Recent Posts
Web Mindset
There’s a common complaint about apps on mobile platforms (namely iOS and Android): you have to download an app. This has led to calls for websites to stop pushing their app equivalent and just let people browse. (We’re looking at you, newspapers.) Why pull a beefy application every month or so when you can just pull the UI, content, and behaviour all at once, on demand, when you need it?
This observation is correct, and, I think, not the main reason why the web’s usability will always triumph over apps.
When I need to do something on my phone, I first think, “which app do I need to use?” For example, when I need to get directions to a restaurant, Food Place (I miss restaurants; they were lovely), I first open the Ostentatious Maps application, and then I start to search.
Doing the same thing on my computer, the app question is already answered. It’s the web browser. It’s always the web browser. (Alright, not always… sometimes it’s the terminal.) So the first question becomes, “where do I navigate to?” And then I open https://ostentatious.maps/, which is the same Ostentatious Maps application, except it’s in a browser tab.
These are the same thing, right!?
We are not the same
The app and the tab might look the same (assuming you ignore that fucking cookie “consent” notice), but they represent very different ways of thinking.
Let’s take this example a step further. I’ve found the restaurant but I want to check my reservation time. On a mobile device, I first open the Superchill Email app, and then search for “Food Place”. On my computer, I open a new tab and head to https://superchill.email/.
While I’m searching, I remember that my friend Susan recommended a specific dish, again, over email. On the mobile device, I go back and search for “Susan” instead. On the browser… I open a new tab, and conduct the search in parallel. It was baked cheese. Susan knows me well.
Here’s where they diverge. In the browser, I can use the same application twice. It doesn’t need to do anything special; it’s just a new tab.
Pointless work
We leave our mess everywhere.
The demise of LastPass, or at least the beginning of the end
In August, LastPass notified its customers, including me, that there had been a breach in its systems, and some data was leaked. I didn’t worry. After all, “We have no evidence that this incident involved any access to customer data or encrypted password vaults.” The keys to the kingdom were safe.
On 1st December, it got a little murkier. It turns out someone “was able to gain access to certain elements of our customers’ information”. Still, I didn’t worry.
Then, on 22nd December, we were notified that “an unauthorized party gained access to a third-party cloud-based storage service”. Specifically:
The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Well, this was a surprise.
I was furious. And I wasn’t the only one. Not because the vaults had been stolen—after all, LastPass is a very high-profile target—but because they were apparently not treated with the care that any of its customers expected. (There have been those in the security industry blowing the whistle on LastPass for a while, but I hadn’t seen anything close to this damning.)
Specifically, website URLs were not encrypted. This meant that:
- Without any password cracking, the attacker had a decent profile of whose password was more valuable to crack.
- As LastPass often stores the full URL of where you set your password, it could include sensitive data such as a reset token. A poorly-designed password reset workflow (one that never expires the token, or doesn’t invalidate it after use) might mean that all the attacker would need to do is visit that URL and set a new password.
Long story short, a URL is sensitive data and LastPass haven’t done their job. Later, more information came to light regarding their mishandling of password iteration strength (the PBKDF2 iteration count used to derive the vault key from the master password), which I won’t go into. If you’re interested, Steve Gibson dedicated a podcast to the topic.
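To make the two points above concrete, here is an added example (not LastPass code, and not the author’s own tooling) that audits a constructed vault export. It assumes a CSV export with `url`, `username` and `password` columns, and that URLs are stored unencrypted as the post describes. It shows what an attacker learns from the plaintext hostnames alone, flags URLs whose query string or fragment carries a secret-looking parameter (the names in `SECRET_PARAMS` are a guess, not a standard), and demonstrates the obvious fix: store only scheme, host and path, which is all autofill matching needs.

```python
"""Audit a password-vault CSV export for URLs that leak secrets in plaintext.

Constructed example. The sample rows below are made up; nothing here is real
account data or vendor code.
"""
import csv
import io
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Parameter names that commonly carry one-time or session secrets (assumption).
SECRET_PARAMS = {"token", "reset_token", "key", "code", "otp", "session", "sid", "auth"}

# Constructed sample export: the third row mimics a password-reset URL saved at
# the moment the password was set; the fourth carries a session id in the fragment.
SAMPLE_EXPORT = """url,username,password
https://bank.example/login,alice,hunter2
https://webmail.example/inbox,alice@example.org,pass1
https://shop.example/reset?token=0123456789abcdef&email=alice%40example.org,alice,newpass
https://forum.example/profile#sid=deadbeef,alice,pass3
"""


def leaked_secrets(url):
    """Return the parameter names in the query or fragment that look like secrets."""
    parts = urlsplit(url)
    found = []
    for component in (parts.query, parts.fragment):
        for name, _value in parse_qsl(component, keep_blank_values=True):
            if name.lower() in SECRET_PARAMS:
                found.append(name)
    return found


def sanitise_url(url):
    """Keep only scheme, host and path: enough to match a site, nothing secret."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def audit(export_text):
    """Audit a CSV export.

    Returns (hosts, flagged):
      hosts   - sorted hostnames; this is the "profile" an attacker gets for free
                from unencrypted URLs, before cracking a single master password.
      flagged - list of (url, [secret parameter names]) for URLs that should never
                have been stored verbatim.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    hosts = sorted({urlsplit(row["url"]).hostname for row in rows})
    flagged = []
    for row in rows:
        secrets = leaked_secrets(row["url"])
        if secrets:
            flagged.append((row["url"], secrets))
    return hosts, flagged


if __name__ == "__main__":
    hosts, flagged = audit(SAMPLE_EXPORT)
    print("hosts visible without cracking:", hosts)
    for url, names in flagged:
        print(f"LEAK {names} in {url} -> store as {sanitise_url(url)}")
```

Run it and the bank and webmail hosts show up in the profile straight away, while the reset URL and the session fragment are reported as leaks. A vault that stored `sanitise_url(url)` instead of the raw URL would still autofill correctly and would have nothing for an attacker to replay.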
Shortly afterwards, I (and many, many of their other customers) decided to jump ship. I went for 1Password, based mostly on their reputation among security-savvy friends of mine, but also because of their decent UX. I have no particular affinity to them, and would probably be just as happy (or unhappy) with another provider. But still, so far, so good, and I love the integration with Fastmail’s “masked email” service, which means I can quickly generate a new email per service. (I decided to take the opportunity to move away from Gmail at the same time; gotta get myself disconnected from the big bad Goog.)
And so, I began the long, long process of changing my password (and email address) on every single website.
The long, slow migration
I really wish I’d kept detailed statistics on this, but rough guesses from memory will have to do.
When I started, I had over 600 passwords stored in LastPass.
I’m now pretty much done, with the exceptions of some shared passwords, and I have 170 passwords in 1Password—roughly 25% of what I had saved a month and a bit ago.
This was virtual spring cleaning, for me. I hadn’t seriously looked at my LastPass vault in years. Some of the passwords there were saved in 2010, or perhaps even earlier. A lot of the sites were completely defunct; some had been gone for so long that the domain had been snapped up and repurposed, leaving me very confused about why I would have ever signed up for a place that delivers sandwiches to my New York apartment. Fortunately, the password simply didn’t work, and I moved on.
In other places, it worked, but I had zero interest in preserving the account. I would hunt for a “delete my account” button. Sometimes it was easy, sometimes it was hard, sometimes it required arcane incantations and a trip to my favourite search engine to figure out. I was pleasantly surprised at the number of websites that provided an easy way to delete my account. If I had to guess from memory, I’d say that around 50% of the sites I was registered on made it automatic. Some made it too easy—I felt like I’d cheated, but most required me to re-enter my password or at least my username.
I can only imagine I have the GDPR to thank for this. 10 years ago, I expect most websites provided no option to delete your data, or at least your account credentials, and no one would even think of asking. Alas, we do not live in such innocent times, and our privacy is something we must all consider. Even the expectation of no privacy (for example, if you still have a Facebook account for some reason) is a choice, and a conscious one for many of us.
Many other sites weren’t quite so helpful. That said, there’s a magic trick: again, due to the GDPR, every website now has a privacy policy that actually means something. This means that it includes an email address or other contact mechanism which goes not to customer support, but (typically) directly to a privacy officer, who will take your request to delete your data seriously. Now, most of the time, I just wanted to close my account, and didn’t particularly care about my “right to be forgotten”, but those are the magic words that make sure your account definitely gets closed.
Technically, they’re only the magic words if you live in Europe, but most of the time, they don’t seem to care—it’s easier not to bother asking and just process the request.
And so, I have sent approximately a hundred emails asking various website owners to delete my account, sometimes with the magic words attached so they take it seriously. Of those, about half have actually dealt with my request; at the time of writing, I still have 40-odd websites in my “not deleted yet” folder. I’ve had some contact from some of them, but I don’t really understand why it takes a month of emails back and forth to make it clear that yes, I really really really don’t want the account I haven’t used since 2014.
And here, I guess, lies the flaw in GDPR: if they never, ever reply, will I bother making a formal complaint to whatever authority I need to complain to? I don’t even know who that is, so no, I will not bother. The website owners know this. I’m surprised half of them actually did process the request manually—it seems like such a lot of work.
So what’s your point?
Oh, are articles supposed to have a point now? I’m just rambling.
Perhaps I’m just bitter at spending so much time on an endeavour which was, quite possibly, totally pointless. No one is hacking my passwords, no one cares about my defunct account with a shop in the UK that only sells coffee equipment and doesn’t have my credit card stored anyway. I’m a little paranoid, and I guess I was looking for an excuse to do some early spring cleaning.
You could, if you were so inclined, piece together enough of my life from the various websites to perform some low-level identity theft, I guess, but that’d be a lot of effort. I am small fry, in the grand scheme of things. I know this, and yet I still went through the exercise, sending far too many emails for no good reason.
I think I may be feeling guilty about not writing. This process took up my attention, and I didn’t feel like I had enough juice to both change a lot of passwords and produce anything creatively. This combined with the fact that I tend to write more in January, probably due to some inner monologue telling me that even if I didn’t make a New Year’s resolution to write more, I should, and so skipping the whole month feels like I did something wrong.
I didn’t, of course. I promise nothing, and often deliver it.
If you made it this far, I am pleasantly surprised. I highly recommend pruning your list of random accounts in random places once in a while. Don’t let it get to 75% utter crap, like I did.
I shall finish more than I start
Here’s an incomplete list of projects I’m working on right now in my “spare time”, in order from least abandoned to most.
- This very blog you’re reading
- Migrating everything off LastPass, because it seems it’s very overdue
- Setting up NixOS on a new hard drive (this time it will stick, goddamnit)
- Advent of Code 2022 (I’m about half-way through; turns out it’s a lot harder to keep up when you have a tiny child)
- Improvements to my personal Mastodon instance
- Migrating my email and calendar from Google to Fastmail, in my quest to de-Googlify myself
- Shipping regular expression support in Smoke
- A build system as a DSL embedded in Haskell, called The Bakery
- A Firefox extension which automatically deletes cookies over a certain age, called Memory Loss
- Merging my other personal website, which is hopelessly out of date and therefore does not deserve a link, into this one
That seems to be about, I don’t know, seven or eight too many.
So my new year’s resolution for 2023 is: I shall finish more than I start.
Here’s to a shorter list this time next year.
I'm not fucking about, I'm internalising
I think I’m coming to terms with my procrastination.
A lot of the time, it looks like I’m fucking about, but I’m really just internalising the problem at hand, and clearing space for it in my brain.
It might look like I’m doing 8 other things. I need to do those 8 other things first, because they’re in the way. They’re taking valuable computation power and memory. Once they’re done, I have space to breathe, and then time to really get excited about the task at hand.
And meanwhile, there’s a background thread going on the whole time, musing over the problem, trying to understand it from a few different directions, decomposing and recomposing it while I answer an email.
Sometimes you have to go make a sandwich before you even start.
Of course, the other half of the time I really am just fucking about.
Which one is it this time? WHO KNOWS.
Twitter's doomed. What's next?
Last week, Twitter got new management.
Now, I’m not a fan of the new management. But then, I wasn’t a fan of the old management either. Nevertheless, this presented an opportunity to reflect on how I engage with Twitter.
About a year ago, I decided I was spending far too much time doomscrolling, and I deleted the app from my phone. I’ve done this before, but this time it stuck. I keep the browser signed out, too. If I want to check what’s going on on the timeline right now, I have to go to a computer. This means that I rarely check out the timeline. And I do not miss it.
So where’s the value? The value is in the conversations, the mutuals, the shared context we build over years. But at least for me, it’s been diminishing: the value I get out of Twitter now (or even a year ago, pre-deletion) is almost zero. I almost never receive a message from a friend that wouldn’t have been more personal somewhere more private. I see a lot of awful global news, but very rarely do I get some personal news that improves my relationship with someone.
This past weekend, I toyed with the idea of switching on Mastodon (with my own server, because what’s the point of joining someone else’s?) and trying to find my place in a community. I didn’t bother, in the end.
It’s not 2008 any more. The world has changed. It’s become more connected, for better or for worse, and I don’t think the evolution of communication platforms looks like Twitter. I think it’ll be very different.
As for me, I think I’ll keep my Twitter account around, mostly checking in occasionally to see if I have messages, but I’m done with the service. I don’t need it any more.
Perhaps I’ll join Mastodon, somewhere. Perhaps I’ll start my own server with microblog.pub. Mastodon uses the ActivityPub protocol under the hood, and it’s open. You can even write your own software if you want.
But for now, well, I have this blog. It’s not going anywhere. Maybe I’ll write more often. I enjoy it. You can subscribe, you know. The web isn’t going anywhere, and RSS will work until the apocalypse.
And if I want some conversation, perhaps I’ll add some server-side support and implement a Webmention endpoint (which is even simpler than ActivityPub), so your blog can talk to my blog. The way Twitter was meant to be, over a decade ago.
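Since a Webmention endpoint is mentioned above as the simpler option, here is an added example of the verification step such an endpoint has to do (this is not the blog’s own server code). A Webmention is a POST carrying `source` and `target` URLs; the receiver must check that `target` is a page on its own site, that `source` is different, and that fetching `source` actually yields a page linking to `target`. The security point a practitioner cares about is that the endpoint fetches an attacker-chosen URL, so it must refuse to fetch anything internal. The site hostname `blog.example` is an assumption, and fetching is passed in as a function so the example runs offline against a constructed page.

```python
"""Webmention receiver verification with an SSRF guard on the source URL.

Added example, not the blog's code. OUR_HOST is an assumption; `fetch` is
supplied by the caller so the logic can be exercised without network access.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

OUR_HOST = "blog.example"  # assumption: the site receiving mentions


class LinkCollector(HTMLParser):
    """Collect every <a href> in a page so we can check for a link to `target`."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def is_safe_public_url(url):
    """Refuse non-http(s) schemes, localhost, and IP literals outside public ranges.

    A hostname that later resolves to a private address still has to be rejected
    at fetch time (resolve first, connect to the checked IP, and re-check redirects).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    if host == "localhost" or host.endswith(".local"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname; see docstring for what still needs checking
    return ip.is_global


def verify_webmention(source, target, fetch):
    """Return (ok, reason). `fetch(url)` must return the HTML body of `url`."""
    if source == target:
        return False, "source and target are the same"
    tgt = urlsplit(target)
    if tgt.scheme != "https" or tgt.hostname != OUR_HOST:
        return False, "target is not a page on this site"
    if not is_safe_public_url(source):
        return False, "refusing to fetch source"
    collector = LinkCollector()
    collector.feed(fetch(source))
    if target not in collector.hrefs:
        return False, "source does not link to target"
    return True, "verified"


# Constructed pages standing in for the network.
FAKE_PAGES = {
    "https://friend.example/post/1": (
        '<p>Great post: <a href="https://blog.example/articles/lastpass">read it</a></p>'
    ),
    "https://spammer.example/x": "<p>Nothing relevant here.</p>",
}


def fake_fetch(url):
    return FAKE_PAGES.get(url, "")


if __name__ == "__main__":
    print(verify_webmention("https://friend.example/post/1",
                            "https://blog.example/articles/lastpass", fake_fetch))
```

The fetch-side guard is deliberately split out: the scheme and IP-literal checks above are only the first half of SSRF protection, and a real endpoint also has to resolve the hostname, connect to the address it checked, cap the response size, and apply the same checks to every redirect.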
If you want to contact me, I’m sure you can find my email address. No doomscrolling required.