Technology news briefs

There were three events last week that I thought didn’t get enough news coverage:

1. Good news: Proposed restrictions on warrantless electronic device border searches

Bills were proposed in the Senate and House to require a probable cause warrant before searching the digital devices of US citizens and legal permanent residents at the border. This is great. Customs and Border Protection have been asserting that they’re allowed to search travelers’ digital devices because they fall under the “border search exception” to the Fourth Amendment. However, digital devices contain vast amounts of personal information. It’s unreasonable to expect a person to reveal everything about themselves just to get back into their own country. Thank you Senators Wyden and Paul and Representatives Polis, Smith, and Farenthold! More info.

2. Bad news: Hacking into a smart TV by sending it radio signals

Apparently some guy got full access to a smart TV by sending it specially crafted radio signals. Some new smart TVs have built-in video cameras. This means a hacker could turn on your TV’s video camera and watch you. This should terrify you. More info.

3. More bad news: Remote execution bug in embedded Wi-Fi code in a tremendous number of mobile devices

It’s not clear how severe this is. In the worst case an attacker could execute code on your phone just by being near it. Or maybe it’s only possible if the attacker is connected to the same Wi-Fi network as your phone. In any case, you should apply software updates ASAP, and as always, avoid connecting to random Wi-Fi networks. Only use Wi-Fi at your house and your office. According to Google’s blog post, potentially affected phones are, at a minimum: all iPhones since the iPhone 4, Google Nexus 5, 6, and 6P, and “most Samsung flagship devices.” That’s a shit ton of phones and that’s not even a complete list.

More info: Google’s blog post, Ars Technica main article, Ars Technica iOS article, April 2017 Android Security Bulletin link 1 and link 2, and Samsung security update announcement.

A few takeaways:

  • Always update your software/firmware/OS as soon as possible.
  • Don’t connect to untrusted or non-password protected Wi-Fi networks. You’re putting yourself at risk.
  • Google Project Zero should try harder for coordinated and responsible disclosure. I’m using a Nexus 5X, one of Google’s own phones, and I don’t even have the fix yet. The latest security patch level available to me is March 5, 2017. Imagine how screwed all the normal people are whose mobile providers really suck at providing software updates. Also, maybe don’t provide attack code immediately? I understand the rationale for wide disclosure once one vendor makes the issue public (Apple released their security update on April 3rd), but you don’t need to give the attack tools to the entire world. Edit: I want to add that I’m extremely grateful to Google and the Project Zero researchers. They’re doing fantastic work and we’re absolutely better off because of them (unrelated to this issue, but by all accounts Tavis Ormandy is absolutely crushing it). I just wish this specific issue was a little more coordinated.
  • This feels like it’s only the beginning. Vulnerability testing of this type of code is difficult (read Google’s disclosure blog post if you don’t believe me). I suspect embedded code like this hasn’t gotten a lot of eyeballs and we’ll see an increase in these types of discoveries in the future.
Posted in All

Two years with a Retrospec Mantra

I commuted a few miles a day for two years on a black Retrospec Mantra single-speed bike. I bought it from Amazon for $256 in October 2014.

Retrospec Mantra

(more photos)

It’s nothing special. Fairly low quality, but appropriately priced. The steel is heavy and the ride is dull. The plastic pedals are clunky and don’t spin particularly freely. The wheels are sturdy. The Kenda KWest K193 tires have been fine. I put ~1200 miles on them and had 2 or 3 flats. Not amazing, but not terrible considering the roads I was on.

I added front and rear fenders, a seat lock, and front and rear lights. Total weight including fenders, lights, tires, pedals, and saddle is 27 lbs 11 oz.

It comes with a flip-flop hub, which means it can be ridden as a fixed-gear or freewheel by swapping the rear wheel around. It arrived as fixed-gear. I rode it this way for a few weeks and didn’t like it. I found it inconvenient to not be able to coast and freely position the pedals when stopping. So I switched to freewheel. I added a rear brake for redundancy.

The original brake pads were awful. Poor braking power and they shredded to nothingness after less than 100 miles. I switched to Shimano BR-6700 Ultegra brake pads and holders and they’ve been great. The brake levers have some wiggle in them, but they work fine.

I’ve been happy with it. I don’t worry about it getting beat up on Caltrain. I don’t worry too much when locking it outside. Total cost of ownership has been low. I’ve done no maintenance other than replacing the brake pads and changing punctured tubes. I wish the gear was lower to make going uphill less annoying, but it’s been fine. Buying a single-speed for this commute was a good choice.

Posted in Cycling

USS Hornet

On Saturday, Emily, Ruby and I visited the USS Hornet, a decommissioned Essex Class Navy aircraft carrier moored in Alameda, California. You get free rein to wander the flight deck, hangar deck, and a deck or two below. The passageways are cold metal, strewn with gauges, levers and knobs. Ceilings are low and stairs are steep. In addition to wandering, we also took a loosely-guided tour of the island, which I enjoyed.

Overall I thought it was great. Would recommend. A+++. Great shipping. Not stroller or wheelchair friendly. I think kids would like it, though they should be young enough to be worn or old enough to climb a ladder on their own safely.

You can see all our pictures on Flickr. Here’s a sampling:

USS Hornet (CV-12)

USS Hornet (CV-12) island

USS Hornet (CV-12) Primary Flight Control

Gauges

Posted in All

Trump vs. Clinton

I voted for Clinton/Kaine. Clinton is the only qualified presidential candidate on the ballot. There are things I don’t like about Clinton, but…

Donald Trump is a worthless piece of shit. A lying [1][2][3], impulsive, megalomaniac, garbage excuse for a human being. The leader of a country should be: Intelligent. Thoughtful. Measured. Patient. Respectable. Sympathetic to opposing viewpoints. Credible. Trump is none of these. He regularly insults[4] huge portions of the population. No one benefits from these things, he’s just being an asshole. This does not engender collaboration.

It’s great that people are unhappy with our legislature. I respect that. The Senate and House function poorly because of over-adherence to party lines and pandering to corporate and wealthy interests (and spending absurd amounts of time raising money[5][6][7][8]). I’d love for members of the legislature to vote based on the best interests of their constituents rather than following party lines. These things suck and it would be great if they could change, but Trump is not the solution.

Would you want to work at a company where Trump was in charge? What if he was your immediate boss? Or a coworker? Do you think he would make sound, fair decisions?

There are reasonable ideas on Trump’s policies page, but I have no confidence he’d follow through on any of them. Everyone can agree that supporting the VA[9] is great, but increasing the size of the military [10] and aggressively pursuing ISIS [11] puts more of our soldiers in harm’s way. ISIS is a problem with no easy solution. I believe the benefit of building a 2,000 mile long wall on the Mexican border does not justify the cost (I’m skeptical of getting Mexico to pay for the wall). Also let’s not forget that it’s pretty easy to get over a wall with, you know, a ladder. Reducing government spending[12][13] is a noble cause, but it’s easier said than done.

Sure, there are things I don’t like about Clinton. I wish she’d own her mistakes instead of denying, hiding, and trivializing them[14]. I’m not at all confident that she doesn’t return favors for people who donate money to The Clinton Foundation, or her campaign, or who do favors for her. But these negative traits are trivial compared to Trump’s pattern of abuse and incivility.

Posted in All

Safari invalid certificate handling sucks

Last week I filed three bugs with Apple regarding how Safari handles invalid certificates.

Bug #1 (Mac OS and iOS): It’s way too easy for a user to bypass a certificate warning. There’s a bunch of text no one will read and a big friendly “Continue” button. Invalid certificates are serious and should not be ignored lightly. Your average user doesn’t know this. It’s the responsibility of the browser to treat invalid certificates with appropriate gravitas. Safari fails here.

Screenshot of Safari’s invalid certificate warning on Mac OS

Screenshot of Safari’s invalid certificate warning on iOS

Bug #2 (iOS): After continuing through a certificate warning, the address bar displays a closed padlock icon. This falsely indicates to the user that their interactions with the page are secure.

Screenshot of Safari after continuing through an invalid certificate warning

Bug #3 (iOS): If a user continues through a certificate warning, this decision should expire at some point. Maybe if the user visits the site in a new browser window. Maybe after a certain amount of time has gone by. As far as I can tell the cert bypass is remembered indefinitely.

Combined, these three issues greatly undermine the effectiveness of https on iOS. I’d wager that it’s significantly easier to perform a man-in-the-middle attack against an https site on an iOS Safari user than on an iOS Chrome user.

Apple: You’re one of the biggest companies in the world. You command huge shares of the consumer computer and mobile device markets. Fix your shit.
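As an added illustration of what bugs #2 and #3 ask for (this is example code, not Safari’s implementation), here is a small model of a browser-side certificate-warning override store: an override is pinned to the exact certificate the user saw, scoped to one browsing session, expires after a TTL, and never earns the closed padlock. The host, certificate bytes, session ids and the one-hour TTL are constructed values.

```python
"""Model of scoping and expiring a user's certificate-warning override.
Added example, not Safari's code; all values below are constructed."""
import hashlib
import time
from dataclasses import dataclass, field

OVERRIDE_TTL_SECONDS = 60 * 60  # assumption: an override lives at most one hour

# Constructed stand-ins for DER-encoded certificates (a browser would parse real ones).
CERT_A = b"constructed DER bytes for cert A"
CERT_B = b"constructed DER bytes for cert B"


def fingerprint(cert_der: bytes) -> str:
    """Pin the override to the exact certificate the user saw, not just the host."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Override:
    fingerprint: str
    session_id: int    # browsing session (window) in which the user clicked through
    expires_at: float  # absolute time after which the override is forgotten


@dataclass
class OverrideStore:
    ttl: float = OVERRIDE_TTL_SECONDS
    entries: dict = field(default_factory=dict)

    def remember(self, host: str, cert_der: bytes, session_id: int, now: float = None) -> None:
        """Record that the user bypassed the warning for this host + certificate."""
        now = time.time() if now is None else now
        self.entries[host] = Override(fingerprint(cert_der), session_id, now + self.ttl)

    def is_overridden(self, host: str, cert_der: bytes, session_id: int, now: float = None) -> bool:
        """True only if the same session, within the TTL, sees the same certificate."""
        now = time.time() if now is None else now
        entry = self.entries.get(host)
        if entry is None:
            return False
        if now >= entry.expires_at or entry.session_id != session_id:
            del self.entries[host]  # stale or foreign-session override: drop it
            return False
        return entry.fingerprint == fingerprint(cert_der)


def security_indicator(cert_valid: bool, overridden: bool) -> str:
    """Address-bar state: a bypassed warning must never earn the closed padlock."""
    if cert_valid:
        return "secure"
    if overridden:
        return "not secure (warning bypassed)"
    return "blocked"


def load_page(store: OverrideStore, host: str, cert_der: bytes, cert_valid: bool,
              session_id: int, now: float = None) -> str:
    """Decide what the address bar shows for one page load."""
    if cert_valid:
        return security_indicator(True, False)
    return security_indicator(False, store.is_overridden(host, cert_der, session_id, now))
```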

Posted in Computers

Nighttime music

When Ruby was a little younger, before we started sleep training, the three of us would sometimes sit in her room at the end of the day and listen to music. I tried to pick music that was soft and calming. Here’s the list of albums we listened to, one each night:

  • Sarah Harmer, You Were Here
  • David Gray, Greatest Hits
  • Gary Peacock Trio, Now This
  • Dave Matthews Band, Under the Table and Dreaming
  • Erlend Øye, Unrest
  • Hooverphonic, Sit Down and Listen to Hooverphonic
  • Marvin Gaye, What’s Going On
  • Rilo Kiley, Take Offs and Landings
  • Natalie Merchant, Ophelia
  • Marvin Gaye, Here, My Dear
  • Sade, Lovers Rock
  • Sting, Fields of Gold: The Best of Sting 1984-1994
Posted in All

Tips for Caltrain riders, or: “We’re all in this together”

I’ve been commuting on Caltrain five days a week for eighteen months, usually taking my bike on board, to San Francisco from either Sunnyvale or San Mateo.

These are suggestions for how to be courteous to other riders. They’re more important on busy rush hour trains, and even then they’re not strict rules—use common sense (e.g. standing in an aisle is obviously fine if you’re waiting in line to detrain).

General tips

If you’ll be riding more than a few times, use a Clipper card. It’s way easier than buying paper tickets. Just be sure to tag off. Set a countdown timer or alarm on your phone if you’re afraid you’ll forget.

When standing on the platform preparing to board, leave a generous amount of room for people detraining, especially when boarding a bike car.

Avoid standing in the entrance/exit area if you’re not getting off at the next stop. This blocks the way for other people which slows the boarding process which delays the train. This is especially true for the bike car.

Rush hour trains are busy—be ready. Make your way toward the door before the train arrives at your station.

Avoid sitting on the steps or any other walkway or on the floor of the bike car. Especially true for the gallery cars because the walkways are narrower. This blocks the way for other people which slows the boarding process which delays the train. No one should ever have to ask you to allow them to get by.

If the train is standing room only and you’re standing, move all the way to the back of the car. Otherwise there will not be enough room for people to board which slows the boarding process which delays the train. In extreme cases this might prevent someone from boarding. No one wants to get bumped to the next train—we’ve all got somewhere to be.

Avoid sitting in a bike car if you don’t have a bike. Cyclists should be allowed to sit near their bikes. Why, you ask? So they can keep an eye on them as a theft deterrent. So they don’t have to go as far to find a seat or retrieve their bike when getting off. So they can help organize bikes, if needed.

Talking on a phone is officially allowed, but please speak softly.

Don’t put your feet, shoes, or socks on seats. Shoes are filthy—they step in streets where animals pee and poop. No one wants to sit in pee and poop.

If the train is crowded, don’t put your bag in a seat. Seats are for people.

Be kind. If the train is full, you have a seat, someone looks uncomfortable standing, and you’re a strapping young buck or doe, consider standing.

For cyclists on busy trains

All rush hour trains are busy, especially in spring, summer and fall. The train might be empty when you board, but it’s going to be standing room only by the time it gets to SF. Be respectful to people boarding after you. The following suggestions are more important for Gallery cars. Many of the busier rush hour trains have switched to Bombardier trains with three bike cars and congestion is greatly improved.

If you’ll be taking your bike on the train more than a few times, ask a conductor for a yellow bike tag, label it in large, clear writing, and attach it to your bike.

When deciding which rack to put your bike on, check the yellow bike tags and avoid blocking in a bike that will be getting off before you.

Don’t stop and leave your bike at the first rack when boarding if there’s a line of cyclists behind you waiting to board. Move further into the car to allow those behind you to board.

Be conscientious when putting your bike on a rack. If you need to, flip your bike around so the handlebars fit better. Rotate the pedals so they fit through a gap in the frame of the bike they’re leaning against instead of the spokes. Avoid smashing other people’s derailleurs (they’re somewhat delicate). Don’t be sloppy. Neat racks can fit more bikes. Messy bike racks mean someone else is going to get bumped to the next train, and no one wants to get bumped to the next train—we’ve all got somewhere to be.

If you’re getting off soon (other than the last stop), make your way to your bike early because you might need to shuffle some bikes around or navigate your bike out of a crowded car.

If you’re sitting upstairs and detraining at the last stop and your bike is against a window, please stay upstairs until most people downstairs have gotten off. Otherwise you’ll just get in the way and slow the process for everyone.

If you’re sitting upstairs and detraining at the last stop and your bike is blocking other bikes, consider making your way downstairs early so you can move your bike out of the way. Use your best judgement based on how many bikes you’re blocking and how crowded it already is downstairs.

When detraining at the last stop, avoid shuffling bikes around to get to yours if another bike is on top of it. This slows the detraining process for everyone. Just wait a few minutes for the owner of the other bike to come get it.

When there’s an incident

If a train breaks down, sometimes two trains will be combined into one. It’s a disaster when this happens during rush hour. Especially for cyclists. Rush hour trains are already standing room only—doubling the number of people just isn’t possible. If you have an alternate form of transportation, consider taking it.

If there was a fatality, due to a pedestrian or a car being struck by a train, trains tend to be delayed for one to two hours. It’s a slow process. A coroner must go to the scene, investigate, and decide when it’s OK to start allowing trains through again. Typically only a single track will be opened initially, which means trains can only pass through in one direction at a time. And typically they’re only allowed to move through the area slowly. When there are four trains waiting to pass from each direction it can take a while before your train gets through.

From past experience, conductors tend to say things like, “we’re hoping it will be just 10 more minutes.” Sometimes they’re correct, sometimes they aren’t. Sometimes it will take significantly longer.

Another thing that happens is northbound trains get blocked south of the accident and can’t make it to SF, then later there won’t be enough trains or conductors or engineers to fill the schedule, so they’ll delay leaving SF until trains arrive. Or they’ll combine trains. Or both. I imagine the same scenario plays out in reverse in San Jose, depending on where the accident is.

You can check Twitter for potentially useful status updates. My public Caltrain twitter list follows the relevant accounts. You can also subscribe to alerts on the Caltrain website.

If your train gets stopped and you’re close to your destination, consider getting off and taking another form of transportation (Uber, Lyft, have someone pick you up, bike the last few miles, etc).

If there are delays and you’re not on a train yet, consider staying where you are. Work from home. Stay at work longer. Grab dinner before heading home. There are many better uses of your time than sitting on a train.

Terminology

Conductors sometimes state that Caltrain is a “proof of payment system.” This means that you must purchase a ticket before boarding, and you must keep the ticket with you while on the train.

Clipper – A convenient card-based payment system used by Caltrain. Clipper cards can also be used for BART, SF buses, and a few other public transit systems.

When paying for a ride with Clipper, you must “tag on” before boarding and “tag off” after detraining. “Tagging” is done by holding your card against a Clipper card reader for a second. There are a few Clipper card readers at each station.

A “protected” crossing – Trains must go through a road or sidewalk crossing slowly, possibly because a crossing gate is broken.

Limited service – The train doesn’t stop at all stations—check the schedule.

Baby bullet – A train operating on the most express schedule (fewest stops) between San Jose and San Francisco.

This train will express to [some station] – The train will skip at least one station before stopping at the named station. Though conductors occasionally accidentally say this out of habit even when it isn’t true.

Gallery – The shiny metal train cars. One door per car per side. Two narrow walkways upstairs each with a row of single seats.

Bombardier – The light gray and red train cars. Two doors per car per side. Many pods of four seats, some with tables. Smoother suspension.

Consist – The type of train car making up a given train. For example, “#SB370 is running with a 5-car gallery consist instead of a 6-car Bombardier consist. #Caltrain.”

Rolling stock – The cars and engines used on the tracks.

Posted in All

Commuter bikes

Popular attributes

Around eighteen months ago I replaced my commuter bike and have been bringing it onboard Caltrain and to my office in San Francisco. Since then I’ve kept my eyes out for decent commuter bikes. Popular commuter bike attributes:

  • Inexpensive. Could get stolen or banged around. City streets tend to have poor quality pavement, potholes, etc., and it’s harder to avoid rough road when riding in traffic, so you want sturdy wheels rather than light and delicate wheels.
  • Single speed. Lower maintenance. No need to spend any brain power thinking about gears while focusing on avoiding cars. Note: If you get a single speed and ride it with a freewheel rather than a fixed gear, I recommend two brakes (front and rear) for redundancy in case one fails. Watch out here—some bikes sold as fixies only have a front brake.
  • Internal gearing. Cleaner, lower maintenance, and more reliable than a traditional derailleur due to being enclosed and protected from dirt and impacts. If you want to read more, the Wikipedia article has a great list of advantages and disadvantages.
  • Belt drive instead of chain. Cleaner and lower maintenance.
  • Chain guard. Keeps your pants from getting dirty.
  • Fenders. Keep your clothes clean when biking through puddles.
  • Weight. Depending on your usage this may or may not matter to you. Lighter bikes are always nice but they generally cost more. I carry my bike up and down a few steps at home, at my office, and getting on and off of the train. That’s a lot of lifting, so for me 20 lbs vs 25 lbs is a huge difference. But if you’re a heavy guy biking from your home garage to a local shopping center with not many hills in between then a few extra pounds on the bike won’t matter much. Also, lighter weight generally means better quality steel and better quality steel generally means a more pleasant ride.

Brands

You could of course use any bike. There’s no shortage of great entry level city bikes from the major brands (Trek, Fuji, Specialized, Cannondale, Novara, Scattante, Marin, etc.). But if you’re looking for something with more personality you might want to consider a smaller brand. Here are a few options sorted from least to most expensive. Asterisks next to the brands that are a little more appealing to me.

  • Brilliant Bicycle Co. They’re pretty. One, three, or seven speeds. Frames are made of cheap steel (SAE 1020 aka “hi-ten”) and too heavy for my taste (25.5 lbs and up). $300 and up.
  • State* – Single speed. Choose your preferred handlebar style, seat, and pedals. Frame steel is SAE 4130 (aka chromoly) and a decent weight (22 lbs). A coworker bought one and it seemed to be poorly assembled (guy at the local bike shop said there was no grease in the bottom bracket and maybe a screw somewhere had been cross threaded, but take this with a grain of salt—this is second hand info and it sounded like the guy was very anti mail-order bicycle to begin with). $390 and up. They also have an aluminum single speed and some mountain bikes.
  • Bigshot* – Custom fixies and single speeds. Frame steel is SAE 4130 (aka chromoly) and their bikes nudge into the heavy end of the spectrum (23 to 25 lbs). $400 for a custom build. As low as $300 for one of the pre-chosen builds.
  • Priority Bicycles – Belt drives. Three or eight speeds. Aluminum frame. Casual geometry and handlebars (which isn’t my style, but this is a matter of taste). $400 and up.
  • Wabi Cycles* – Quality steel (Reynolds 725 and Columbus Spirit). A few single speed options. Lighter than many other bikes on this list (the Wabi Lightning single speed is only 17.5 lbs!). Can choose your gear ratio, which is nice if you plan to bike up hills. Classically pretty. $750 and up. My personal favorite on this list. If I had to get another commuter I’d absolutely go with a Wabi Classic, and I’d be heartbroken if it got stolen. I love the understated and elegant style. I get the impression the builder is experienced and cares about the bikes he makes. (Edit: Wabi Cycles changed ownership in May 2015. It gives me a little pause, but as far as I can tell the new owners have kept the same bike lineup and price. As of January 2016 they’d still be my top pick.)
  • Spot Brand Bicycles – Belt drives. A lot of options. Hubs with various numbers of internal gears. Step through and non step through frames. Steel and aluminum. Too expensive for me to choose as a commuter bike but a decent option if gears are important to you. $1,200 and up.
  • Vanhawks – Belt drives. Single or variable speed. Carbon fiber. Lots of technology. Too expensive for me to choose as a commuter bike and the tech doesn’t particularly interest me. $1,550 and up.

The above are just brands I’ve seen with my own eyes. There are many more. Some brands that I’ve stumbled across and know nothing about:

And you can find many more digging through the archives of Momentum Mag.

Edit 2017-03-15: Aventon bikes look decent. Good steel at a reasonable price.

Posted in All, Cycling