We had a scary basement

When I was a kid, my parents had a horror movie basement. It was unfinished, poorly lit, and apparently designed to terrorize kids. It was divided into three approximately equally sized rooms:

The wooden, backless staircase from upstairs dropped you into the first. It was mostly OK, but the only light switch was on the far wall away from the base of the stairs, so you had to feel around in the dark to turn on the lights. This is where my parents put the piano I had to practice every day.

The second was separated from the first by a long wall with two large cutout “doors”. One of the doors let into a storage room where we kept canned foods, the furnace, and an opening toward the third portion of the basement. The second was mostly storage. For reasons never told to me, this door was covered with a blue velvet curtain you had to push through, and once inside you had to feel around in the dark for the pull string bulb. The far side of it also opened into the farthest section.

The back part was somehow the least creepy, even though it’s where we stored antiques and my dad’s wood shop. It still had those stupid pullstring lights, though, until you got to the far-far wall where there were switches for the fluorescents over the table saw and lathe.

Digression: my dad’s favorite game was “let the kids watch scary movies, then send them to the basement on errands”. It played out like this: little Kirk is watching The Shining on TV. It’s over and his dad says, “hey, I need to fix this remote. Go get my screwdriver, would you?” He gulps and goes down the basement stairs — the ones without backs so a bathtub woman could reach through them and pull him down to hell. He leaves the pool of light at the bottom, walks across the concrete, and gropes in panic for the switch. He finds it, then pushes through the velvet curtain which immediately falls shut behind him and leaves him in pitch black. Heart racing, he finds the pullstring. Light. He sort of sees the next pullstring farther back, so he sprints to it and yanks it. He yanks too hard and it fails to light, bouncing back upward and landing on top of a chest of drawers. He jumps until he can pull the string back down and yank it again. The light comes on and the demons withdraw back to the shadows. He more cautiously slinks over to the back wall, turns on the overheads, finds the screwdriver, and rests in relative safety for a few breaths. OK, time to retreat. He sets himself in a sprinter’s pose, reaches back to hit the switches, and darts back to the drawstring. Makes it. Does the same setup-switch-sprint combo to make it to the next pullstring safely. Tugs it and darts through the velvety cloak into light again. Pants. Goes to the wall switch, steels himself, and flicks it off. Leaps toward the stairs to hear his laughing dad turn off the light at the top and close the basement door. Climbs a flight in approximately .2 seconds, opening the door and bounding through it in one practiced motion. Sees Dad who examines the screwdriver carefully:

“I needed a Phillips. Go get it.”

My dad was really a great guy, but he’d been through a war and ended up as a mortician. His good intentions were that his kids would get desensitized to their own internal fears and live as carefree adults, free of the dumb little phobias that nag us all. Did it work? You bet it didn’t! But he tried.

Anyway.

So the basement was a horror story set, and yet it’s the one we had so we went with it. During daylight, you could start at the stairs, rollerskate past the furnace into Dad’s shop, loop back around and shoot through the velvet curtain, and go again for another lap around. That was pretty cool.

One un-daylit evening I was downstairs practicing the piano with my little dog sleeping on the rug next to me. I was plinking away until she stood up and stared into the black maw of the furnace room, hackles raising. I stopped. She didn’t. She crept an inch forward, then another, growling, then exploded into barking fury and raced into the back.

I sat on the bench, petrified.

Still barking furiously, she followed my skating path, dashed back into the room with me, rounded the corner, and tore back off into the back.

My breath and heart had stopped. I was frozen in space and time.

My protective pup ran two more laps and raced one last time into the back.

And then “it” growled, low, guttural, and loud. She screamed in pain, reversed course to shoot past me, and flew up the stairs to safety.

I sat there, in the same dark basement with the thing that drove my dog into a frenzy before hurting her into abandoning me. My heart beat once, then twice. I erupted into a panicked explosion of terrified kid and somehow made it upstairs and locked the door in a single motion. I found my little dog, two long clawmarks across her face.

My parents came home and I told my dad what happened. He was afraid an animal had gotten in, but we went around with a flashlight and a shotgun. All of the windows were locked shut as usual, and there were no signs that anything could have gnawed through the concrete walls. Something hurt my doggy, though, and I didn’t have to practice piano after sunset for a while after that until Dad forgot the whole thing and we fell back into the old routines.

You think your basement was creepy? You don’t know what that word means. I have stories.

My phone was Lyfted

My son needed a ride to a Boy Scout campout yesterday and neither Jen nor I were home to take him. I had the idea to call a Lyft driver for him. My son accidentally left his phone in the Lyft car and this is the timeline of what happened as we tried to get it back. I’ll call the driver “Joe”:

5:09PM: I book a ride through the Lyft app. Joe picks up my son.

5:21PM: Joe drops off my son at the destination.

5:25PM: Jen calls me to say that my son left his phone in Joe’s car. She is home now.

5:29PM: I use the “Lose something?” link in the Lyft app to report this to Joe. Joe never replies.

For the next 45 minutes, we watch my son’s iPhone on “Find My Friends” and see Joe’s car parked right across from where my son was dropped off (but my son had already left again so he couldn’t go get it). I don’t worry yet because I’ve already reported the loss and I assume Joe will be a decent person and return the phone. I try a couple of times to request another Lyft ride, hoping that Joe will come back to my house so we could get the phone. Other drivers accept the requests but I cancel them because I only wanted Joe, not another ride.

6:13PM: My wife calls the phone but it goes straight to voicemail.

6:23PM: Starting to get nervous, I take a screenshot of “Find My Friends” to have a record of its last known location. (This comes up later.) Shortly after this, the phone disappears from “Find My Friends”.

6:56PM: Worried now, after much frantic searching I find that I can contact Lyft through Twitter. I do so. We have a slow, agonizing conversation because it takes the Twitter person many minutes to reply after each of my messages. They tell me I can’t call Lyft’s contact phone number because that’s only for emergencies.

7:56PM: I use Lyft’s website to file two missing item reports: one to the Lost & Found department, and another one to the “Lose something?” link. Lyft explains that they only get messages explicitly sent to the Lost & Found department, that the “Lose something?” link goes directly to the driver, and that Lyft’s customer service doesn’t have access to those messages.

7:58PM: Joe texts me. He miraculously got this message, just not the one I sent at 5:29PM. He tells me he looked for the phone but didn’t find it. I reply that I watched it drive around Alameda. He said he got another request from my home address for a Lyft. I reply that I was trying to get him to come back to my house so I could recover the phone. I also told him where I last saw my son’s phone on “Find My Friends”. Joe replies that this is where he lives.

8:06PM: Joe calls me and we talk. He says he looked but couldn’t find it. I ask him to look under the seats. He says it’s not there. I said I will have to call the police to make a report for insurance and ask if he will be willing to talk to them to help me. He gets very agitated and defensive. I assure him that I’m not blaming him but might need his help. Suddenly he changes his story to say he has taken two rides since my son. I say, “oh man, that’s too bad. Now I’ll definitely have to make a police report.” Then he changes the story again to say he’s taken “several” rides, including one to the airport, and that one of those people must have it.

8:13PM: I call the Alameda police department to report it stolen. An officer came out a little later and I give her all this information. She’ll be contacting him if she hasn’t already.

I like to believe the best of people and I kept reassuring myself and my wife by saying, “oh, it’s wedged up under his seat or something”. But this paints a really, really bad picture for Joe:

  • Why didn’t he reply to the 5:29PM message I sent through Lyft? We’d already texted my son’s phone several times by then and Joe had to have heard it. By the time I first reported it as lost, Joe knew the phone was still in his car. There’s no way he didn’t.
  • The phone’s last known location was at Joe’s house, which was only a few blocks away from where he took my son. That’s by Joe’s own words. That’s where the phone was when it went offline — not off cruising through the city. I watched “Find My Friends” the whole time and it was only two places before it stopped responding: my son’s destination and Joe’s house. It certainly wasn’t at any airport.
  • Why did the phone go offline a couple of minutes after my wife called it while it was sitting at Joe’s house?

The police will draw their own conclusions and they may or may not get it back. I don’t know. All I know is that my son is out his Christmas present, it disappeared from Joe’s possession, Joe ignored my first attempts to recover it, and it was turned off while it was parked at Joe’s house right after Jen called it. The only plausible explanation I can come up with is that Lyft’s driver is a lying thief and I’m out $600 because I chose to use their service. I can’t conclusively prove what happened, but I’m 100% convinced I’m right. There’s just no other answer that fits the evidence.

The worst part is that I gave Joe a 5 star review and a 20% tip before I knew what happened. That’s just adding insult to injury.

Information I gave the police

By the time the police officer visited, I had gathered up:

  • Joe’s picture from the Lyft receipt
  • A transcript of my text chat with Joe
  • A screenshot of “Find My Friends” showing the phone at Joe’s house
  • A transcript of my Twitter chat with Lyft
  • The phone’s serial number
  • This timeline

I have a stack of paperwork proving my side of the story. It’s not something I just made up.

Lyft through all this

For their part, Lyft’s support people have been very pleasant and as helpful as they could reasonably be. There are a few things I believe directly contributed to this outcome, though:

  • According to Lyft, the “Lost something?” link in the app and in email receipts goes directly to the driver. It does not go to Lyft. They had no record that I’d attempted to contact the driver.
  • They only offer phone support for emergency accident situations. The only other form of interactive help I found was via Twitter. In this situation, every minute counted and it took a long time to get the conversation started.
  • Once engaged with Twitter, the average response time between when I sent them a message and they replied to it was 7.5 minutes. Again, when time is of the essence those silent minutes stretched out long.
  • Lyft’s privacy policy reasonably and fairly prevents them from sharing information about Joe’s other rides without a court order. I stand behind that policy. It’s good. However, I wish they could confirm whether Joe actually drove to the airport last night. I don’t believe that would be a violation of Lyft’s riders’ privacy because it could only reveal that some person in this part of the city went to the airport. Statistically, that’s a certainty anyway. It would also not be a violation of Joe’s privacy because he volunteered the information; Lyft would only be confirming what he had already stated.

I think they could make changes that would help resolve such situations more quickly and satisfactorily:

  • Provide a non-emergency customer service phone number so that riders can engage Lyft support more quickly when necessary.
  • Log “Lost something?” messages to riders’ accounts so that support is more quickly aware of urgent situations.
  • Provide additional online communications channels like web chat. I love Twitter and use it often but that’s a poor primary support method. I can imagine how frustrating it would have been to have had to sign up for a Twitter account before I could start a conversation with Lyft.
  • Hire more support employees. The support staff I spoke with was very polite and helpful but I got the mental image of three well-meaning but overworked employees trying to help 40 people at once.
  • Most importantly, stop offering ride requests to drivers as soon as something is reported missing. When I first used the “Lost something?” link, Joe was still parked within a short distance of where he’d dropped my son off. If Lyft had a “take the driver offline until they respond” policy, this whole episode could have ended 8 minutes after it began. There would have been no question of what happened because no one else would have been in the car, and Joe would have had an incentive to reply because he would have stopped earning money.

These changes would go a long way toward making a highly stressful situation a little more bearable. I would have felt I was working with Lyft instead of in spite of them.

Update

Day two

10:12AM: Lyft contacts me to explain their privacy policy. They also inform me that it’s against Lyft’s policies for unaccompanied minors to use the service. I didn’t know that. As a driver, though, I presume Joe knew Lyft’s rules. I guess he’s OK with breaking all sorts of rules when he can benefit.

Christmases Past

How I imagined the backstory of the dad from “A Christmas Story”:

I’ve seen things. Lots of us have: it was a long war. Terrible things, like Anzio ’44. Wonderful things, like summer in liberated Paris. I’ve seen these, and I’ve remembered them.

I wasn’t supposed to be home very long, just a while to relax a bit and then join my buddies on our way to Asia, maybe Africa. I’ve heard Brazil is lovely. Smitty changed his mind after Kimbal got lost to a land mine, though, and anyway I’d met her by then. She’d never been outside her Midwest town along the rail line to San Francisco, but I guess after a couple of beers we both found something to like. I needed her all-Americanness. She enjoyed my stories — at least, the ones I dared tell her. I never planned to stay. No matter. The days faded into months, and her idea for me to use my G.I. Bill to get a degree in accounting was solid. The boys wouldn’t have believed it. Me, in an office! But why not. We all settle down eventually, right?

My wife will never go with me. I’ve accepted that. We have a good life, even if this town gets a little small. We won’t dance the night away in Milan but there’s a warm bed and dinner on the table every night. That counts for a lot. I just wish… they understood. That I need a little escape sometimes. That I need to be outside this town every now and then, running with the bulls or racing to victory. I can read and I can imagine and that works for me. I’ve earned that, haven’t I? I know I can’t be a bush pilot now, so don’t remind me that it’s only my silly fantasy. I know this. I need a few minutes to pretend, that’s all.

One boy takes after my wife. He’s a good kid. He’ll be a solid office man too one day. Perhaps a tradesman. Yeah, I could see that. I know he won’t leave the state — God willing, he won’t have to like I did. He’s home and that’s big enough for him. I’m not sure about the other son. I think I see a spark in him. I think he might take after me, for better or for worse. He wonders about things. He dreams. I can see it. This isn’t a great place for wonderers and dreamers, don’t I know, but maybe I can fan that spark into something wonderful. Something to get him out of here. Something to help him see things, terrible and wonderful things that he can remember. He can have his own silly fantasies, and if my Ralphie wants to be Red Ryder and have his own BB gun with a compass in the stock, then that’s what Santa is going to bring him.

Adventures in Comcast support

We live outside San Francisco, and Comcast is our cable provider. We wanted to watch college football on TV so I visited Comcast’s website to add the “Sports Entertainment Package” for $10 per month. Immediately after turning on the big game, we found that the BTN channel was in old-style “standard definition” (SD), not HD. On top of that, Comcast’s channel feed was so terrible that it was almost unwatchable: we couldn’t always see the football.

I contacted Comcast’s tech support to help find the HD version of the channel. This is the transcript of that conversation:

Problem: Can’t find BTN HD
CHAT ID: 9244E213-3F78-4690-87BA-6A69C55B7A90
Comcast tech: Hello Kirk, Thank you for contacting Comcast Live Chat Support. My name is [TECH]. Please give me one moment to review your information.
Comcast tech: How’s your day going?
Me: My Issue: Can’t find BTN HD
Me: Hi [TECH]
Comcast tech: Hello Kirk.
Me: I added a sports package to my account so I could watch football on BTN.
Me: But I can only find the SD channel, not the HD version.
Comcast tech: I am glad that you have brought this concern to our attention.
Comcast tech: I am glad that you have brought this concern to our attention.
Comcast tech: Rest assured that I can definitely help you to resolve your issue today and I’ll be more than happy to assist you.
Comcast tech: But before we start, may I ask you a few questions please?
Me: Sure!
Comcast tech: Thank you.
Comcast tech: For account verification, may I have your account number please?

Note: the web page I’d been looking at when I started the chat showed this information. Comcast’s own systems apparently don’t communicate with each other. I logged into the website in another browser tab so I could copy and paste my account number.

Me: Umm, let me look.
Comcast tech: Sure.
Me: [long number]
Comcast tech: Much appreciated, thank you so much.
Comcast tech: Kirk, may I place you on hold for 2-3 minutes while I am reviewing your account and checking the BTN HD channel for you please?
Me: Sure.
Comcast tech: Much appreciated, thank you so much.
Comcast tech: Thank you for patiently waiting.
Me: Certainly.
Comcast tech: Kirk, upon reviewing your account, I see that your current package is the Preferred Double Play and you added the Sports Entertainment Package for you to access this Big Ten Network. However, you can’t access the BTN HD, Right?
Me: That is correct.
Comcast tech: Thank you.
Comcast tech: Would you mind my asking what channel is the BTN SD on your end please?
Me: 403

Appropriate.

Comcast tech: Thank you for that information.
Comcast tech: One moment please?
Me: Sure.
Comcast tech: Much appreciated, thank you so much.
Comcast tech: Thank you for waiting.
Comcast tech: Kirk, I am seeing here that you added the Sports Entertainment Package just today. Right?
Me: Correct.
Comcast tech: You were able to access this BTN in SD channel and not in HD. Right?
Me: Correct.
Comcast tech: Thank you.
Comcast tech: May I have the serial number of your box please? It is located at the back/bottom of the cable box with HOST S/M or MCARD SN and it starts with M1, MA, PA, PK, SA or GI.
Me: This will take a moment as I tear my living room apart.

I was being a little sarcastic. Our cable box is installed in an entertainment center and I had to disconnect several cables to get at the box. I’ve worked tech support before, though, so I understand that the tech had a procedure to follow and I went along with it.

Comcast tech: Sure.
Comcast tech: o problem.
Comcast tech: No*
Comcast tech: I’ll wait for the serial.
Me: [another long number]
Comcast tech: Thanks for the serial.
Comcast tech: Just hold on please?
Comcast tech: Thank you for waiting.
Comcast tech: Kirk, I am still on the process of troubleshooting your box.
Comcast tech: I will also send a signal directly to your box.
Me: It just rebooted (or something very much like it).
Comcast tech: The signal I sent will turn off the cable box, you may need to turn the cable box manually using remote or by pressing Power on the box.
Comcast tech: Signal fully sent to your box.
Me: It’s showing a “ONE MOMENT PLEASE” message.
Comcast tech: No worries, that is normal. We just need to allow the box now to load all its data.
Comcast tech: Kirk, are you still getting the One Moment Please message?
Me: Now it says: INTERACTIVE SERVICE – XOD, To activate service, press OK
Comcast tech: Just follow the instructions please.

I’ve been following the instructions. Don’t get snippy.

Comcast tech: Press ok.
Me: Now I’m in XFinity on demand.
Comcast tech: Okay.
Comcast tech: Hold on please?
Me: For the record, my house guests are about to revolt against me. We’ve missed two touchdowns.
Comcast tech: I certainly understand that, Kirk. I am sincerely sorry for the inconvenience.
Comcast tech: Just hold on please?
Me: Holding.
Comcast tech: Thank you.
Comcast tech: Kirk, upon double checking here, the Big Ten Network in HD channel is not available in your area.
Comcast tech: What available is the BTN SD only in your area.
Comcast tech: I am sorry for that, Kirk.
Comcast tech: I hope you understand.

What? First, that’s ridiculous. Who wants to watch football — on a premium channel, no less — when they can’t physically see the ball? Second, it would’ve been nice had the tech checked this before resetting my cable box.

Me: I do not wish to be rude to you, [TECH], because you have been very helpful.
Me: But no, I don’t understand. Is that a joke?
Me: I would pay $10 a month to watch football with horrible picture quality?
Me: That’s unacceptable.
Comcast tech: I perfectly understand you, Kirk. I understand the frustration that you have right now. However, as much I love to give you this BTN HD but Comcast doesn’t have an agreement yet for BTN HD in your location.
Comcast tech: I hope you understand.
Me: No, but whatever. My cable box is still rebooting. My guests are leaving to go to a local restaurant.
Comcast tech: I already exhausted all my resources to address your concern today. I found out that this BTN HD is not yet available in your area.
Me: You did that after rebooting my cable box, which still hasn’t started back up. I wish you had checked first.
Comcast tech: I am sorry to know that your guest went out to a local restaurant.
Me: Because you broke my TV.
Comcast tech: My sincere apologies for the inconvenience.
Me: How long is this expected to take to restart?
Comcast tech: We need to allow the box now to load all its data. This may take 45-60 minutes for the box to download all its settings. You may see an error on your On Demand, To Be Announced on your Guide and One Moment Please on your channels.
Me: AN HOUR?!? ON GAME DAY?!? ARE YOU KIDDING ME?

Our guests are not amused at this revelation.

Comcast tech: Nope. The regular channels will only take 10-15 minutes to restart.
Me: OK, I think we’re done here.
Comcast tech: Kirk, again, I do apologize for the inconvenience. I know how important for you to watch the football game.
Comcast tech: Thank you.
Comcast tech: Is there anything else that I can help you with?
Me: For the love of all that is holy, please don’t help with anything else. No.

It’s been well over an hour now and our cable box is still unusable.

Comcast, this is why people are cutting the cord. I expect to do so later this week.

What I Tell My Kids About The Internet

Hi kid! You don’t know me, but I’m one of those “Internet expert” kind of guys they interview when something bad happens. I won’t bore you with the details, but let’s just say that I make big computer systems for a living and I know how they work.

I’m not your mom or dad, or a teacher, or your church leader, or your coach, or a cop. I don’t know you, either, and honestly, I don’t care about you personally so much that I’d want to scare you or exaggerate things or otherwise lie to you.

I love the Internet, and I’m pretty proud of this amazing place that my friends and I have built. There’s a lot of great stuff on it, and I truly think it’s one of the best things that people from all over the world have ever come together to create. I think we did a pretty good job, for the most part.

The thing is, it’s also easy for bad things to happen on the Internet. I’m not talking about stuff like child predators or terrorists or hackers trying to steal your iTunes credits. Yeah, those things exist. But yes, the news exaggerates them a lot to scare you and to make you want to watch more of the news (see how that works?). I don’t want to do that. The truth is, you’re way more likely to have trouble from the wrong people seeing things you’ve written or pictures you’ve sent than you are from any Stranger Danger.

Social networks are awesome. I use the same ones you do - and some that you don’t even know about yet - to talk to my friends the same way you talk to yours. I think they’re great. However. Every single one of them tells the same lie: that you can click a “keep all my stuff private!” checkbox and all your stuff will stay private. If you only hear one thing I’ve said today, let it be this:

They. Are. Lying.

Oh, they don’t mean to. The people who made Facebook and Twitter and WhatsApp are smart people who try awfully hard to do a good job. However, making giant computer systems like that is super difficult and it only takes one itty bitty mistake in a giant tangle of a million moving pieces for it all to break. When you see a setting like “only share this with my friends”, what it really means is “should we try to keep this private and hope that we did everything 100% correct and didn’t screw something up somewhere?”

But none of that really matters anyway, not when your “friend” can take a screenshot of your messages on their phone. Say you just told your BFF about your crush. You checked the little “don’t share this!” box and the computer guys did their job and the privacy stuff works just like it’s supposed to. And because they think it’s funny, your BFF clicks the buttons to take a screenshot so they can tease you about it later. Guess what: now there’s another copy of your message, but this one doesn’t have that little “don’t share this!” box next to it.

The rule in computing is “if you can read it, you can copy it”. There are some smart people who waste their time trying to break that rule so that you can’t make copies of movies or music or video games, but, well… did you pay for every one of those songs on your iPhone? Yeah, thought so. That’s what I mean, though. If it’s easy to copy songs and movies and video games, how hard is it to copy a screenshot of your text message conversation or - ahem - one of “those” pictures?

So after all that, here’s what I tell my own kids:

  • If it’s on the Internet, everyone can see it. No exceptions. Everyone. I’m saying this as one of the guys who helped make the Internet. Trust me on this one.
  • Do not put stuff on the Internet if you don’t want everyone to see it.
  • Before you put stuff on the Internet, imagine who the worst possible person to see it in the entire world would be. What if your teacher read it? What if your mom or dad saw the picture? If the answer is “oh, wow, that would really suck”, then don’t put it on the Internet.
  • If it’s on a computer or cell phone or iPad, it’s on the Internet. You wouldn’t believe how many ways there are for a note or photo to get automatically backed up or copied around to some computer somewhere that you don’t have any control over.
  • This one is mainly (but not only) for girls: odds are, some day he won’t be your boyfriend anymore. Do you want a pissed off ex-boyfriend to have “those” pictures to share at school?
  • Don’t. Reuse. Your passwords. I read the news stories you don’t, the ones about how some instant messaging company had their password database hacked into and stolen. That means someone has a whole list like “CoolKid23 uses the password MyDogStinks”, and then they go around to other websites and try to log in with those same usernames and passwords. Make up different passwords for each website and chat program you use. Write them down on a piece of paper and leave it at home if you have to, or use a “password manager” program to do it for you. Yes, I know this sounds paranoid and geeky. But I’m telling you this with my hand on my heart: this is important. It’s something you have to do. It’s a pain in the butt, but that’s just the way it is.

Have I scared you? If I did, I’m sorry. There are people who want to scare you because that’s how they think they can get you to listen. I’m not one of them. But I do want to tell you the truth about how things on the Internet actually work. This is important stuff, and it’s only going to get more important as we share more of our lives with our friends on the Internet.

I’m still proud of this great big network we’ve built, and I use it every day of my life. The Internet has a lot of exciting things to offer. Use them and have fun! Just be smart, and be a little suspicious before you send a message or a picture. Don’t share the things you don’t want the whole world to see.

OK? OK. Glad we had this talk. Now do your homework.

My FCC Net Neutrality Letter

This is my letter to the FCC on September 12, 2014 regarding the upcoming net neutrality decision making process:

I am a Comcast customer, and I am paying them for a 100 million bit per second connection. Comcast has a monthly data cap of 300 billion bytes (or about 3 trillion bits) per month. At the speeds I’m paying full price for, I can use up my entire monthly data allotment in about 8 hours.

More simply, my monthly Comcast payment entitles me to use my Internet connection at full speed for one third of one day per month.

Esteemed colleagues, I find it disingenuous that Comcast and their peers claim that they need to charge more to carry the services I want to use, all while constricting my paid usage to one ninetieth of my connection’s capacity and raking in record profits. There is simply no fiscal credibility to their claims and I urge you to look upon them with due skepticism.

The FCC has received millions of letters supporting net neutrality rules against Internet slow lanes. Most of these have been form letters written by various citizen-friendly organizations and submitted by casual site visitors. Most of the individually written letters are various restatements of why net neutrality is important. All of those are good, but it’s also important to remind readers of these letters that anti-free-market groups like NCTA and its constituents have no legitimate counterarguments. They claim to need Internet slow and fast lanes to make money, but the industry makes huge amounts of money while delivering some of the worst Internet service in the developed world.

Comcast earned 3.3 billion dollars in net income in the second quarter of 2014, all while allowing customers to use only one ninetieth of the utility they’ve paid for. The only valid explanation for their strident opposition to net neutrality is sheer greed.

Cut Hoodies Some Slack

No good article about the Bay Area misses jokes at hipsters in their hoodies, whether biking through The Mission or chairing board meetings in The Valley. It’s an easy laugh and a nodding wink to your audience to assure them that you’re on their side, that you know how silly grown adults look in their kiddie jackets. But consider:

  • San Francisco is walkable, and people take advantage of it. My stroll from the bus terminal to my office is about a mile, and the sidewalks teem the whole way.
  • Layering is crucial. The weather changes rapidly from warm to cold, gray and windy and then back. Clothes have to adapt from comfortably light to guarding from the elements quickly and easily.
  • The city is humid. A light sweat from walking stays on you, and nylon clothes become waterlogged and sticky within blocks.
  • The city is windy. Synthetic fleece jackets are great, until a breeze picks up and cuts through the coarse cloth. I’ve never been so cold as when I was near the shore in a thick fleece.
  • Sun gives way to drizzle in minutes. Between the rain and the wind, it’s always smart to pack a hat.

Distilled, that means the ideal outerwear is of natural fiber to let sweat through while keeping wind out. It has a zipper and can go from breezy to windproof. It has a hat.

You know: a hoodie.

The humble jacket is a perfect fit for the local climate, where the weather is rarely great but is never bad. They’re warm in the winter and protective in the summer. You can buy one for a few dollars from street vendors, or spend more for a handmade work of urban art.

Making fun of a San Franciscan for wearing a hoodie is like teasing a Minnesotan for wearing a coat and scarf. Yes, we love our hooded jackets. Why shouldn’t we?

Scaling with Eventual Consistency

Originally published on the Crittercism Engineering Blog and reprinted with permission.

by Kirk Strauser on April 8, 2014

CAP theorem hates you and wants you to be unhappy

Some guy who isn’t fun at parties came up with the CAP theorem, which basically says it’s impossible to be consistent and available at the same time. In short, things will break and clients will lose access to a storage backend, or units in a storage cluster will lose the ability to talk to their peers. Maybe those servers are crashed. Even worse, maybe they’re up and running but a network outage means they can’t reach each other, and each part is still accepting writes from clients. Our enemy, CAP theorem, says we have to choose between:

  • Keeping our data consistent, at the price of not being able to make progress when parts of the database cluster are unavailable.
  • Keeping the database cluster available, at the price of some parts of it being out of sync with others and resolving any conflicts later.

Consistency brings pain

In any case, we have to decide what happens when we want to write to a record. Let’s assume for demonstration’s sake that a record is a bag of opaque data that the backing store doesn’t really understand; imagine a JSON blob, or a bit of XML, or whatever other datatype your favorite database doesn’t natively support.

Let’s also assume we have a consistent database. Either it’s a single server that’s running or not running, or it’s a cluster that only accepts requests if all nodes are online and synchronized. In short, we can always trust our database to Do The Right Thing.

Here’s how consistent workflows evolve from the most innocent of intentions.

First attempt: blind writes

We want to write a record, so we write it! Easy-peasy.

  1. Write out an entire record
  2. Profit

Second attempt: read-update-write

Ouch! Two requests want to update the same record. Both of them write out its entire contents, but only the last one wins.

  1. Request A writes out {"foo": "bar"}
  2. Request B writes out {"baz": "qux"}
  3. Request A cries salty tears
  4. Request B gloats and gets punched

That’s not good. The answer, then, is surely to read what’s there, update it, and write the results back out:

  1. Request A fetches the record with its initial value of {}
  2. Request A updates the record to {"foo": "bar"}
  3. Request A writes the record with its new value
  4. Request B fetches the record with A’s value of {"foo": "bar"}
  5. Request B updates the record to {"foo": "bar", "baz": "qux"}
  6. Request B writes the record with the combined value

They shake hands and go home. And at 2AM, the Ops pager goes off because every write requires a read to get the pre-existing value. But let’s pretend IO is free and infinite. This algorithm is chock-full of race conditions. At our scale, here’s what’s going to happen many times per second:

  1. Request A fetches the record with its initial value of {}
  2. Request B fetches the record with its initial value of {}
  3. Request A updates the record to {"foo": "bar"}
  4. Request B updates the record to {"baz": "qux"}
  5. Request A writes the record with only its new value
  6. Request B writes the record with only its new value, overwriting A’s

And now we’re right back where we started.

Third attempt: locks everywhere!

Looks like we’ll need to lock each record before updating it so that only one request can mutate it at a time. We care about uptime so we have a highly available distributed locking system (ZooKeeper, Redis, a highly motivated Amazon Mechanical Turk, etc.). Now our workflow looks like:

  1. Request A acquires a lock on the record
  2. Request B attempts to acquire the same lock, but fails
  3. Request A fetches the record with its initial value of {}
  4. Request A updates the record to {"foo": "bar"}
  5. Request A writes the record with only its new value
  6. Request A releases the lock
  7. Request B attempts to acquire the same lock, and succeeds this time
  8. Request B fetches the record with A’s value of {"foo": "bar"}
  9. Request B updates the record to {"foo": "bar", "baz": "qux"}
  10. Request B writes the record with the combined value
  11. Request B releases the lock

That actually worked! Of course, it took two reads and two writes of the database and five calls to the lock manager and Ops wants to set fire to your cubicle because their call duty phone won’t stop buzzing.

But let’s assume that we have a free and infinite lock manager. What happens if Request A never completes the transaction and never releases its lock, maybe because of network problems, or the node it was on died, or it couldn’t write to the database, or [insert your own pet scenario here]? Now we can’t make progress on B’s request until the lock expires, or until we break the lock and potentially overwrite A’s updates. For all our efforts, we’re still not in a much better place than we started.

Side note about the locking manager

Any distributed lock manager has to solve all of the same problems we’re listing here. Even if we use this pattern, we haven’t made the root problem go away: we’ve just shifted it to another piece of software. The CAP theorem means that a lock manager optimized for consistency has to sacrifice availability, so in the event of a network outage or failed locking manager node we still can’t get any work done.

But eventual consistency brings joy and unicorns!

Consistency is critical for many reasons. I’d much rather queries to my bank be slow or unavailable than incorrect! There are times and places when we want the properties that consistency buys, regardless of its price.

But there aren’t many of them at our scale.

What we want is eventual consistency, or a promise that the database will make its best effort to make its records return their current values. This pattern extends both to the database we use to store our records and to the way in which we generate and process those records.

Solution: journaled updates

Instead of treating our record like an atomic chunk of data, we’ll treat it like a list of atomic chunks of data representing updates that clients want to make.

  1. Request A appends its update of {"foo": "bar"} to whatever happens to already be in the record
  2. Request B appends its update of {"baz": "qux"} to the record
  3. Much later, if ever, Request C fetches all the values from the record and combines them into a final data structure. In pseudocode:
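def materialize(query):
    # Replay the journaled updates in order; for a repeated key, the later update wins.
    result = dict()
    for update in query.records():
        for key, value in update.items():
            result[key] = value
    return result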

In our example, that would fetch the list of updates [{"foo": "bar"}, {"baz": "qux"}] and combine them into a single record like {"foo": "bar", "baz": "qux"}. This is a very fast operation for any sane amount of updates.

Our primary usage pattern is “write many, read rarely”. Most of the events recorded by our system will never be viewed individually, but might be used to calculate trends. This solution allows us to trade a small (but fast and easy) bit of post-processing for a huge bit of not having to worry about requests clobbering each other, locking semantics, or mixing reads with writes.

Ordering is still hard

This solution isn’t magic, though. It doesn’t define how to reconcile conflicts between updates, and we still have to make those decisions.

Time and time again

The simplest method is to store each record’s timestamp and replay them in order. However, it’s impossible to guarantee ordering between timestamps generated across more than one host. Two database servers might be off from each other by a few seconds, and NTP only seems like a solution until you’ve actually tried to count on it. The one situation where this is feasible is when requests to update a given record are all generated by the same client. In this case, we can use the client-generated timestamp to reasonably represent the correct ordering of updates.

Understand our data

Another approach is to make smart decisions about the data we’re storing. Suppose a certain key, foo, may only ever increase. Given a set of updates like [{"foo": 23}, {"foo": 42}, {"foo": 17}], the correct resolution would be {"foo": 42}. This requires an understanding of the data, though, and isn’t something we’d want to pursue for customer-generated inputs.
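The journaled-update pattern and both ordering rules above, worked through as an added example (not Crittercism's code). The `Update` fields, the `Journal` class and the resolver names are hypothetical, and the sample updates are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Update:
    client_id: str    # hypothetical field: which client produced the update
    client_ts: float  # client clock; only comparable to the same client's values
    data: dict


@dataclass
class Journal:
    """An append-only record: writers never read, lock, or overwrite."""
    updates: list = field(default_factory=list)

    def append(self, client_id, client_ts, data):
        self.updates.append(Update(client_id, client_ts, dict(data)))


def last_write_wins(old, new):
    """Default rule: the update replayed later replaces the earlier value."""
    return new


def only_increases(old, new):
    """Rule for a key that may only ever increase: keep the largest value."""
    return max(old, new)


def order_for_replay(updates):
    """Sort each client's own updates by its timestamps, keeping arrival slots.

    Timestamps from different clients are never compared with each other,
    because clocks on different hosts cannot be trusted to agree.
    """
    slots = {}
    for index, update in enumerate(updates):
        slots.setdefault(update.client_id, []).append(index)
    ordered = list(updates)
    for indexes in slots.values():
        by_time = sorted((updates[i] for i in indexes), key=lambda u: u.client_ts)
        for index, update in zip(indexes, by_time):
            ordered[index] = update
    return ordered


def materialize(journal, resolvers=None):
    """Fold the journal into one record, applying a per-key conflict rule."""
    resolvers = resolvers or {}
    result = {}
    for update in order_for_replay(journal.updates):
        for key, value in update.data.items():
            if key in result:
                resolve = resolvers.get(key, last_write_wins)
                result[key] = resolve(result[key], value)
            else:
                result[key] = value
    return result


def read_update_write_race():
    """Replay the racy read-update-write interleaving from the second attempt."""
    store = {"record": {}}
    seen_by_a = dict(store["record"])  # 1. Request A fetches {}
    seen_by_b = dict(store["record"])  # 2. Request B fetches {}
    seen_by_a["foo"] = "bar"           # 3. Request A updates its copy
    seen_by_b["baz"] = "qux"           # 4. Request B updates its copy
    store["record"] = seen_by_a        # 5. Request A writes
    store["record"] = seen_by_b        # 6. Request B writes, overwriting A's
    return store["record"]


def journaled_writes():
    """The same two requests as appends: neither can clobber the other."""
    journal = Journal()
    journal.append("A", 1.0, {"foo": "bar"})
    journal.append("B", 1.0, {"baz": "qux"})
    return materialize(journal)


if __name__ == "__main__":
    print("read-update-write:", read_update_write_race())
    print("journaled:        ", journaled_writes())
```
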

TL;DR

Math says you can’t have both consistency and availability. At our scale, availability wins the argument and eventual consistency carries the day.

Wet Shaving: A Year Later

I’m a sucker for the idea of ritual. When I learn about a traditional, labor-intensive practice like shining shoes, oiling boots, or a complicated car washing regimen, I’m always drawn to try it myself. I imagine having the same meditative experience as the person convincing me to try their routine: feeling a connection to my ancestors, appreciating the finer things, tasting the rewards of patience, and such. So when I read an article about wet shaving a year ago, I could hardly wait to get started.

My Merkur 34C razor

In practice, though, I hate ritual. I’ll pay a few bucks to have someone else shine my shoes. San Francisco Bay Area climate isn’t very hard on boots, whether I’ve diligently oiled them or not. Automatic car washes are popular for a reason. Basically, I run out of patience for things that take too long just for the sake of taking too long.

One recent morning, I found myself wondering if I actually enjoyed wet shaving or if I’d be better off going back to a can of foam and an 8-bladed disposable razor. Millions of guys do it the new way, after all - should I rejoin them?

No. For me, wet shaving is clearly better for two specific reasons:

  • It’s way cheaper. It’s like the laser printer business model of charging more up front but offering dirt cheap supplies. After the initial purchase, consumables cost less than $10 a year.
  • I haven’t had a single ingrown hair since I started. Modern razors always leave me with a few bumps on my neck and cheekbones, but that problem has completely disappeared.

Yes, it takes longer than I’d like and still carries more trappings of ritual than I care to think about. Still, it’s a little luxury that’s measurably nicer and I don’t think I’ll give it up.

I use and happily recommend:

Update:

Garrick Dee wrote another nice introduction to the subject at the Grooming Essentials blog.

Great Expectations

I probably sound like I gripe all the time, but that’s really not what I’m like. I’m an optimist and happy by nature. It’s just that I have high expectations for how things could be and I’m disappointed when I see people fall short of their potential. I don’t complain about companies that are trying their best but fall short. I call out the ones that could be so much better but don’t seem to have the desire to see it through.

Making Devonthink Sync Between Computers

Update: 2021-05-27

This is still getting traffic for unknown reasons. Today, in 2021, the problem is long solved. DEVONthink 3 syncs perfectly with itself and with DEVONthink To Go. Again, this is purely historical and not a reflection of the state of things today.

Also, I have no idea why this post is suddenly so popular again. Help me out and let me know how you found this page? I’d sure appreciate it!

Update: 2016-09-17

In July 2016, DEVONtechnologies released DEVONthink 2.9 with an entirely new sync engine. It’s like a brand new program and synchronization has been flawless. Although I’ve only been using the new version for a couple of months now, it feels better, faster, and deterministic in a way the older ones never did.

At this point, I’m cautiously optimistic that all of the problems I wrote about below are fixed and obsolete. My fingers are crossed!

I’m keeping this post up for historical reasons but I don’t think that it’s relevant anymore.


Q: I have DEVONthink Pro Office and I want to sync my home and work computers so that I can access documents in both locations. How can I do that?

A: You can’t. Give up. It won’t work reliably.

Q: No, really. How do I do that?

Longer A: Seriously, give up. It doesn’t work and you’ll just get angry and frustrated. Trust me.


I use and love DEVONthink Pro Office as a document manager. Pretty much every piece of information I come across goes into it, whether scans of utilities bills, PDFs of software manuals, Twitter messages I starred, or the complete collection of RFCs. If there’s any chance I might ever want to find something again, DTPO stores it. Its most important feature is the uncanny ability to return exactly the search results I want when I need to find something. Second only to that is its AI-powered “see also” feature: “you seem to be reading up on an obscure technical subject. You might also be interested in the author’s blog posts about it, some guy’s master’s thesis on the main algorithm, and the popular alternative version written by a teen living in a favela in São Paulo.”

It’s that good. And I’m still desperate to find anything else to replace it.

The main problem is that DTPO refuses - just flat-out digs its heels in and resists - syncing reliably for more than a few days at a time. The pattern always goes like this:

  • I start off optimistic, determined that this time will be different.
  • At home, I add a sync connection to Dropbox, or to my own WebDAV server which has been syncing OmniFocus and other apps successfully for years.
  • I sync one of my medium-sized (2GB or so) databases to that connection.
  • I select the Synchronize menu option and wait several hours as my data gets pushed up to the server.
  • At work, I set up the same connection and import the database. Then I select Synchronize and wait a few hours as all my data comes back from the cloud.
  • I use it for a couple of weeks until I start getting random sync errors that cause it to stop halfway through without copying across all my new documents.
  • After going through all the troubleshooting tips on their forum (of which there are many because this seems to happen to a lot of people), I give up and resign myself to the dreaded “Clean Location…” button which deletes all documents off the remote server.
  • I walk away from it for a few weeks so that I don’t throw my laptop out the window.

So I exaggerated a little. It is possible to reliably sync two machines running DTPO:

  • Pick one to be the primary machine.
  • Pick the other to be the secondary.
  • Do all your editing work on the primary. When you’re happy with it, use rsync or some other file copier to nuke what’s on the secondary and make it identical to the primary, losing any changes you might’ve made there.
  • If you’re at work and want to add a document, just email it to yourself at home and import it into DTPO there later when you’d rather be playing with your kids, washing the dog, or doing anything else in the entire world.

That’s how you reliably sync DTPO. Anything else is just a ticking time bomb.

More Shoe Fails

I had a wonderful experience buying new Rockport shoes from Brown Brothers Shoes in Alameda a couple of months ago, to the point that I wrote a gushing Yelp review and told all my friends to go there.

Oops.

My two-month-old Rockport shoes (which I wear only to work at my desk job) already need to be re-soled. The hard rubber heels have worn through so that now I’m walking on the soft foam cushion, and that can’t possibly last too long. I took them back to the same store and found that they’re a lot better at selling shoes than at helping customers.

First, the salesman said that it was probably because I wear arch supports in them. That would seem ridiculous even if they weren’t the insoles that I bought from their own store at their own suggestion. Next, he recommended a local shoe shop and sent me packing. I asked if they sold other, more durable walking shoes, like some I could wear from my bus stop to the office and still have them last more than two months. The salesman said that no, these are the best.

My shoes are in the shop now and I should have an estimate for fixing them by Monday. Hopefully it’ll be cheap enough that I can have them to wear for a few weeks while I shop for replacements. I don’t know what they will be, but they won’t be Rockports and I won’t be getting them at Brown Brothers.

To Sell A Car

In the process of moving to another state, we decided to sell my car to some friends. This turned out to be much harder than anticipated.

I admit that this is entirely my fault and I deserve to be made fun of for it, but we couldn’t find the title. It could be that the bank which financed the loan never sent it to us. It could be that it’s in our safe deposit box in our last city and that I’ll find it next month when I go back for the rest of our stuff. Or maybe I’m just a bad document caretaker and I lost it along the way. I don’t know. But the end result is that we don’t have the title and needed to have a duplicate issued before we can sell the car.

Late May

I called the county clerk’s office to ask how to apply for a duplicate title. The clerk was very helpful and friendly, and offered to look up the necessary information while I was on the phone. I gave her my car’s VIN and my personal information, and she came back with the unwelcome news that the bank still had a collateral lien on the car. I pointed out that I bought it used in 2000 and didn’t have a 12-year loan on a used Oldsmobile, and that I hadn’t been arrested for chronic non-payment of the loan. She laughingly agreed that I’d clearly paid it off, but needed a notarized lien release from the financing bank before she could issue a new title.

When I tried to find contact information for that bank, I discovered they had been acquired by another bank in 2004 and no longer existed.

OK. So.

Early June

I called the new bank, Regions, and explained the situation. They were more pleasant and easier to work with than I’d feared, but couldn’t find any information about my paid-off-9-years-ago loan from their subsidiary. They took all my information, though, and agreed to send a lien release if they couldn’t find proof that I still owed them money. That seemed perfectly fair and reasonable — from a bank! — and I sat back to wait for the letter to arrive.

It didn’t arrive.

Late June

I called Regions again. They were missing some information from the lien release application form (but weren’t sure exactly which information) and needed to re-file it. Given how nice they were and that I wasn’t even their customer any more, I didn’t protest or complain too much.

July

A couple of weeks later, the official, notarized lien release came in the mail. The VIN wasn’t quite identical to the one I gave them, but I hoped the county clerk would call it “good enough” and accept the note.

Now we were ready to apply for the replacement title. The state’s form required that Jen and I both have our signatures notarized, so on a sunny Saturday, we drove to a nearby UPS Store and paid up. We stuffed the lien release letter, the application, and a check for $14 in an envelope and mailed it to the county clerk’s office.

August

Not a peep from the county clerk. I didn’t rush things because, well, government office… But after a few weeks of silence, I called to check on the application.

The county clerk never received it.

The notarized application? The check? The necessary, certified original copy of the lien release? Lost forever to the mail system.

I asked the clerk if I could just take the car out back and burn it, as that might be the easiest way to dispose of it. She asked me to please not.

I sheepishly called Regions again to explain the situation, apologize profusely, and to ask them to please send me yet another copy of the lien release. They cheerfully agreed to and collected all my information to fill out the request form.

I called US Bank to cancel my lost check and they told me there was a $30 charge to stop payment on a $14 note. I told them not to bother and that I’d take my chances.

Now

And that’s where it stands. All I wanted to do is sell my car, and it’s involved the county clerk, three banks (one of them out of business), a UPS Store, and the post office. As of today, I’m no closer to the goal than I was two months ago.

As a side note: yeah, it was my fault for losing the original title (if I ever even had it). But I wouldn’t have been able to transfer the title to the new owners without the lien release anyway, so this was destined to be a pain in the butt in any case.

Applecareless

While I almost never buy extended warranties, conventional wisdom is that you should always buy AppleCare for an Apple laptop. You have up to a year after buying your laptop to purchase the extended coverage. At a high level, you’re basically buying an insurance policy for a piece of hardware with a specific serial number. Why does Apple make this so difficult?

I bought my MacBook Pro directly from Apple’s website. Here’s how AppleCare purchase should work:

  • I log in to their store website.
  • I view my order history and find my laptop.
  • Apple has my MacBook Pro’s serial number on file with this order, and they also have a list of equipment covered by AppleCare. Since my laptop isn’t already covered, the site displays a “Buy AppleCare” button next to it.
  • I click the “Buy AppleCare” button, choose to use my billing information that Apple already has on file, and click “Buy it now”.
  • I get a confirmation email and move on to other things.

A lot of people bought their laptops through other sources, like local dealers, chain retail stores, and so on. Since Apple might not have any record of their purchase, here’s how that process should work:

  • A customer visits Apple’s store website.
  • Under “Mac Accessories”, they click “AppleCare”.
  • They see a new form titled “What’s your Mac’s serial number?” and a link to how to find that information.
  • When the user enters their serial number, the website looks up that part information and selects the appropriate AppleCare plan for their hardware.
  • They add the plan to their cart and check out normally.
  • The user gets a confirmation email and moves on to other things.

In reality, the process is far less polished and, well, un-Apple-like:

  • I logged into their store website and looked for a process like the one I described above.
  • When that failed to materialize, I browsed around until I found the AppleCare plans in the store.
  • After some rooting around, I found the correct plan and added it to my cart.
  • I was given the option of picking my plan up in an Apple Store or having it mailed to me. Wait, what? Pickup? Mail? For a warranty? Fine — mail it.
  • After a couple of days, my AppleCare plan arrived in the mail. It came in a large cardboard box with a tiny cardboard box inside it. The tiny box contained some printed material and a registration number, but no Apple stickers or anything else I’d actually want.
  • Per instructions, I went to a separate section of the Apple website and entered my laptop’s serial number (which they already have on file from when I bought it last year!) and the AppleCare registration number (which they already have on file from when I bought it a few days earlier!).
  • I agreed to the Terms of Service, which were identical to the now-completely-unnecessary printed copy that came in the box.
  • After submitting those numbers, Apple asked if I wanted my coverage certificate sent by email or by postal service. “Telegraph” and “carrier pigeon” were not available options, so I chose email.
  • Apple informed me that I’d successfully completed my application, that my registration was now in progress, and that I would receive my certificate when they had finished verifying my registration.
  • That was over 12 hours ago. I didn’t get any kind of confirmation email, but my browser history helped me find the status page so I could check in on it today. It’s still stuck at “Registration in progress”, presumably while Gertrude from Accounts finds my punchcard in the filing cabinet.

I’d probably shrug the ordeal off if I were dealing with Best Buy, Microsoft, or some other company not known for their customer service. But Apple? This was the opposite of the kind of experience they usually provide and I’m disappointed that the process was so clumsy.

Omaha World Herald Makes School Remove Christmas Message

The Omaha World-Herald published a story about a Lincoln public high school that wrote “Remember the Reason for the Season” on its electronic bulletin board in front of the building. The ACLU contacted the school’s principal to request that the message be removed, and the school complied.

I can understand why some parents might not want that sign above the school. While I don’t personally have a problem with it, I’d feel uncomfortable if my kids’ school ran a similar sign that appeared to endorse Islam, Hinduism, or other religions. And as it turns out, the high school in question does have Jewish and Muslim students whose parents probably weren’t thrilled with the message.

Buried in the article, though, was an interesting nugget:

The ACLU was alerted to the sign by a World-Herald reporter who called to ask if anybody had complained about it. The marquee is along a well-traveled city street near the school.

Although many travelers had seen the sign in their daily commute, there were no complaints or any other evidence of offense until OWH’s own reporter triggered the investigation and created the story. I think the school did the right thing in not choosing one religion over another, but I think the newspaper was completely wrong to spark a controversy where none apparently existed.

On Generated Versus Random Passwords

I was reading a story about a hacked password database and saw this comment where the poster wanted to make a little program to generate non-random passwords for every site he visits:

I was thinking of something simpler such as “echo MyPassword69! slashdot.org|md5sum” and then “aaa53a64cbb02f01d79e6aa05f0027ba” using that as my password since many sites will take 32-character long passwords or they will truncate for you. More generalized than PasswordMaker and easier to access but no alpha-num+symbol translation and only (32) 0-9af characters but that should be random enough, or you can do sha1sum instead for a little longer hash string.

I posted a reply but I wanted to repeat it here for the sake of my friends who don’t read Slashdot. If you’ve ever cooked up your own scheme for coming up with passwords or if you’ve used the PasswordMaker system (or ones like it), you need to read this:

DO NOT DO THIS. I don’t mean this disrespectfully, but you don’t know what you’re doing. That’s OK! People not named Bruce generally suck at secure algorithms. Crypto is hard and has unexpected implications until you’re much more knowledgeable on the subject than you (or I) currently are. For example, suppose that hypothetical site helpfully truncates your password to 8 chars. By storing only 8 hex digits, you’ve reduced your password’s keyspace to just 32 bits. If you used an algorithm with base64 encoding instead, you’d get the same complexity in only 5.3 chars.

Despite what you claim, you’re really much better off using a secure storage app that creates truly random passwords for you and stores them in a securely encrypted file. In another post here I mention that I use 1Password, but really any reputable app will get you the same protections. Your algorithm is a “security by obscurity” system; if someone knows your algorithm, gaining your master password gives them full access to every account you have. Contrast with a password locker where you can change your master password before the attacker gets access to the secret store (which they may never be able to do if you’ve kept it secure!), and in the worst case scenario provides you with a list of accounts you need to change.

I haven’t used PasswordMaker but I’d apply the same criticisms to them. If an attacker knows that you use PasswordMaker, they can narrow down the search space based on the very few things you can vary:

  • URL (the attacker will have this)
  • character set (dropdown gives you 6 choices)
  • which of nine hash algorithms was used (actually 13 — the FAQ is outdated)
  • modifier (algorithmically, part of your password)
  • username (attacker will have this or can likely guess it easily)
  • password length (let’s say, likely to be between 8 and 20 chars, so 13 options)
  • password prefix (stupid idea that reduces your password’s complexity)
  • password suffix (stupid idea that reduces your password’s complexity)
  • which of nine l33t-speak levels was used
  • when l33t-speak was applied (total of 28 options: 9 levels each at three different “Use l33t” times, plus “not at all”)

My comments about the modifier being part of your password? Basically you’re concatenating those strings together to create a longer password in some manner. There’s not really a difference, and that’s assuming you actually use the modifier.

So, back to our attack scenario where a hacker has your master password, username, and a URL they want to visit: disregarding the prefix and suffix options, they have 6 * 13 * 13 * 28 = 28,392 possible output passwords to test. That should keep them busy for at least a minute or two. And once they’ve guessed your combination, they can probably use the same settings on every other website you visit. Oh, and when you’ve found out that your password is compromised? Hope you remember every website you’ve ever used PasswordMaker on!

Finally, if you’ve ever used the online version of PasswordMaker, even once, then you have to assume that your password is compromised. If their site has ever been compromised — and it’s hosted on a content delivery network with a lot of other websites — the attacker could easily have placed a script on the page to submit everything you type into the password generation form to a server in a distant country. Security demands that you have to assume this has happened.

Seriously, please don’t do this stuff. I’d much rather see you using pwgen to create truly random passwords and then using something like GnuPG to store them all in a strongly-encrypted file.

The summary version is this: use a password manager like 1Password to use a different hard-to-guess password on every website you visit. Don’t use some invented system to come up with passwords on your own because there’s a very poor chance that we mere mortals will get it right.
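The keyspace arithmetic from the reply above, with a CSPRNG-based generator beside the derived scheme for comparison. This is an added example, not code from the original post, the quoted comment's author, or PasswordMaker; the function names are made up for illustration, and the option counts are the ones the reply lists.

```python
import hashlib
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 printable symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_bits(alphabet_size, length):
    """Upper bound, in bits, on the entropy of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def chars_needed(bits, alphabet_size):
    """How many symbols of the given alphabet carry `bits` bits."""
    return bits / math.log2(alphabet_size)


def derived_password(master, site, truncate_to=None):
    """The quoted scheme: md5sum over 'master site' plus the newline echo adds.

    Deterministic by design, so anyone who learns the master password and the
    recipe can recompute the password for every site.
    """
    digest = hashlib.md5(f"{master} {site}\n".encode()).hexdigest()
    return digest[:truncate_to] if truncate_to else digest


def settings_combinations(charsets=6, hashes=13, lengths=13, leet_options=28):
    """Distinct setting combinations, using the counts given in the reply."""
    return charsets * hashes * lengths * leet_options


def random_password(length=20, alphabet=ALPHABET):
    """Independent per-site password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def summary():
    """Collect the figures discussed in the reply in one place."""
    combos = settings_combinations()
    return {
        # Output keyspace only; the real strength can never exceed that of
        # the master password, since the site name and recipe are not secret.
        "hex_truncated_to_8_bits": keyspace_bits(16, 8),
        "base64_chars_for_same_bits": chars_needed(keyspace_bits(16, 8), 64),
        "settings_combinations": combos,
        "settings_as_extra_bits": math.log2(combos),
        "random_20_of_94_bits": keyspace_bits(len(ALPHABET), 20),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:28} {value:,.1f}")
    print("random example:", random_password())
```

The settings that look like extra secrets add fewer than 15 bits in total, while a 20-character random password carries more than 128 bits and shares nothing with the password for any other site.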

Stop The E Parasite Act

This is the letter I just sent to my representative, urging him to vote against Hollywood’s E-PARASITE Act:

Congressman Fortenberry, please vote against the appropriately-named “E-PARASITE Act” being proposed by Rep. Smith, TX. It’s the counterpart of Senate Bill S.968, the “PROTECT IP Act”.

This flawed legislation seeks to criminalize civil offenses and reverse our Constitutional presumption of innocence for the benefit of a tiny — but very vocal — coalition of Hollywood special interest groups. The Internet has brought untold billions of dollars to our economy and democracy to distant shores. Let’s not discard these advances for the benefit of a few CEOs who haven’t figured out how to do business in the new economy. Given technology legislation that’s supported by the AFL-CIO and opposed by Google, I’ll side with Google every time.

Please stop these parasites from destroying the Internet we built just so they can make a few more dollars before their obsolete business plans finish them off.

Thank you for your time,
Kirk Strauser
Norfolk, NE

Please let your own representatives know that we don’t want this terrible legislation.

Making DOS USB Images On A Mac

I needed to run a BIOS flash utility that was only available for DOS. To complicate matters, the server I needed to run it on doesn’t have a floppy or CD-ROM drive. I figured I’d hop on the Internet and download a bootable USB flash drive image. Right? Wrong.

I found a lot of instructions for how to make such an image if you already have a running Windows or Linux desktop, but they weren’t very helpful for me and my Mac. After some trial and error, I managed to create my own homemade bootable USB flash drive image. It’s available at http://www.mediafire.com/?aoa8u1k1fedf4yq if you just want a premade ready-to-download file.

If you want a custom version, or you don’t trust the one I’ve made — and who’d blame you? I’m some random stranger on the Internet! — here’s how you can make your own bootable image under OS X:

Relax!

There are a lot of steps, but they’re easy! I wanted to err on the side of being more detailed than necessary, rather than skipping “obvious” steps that might not be quite so easy for people who haven’t done this before.

Download VirtualBox and install it

  1. Download VirtualBox. I used version 4.1.4. The version available to you today might look different but should work mostly the same way.
  2. Open the “VirtualBox-[some-long-number]-OSX.dmg” disk image.
  3. Double-click the “VirtualBox.mpkg” icon to run the installer.
  4. Click “Continue”.
  5. Click “Continue”.
  6. Click “Install”.
  7. Enter your password and click “Install Software”.
  8. When it’s finished copying files, etc., click “Close”.

Download FreeDOS and create a virtual machine for it

  1. Download the FreeDOS “Base CD” called “fdbasecd.iso”. Note: the first mirror I tried to download from didn’t work. If that happens, look around on the other mirrors until you find one that does.
  2. Open your “Applications” folder and run the “VirtualBox” program.
  3. Click the “New” button to create a new virtual machine. This launches the “New Virtual Machine Wizard”. Click “Continue” to get past the introduction.
  4. Name your new VM something reasonable. I used “FreeDOS”, and whatever name you enter here will appear throughout all the following steps so you probably should, too.
  5. Set your “Operating System” to “Other”, and “Version” to “DOS”. (If you typed “FreeDOS” in the last step, this will already be done for you.) Continue.
  6. Leave the “Base Memory Size” slider at 32MB and continue.
  7. Make sure “Start-up Disk” is selected, choose “Create new hard disk”, and continue.
  8. Select “File type” of “VDI (VirtualBox Disk Image)” and continue.
  9. Select “Dynamically allocated” and continue.
  10. Keep the default “Location” of “FreeDOS”.
  11. Decision time: how big do you want to make your image? The full install of FreeDOS will take about 7MB, and you’ll want to leave a little room for your own files. On the other hand, the larger you make this image, the longer it’ll take to copy onto your USB flash drive. You certainly don’t want to make it so large that it won’t actually fit on your USB flash drive. An 8GB nearly-entirely-empty image will be worthless if you only have a 2GB drive. I splurged a little and made my image 32MB (by clicking in the “Size” textbox and typing “32MB”. I hate size sliders.). Click “Continue”.
  12. Click “Create”.
  13. Make sure your new “FreeDOS” virtual machine is highlighted on the left side of the VirtualBox window.
  14. On the right-hand side, look for the section labeled “Storage” and click on the word “Storage” in that title bar.
  15. Click the word “Empty” next to the CD-ROM icon.
  16. Under “Attributes”, click the CD-ROM icon to open a file chooser, select “Choose a virtual CD/DVD disk file…”, and select the FreeDOS Base CD image you downloaded at the beginning. It’ll probably be in your “Downloads” folder. When you’ve selected it, click “Open”.
  17. Back on the “FreeDOS — Storage” window, click “OK”.

Install FreeDOS

  1. Back on the main VirtualBox window, near the top, click “Start” to launch the virtual machine you just made.
  2. A note about VirtualBox: when you click the VM window or start typing, VirtualBox will “capture” your mouse cursor and keyboard so that all key presses will go straight to the VM and not your OS X desktop. To get them back, press the left [command] key on your keyboard.
  3. At the FreeDOS boot screen, press “1” and [return] to boot from the CD-ROM image.
  4. Hit [return] to “Install to harddisk”.
  5. Hit [return] to select English, or the up and down keyboard arrow keys to choose another language and then [return].
  6. Hit [return] to “Prepare the harddisk”.
  7. Hit [return] in the “XFDisk Options” window.
  8. Hit [return] to open the “Options” menu. “New Partition” will be selected. Hit [return] again. “Primary Partition” will be selected. Again, [return]. The maximum drive size should appear in the “Partition Size” box. If not, change that value to the largest number it will allow. Hit [return].
  9. Do you want to initialize the Partition Area? Yes. Hit [return].
  10. Do you want to initialize the whole Partition Area? Oh, sure. Press the left arrow key to select “YES”, then hit [return].
  11. Hit [return] to open the “Options” menu again. Use the arrow keys to scroll down to “Install Bootmanager” and hit [return].
  12. Press [F3] to leave XFDisk.
  13. Do you want to write the Partition Table? Yep. Press the left arrow to select “YES” and hit [return]. A “Writing Changes” window will open and a progress bar will scroll across to 100%.
  14. Hit [return] to reboot the virtual machine.
  15. This doesn’t actually seem to reboot the virtual machine. That’s OK. Press the left [command] key to give the mouse and keyboard back to OS X, then click the red “close window” button on the “FreeDOS [running]” window to shut it down. Choose “Power off the machine” and click “OK”.
  16. Back at the main VirtualBox window, click “Start” to re-launch the VM.
  17. Press “1” and [return] to “Continue to boot FreeDOS from CD-ROM”, just like you did before.
  18. Press [return] to select “Install to harddisk” again. This will take you to a different part of the installation process this time.
  19. Select your language and hit [return].
  20. Make sure “Yes” is selected, and hit [return] to let FreeDOS format your virtual disk image.
  21. Proceed with format? Type “YES” and hit [return]. The format process will probably finish too quickly for you to actually watch it.
  22. Now you should be at the “FreeDOS 1.0 Final Distribution” screen with “Continue with FreeDOS installation” already selected. Hit [return] to start the installer.
  23. Make sure “1) Start installation of FreeDOS 1.0 Final” is selected and hit [return].
  24. You’ll see the GNU General Public License, version 2 text. Follow that link and read it sometime; it’s pretty brilliant. Hit [return] to accept it.
  25. Ready to install the FreeDOS software? You bet. Hit [return].
  26. Hit [return] to accept the default installation location.
  27. “YES”, the above directories are correct. Hit [return].
  28. Hit [return] again to accept the selection of programs to install.
  29. Proceed with installation? Yes. Hit [return].
  30. Watch in amazement at how quickly the OS is copied over to your virtual disk image. Hit [return] to continue when it’s done.
  31. The VM will reboot. At the boot screen, press “h” and [return] to boot your new disk image. In a few seconds, you’ll see an old familiar “C:” prompt.
  32. Press the left [command] key to release your keyboard and mouse again, then click the red “close window” icon to shut down the VM. Make sure “Power off the machine” is selected and click “OK”.

Convert the VirtualBox disk image into a “raw” image

  1. Open a Terminal.app window by clicking the Finder icon in your dock, then “Applications”, then opening the “Utilities” folder, then double-clicking “Terminal”.
  2. Copy this command, paste it into the terminal window, then hit [return]:
/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VBoxManage internalcommands converttoraw ~/"VirtualBox VMs/FreeDOS/FreeDOS.vdi" ~/Desktop/freedos.img

This will turn your VirtualBox disk image file into a “raw” image file on your desktop named “freedos.img”. It won’t alter your original disk image in any way, so if you accidentally delete or badly damage your “raw” image, you can re-run this command to get a fresh, new one.

Prepare your USB flash drive

  1. Plug your USB flash drive into your Mac.
  2. If your Mac can’t read the drive, a new dialog window will open saying “The disk you inserted was not readable by this computer.” Follow these instructions:
    1. Click “Ignore”.
    2. Go back into your terminal window and run this command: diskutil list
    3. You’ll see a list of disk devices (like “/dev/disk2”), their contents, and their sizes. Look for the one you think is your USB flash drive. Run this command to make sure, after replacing “/dev/disk2” with the actual name of the device you picked in the last step: diskutil info /dev/disk2
  3. Make sure the “Device / Media Name:” and “Total Size:” fields look right. If not, look at the output of diskutil list again to pick another likely candidate and repeat the step until you’re sure you’ve picked the correct drive to completely eradicate, erase, destroy, and otherwise render completely 100% unrecoverable. OS X will attempt to prevent you from overwriting the contents of drives that are currently in use — like, say, your main system disk — but don’t chance it. Remember the name of this drive!
  4. If your Mac did read the drive, it will have automatically mounted it and you’ll see its desktop icon. Follow these instructions:
    1. Go back into your terminal window and run this command: diskutil list
    2. Look for the drive name in the output of that command. It will have the same name as the desktop icon.
    3. Look for the name of the disk device (like “/dev/disk2”) for that drive and remember it (with the same warnings as in the section above that you got to skip).
    4. Unmount the drive by running this command: diskutil unmount "/Volumes/[whatever the desktop icon is called]"
    5. This is not the same as dragging the drive into the trash, so don’t attempt to eject it that way.

Copy your drive image onto the USB flash drive

  1. Go back to your terminal window.
  2. Run these commands, but substitute “/dev/fakediskname” with the device name you discovered in the previous section: cd ~/Desktop; sudo dd if=freedos.img of=/dev/fakediskname bs=1m
  3. After the last command finishes, OS X will automatically mount your USB flash drive and you’ll see a new “FREEDOS” drive icon on your desktop.
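The "make sure it's the right drive" check from the previous section can be scripted so that dd never runs against a disk that isn't a USB device or is too small for the image. This is an added example, not part of the original instructions; the function names are hypothetical, and it assumes diskutil info prints "Protocol:" and "Total Size: … (N Bytes)" lines the way OS X releases of this era do.

```shell
#!/bin/sh
# Added example: guard rails for the dd step. Function names are hypothetical.
# Assumes `diskutil info` prints "Protocol:" and "Total Size: ... (N Bytes)"
# lines, as OS X releases of this era do; adjust the patterns if yours differs.

# Read `diskutil info` text on stdin, print the disk size in bytes.
disk_total_bytes() {
    sed -n 's/^ *Total Size:.*(\([0-9][0-9]*\) Bytes).*/\1/p' | head -n 1
}

# Read `diskutil info` text on stdin; succeed only if it describes a USB
# disk that is big enough to hold the image file given as $1.
preflight() {
    image=$1
    info=$(cat)
    if [ ! -f "$image" ]; then
        echo "refusing: image '$image' not found" >&2; return 1
    fi
    img_bytes=$(wc -c < "$image" | tr -d ' ')
    disk_bytes=$(printf '%s\n' "$info" | disk_total_bytes)
    proto=$(printf '%s\n' "$info" | sed -n 's/^ *Protocol: *//p' | head -n 1)
    if [ -z "$disk_bytes" ]; then
        echo "refusing: no Total Size field found" >&2; return 1
    fi
    if [ "$proto" != "USB" ]; then
        echo "refusing: protocol is '$proto', not USB" >&2; return 1
    fi
    if [ "$img_bytes" -gt "$disk_bytes" ]; then
        echo "refusing: image ($img_bytes bytes) exceeds disk ($disk_bytes bytes)" >&2
        return 1
    fi
    echo "ok: $img_bytes-byte image fits on $disk_bytes-byte USB disk"
}

# Check the target, then unmount it and copy the image with the page's dd command.
# usage: write_image ~/Desktop/freedos.img /dev/fakediskname
write_image() {
    diskutil info "$2" | preflight "$1" || return 1
    diskutil unmountDisk "$2" || return 1
    sudo dd if="$1" of="$2" bs=1m
}
```

The script only adds a refusal path; you still need to read the “Device / Media Name:” field yourself, since two USB drives of similar size both pass.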

Add your own apps to the image

  1. Drag your BIOS flasher utility, game, or other program onto the “FREEDOS” icon to copy it onto the USB flash drive.
  2. When finished, drag the “FREEDOS” drive icon onto the trashcan to unmount it.

Done.

  1. You’re finished. Use your USB flash drive to update your computer’s BIOS, play old DOS games, or do whatever else you had in mind.
  2. Keep the “freedos.img” file around. If you ever need it again, start over from the “Prepare your USB flash drive” section which is entirely self-contained. That is, it doesn’t require any software that doesn’t come pre-installed on a Mac, so even if you’ve uninstalled VirtualBox you can still re-use your handy drive image.

Taken To The Cleaners By Abe's Detailing

I read a nice newspaper story a while ago about Abe’s Detailing in Norfolk, NE. When I wanted to have Jen’s minivan detailed as a present, I thought I’d give Abe’s a try and made an appointment for the $45.99 “express detail”. When we picked it up later, the van looked nice, but they wanted to charge us for the $159.99 “presidential detail” that they performed instead.

I told the employee that I’d ordered the cheaper package. He said I must have talked to his brother and that his brother wrote it down wrong, and still wanted me to pay the full price for the wrong job.

I will never darken the doorsteps of Abe’s Detailing in Norfolk again. If you choose to do so, I highly recommend you get a written estimate in advance.

Guest Post By Gabby It Snowed

It snowed! I went outside today and played! Bet I would have stayed out there if it had snowed more and if my feet didn’t freeze, I would have stayed there longer!