Thursday, September 21, 2017

A Symbolic Look at Equifax

Here’s a video that symbolizes my interactions when enrolling in Equifax's credit monitoring service (audio is a must with this video). Nothing like a happy-go-lucky bear caught in a bear trap. 


video


Details


1. I checked to see if my data was compromised. (Some people reported yes, some reported “We believe that your personal information was not impacted by this incident.”) Fortunately, mine was the latter: https://www.equifaxsecurity2017.com/potential-impact/

2. I clicked “Enroll,” and I provided my information. Then, I waited several days for a confirmation e-mail for the next step. (http://trustedidpremier.com)

3. I clicked on the link in the confirmation e-mail. I provided a little more info and got redirected to a web page asking me to log in, but I never set up a password. (https://www.trustedid.com/premier/myaccount.php)

4. I clicked “Forgot password” and received a reset-password e-mail to set up my first-time password.

5. I set up a new password and clicked login after confirming my info.

6. I repeatedly received a “Server is down” error message.

7. I waited (hours/days) and kept trying while continuously receiving “The server unexpectedly dropped the connection” error messages.

To be fair to Equifax, it’s virtually impossible to stand up a website in a matter of days/weeks that could handle a load of this magnitude. (Remember when Twitter used to go down – “Fail Whale” – in the early years? Facebook avoided this problem by managing their rollout over college campuses to control their growth and server load.)

In the Equifax case, server downtime works in their favor since fewer people will enroll. And it gets very confusing for consumers when dealing with so many different domain names (equifax.com, equifaxsecurity2017.com, trustedidpremier.com, trustedid.com, etc).

I’ll report back when I’m able to successfully enroll. I'm still getting a "server is busy" error message.

Anyone else have luck enrolling?



Wednesday, September 13, 2017

iPhone X Form Factor and Security [u]

Perhaps. One solution is to turn off the phone at LEO encounters
Over the past two days, a surprising number of friends and colleagues have asked for my opinion on the iPhone X. This new smartphone seems to have received a lot of attention.

While I love the new features, I'm concerned about the form factor. Initially, it seemed to be as big as the iPhone 6/7 Plus models, which is too big for me. (I've been using the iPhone 6 & 7.) 

It turns out I was wrong about the size. Compared to the iPhone 7, the iPhone X is about one tenth of an inch higher and about 0.15" wider. So, it's slightly bigger than the iPhone 7. And, compared to the iPhone 7 Plus, the iPhone X is about half an inch shorter and a quarter of an inch narrower, making the X significantly smaller than the 7+. The beauty of the iPhone X is that the screen is more than a quarter of an inch larger than the screen on the iPhone Plus models (6, 7, and 8). That's a bigger screen on a smaller phone due to the X's edge-to-edge design.

So, the bottom line is I'm considering getting the iPhone X. 


Face ID

Instead of using Touch ID's fingerprint recognition feature for authentication, the iPhone X uses Face ID, which recognizes a person the same way humans do, by their face. Apple claims that Face ID is 20x more accurate than Touch ID, which is great. But, some people have raised alarms that law enforcement officers (LEOs) could take you into custody and simply unlock your phone by pointing the screen at your face. Could that really happen? Perhaps. But, I've seen alarmist headlines before ("Apple Crosses The Line With New iPhone Feature"). For people who are deeply concerned, one way to protect against this is to simply not enable the feature. Another option, if Face ID is turned on, would be to simply turn off your phone before a LEO encounter (e.g. crossing international borders, etc).

Each time the iPhone is turned on, the secure enclave, which processes your Touch ID or Face ID credentials, remains inactive until a person manually enters their PIN to decrypt this information. It appears, during Craig Federighi's demonstration of Face ID, that his demo phone had been restarted but not unlocked with the PIN, prior to his demo. This prevented Face ID from working. While that's the correct technical behavior, it happened at the wrong time – but he seemed to recover well during the demo.

Update: Apple's Craig Federighi details Face ID and how to quickly disable it.

Monday, August 28, 2017

My Favorite Technical Hacks

Hacks are simple shortcuts that increase productivity. They can be inelegant, but they solve a problem quickly. Hacks may be brittle, solving a problem under specific conditions, or they can require a few extra steps to realize the effective solution. An ideal hack is an innovation or design pattern that works so well it becomes a feature. My favorite non-technical hack (life hack) is one I use after hunting for a parking spot when they're scarce. In the past, I've parked my car and rushed off to my destination without paying attention to where I parked. This has happened to me a couple of times in La Jolla and Pacific Beach. So, one life hack I use to remember where I've parked is to open up the Maps app on my iPhone and take a screen shot as soon as I am parked.

I've come across a few computer hacks that stick out in my mind. Computer hacks are harder to explain than life hacks because one has to have an interest in software engineering. But, here goes...


1. Preventing JPG "Theft"

Java was the hot new language when I first started working at Apple. In order to get up to speed I coded as much Java as I could, especially applets since that seemed to be the future of the Web. (It turns out that Java became everything Ada wanted to be, and JavaScript became everything that Java applets wanted to be.)

One area that I focused on was coming up with a way to prevent JPG images from being "stolen" from a webpage. Once an image is displayed on a screen (computer, smartphone, etc), there's no simple way to keep someone from taking a screen shot. My Java applet solution got around this by taking the thumbnail of the image and blowing it up to the full size image so that it was pixelated (blurry). Then, as the user moused over the image in the applet, a small portion would come into focus. This allowed the user to see the entire image at full resolution, but only in parts (one-sixteenth, to be exact). While it was possible to take 16 screen shots and piece them together into a single, full resolution image, that was far from practical.

The full size image was encrypted on the web server to keep a user from downloading it directly from the server. The encrypted image was then sent to the user's web browser and decrypted in pieces, while in memory, inside the client's applet as they moused over the image. 


2. Facebook encrypted UDP

Awhile back, I heard about a brilliantly simple trick that Facebook uses to speed up their site. When a Facebook user logs into their account, their data is fetched from a database. While fetching the data, the user has to wait. The amount of wait time could be imperceptible to the user, or it could be a noticeably long time if the website is under a heavy load. "Heavy load" is a relative term, but Facebook serves more than two billion active users per month, so saving any amount of time makes a noticeable difference at that scale.

Wouldn't it be great if Facebook's servers knew what data a user needed before the user formally requested it? Well, that's effectively what Facebook's done with their little trick that simply involves sending an encrypted UDP (datagram) ahead of the formal TCP/IP request. UDP requests are fire-and-forget, meaning there's a small chance they might not arrive at their destination, but, if they do arrive (and they usually do) then they'll reach Facebook's servers sooner than a TCP/IP request. There's more overhead with TCP/IP since it guarantees delivery (or notice of a failed delivery). TCP/IP is the reason that webpages render perfectly compared to the BBS's of the 1980s that used unreliable dial-up modems where static and interference would be misinterpreted as data and displayed as garbled text.

So, the UDP datagram arrives ahead of the TCP/IP request which enables Facebook's servers to pre-fetch the data and load it in its cache before the formal TCP/IP request arrives. This hack is a simple, yet elegant, way to optimize a website for speed simply by "priming the pump."
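The priming pattern described above, as an added Python example that is not Facebook's code. It assumes a hypothetical datagram layout (timestamp, user id, tag), a constructed shared key `HINT_KEY`, and a hypothetical `ProfileServer`; the hint is authenticated with HMAC-SHA256 rather than encrypted, because the Python standard library has no cipher. Since UDP source addresses are easy to spoof, the server ignores forged or stale hints so that only a genuine client can trigger a database read.

```python
import hashlib
import hmac
import socket
import struct
import time

HINT_KEY = b"constructed-demo-key"  # assumption: secret set up at an earlier login
MAX_AGE = 5    # seconds a hint is accepted (assumed freshness window)
TAG_LEN = 32   # HMAC-SHA256 tag size


def seal_hint(key, user_id, now):
    """Client: build the fire-and-forget datagram  timestamp | user_id | tag."""
    body = struct.pack("!Q", int(now)) + user_id.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_hint(key, datagram, now):
    """Server: return the user id, or None if forged, stale or truncated."""
    if len(datagram) < 8 + 1 + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    (sent_at,) = struct.unpack("!Q", body[:8])
    if abs(now - sent_at) > MAX_AGE:
        return None  # replayed or delayed hint: not worth a database read
    return body[8:].decode("utf-8", "replace")


class ProfileServer:
    def __init__(self, key, database):
        self.key, self.database = key, database
        self.cache = {}
        self.db_reads = 0

    def _fetch(self, user_id):
        self.db_reads += 1  # stands in for the slow database round trip
        return self.database.get(user_id)

    def on_datagram(self, datagram, now):
        """UDP path: only warms the cache; nothing is sent back to the sender."""
        user_id = open_hint(self.key, datagram, now)
        if user_id is None:
            return False
        if user_id not in self.cache:
            self.cache[user_id] = self._fetch(user_id)
        return True

    def on_request(self, user_id):
        """Stand-in for the formal TCP request; returns (data, served_from_cache)."""
        if user_id in self.cache:
            return self.cache[user_id], True
        return self._fetch(user_id), False


def run_over_loopback():
    """Send one real hint datagram over 127.0.0.1, then make the formal request."""
    server = ProfileServer(HINT_KEY, {"alice": {"feed": ["post-1", "post-2"]}})
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(1.0)
        tx.sendto(seal_hint(HINT_KEY, "alice", time.time()), rx.getsockname())
        datagram, _ = rx.recvfrom(2048)
        server.on_datagram(datagram, time.time())
    except socket.timeout:
        pass  # a lost hint costs only the cache miss on the formal request
    finally:
        rx.close()
        tx.close()
    return server.on_request("alice")


if __name__ == "__main__":
    print(run_over_loopback())
```

The hint never returns data and never stands in for the login itself; the formal request still has to authenticate on its own.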

3. Safari DNS and Pre-loading

DNS: Safari speeds up webpage load times by looking at all the host names on a webpage, once it's loaded, and then performing a DNS lookup. This saves time, later, when a user clicks on a link since the DNS lookup has already been completed. The time savings might go unnoticed or it can save a few seconds. (There's even an HTML tag to help DNS prefetching.)

Pre-loading: Although I haven't read about this hack, I noticed it when I was monitoring my web server's logs in real-time. As I started typing my own domain name in Safari it came up with an autocomplete suggestion before I finished typing. At the exact moment that the autocomplete suggestion came up in Safari, I noticed an HTTP request for that autocomplete suggestion hitting my web server and showing up in my web server logs. In other words, Safari was loading a webpage before I hit enter. There's not much harm in doing this even if I never formally requested that URL. This is why some webpages load in a flash, especially when I'm on a fast Internet connection and the web server is using a content delivery network (CDN) like Akamai or CloudFront.


4. Keeping iOS Apps Running in the Background

For nearly four years I led the San Diego Kickstarter Meetup where I mentored entrepreneurs on crowdfunding their products. (At one point, we had six live crowdfunding campaigns.) A couple of the entrepreneurs had iOS apps that accompanied their product which needed to continue running in the background; but iOS doesn't like to keep an app running in the background because it drains the battery. One of the most interesting hacks to keep an app running in the background was to simply play a silent MP3 file which kept the app "alive," even when it was in the background. The downside was that you couldn't play music from another app, but for some situations that was fine.


5. Timestamping Race Photos

In the late 1990s, I started going to races (5Ks, 10Ks, marathons, etc), snapping race photos at the finish line, and then selling them either at the race or online. The challenge was finding a runner's photo among thousands – bib numbers had to be entered manually, which would take many hours. I came up with a solution that worked great which, to my surprise, no other race photographer had implemented. (Nowadays, RFID chips attached to the racer's running shoes solve this problem.)

My solution was to simply synchronize the time on my digital camera to the race clock where midnight (00:00 on a 24 hour clock) was the start of the race. If a runner finished a race in 23 minutes and 30 seconds then they could simply start looking for their race photo around 00:23:15 (23 minutes and 15 seconds after midnight) since the photos were taken about ten seconds before the runner crossed the finish line.

Not all hacking is bad. 🖥

Thursday, August 17, 2017

A Perfect Total Eclipse

With all the news about next week's solar eclipse, I was thinking about why we always see the same side of the moon.

The answer is simply because the time it takes the moon to orbit the earth is the same amount of time it takes to rotate on its axis (about 27 days).

That got me thinking... 

Why does the moon nearly perfectly block out the sun during a solar eclipse?

My conclusion, after running some calculations, is that the sun is 400x wider than the moon but it's also nearly 400x farther away.

Feel free to peer review my calculations.

Friday, August 4, 2017

Air Traffic Control Center Tour

I took a tour of an air traffic control facility, this afternoon, and learned a few things from a controller's perspective. We couldn't take photos as we toured the actual floor of the air traffic control center, but we were allowed to snap pictures in the training center; they look almost identical.
1. There are three basic types of air traffic controllers, each of which is highly specialized: those who work in the towers at the airport, those who work in the "centers" that handle en route traffic, and approach/departure terminal controllers who handle traffic arriving and leaving the airspace outside of an airport. So, a center controller hands traffic over to a terminal controller who would then hand traffic off to a tower controller for landing at an airport. Simple concept, tricky execution, especially when there's a VFR pilot flying close to controlled airspace (like Class B) and not talking to any controllers, which is perfectly legal when flying VFR (i.e. not on a flight plan).
2. Air traffic controllers jokingly refer to jumpers (parachutists) as "meat rockets." (Parachutists don't show up on radar.)
3. For IFR pilots: It's rare that a controller will ask a private pilot to fly an "unpublished hold," especially on a VOR. In other words, it would be rare for a controller to tell a pilot, "Hold east of the Oceanside VORTAC on the 090 radial, left turns, maintain 5,000', expect further clearance 0+50." The controllers probably wouldn't know the exact phraseology, either, and VORs are going away in favor of GPS. For private pilots in small (slow) planes, controllers would rather simply give a pilot vectors to fly a box rather than a racetrack (see last photo).
4. Everyone knows "Mayday. Mayday. Mayday," but no one seems to know or use "Pan-pan, pan-pan, pan-pan." Mayday: Emergency (from the French, "m'aider" meaning "help me"). Pan: Urgent problem (from the French, "panne" meaning "breakdown" – think of it as Mayday lite). 🛬

Today, I turn 0x32 Years Old

Today, I turn 0x32 years old (0b110010 for you binary nerds). That's half a century of life experiences for me.

Now, I am officially old. I have that old-man smell like mothballs and Aqua Velva. As a matter of fact, when I had a question earlier today, instead of looking up the answer on the Internet, I e-mailed a buddy asking him to explain it to me.

Some say that age is a state of mind, but there are absolute signs of “old age” and I clearly received one of those, this week: My membership offer for AARP. If I pay $16 to join in the next ten days then I’ll also receive a FREE Sport Tote. 

So, hit me up if any of you young whippersnappers need to know how to use Compuserve, Prodigy, MySpace, pogs, carbon paper, a fax, or 8-track. I'm your (old) man. (Sorry, I can’t help you with computer punchcards… I’m not that "experienced.")

You can e-mail me at my AOL e-mail address and I'll respond as soon as my secretary prints out your e-mail for me to read. (I jot down my response on the bottom of the page and then she types up my reply.)

More importantly, I’m currently looking for work as a Y2K consultant, so keep me in mind if you spot any job openings. 

Also, I have a bottle of witch hazel in the valise on my Davenport, in case you need any. #groovy #swell

Now please excuse me while I chase some kids off my front lawn and then head to the beach with my metal detector after going for a ride on my recumbent bike.

AOL Keyword: Birthday

Happy 25th anniversary of my 25th birthday. 

#generationX

Tuesday, August 1, 2017

How to Stop Google From Storing Your Voice to Text Recordings

Today, I ran across an article pointing out that Google is storing your searches and queries, including your voice to text dictation data.

I forgot that, many years ago, I had turned off all of these features, so Google doesn't report to me any history of my activity on any of their websites. But, I surprised some friends when I showed them how Google was storing their info. It is relatively easy to see what personal data they're recording. Simply visit the following webpage when you're logged into one of your Google accounts:
https://history.google.com

All clear - there's nothing to see here.


The following link will take you, step by step, through a Google privacy checkup where you can tell them what personal data you want them to record:
https://myaccount.google.com/privacycheckup




Friday, July 28, 2017

USMC Order of Battle: How it's Budgeted

Second Battalion, First Marines Supply Section
I joined the Marines when I was a naive teenager. I didn't know an officer from an enlisted person and I had no idea of how the military operated. Of course, I began learning all that on Parris Island. But, it wasn't until nearly ten years later, when I was a supply and fiscal officer for an infantry battalion (1/9 and 2/1), that I learned how military budgets worked. One supply chief I worked with used to tell me, "Sir, just take last year's budget and add 10%." While that was a great estimate, I still had to submit detailed calculations to support our budget requests.


Order of Battle

In our infantry battalion, we had close to 1,000 people, nearly all Marines except for about 70 U.S. Navy personnel for medical and religious support. Unlike the other services of the U.S. Armed Forces, every Marine is a combatant, so the Navy would support us with non-combat specialties. (There is one case that comes to mind of when a Marine would be considered a non-combatant and that's if they are captured and classified as a prisoner of war.)

The Marine Corps likes to organize maneuver elements into groups of three:
Three Marines form a fireteam (plus a fireteam leader).
Three fireteams form a squad.
Three squads form a platoon.
Three platoons form a company.
Three companies form a battalion.
Three battalions form a regiment.
Three regiments form a division.

In practice, each unit requires leadership and support. A squad has a squad leader. A platoon has a platoon commander, a platoon sergeant, and a guide (the guide marches at the front of the platoon carrying the guidon). The larger the unit, the more leadership and support is required.

Our infantry battalion had the typical five companies. Three were line companies used as maneuver elements, meaning that they'd engage in combat as a single unit on the front lines. The other two companies were support units. One was the weapons company, which is a maneuver support unit that provides organic fire support to the three line companies. The weapons company wouldn't see action as an entire company. Rather, they'd be split up into smaller elements (detachments) and attached to the line companies (as reinforcements) with their crew-served weapons (weapons requiring more than one person to operate such as a heavy machine gun or mortar).


Supply Support

H&S Company organizational chart (c. 2017)
As a supply officer, I was a part of the other support unit, Headquarters and Service Company (H&S). This company is where the commanding officer and his staff, which I was a part of, were organized. Supply officers are sometimes referred to as secondary staff officers since they usually report to the logistics officer who was considered primary staff. (For details on staff work see #Leading vs Staff Work.)

As a supply officer, I typically had one to two dozen Marines reporting up to me. On the battlefield, moving supplies around requires coordination via a trained logistics expert. Whereas, on a ship in the Navy the reverse is typically the case; a naval supply officer oversees logistics operations since it's not as challenging to move supplies from one part of a ship to another.

In addition to the commanding officer's staff and the supply section that I previously mentioned, an H&S company is also comprised of communications, motor transport, maintenance, armory, and cook sections that are administrative or technical. H&S does have one tactical unit, the scout sniper platoon, used for organic reconnaissance and engaging select targets.

The beauty of the Marine Corps is that every Marine's a rifleman. So, it's fairly common for cooks or communications Marines to go on patrol or be used to provide security around a base.

So, how is all of this budgeted and paid for?


Paying for War

As a second lieutenant, I learned, on the job, how budgets work but my knowledge was limited to the scope of my experiences.

There are two basic forms of military budgeting that I was involved with. Baseline budgeting, for training during peacetime, and contingency budgeting for wartime.


Contingency Budgeting

4th LAR Supply Section
Contingency budgeting is simple. Simply buy what you need, regardless of cost. It's like throwing out the checkbook register. Since it's war, money is not a big concern, especially at the battalion level. I experienced this when I served with 4th Light Armored Reconnaissance Battalion (4th LAR) after their return from the "March to Baghdad" in support of Operation Iraqi Freedom. We simply ordered all the repair parts we needed to refit our battalion. I don't recall how much that totaled, but the division headquarters was keen to let us know that we ran up the highest bill of any unit in 4th Marine Division. But, that was expected since we were the only "heavy" (mechanized) battalion that was entirely mobilized from the Marine Corps Reserves.


Baseline Budgeting

Baseline budgeting is a bit more tedious than contingency budgeting since we had to figure out how much our training was going to cost, ahead of time. Luckily, we had the Redbook. The Redbook is a manual of cost factors used to "cost out" training events. There is a lot of paperwork involved when repairing anything in the military, and for a good reason. Maintenance Marines typically don't realize it when they're filling out the repair forms, but the paperwork they submit captures specific details of the maintenance costs for every item repaired, from an M-16 to a tank. All of these costs are captured and averaged across the First Marine Division. The Redbook would give me, as the supply and fiscal officer, a reference to know that, on average, for every day an M-16 is used, we should plan to spend 2¢ on maintenance (not counting the ammunition) or for each day an M-1 Abrams tank is used it would cost $185.

With the Redbook, I would simply lay out our peacetime training plan and figure out which units and equipment would participate in each event. Unfortunately, I had to create the spreadsheets from scratch and keypunch the data, myself; this would typically take about ten days to complete. Luckily, I didn't have to budget for payroll and food since that was a fixed cost managed by the Marine Corps, at the highest level (there's no overtime in the military). Ammunition was budgeted for in terms of numbers of rounds, but not dollars, so that, too, wasn't a concern of mine.

Although baseline budgeting was tedious, it was a rewarding document to send up the chain of command. If we were short funds, we had hard data to make our case for additional money. Since Marines change billets every two to four years, most everyone is new to their current job position, including the commanding officer. Presenting this level of detail to my commanding officers made them keenly aware, if they were asked to participate in an unscheduled exercise or task force, that their first question should always be, "Who's paying for this?" Even in the Marines, it was pay-to-play. Semper Fi.

Monday, July 24, 2017

How Not to Answer a Press Question

Erik Prince: Founder of Blackwater
This morning, I heard an NPR interview, "Blackwater Founder Backs Outsourcing Afghan War-Fighting to Contractors," with Erik Prince. Although Prince quit the Naval Academy, I completely respect his reason: He loved the Navy but disliked the Academy. I also had thoughts about quitting the Academy to return to the Fleet as a corporal. It's an oppressive place where we joked that all of your human rights were taken away and slowly returned to you over the course of four years, and called privileges. The fact that Prince went on to earn a commission, became a Navy SEAL, and is now a multi-billionaire earns my respect as a professional.

In this morning's interview he sounded like he had a well-thought-out solution to the U.S. presence in Afghanistan. He wasn't the most eloquent speaker, but that's OK since eloquence can sometimes be fluff that makes a bad idea sound good.

Prince's solution to the U.S. involvement in Afghanistan seemed viable until the last question, "Does your company... want any part of this business?" It was a simple yes or no question and he tried to be deceitful while speaking the truth in his convoluted answer (answered in a style that he probably would not accept from one of his operators). He wasn't deceitful on his facts or opinions, rather he was deceitful as to the motivation for his idea. There are times when it's OK to lie or be deceitful, but this wasn't one of them. His answer sounded more like a politician. Great politicians are some of the smartest people, in the context in which they operate. A typical politician will take the question they are asked and not directly answer it – instead, they answer the question which they wished they had been asked. This is called spin, which, at its most extreme, is the ability to highlight the truth in a lie, or the lie in a truth.

The problem with Prince's answer to the final NPR question was that he was caught off guard, without a prepared answer, and threw out some distractions; all of which were facts describing what kind of work his company, Frontier Resource Group, does and what he wants for his sons. His first response to the question was so off-topic that the NPR interviewer had to re-ask the question, specifically pinning him down and making him appear to lose credibility on this topic. The last word he spoke was, "Absolutely." That should have been the first word he spoke.

This is how the final question should have been answered...
NPR: "Does your company... want any part of this business [in Afghanistan]?"
Prince: Absolutely! I want our company, Frontier Resource Group, which excels at the logistical support needed in Afghanistan, to be a part of a better and cheaper solution to save money and lives. Especially as a taxpayer and as a father of sons, I don't want my sons going abroad into what has been a poorly conducted war, so far.

Sure, it's easy for me to write this blog post after I've had time to think about it and tweak my words to say exactly what I want to convey. However, his answer might go deeper into the personality of a person, whom I've never met; it might be a tell that he'll dodge an unpleasant truth by burying it under facts and emotions. But, I could be wrong.

Monday, July 17, 2017

Me, Apple, and the Marines

Podcast interview: I’m always excited to talk about Apple, WebObjects, my time in the Marines, and working with Guy Kawasaki, Dave Winer, and It's Borrowed:

TMO Background Mode Interview with the CTO of It’s Borrowed Joe Moreno