depending on the overall set of characters chosen, repeated characters, whether words are in dictionaries, and more. Add several characters and through the power of exponents, a password could be billions or trillions of times more resistant to brute force. You can trade off a large set of characters used in a password — like mixed case, punctuation, and numbers — against a longer password that’s entirely lowercase or mixed case. (A nice variant is to use a rare punctuation character between words.)
Effectively, the choice is:
- If you never need to type a password, and your password manager can fill it in, picking a super-complicated 20 characters long will probably survive the heat death of the universe.
- If you ever need to type a password, especially on a mobile device, picking a longish one that's three or four words long in an unusual combination (which can be generated by 1Password and other software and algorithms) with a story that reminds you of the words gives you until the sun burns out. Or even with vastly improved computational power, the rest of your life and far, far beyond.
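To put numbers on the trade-off between character set and length, here is an added example (not part of the original post) that counts the search space for choices made uniformly at random and generates a word-based passphrase with a cryptographic random source. The 16-word list is constructed for the demo, and the 94-character alphabet, the 7776-word list size and the guessing rate are assumptions.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline; real generators draw
# from lists of several thousand words (7776 below is an assumed list size).
SAMPLE_WORDS = ["sluggy", "headache", "fedora", "man", "canal", "lanyard",
                "pica", "gauge", "rotary", "voyager", "salmon", "frog",
                "swift", "type", "button", "locks"]

def generate_passphrase(words, count, separator="-"):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    return separator.join(secrets.choice(words) for _ in range(count))

def search_space(choices, picks):
    """Equally likely outcomes when every pick is uniform and independent."""
    return choices ** picks

def picks_to_match(target_space, choices):
    """Fewest picks from `choices` options whose space reaches target_space."""
    picks = 0
    while search_space(choices, picks) < target_space:
        picks += 1
    return picks

def years_to_exhaust(space, guesses_per_second):
    """Time to try every candidate at a fixed guessing rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    rate = 10_000_000_000          # assumed: ten billion guesses per second
    target = search_space(94, 12)  # 12 random printable-ASCII characters
    print("bits in 12 random characters:", round(math.log2(target), 1))
    print("each extra character multiplies the work by",
          search_space(94, 13) // target)
    print("random lowercase letters to match:", picks_to_match(target, 26))
    print("random words (7776-word list) to match:",
          picks_to_match(target, 7776))
    for length in (8, 12, 20):
        years = years_to_exhaust(search_space(94, length), rate)
        print(f"{length} random characters: {years:.3g} years to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The counts only hold when every character or word is picked at random; a phrase a person makes up has a smaller effective search space than the formula suggests.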
When passwords are stolen from a Web site, aren't they encrypted? Shouldn't that stop the bad guys?
Yes and no. Account databases almost always use "hashing," a one-way encryption process that transforms any input into something that can’t be reverse-engineered to discover the original information. (It performs a large number of mathematical operations that ensure that two similar pieces of starting text produce vastly different hashed outcomes. This prevents guessing and testing.)
When you log into nearly any Web site, you enter your username and password, and the password is sent through the same hashing algorithm and compared to the stored value in the site’s database. Good so far.
Since hashing is a one-way operation, the only way to crack a hashed entry is through brute force: passing a huge number of passwords through the same hashing algorithm until you find one that matches the stored value.
However, many sites long relied on an outdated hashing algorithm (SHA1) that has run afoul of Moore’s Law combined with flaws discovered later in how the algorithm was designed. Because computational power increases on an exponential basis, any algorithm that has a flat level of difficulty, no matter how complex, will eventually fall to faster computers. Plus, GPUs (graphical processing units) in computers and graphics cards vastly speed up and reduce the cost of encryption and similar intensive computational tasks. As a result, criminal crackers can afford hardware that's able to perform tens of billions — maybe hundreds of billions — of password checks per second. Flaws in the algorithm further reduced the number of operations required to crack passwords, providing an effective speed boost.
One simple technique could have protected even many weak passwords. Let's say your password is 123456. That's a terrible password, and could easily be broken by brute force checks that would test billions of possible passwords against the stored hash value. Even worse, that cracked password is now cracked across all accounts in all breaches because it's identical when passed through the hashing algorithm everywhere.
However, if you add unique random data called "salt" to the one-way hashing algorithm, as little as a couple characters of text, but which can be much longer, the hashed results of otherwise identical weak passwords end up different. Even if one salted password is cracked, others won't be, because the salt will be (or at least should be) different for each one. Every password has to be cracked uniquely by combining the salt with the current guess, no matter how weak the password is.
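The difference between the unsalted and salted schemes, as an added example that is not from the original post: three constructed accounts share the password 123456, stored first with plain SHA1 and then with a per-account salt. PBKDF2-HMAC-SHA256 and the iteration count are my choices for the slow, adjustable hash; the post itself names only SHA1 and salt.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; raise it over time as hardware gets faster.
CURRENT_ITERATIONS = 600_000

def unsalted_sha1(password):
    """Outdated scheme: identical passwords hash identically on every site."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password, iterations=CURRENT_ITERATIONS):
    """Random per-account salt plus PBKDF2-HMAC-SHA256 (deliberately slow)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])

def needs_rehash(record, current=CURRENT_ITERATIONS):
    """True when a record was stored with a lower work factor than today's."""
    return record["iterations"] < current

def distinct_stored_values(stored):
    """How many separate cracking jobs a stolen table represents."""
    return len(set(stored))

if __name__ == "__main__":
    # Constructed accounts that all chose the weak password from the text.
    users = ["alice", "bob", "carol"]
    legacy = [unsalted_sha1("123456") for _ in users]
    salted = [hash_password("123456", iterations=10_000) for _ in users]
    print("unsalted:", distinct_stored_values(legacy), "distinct value(s)")
    print("salted:  ", distinct_stored_values(r["digest"] for r in salted),
          "distinct value(s)")
    print("correct password verifies:", verify_password("123456", salted[0]))
    print("wrong password verifies:  ", verify_password("654321", salted[0]))
    print("upgrade on next login:    ", needs_rehash(salted[0]))
```

Storing the iteration count with each record lets a site raise the cost for new hashes and upgrade old ones the next time the user logs in.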
In short, because computing power continues to both increase and drop in cost, crackers continue to break more passwords from older breaches and use them to compromise accounts whose passwords remain unchanged.
Nonetheless, we're still talking about relatively weak passwords. It also turns out that many sites had no rules for password security, and even those that did often gave bad advice for choosing passwords. As a result, a lot of people chose 135792468 or p@ssw0rd for what they thought would be a perfectly unguessable password.
Pick a better password even as sites improve their encryption choices, and you can wind up well protected. Some sites and services that use robust protection have had major breaches and no reported cracked passwords.
I originally wrote this as part of a story where it wound up ballooning out of scale, and too tangential. I revised to share here!
Another large passel of articles I’ve written are out!
- “A T-Shirt Company Tries On A Radical Idea: Tees That Fit Actual Women,” about Cotton Bureau’s efforts to make a better T (Fast Company, Sept. 10)
- “Meet The Font Detectives Who Ferret Out Fakery” (Wired, Sept. 13) on the expert typographers who testify in trials about print and type history, sizes, and legibility largely in pursuit of forgery.
- “Where are the flaws in two-factor authentication?” (the Economist, Sept. 13)
- “This 10-Year-Old’s $2 Million Amazon Business Is Leaving Competitors In The Dust” (Fast Company, Sept. 12)
- “Face ID on the iPhone X: Everything you need to know about Apple’s facial recognition” (Macworld, Sept. 15)
- “How Amazon’s Nonstop Growth Is Creating A Brand-New Seattle” (Fast Company, Aug. 24), explaining how Amazon has had a huge impact on Seattle’s downtown, housing, and culture, but is also bringing its dollars and volunteers to local nonprofits that aid those left behind. Pair this with “Amazon’s Quest For An HQ2 Underscores Seattle Growing Pains,” which looks at the announcement shortly after my story ran about Amazon wanting to use the clone tool on its Seattle headquarters.
- The first three parts of a six-part series on type and printing revolution for Medium Premium:
Back when I started out in typesetting, production, and graphic design, we used X-Acto knives, wax, and layout boards to put the pieces together for printing. And we all, every one of us and every shop, had a variety of measuring tools that we used all the time. The type gauge and the line gauge were key ones!
As the paste-up era ended, and we moved into full pagination output and then ultimately eliminating most or all intermediate steps between digital design and the press.
But this year, in which I've spent hundreds of hours in a letterpress shop, I remember how useful it is as a designer to always have measurement tools nearby. Also this year, I met the folks at Buttonsmith, a local worker-owned, unionized, made-in-the-U.S. company that produces buttons, magnets, lanyards, and reels both in mass quantities of their own designs and custom one-off or larger orders.
Ah ha! I felt like there was something missing I wanted for myself, and so I designed it. I worked through a few prototypes and several digital revisions with Buttonsmith to get to the desired results: a type-geek lanyard. It's a silky soft set of rulers (inches marked to 1/8th, picas to 2 points, and centimeters to 5 mm) with some handy type and leading measurement tools as well.
I made a small batch for the School of Visual Concepts' Wayzgoose yesterday—an annual printer and general public meet and greet and marketplace—and have lanyards left to sell. (Don't use these while printing on a letterpress, of course, but they're great for all other times!)
You can order directly from me, and if I sell out, I'll take pre-orders for a new batch: $15 each plus shipping, but contact me if you'd like larger quantities.
Three pieces of printing news.
My friend Jeff Carlson came in to take pictures for his own interest on the first day I started in on printing my book by letterpress in June and then returned on one of the final days. He worked this up into a photo essay that ran at Adobe Create! It was a great pleasure to be photographed by him, as he’s a very fine artist, and neat to be in this feature. It’s really a nice look at aspects of letterpress and the studio in which I’m printing (at the School of Visual Concepts/SVC).
Jenny Wilkson, SVC’s letterpress program head, and I will teach a one-day workshop that explores laser cutting and engraving and letterpress on November 11. The title? “Frikkin Lasers: Letterpress Printing with Laser-Cut Media.”
Finally, if you’d like a piece of my printing, I’ve researched, written, designed, and printed a folio—a four-page booklet—with Walt Whitman’s poem “A Font of Type” on the cover and an essay inside that you can purchase! Ships immediately worldwide.
Things I didn’t know my children didn’t know until we went to the Museum of Communications:
- How to dial a rotary phone.
- How to listen for a dial tone.
- What a switchhook was.
- How to hold the switchhook down to hang up and then release to get a dial tone.
- That you had to lift the receiver to dial.
- What a busy signal sounded like.
- Why a busy signal existed.
The New York Times has a remarkable article about the Voyager probe team. A number of people who prepared the mission or became involved as it approached the outer planets still log hours every day!
I’m an unabashed fan of the Voyager team and the probes they made, which have overperformed mission life and expectations by orders of magnitude. Over the years, I’ve written several articles about the history of the spacecraft and the state of the mission. I had the fortune to interview Ed Stone a few years back, and get his insight, plus some follow-up interviews and emails for later articles. Sounds like he’s as crystal sharp now as he was then.
- “Postcards from the Edge” (the Economist): An interview with Ed Stone about the mission.
- “In Praise of Celestial Mechanics” (the Economist): How NASA’s remote hands on Voyager 1 and 2 upgraded its ability to communicate when far from Earth.
- “Building the plane on the way up” (Meh.com): The hope in the heart of the Voyager missions was a piece of encoding hardware that allowed transmitting vastly more data than they could when launched, but which didn’t have a corresponding decoding hardware on Earth when they launched.
- The software running on the Voyager probes is among the longest continuously running software ever written (MIT Technology Review). (With a proviso: it’s not one set of fixed code, and has been revised continuously as well, but it’s still the same hardware running code that governs a limited set of hardware.)
- “Has Voyager 1 left the solar system?” (the Economist): A quick explainer about how the sun’s magnetosphere works, and the scientific disagreement over what boundary Voyager 1 had crossed (if any). Later, the broad scientific consensus is that it left the heliosheath.
- “Where in the Solar System Has Voyager 1 Wound Up?” (Boing Boing): A deeper explanation of the sun’s various magnetic interactions, including the heliosheath, the magnetic bubble that deflects 75 percent of cosmic radiation.