Mea Vita: Carpe Diem

1. Java became what Ada wanted to be. Write once, run everywhere. 


2. Javascript became what Java applets wanted to be. Mobile code in a web browser.


3. REST became what SOAP wanted to be. Remote procedure calls with data over the Web.


4. JSON became what XML wanted to be. Human readable, machine to machine data exchange.

I was recently reminded of the unpleasant limitation of consumer appliances, such as Kindles or HomePods, on shared (public or semi-public) WiFi networks.

These shared networks typically don’t require a network password (WPA - WiFi Protection Access). Instead, these shared networks show up with the label, “Unsecured Network,” under the network name (SSID). The priority of these coffee shops and hotels is to limit access to the general public ahead of the security of hackers who are guests at their venue. It’s a better user experience, albeit less secure, for a hotel to authenticate by asking each guest to enter their last name and room number than it is to manage and promulgate a WiFi password like consumers do at home.

Unfortunately, there’s no simple solution for a venue guest other than to access the shared WiFi network using their own personal hotspot, if their appliance doesn’t have a Web browser. For guests of the venue, it’s very prudent to use their own VPN client to ensure their unencrypted network traffic is not being sniffed.

Restarting the iPhone

Force Restarting the iPhone

The heart of the Timer class.

I left out a simple tip from my "Tricks I Learned At Apple: Steve Jobs Load Testing" piece about timer objects. Below, is a complete, yet simple, Timer object class I wrote shortly after leaving Apple when I was working with SMS Hayes AT commands and RESTful APIs.

Exponential Notification

Timer objects do nothing more than measure the time it takes for a server's request/response loop to complete. Since this type of call is made over a network, it might finish very quickly (as expected) or, if the network is down or congested, it could take along time. If it takes a long time, the system admins will want to know. A good notification method is not to send an e-mail update or text message every single minute, or so – that ends up flooding people's inboxes. Instead, an exponential notification would be a much better idea. For example, notify the system administrators immediately, then wait one minute before the next notification, then wait two minutes, four minutes, eight minutes, etc. Finally, send a last notification once the issue's fixed.

Initiating the timer is simple...


And, lastly, the complete Java timer class is anticlimactic.

This is surprising and it doesn't make me feel good.

HTML Injection in the bottom right.

This morning I received an e-mail from my ISP (Cox) stating that I'm getting close to my 1 TB monthly bandwidth limit. This is the first time I've received any type of warning from Cox. I clicked the link in the e-mail which gave me daily and monthly bandwidth usage stats for the previous two months. Everything quickly seemed to make sense. This month, I ran several upgrades for my laptop and iPhone plus I began storing my 100,000+ photos and videos in iCloud, so the extra bandwidth usage all seemed correct.

But then Cox went one step further.

HTML injections by Cox into a random website I was viewing.

Later in the day, as I was surfing the Web, I was surprised to see an HTML injection ("Cox Browser Alert") into an online article I was reading on a non-SSL/TLS news website. Again, Cox was reminding me that I was approaching my bandwidth limit. While this is clever, HTML injections feel a bit like a personal violation.

Unorthodox

Having an ISP inject HTML into a webpage is analogous to the USPS opening a third party envelope that's addressed to me and placing a note, inside the envelope, that I have some business to conduct with the USPS (i.e. a registered letter to pick up, an unpaid USPS bill, etc). It's great that they went above and beyond to let me know. But, it's also a scary reminder that man-in-the-middle attacks... or at least interference... is very simple for ISPs to do; and this is much worse than when they highjack a 404 page.

Why are they called cookies?

Good question... no one really knows.

A cookie was originally designed to store small amounts of information in your web browser which was sent back to a server to provide information such as your username or login ID; this helped to make things more convenient. Think of a cookie as a token or ticket. 

But, how did cookies get that name? The answer isn't exactly known other than it might be related to what was organically called a "magic cookie." Some believe that a cookie goes back to the Hansel and Gretel fairy tale where the siblings used cookie crumbs to mark their trail through the forest. However, if that's the case, then I would have expected them to be called crumbs, not cookies.

My personal theory of choice is that cookie is short for "fortune cookie," in that it contains a small message similar to a fortune cookie. 

I recently had a slew of unauthorized attempted logins on my iCloud account which kept locking me out, requiring a password reset. I called AppleCare and the CSR asked me if had turned on two-factor authentication. I told him that I did and, after looking at my account details, he told me that I didn't have two-factor authentication turned on. Instead, he said that I had two-step authentication enabled. Hmm, I didn't know there was a difference.

The key difference is that Apple's two-factor authentication is more secure than two-step authentication. Two-factor authentication is built into iOS. However, if you have an Apple ID for, say, the iTunes Store, but you don't have any Apple devices then you can't take advantage of two-factor authentication; instead, you can use two-step authentication.

Throughout history, people have authenticated themselves in one of three ways (knows, has, is):
1. Something a person knows (a combination to a lock).
2. Something a person has (a key to a house).
3. Something a person is (I walk though the front door of my house and my family recognizes me).

With two-factor authentication, a person needs two things to prove who they are. We experience this when we withdraw money from an ATM since we need our ATM card (first factor) plus our PIN (second factor). With a two-factor Apple ID login, I need to know both my password and I need to have my iPhone handy so I can see a verification code sent to me when I log in.

Without realizing it, we might use three-factor authentication to get into our home by entering a code to drive into an apartment complex, followed by using a key to open our front door, and finally being recognized by another family member or roommate once we enter our home.
Once I switched over to two-factor authentication, which the CSR at AppleCare walked me through, the password resets immediately ended.

I have a DNS hijacking theory.

Route 53 is Amazon's elegant DNS web service. DNS is the part of the Internet that converts domain names, like apple.com, into IP addresses such as 17.172.224.47. This is how humans contact computers on the Internet. While DNS is robust, resilient, and redundant, it is the Internet's single point of failure.

So, here's my theory. Websites, like adweek.com, use Route 53:

returns:

This means the first time you visit adweek.com, your web browser/ISP will ask one of the Internet's root servers for adweek.com's registrar (i.e., where is the domain name, adweek.com, registered). The root servers will tell your web browsers that adweek.com is hosted at moniker.com (Moniker is a domain name registrar, similar the well-known GoDaddy). The next step is that your web browser will ask Moniker where adweek.com's DNS servers are located. These are referred to as the DNS name servers, or NS for short. As seen above, the response will point your browser to Route 53 which answers with four different servers for redundancy. The final step is that your web browser will query any one of these four servers for the physical IP address of adweek.com. All of these steps happen in the blink of an eye.

Now here's the hijacking part. What if I go to my own Route 53 account, create an entry for adweek.com, and start adding records? When I did this, Route 53 assigned the following four NS servers to me:

ns-715.awsdns-25.net.
ns-1787.awsdns-31.co.uk.
ns-396.awsdns-49.com.
ns-1263.awsdns-29.org.

There should be no hijacking problem since Route 53 assigned four NS servers to me that are different than adweek.com's NS servers. In other words, I cannot hijack adweek.com's Internet traffic in this case. But what if Route 53 had assigned to me an NS server that was the same as adweek.com's NS server? Then, I'm speculating, I could redirect at least a small portion of adweek.com's traffic to wherever I wanted to.

Perhaps this isn't an issue because Route 53 ensures that it never duplicates NS servers names. That would be an expensive proposition, but certainly doable. From there, if my theory holds true, then what about simpler DNS hosts, such as GoDaddy whose DNS servers seem to be limited to nsXX.domaincontrol.com, where XX appears to be a double digit number? This means that many different domain names are using the same DNS server names. Would that make it possible to hijack some traffic from websites sharing the same DNS server? I'm sure that DNS implementations are robust enough that this isn't an issue, otherwise it would have occurred by now. But, with my understanding of the DNS RFC, I don't know how this hijacking issue has been avoided.

So, how has this DNS hijacking scenario been prevented? I'd love to know.

Speedtest: 94 Mb/s on LAN vs. 314 Mb/s on WiFi

This week, I bought a new TV and hooked it up at home. The key differences between this model and the previous ones are changes to the remote control and the new tvOS App Store. I figured hardwiring it, on my LAN, would be better than WiFi. My thinking was two fold. First, I expected less of a chance of interference on a LAN connection, than wireless, and more importantly, I also thought the LAN connection would be faster.

I was half right. Of course there's less of a chance of RF interference, since wired is better than wireless. But my TV sits less than six inches away from my wireless router. Interference is unlikely.

I was also half wrong. Surprisingly, the new TV's LAN connection is Fast Ethernet, not Gigabit Ethernet. That means the LAN connection to the TV tops out at 100 Mb/s. But the Internet pipe into my living room is several times zippier than Fast Ethernet.

As I said nearly two years ago, Common Sense Can Be Misleading. Even simple theories need to be tested.

I recently befriended a guy who used to work in the mayor's office. During his tenure he oversaw several key transportation initiatives related to making the city more green and efficient. After speaking with him an idea came to mind regarding the importance of opening up government data to third parties via APIs. This is, by no means, a new idea, but it became obvious to me what can be gained once that happens.

Currently, if I want to access my DMV information, I have to visit a website developed by the government. Government websites are notorious for their poor design. Yesterday, I visited an FAA website to make an affirmation and this is what I saw...

Click to enlarge

I spent a couple minutes looking up and down the webpage wondering where to click to register my affirmation. I finally discovered that the entire green shaded area was a "button" to click on for affirmation. Although spelling out "click here" is usually a poor design choice, this is clearly a case where that would have been helpful. Even better would have been a simple button reading "I Affirm." If you look closer at the screen shot, you'll see there's actually a second button (the mauve shaded area) below the green one.

Data Wants to be Free

The reason I harp on poorly designed government websites is it would be simpler for governments to mind the data and let third parties design the websites and apps to disseminate it. Much of this data should be in the public domain, such as where a bus, train, or letter carrier is at any given time. Private government data, like my DMV information, can just as easily be accessed without compromise in much the same way that third parties access your Facebook or Twitter account.

The private company, Car2Go, does a great job at sharing data. Car2Go has their own free app and they publish their car data APIs for third parties to access and develop against. Car2Go doesn't make any more or less money if a customer uses their app or a third party app. Third parties are incentivized since they can sell their apps. Car2Go makes their money on the car rentals while third parties make their money selling their own apps.

The next time you find yourself on a marginal government website think about how great it would be if a professional web design firm got a hold of it.

Ten years ago, I signed up for AT&T's top of the line business class DSL in Carlsbad. It's worked very well with five static IPs and 5 Mbps up / 600 Kbps down. With proper optimization, the servers on this circuit could handle 75,000 unique visitors each day. All of my professional and personal needs we met.

Last fall, I signed up for Optimum's residential service in New Jersey which is amazingly fast as you can see in the graphic. Faster than FiOS and "faster than 95% of the US."

The problem is that we keep needing more bandwidth and slowing down feels like going back in time. It feels so "dial up."

In the past, I've optimized the Carlsbad business servers by pushing static resources into Amazon's cloud. But, I've noticed a recent problem with only 600 Kbps up. When I'd get home, after taking photos with my iPhone, they'd sync to iCloud. Surfing the web, during the automatic iCloud sync, is painfully slow and there's no way to optimize this process. I think it's time to find a faster connection for Carlsbad, unfortunately, there are only a couple choices.

Have you ever taken a look at all the personal wireless networks around your home? If you live in a house, you might notice a couple of your neighbors' networks. But, if you live in an apartment or condo, you could easily be within range of ten or more wireless networks.

Each wireless network can be given a specific name to identify it. For security reasons, wireless networks can also be configured to not broadcast their name, but people rarely do this on home networks.

Since your network is broadcasting its name, people can see it. If your network requires a password, then they can attempt to join it by repeatedly trying different passwords.

To avoid this, I've given my home wireless networks names to dissuade people from joining them by naming them with financial rates to look as if they're metered: $4.95/minute is the name of my Airport Express network, and my two home base station networks are named $9.95/minute and $12.95/minute.

Over the years I've had a number of guests over to my house who would try to join my neighbor's wireless networks before asking me the name of my network. They've always had a good laugh when I told them the name. They usually comment that they were trying to access all of the other networks and stayed away from the $12.95/minute network just in case it could some how run up a bill on their device.

After the spectacular LinkedIn IPO a lot of people have been asking if this social media company is really worth almost $8 billion or could this be another bubble? For that matter, what, exactly, is social media?

While participating in a strategic planning meeting, recently, I was asked, "What will communications look like in 2020?" After some thought, my answer was, "social media." Social communications, just like mass communications, has been around since the dawn of civilization, however, the media used to convey social communications is very new.

Mass media (the medium, not the industry) began with the printing press which was invented in the 1400s. As a result of technological advances, mass media exploded in the first half of the Twentieth Century with radio and T.V. and it continued growing with the adoption of the Internet.

Social media, however, is truly a new media. Whereas mass media is a one-to-many method of communications that is one way, social media is a two way, many-to-many, communications channel.

Social media, like many new, unexpected, forms of communication, was first looked upon with skepticism. We saw skepticism like this in the mid 1990s as cell phones became popular. The first few times I noticed people talking on cell phones in public, even when polite etiquette was followed, my reaction was, "What's so important that you have to talk now?" Yet, today, talking on a cell phone in public is not a big deal. However, in the case of new media, many still have the same reaction when everyday-people blog, tweet, and use Facebook on a daily basis.

Why does someone need to "tell the world" what they're doing when it's as mundane as, "My cat just rolled over?" In the case of social media, this could easily lead to a conversation between cat lovers who didn't know each other. Everyone enjoys spending some time engaging likeminded people. Social media simply extends the social conversations that we have at the water cooler, on the phone, or during dinner, and moves them into cyberspace.

While specific media and technologies may come and go, such as the 8-track, telegram, or the fax; other, more fundamental forms of communication are here to stay. However, new forms of media do not quickly replace the old ones any more than the telephone has replaced radio communications, or that e-mail has replaced "snail mail".

In the 1960's and early 1970's, my father worked for JC Penney's quality assurance (QA) department. In those days, JC Penney used to evaluate and test the products they sold.

After we moved from New York City out to Suffolk County, Long Island, my father decided to forgo the commute on the Long Island Rail Road and he went to work locally at Underwriters Laboratories (UL) which specializes in independent safety certification.

Growing up, I learned a lot about the importance of QA in manufacturing. After all, you can't know everything about everything, so it's nice to have a professional looking out for your safety.

The Emergence of Consumerism
As new industries emerged during the Twentieth Century, there arose a need for independent organizations to evaluate the suitability of third party products. A similar requirement now exists for the software industry where third parties need to evaluate software for security. However, these organizations cannot also sell the solution to the problems they discover.

These third parities would evaluate software in ways similar to how current private (Consumer Reports, BBB, UL, etc) and public (FDA, EPA, FAA, etc) organizations evaluate cars, planes, businesses, drugs, etc.

Regulating Innovation
But, software is too innovative to regulate.

socalTECH.com picked up this article for publication.

Net neutrality is a complicated and controversial subject. The principle states that if a given user pays for a certain level of Internet access, and another user pays for the same level of access, then the two users should be able to connect to each other at the subscribed level of access.

Basically, net neutrality calls for an open and non-tiered network. The world's systems of roads is a great metaphor for the Internet. Just like there's no simple way to shut down all the roads in the world, there's no simple way to turn off the Internet.

By imagining the Internet as roads, we can envision each packet of data as a car or truck traveling the highways and byways. Just as a car or a truck carries a "payload", a network packet carries a payload of data.

Using this metaphor, net neutrality means that cars get to drive on the roads with the same priority (speed) that the surrounding traffic will allow. No one's allowed to travel faster than the speed limit simply by paying more.

Openness is also a huge part of net neutrality. The biggest difference between a public toll booth on a road and an outlaw warlord collecting a bribe at a roadblock is openness. We all know that the police and the fire department get to break the speed limit in the line of duty because it makes sense and it's done openly; but it's not OK for a police officer to speed, when off duty, in order to make it to a personal appointment.

Being open also means that a network's owner cannot secretly block, filter, or divert packets because it suits them.

Image what the U.S. road system would be like if large corporations could pay for faster, shorter, and better "Lexus Lanes", while private citizens were forced to use lower quality roads.

Flash is great in that it is ubiquitous. There is not a single, decent, desktop web browser that doesn't have Flash installed.

But, the problem is that Flash is a CPU/memory hog.

The Java VM, which runs applets inside web browsers is also a hog, but few websites that run Java applets will run more than a single instance. Flash, on the other hand, is everywhere.

Nearly every single ad on a professional website is Flash so there are multiple instances of the Flash plug-in running on a single page and they're all sucking up CPU cycles to process video which can result in your web browser crashing. This can render a web page painful to load and watch on a web browser that's more than a few years old.

Flash was originally designed to provide an interactive user experience, similar to Java, and it later became the de facto standard for displaying video. Unfortunately, it can only display video, effectively, on the newest of desktop web browsers.

Are you tired of seeing attacks against port 22 (SSH) on your public servers?

The attacks generally look like the following log snippet which is a simple dictionary attack (usually against root or admin).


Nov 15 07:41:58 static-171-163-154-171 sshd[5470]: Failed password for rootfrom 68.152.76.202 port 50818 ssh2
Nov 15 07:41:58 static-171-163-154-171 sshd[5472]: Invalid user password from 68.152.76.202
Nov 15 07:41:58 static-171-163-154-171 com.apple.SecurityServer: authinternal failed to authenticate user password.
Nov 15 07:41:58 static-171-163-154-171 com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.


You could try reporting the offending IP address, but the attacking computer will frequently turn out to be a compromised Windows machine owned by grandma and grandpa.

Solution
Your best bet, after ensuring that you're using a strong password, is to have SSH listen on a port other than 22, such as 8080. Since port 8080 is usually used as an alternative to port 80, attackers will try using the http protocol to exploit it, which will fail before the attack even has a chance to begin. At this point, script kiddies will move along since there are so many other servers, with vulnerabilities, to choose from.

Overview
The Domain Name System, better known as DNS, is probably the most critical part of the Internet. DNS converts domain names, such as google.com, into IP addresses like 74.125.45.100. Since it's so important it's also the most robust and redundant Internet infrastructure in place. Attacks against this system usually go unnoticed by the public. If an attack were to successfully bring down all 13 root name servers then Internet traffic would, for all practical purposes, be unroutable - and the Internet would stop working. Luckily, each root server is actually a farm of servers which appear, from the outside world, as a single server.

Taking Down the Internet
Taking down all 13 root servers at the same time would have the effect of removing every street sign on every road in the world. Unless you know where you're going, and you've been there very recently, then your network packets used for web browsing, e-mail, etc, won't know how to reach their destination.

The Root
Top Level Domains (TLDs) are the last portion of a fully qualified domain name (i.e. .com, .net, .us, etc). To be completely correct, all TLDs end with the same character ("." pronounced "dot"). If you have a decent web browser then the following link should work: http://www.cnn.com./ (include the ending .) If this example doesn't work, then try pinging it from the command line. Think of the . as the root of DNS.

Domain Name Registration
When you purchase a domain name the registrar usually configures your DNS with some default settings. Generally, it'll point your domain to a generic landing page until you either upload your own web page or reconfigure the DNS to point to either another DNS server or web site. Once you've changed a DNS record, it can take some time until ISPs are updated. How long these updates take to propagate is configurable when creating a DNS record - the typical range is from an hour to a day.

DNS Configuration
You have two options when configuring DNS. Either you can configure it through your registrar or you can run your own DNS server. Over the past decade I've tried both methods, extensively.

DNS Self-hosting: QuickDNS Manager
In the beginning, domain registrars did not have sophisticated DNS management tools so I ran my own DNS server using QuickDNS Manager from Men & Mice (They no longer sell this great product, under this name, anymore). QuickDNS made it extremely simple to configure DNS using the QuickDNS Manager's GUI.

Click to enlarge

In this example, the TTL (time to live) column sets how long, in seconds, third party DNS servers (i.e. ISPs) should cache this information before going back to the the registrar. The defaults in the upper right are used when the TTL column is blank for a particular record. Therefore, this DNS configuration tells third party DNS servers to cache the www.example.com and example.com records for 300 seconds (five minutes).

Although self-hosting my own DNS server gave me a huge amount of flexibility the biggest draw back was that it requires a dedicated server machine. Since running a DNS server doesn't require heavy lifting by the server's CPU, I was successful in running my own DNS server for business purposes on an old 233 MHz (Wall Street) and then later a 500 MHz PPC G3 (Pismo) PowerBook with no problem at all. The beauty of using an old laptop as a server is that its battery acts like an internal UPS. As a matter of fact, about five years ago, I used to run e-commerce web servers, mail servers, DNS servers, etc., "on the cheap" using a farm of laptop servers.

There are other many other DNS server software options, but I particularly liked QuickDNS due to its ease of use.

GoDaddy's DNS in the Cloud
These days, it's hard to beat using a DNS service that's hosted in the cloud - especially when, in the case of GoDaddy, it's free. For the cost of registering your domain name (about $10/year), you can configure your domain's DNS either through a web browser or through a text file that can be uploaded and downloaded to/from GoDaddy.

GoDaddy UIs
GoDaddy's DNS notations deviate slightly from the DNS BIND standard, but it still works as expected. Specifically, they have eliminated the need for each domain to end with a dot - after all, it's implicit. Also, when you want to reference the domain's root name (i.e. example.com) you use the @ symbol.

Here's a screenshot of how I've configured AdjixSucks.com to be a static web site hosted on Amazon's S3 (more about hosting websites on S3 can be found here):



Here's the text file, from GoDaddy, which can be downloaded, edited, and then uploaded (Be sure not to upload duplicated DNS records. If there's a duplicate record then GoDaddy will not apply any changes and return an error. This is a great safety mechanism to prevent accidents which could bring down a website.)


Using GoDaddy's web interface, you can configure your DNS record's TTL for 30 minutes, one hour, 12 hours, one day, or one week. To configure with a finer level of granularity, i.e. 300 seconds, you'll have to upload the updates to GoDaddy via a text file.

Out Source or In-house?
While there are other DNS hosting options, and some cost a small amount of money, it makes a lot of sense to use a professional DNS hosting solution instead of running your own DNS server. If you don't own the hardware then you don't have to support it. (While software may have bugs, it never fails in the manner that hardware can.) Due to the critical nature of DNS, third party hosting solutions do an excellent job at supporting this service.