Took My Data Privacy Training Today

The European Union is enacting a new policy concerning the way companies treat the personal information of their customers. Today I went through the training to make sure I understood what those rules meant to me.

Spoiler: nothing new. But there are a lot of other companies in this neighborhood that are probably scrambling. I’ll name names later.

The new privacy training was pretty much exactly the same as the previous data privacy training I have gone through, with the exception that there is a new report to fill out to make the decision process on using customer data visible to the outside world. There is also a new portal so people can see all the data my employer has collected on them, and request that that data be deleted.

But overall, the new privacy regulations in Europe might have been written by my company, they match our existing policy so closely.

Remember back when Google was “accidentally” collecting information about open home WiFi networks? Accidentally in this case means accidentally creating database tables and queries to store that information. I mean hey, accidents happen. That was a while ago, but that shit is really not going to fly now.

Hey! So much for “later”. I’m naming names.

The regulations go something like this:

  1. You have to spell out what you will be using the data for BEFORE you collect it.
  2. You have to protect that data.
  3. You have to let people see the data and tell you to delete it.

The Google thing was years ago. (There are plenty of current investigations, however.) But hey, remember last week when an Android user discovered Facebook was recording the recipient and duration of all his phone calls? Yeah, the beat goes on. In the aftermath of that I downloaded my own information and there were only a couple of surprises, none shocking. Hint: I don’t use Android.

At Google they must HATE Facebook for being so damn sloppy and leaking data all over the place, rather than just efficiently selling it. Regulators are swarming! Maybe now Google might consider putting in place basic security measures to prevent apps from rooting through shit that is none of their business.

My Facebook information was mostly unsurprising, but I suppose it’s possible that in the last few days Facebook has decided that fraudulently withholding some of the data they have collected on me is better than confessing to all of their shenanigans. Ironically, the ability for people to download their information was probably implemented by Facebook to comply with the new regulations. Sadly for them, the more people who download their personal info, the more trouble will arise for Facebook.

I encourage everyone to request a data download from Facebook. And from Apple, and from Google, and from Amazon. Probably Ebay, too, and the list goes on.

For the rest of this episode, I am full-on partisan. Just so you know. But there’s nothing I’m going to say that is not easily documented.

Google has a vast amount of data on you. If you use Google Wallet, downloading your data might be downright scary; if you use ApplePay instead you will find a big empty nothin’ concerning your spending habits. Apple built it so that it was not possible for them to learn anything about you from your spending. It was not easy to do.

I work for Apple. I am proud that my company puts privacy over profit — that HomeKit is slow to be adopted because it protects privacy and home-gadget manufacturers want to profit from personal data (and the hacking-resistance of HomeKit is more expensive to implement — something I’m also fine with), and I am proud that ApplePay was first out of the gate but isn’t growing as fast as the competitors because privacy requirements make it harder for banks to join in. Apple is losing money protecting privacy.

Unless protecting privacy becomes law. Then, suddenly, my employer is in the catbird seat, having built its information structure around privacy from the get-go. Apple has put a lot of systems in place to make sure they cannot collect large categories of personal data. Currently that data is an asset that they are failing to exploit. In the future, that data will be an onerous responsibility for any company that holds it. I hope so, anyway.

Assembling an iomega Mac Companion Enclosure

One of the big-ass hard drives we use for backup has started to make scary noises. Not the kind of sounds you want to hear from a drive that holds important data for our family and for a few friends around the country as well. It was time to start looking for a replacement drive. One thing I wanted to do was have a clear upgrade: with the new setup I will not have to fear the catastrophic consequences of a single drive failing.

A note on levels of catastrophe: some might think that losing backup data is an inconvenience. In the same way you could think that losing the co-pilot of an airplane is an inconvenience. But with the backup compromised, risk of disaster has gone up exponentially. At Muddled Ramblings and Half-baked Ideas we take that shit seriously as we skulk in our secret bunker, buried deep beneath a trailer park next to a sprawling cemetery, ready for the Zombie Apocalypse to begin.

There are fancy enclosures that hold several drive units and use a variety of schemes that fall under the general acronym RAID to protect data from the failure of a single drive. Most of those enclosures have loud fans, and all of them cost a lot of money. Where does a cheap bastard go when he wants RAID 5, quiet and cheap? He buys a bunch of inexpensive but high-quality disks, puts them in inexpensive but high-quality quiet enclosures, and uses SoftRaid to turn them into a single virtual disk with reasonable protection from disaster.

After a little research, I found the right drives (Seagate bulletproof datacenter-rated blah blah blah) and the right enclosure: the iomega Mac Companion. What is great about this enclosure is that it has TWO firewire connectors, so you can daisy-chain them and connect many drives to a single firewire port on the host computer. Music to cheap-bastard ears, and not found on other enclosures at any price. Plus, you can buy them cheap on eBay in any quantity you might want, while supplies last.

There’s a catch, of course: iomega is defunct, and never officially sold this enclosure without a drive already installed. The packaging looks as though they might have been planning to sell empty enclosures, but the documentation (and even some of the text on the box) is clearly written with the assumption that the drive is already in there and everything is assembled.

So, you have packaging clearly designed to contain an empty, partially-disassembled hard drive enclosure, and instructions clearly for a pre-assembled unit. Weird. Perhaps some last, desperate attempt to sell an inventory of enclosures the company could no longer afford to fill. The only intern left to handle the packaging had no idea what to do about the instructions. We’ll never know the whole story.

But there’s a glut of quite capable hard drive enclosures out there now, and I bought some of them. As for assembly, there are no instructions. Not in the box, not online. You’re on your own, buddy. Until now! By my third enclosure, assembly was actually pretty easy. As a public service to anyone else who might have jumped on this deal, here are step-by-step instructions. You don’t have to thank me, it’s what I do.

Step 0: Survey the stuff.
When you open the box you will see parts in two groups: the top and the bottom. The bottom section includes the plastic base, the metal housing, and the circuit board, which is attached to the bottom of the aluminum inner shell. The top section has an aluminum inner shell top and the plastic lid for the enclosure.

Let’s take a moment to visualize the final product. A hard drive mechanism, inside a protective metal inner shell, inside a sturdy enclosure with lights on the front. With that in mind, we will be building from the middle out. (Yes, I thought of Silicon Valley when I wrote that.)

Step 1: Start by disassembling the bottom parts even further. Carefully pop the plastic base out of the outer metal housing, then slip the circuit board with inner shell off the plastic base. This is the step that took me three tries to learn. After this, everything is actually pretty obvious.

Step 2: Set the hard drive onto the white shield over the circuit board and slide it forward onto its connector.

Step 3: Slide the top inner shell over the drive unit with the little pigtail cable sticking out the slot in the side. At this point, you have something that looks like this:

[Image: IMG_0420]

Step 4: If you look at the picture, you will see a screw holding the drive in place. The enclosure does not include the screws, but they are a standard size. I’m not sure what size, because I had some in my hardware collection, but you can figure that part out. In fact, in the first drive I assembled, I didn’t use any screws at all. I resolve to not use that drive as a maraca, and all will be well. But if I had it to do all over again, I’d screw those bad boys down.

Step 5: Slip your well-shielded hard drive assembly back onto the plastic base. Fiddle with things until the connectors line up with the holes in the base.

Step 6: The circuit board on the end of that pigtail cable hanging out the side actually has four LEDs on it. The tiny circuit board fits into a slot in the plastic base. Note that there is a wee indentation in the board at one end; that part goes DOWN, where it seats neatly on a plastic fin:

[Image: IMG_0415]

Step 7: Now it’s time to put the outer metal housing on. There’s an odd plastic bit you set aside earlier with four little shafts sticking out. Those go into the holes in the front of the housing, and as you put the housing down over the plastic base the odd plastic bit will slide into the holder directly in front of the circuit board from step 6.

[Image: IMG_0422]

Step 8: At this point, everything is connected and should be functional. Before passing the following Point of Maybe-No Return, I plugged in each unit and made sure it spun up happily.

Step 9: Snap on the lid. You’re finished! Woo!

I have no idea how to remove the lid again; and hopefully I’ll never have to learn. Now I have a lot of room for data. Setting up my poor-man’s RAID will likely have to wait until next weekend, and hopefully will be simple enough that I don’t need to write a how-to. In the meantime, I hope this is helpful to those who find themselves with a question mark hovering over their heads as they stare at the parts they have just received.

mmfnuckin?

My spelling corrector just changed m’fuckin’lord to mmfnuckin’lord. It does not change m’fuckin’ to mmfnuckin; the lord part is apparently important. I’m sure there’s something to learn from this.

So close…

About to purge the last of the Windows from the house, and say goodbye to the flimsy crap Asus laptop. The last task: getting it to talk on the network so we can move everything over.

It worked on the network two days ago. It has all sorts of other problems, far too many to enumerate here, but at least we were able to move files.

Now, not so much. Along with this happy message:

A problem is preventing the troubleshooter from starting.

Yay Microsoft!

Will the World Break in 2016?

Well, probably not. The world isn’t likely to break until 2017 at the earliest. Here’s the thing: Our economy relies on secure electronic transactions and hack-proof banks. But if you think of our current cyber security as a mighty castle made of stone, you will be rightly concerned to hear that gunpowder has arrived.

A little background: there’s a specific type of math problem that is the focus of much speculation in computer science these days. It’s a class of problem in which finding the answer is very difficult, but confirming the answer is relatively simple.

Why is this important? Because pretty much all electronic security, from credit card transactions to keeping the FBI from reading your text messages (if you use the right service) depends on it being very difficult to guess the right decoder key, but very easy to read the message if you already have the key. What keeps snoops from reading your stuff is simply that it will take hundreds of years using modern computers to figure out your decoder key.

That may come to a sudden and jarring end in the near future. You see, there’s a new kind of computer in town, and for solving very specific sorts of problems, it’s mind-bogglingly fast. It won’t be cheap, but quantum computers can probably be built in the near future specifically tuned to blow all we know about data encryption out of the water.

Google and NASA got together and made the D-Wave two, which, if you believe their hype, is the first computer that has been proven to use quantum mechanical wackiness to break through the limits imposed by those big, clunky atoms in traditional computing.

Pictures abound of the D-Wave (I stole this one from fortune.com, but the same pic is everywhere), which is a massive refrigerator with a chip in the middle. The chip has to be right down there at damn near absolute zero.

[Image: D-Wave exterior]

The chip inside D-Wave two was built and tuned to solve a specific problem very, very quickly. And it did. Future generations promise to be far more versatile. But it doesn’t even have to be that versatile if it is focussed on breaking 1024-bit RSA keys.

It is entirely possible that the D-Wave six will be able to bust any crypto we have working today. And let’s not pretend that this is the only quantum computer in development. It’s just the one that enjoys the light of publicity. For a moment imagine that you were building a computer that could decode any encrypted message, including passwords and authentication certificates. You’d be able to crack any computer in the world that was connected to the Internet. You probably wouldn’t mention to anyone that you were able to do that.

At Microsoft, their head security guy is all about quantum-resistant algorithms. Quantum computers are mind-bogglingly fast at solving certain types of math problems; security experts are scrambling to come up with encryption based on some other type of hard-to-guess, easy-to-confirm algorithm, that is intrinsically outside the realm of quantum mojo. But here’s the rub: it’s not clear that other class of math exists.

(That same Microsoft publicity piece is interesting for many other reasons, and I plan to dig into it more in the future. But to summarize: Google wins.)

So what do we do? There’s not really much we can do, except root for the banks. They have resources, they have motivation. Or, at least, let’s all hope that the banks even know there’s a problem yet, and are trying to do something about it. Because quantum computing could destroy them.

Eventually we’ll all have quantum chips in our phones to generate the encryption, and the balance of power will be restored. In the meantime, we may be beholden to the owners of these major-mojo-machines to handle our security for us. Let’s hope the people with the power to break every code on the planet use that power ethically.

Yeah, sorry. It hurts, but that may be all we have.

A Secure, Undisclosed Location for my Stuff

I take a bunch of pictures. Each image is many megabytes. It adds up. I have a big-ass hard drive or two, but each image should be on multiple hard drives, and not all in one room.

Then there’s DropBox. That’s a service that makes one folder on your computer also exist out there in what the kids are calling the cloud. Which is cool from a redundancy standpoint, but what I’d really like is to not have to keep the files locally at all. I want something that looks to my computer exactly like a hard drive, but is really some gee-whiz redundant storage solution out there somewhere.

There are a couple of requirements:

  • It really does act just like a hard drive
  • It is encrypted with a key that I generate; the provider does not have that key. No one has that key but me.
  • There is a plan and escrowed funds so that if the host goes belly-up, I get my data back.

I don’t even know where to start looking. Suggestions?

Billion-Person Problems vs. Individual People

I read an article today idolizing Larry Page, head honcho at Google. I have to confess, reading Larry’s quotes, I was pretty damn impressed. Some of his goals are downright “holy fuck, that’s awesome”. If even a small percentage work out, lots of people will be helped. Larry calls them his billion-person problems. But…

Can you solve billion-person problems while exploiting a billion individuals?

Put another way: here’s a billion-person problem that Google is central to: the erosion of privacy in the modern age. For instance, Google has taken very seriously securing your information as it travels from your computer to their servers. But once that email hits their hard drives, it’s fair game! As long as no one else can get at your info (well, except governments with leverage over the Goog), all is well with the world.

Before I get too deep in this rant, let me say that the Internet would suck a lot more without Google’s search engine. I use Duck-Duck-Go to exploit the power of the search without yielding up my personal info. I realize that’s kind of like getting sushi and not paying; if everyone did that, search engines would have to start charging for their services and people would be faced with putting a monetary value on their privacy.

And, I think there’s a lot to be said for the way Google runs their company, the way they commit to their managers rather than just making the best engineers the bosses of other engineers. I give them big props for that. That comes from the very top and Larry Page deserves credit.

But now, on with the rant!

What Google knows when you use their payment system (Google Wallet):

Google Wallet records information about your purchases, such as merchant, amount, date and time, method of payment, and, optionally, geolocation.

What Apple (my employer) knows when you use their payment system (Apple Pay): Nothing.

Apple Pay was designed from the ground up so that Apple could not get your personal information. This made it way more complicated to implement and added hardship for banks as well, but it was a fundamental tenet of the system. Apple gets enough aggregate information back from the banks so they can get their fees, but none of your personal information is in that data. In contrast, Google (not just their wallet) has been built from the ground up to collect and sell your personal information.

Of course, the banks still know, and the merchant still knows, and Amazon tells advertisers what’s in your wish list… So it’s not just Google here. But Google has access to information you never intended to be known — a lot of it — and they have a unique opportunity to make meaningful change on this front.

Nest, the hot-spit thermostat/smoke detector company, was bought by Google. I was discussing it the other day with a co-worker who is a (mostly) satisfied customer. It sounds like a pretty cool system, but I mentioned there was no reason for the damn thing to be in the cloud just to be operated from my phone — it just needed to be part of a personal network that could talk to all my devices. My friend, who has a buddy who works at Nest, shrugged and said, “they have to collect and aggregate data to make the service work right” (or something like that). I accepted that at the moment, but later I realized: NO THEY DON’T. I want my home automation to be based on ME, not some aggregate of other people. And, if they made the data collection voluntary, I might even opt in if it looked like it would help the collective good. It’s something I do.

I voluntarily share personal information all the time. I share my bike rides (but suppress the exact location of my house). I share my image on Facebook. I share biographical data right here on this blog. I probably share more personal information than I should, but I make a big distinction between voluntary sharing (Facebook) and involuntary sharing (having my emails read by a corporation). Even though I don’t use a gmail account, my emails are still read every time I send a message to a gmail user. Does it matter if I’ve agreed to their terms of service or not? No. No, it doesn’t.

Microsoft took a couple of shots at Google a while back, promoting their email and search services as being more privacy-friendly than Google’s. But, amazingly, Microsoft kind of half-assed it (they had a produced-by-local-TV-station look) and they failed to deliver the message effectively, the way Microsoft is wont to do. Still, at least they tried.

If Google would do one thing, a thing that is in their power to do, I will take back everything else I have said about them. If they provide real encryption for their emails — encryption all the way to their servers, encryption they won’t have a key to unlock, so only the intended recipients can read it, I’ll believe that they care about me, and the other billions of people in the world. And it would be a hell of a selling point for gmail.

Calculating Calories is Hard!

I’ve been using both MapMyRide and Strava to track my bicycle rides recently. In addition, I’ve been using the activity app on my slick new Apple Watch. Each estimates how many calories I burned on my ride, but the numbers are very different. For example, on my ride to work yesterday morning:

MapMyRide: 814 Calories
Strava: 643 Calories
Watch: 757 Calories

Dang – those are quite different numbers, especially when you consider that MapMyRide and Strava are using pretty much the same data and coming to very different conclusions. What gives? CAN I EAT THAT DONUT OR NOT?

Strava and MapMyRide use speed and (maybe) elevation change in a formula with the rider’s weight to come out with an estimate of how many calories the rider burned. Strava lets me set the weight of my bike; I don’t know what MapMyRide assumes. I’m pretty confident that neither really uses elevation changes well. And headwinds? Forget it.

Both services can come up with a better wild-ass guess if you use a special crank or pedals that directly measure how hard you are working. They directly measure the output of your muscles, so the only remaining guesswork is how many calories you burned to do that work (some people are more efficient than others). There’s a Garmin setup that will tell you if one leg is doing more work than the other. I have no such device.

The most accurate way available to measure calories burned is to measure how much carbon dioxide one exhales. Rather than measure the work you did, you’re measuring how much exhaust you produced. This is impractical on a bike ride, however.

Which brings me to the gizmo strapped to my wrist. It estimates calories based on my heart rate. I have no idea what formula it uses, but hopefully it incorporates my resting heart rate (which it measures throughout the day) and my weight (which I have to remember to tell it), and maybe even my age. The cool thing is that heart rate is directly related to carbon dioxide production. When I’m riding fifteen mph with a tail wind, I’m barely working at all. When I’m pushing against gale-force breezes at the same speed, I’m huffing and my heart is thumping. To Strava and MapMyRide, the rides look the same. The watch knows the truth.

When WatchOS 2 comes out (the “features we couldn’t get perfect in time for WatchOS 1” release), Strava will be able to access my heart data. I’m interested to see what that does to the numbers.

In the meantime, I’m listening to my watch.

How Secure is Your Smoke Detector?

You probably heard about that HeartBleed thing a few months ago. Essentially, the people who build OpenSSL made a really dumb mistake and created a potentially massive security problem.

HeartBleed made the news, a patch came out, and all the servers and Web browsers out there were quickly updated. But what about your car?

I don’t want to be too hard on the OpenSSL guys; almost everyone uses their code and apparently (almost) no one bothers to pitch in financially to keep it secure. One of the most critical pieces of software in the world is maintained by a handful of dedicated people who don’t have the resources to keep up with the legion of evil crackers out there. (Google keeps their own version, and they pass a lot of security patches back to the OpenSSL guys. Without Google’s help, things would likely be a lot worse.)

For each HeartBleed, there are dozens of other, less-sexy exploits. SSL, the security layer that once protected your e-commerce and other private Internet communications, has been scrapped and replaced with TLS (though it is still generally referred to as SSL), and now TLS 1.0 is looking shaky. TLS 1.1 and 1.2 are still considered secure, and soon all credit card transactions will use TLS 1.2. You probably won’t notice; your browser and the rest of the infrastructure will be updated and you will carry on, confident that no one can hack into your transactions (except many governments, and about a hundred other corporations – but that’s another story).

So it’s a constant march, trying to find the holes before the bad guys do, and shoring them up. There will always be new versions of the security protocols, and for the most part the tools we use will update and we will move on with our lives.

But, I ask again, what about your car?

What version of SSL does OnStar use, especially in older cars? Could someone intercept signals between your car and the mother ship, crack the authentication, and use the “remote unlock” feature and drive away with your fancy GMC Sierra? I’ve heard stories.

You know that fancy home alarm system you have with the app that allows you to disarm it? What version of OpenSSL is installed in the receiver in your home? Can it be updated?

If your thermostat uses outdated SSL, will some punk neighbor kid download a “hijack your neighbor’s house” app and turn your thermostat up to 150? Can someone pull a password from your smoke detector system and try it on all your other stuff (another reason to only use each password once)?

Washer and dryer? The Infamous Internet Toaster? Hey! The screen on my refrigerator is showing ads for porn sites!

Everything that communicates across the Internet/Cloud/Bluetooth/whatever relies on encrypting the data to keep malicious folks away from your stuff. But many of the smaller, cheaper devices (and cars) may lack the ability to update themselves when new vulnerabilities are discovered.

I’m not saying all of these devices suck, but I would not buy any “smart” appliance until I knew exactly how they keep ahead of the bad guys. If the person selling you the car/alarm/refrigerator/whatever can’t answer that question, walk away. If they don’t care about your security and privacy, they don’t deserve your business.

I’ve been told, but I have no direct evidence to back it up, that much of the resistance in the industry to the adoption of Apple’s home automation software protocols (dubbed HomeKit) is because of the over-the-top security and privacy requirements. (Nest will not be supporting HomeKit, for instance.) In my book, for applications like this, there’s no such thing as over-the-top.

Another Baby Step Toward Email Privacy

Email is frightfully insecure. Anything you write can and will be read by any number of robots or worse as it bounces across the Internet. Gmail? Forget about any shred of privacy. While the Goog champions securing the data as it comes to and from their servers, once it’s there, your private life is fair game.

It doesn’t have to be that way. We can encrypt the contents of our emails so that only the intended recipients can read them. I’m not sure how many more embarrassing corporate, government, and university email hacks will have to happen before people start to take this seriously, but remember, those were only the illegal hacks. Other people are reading your emails all the time already. This bothers me.

Sorting out a solution to this problem has been like having a big jumble of puzzle pieces on my coffee table, and while I’ve pushed the pieces around to get them to fit together, it’s become apparent that there’s a piece missing — until (perhaps) now. To understand the puzzle piece, it’s easiest to start with the hole it needs to fill. Some of this you may have read in posts from days of yore.

Here’s a simplified illustration of how email encryption works. Picture a box with two locks, that take two different keys. When you lock the box with one key, only the other key can open the box again. If you want to send me a message, I give you one of the keys, and you put the message in the box and lock it. Since I’m the only one with the matching key, only I can unlock it. Sorry, Google! You just get gibberish.

Of course, there’s a catch. How do I get your half of the key pair to you? If I put it in an email, any bad guy could switch the key before it got to you, and then your secret message would only be readable by the bad guy. He’d probably pack the message back up and lock it with my key and send it on, so I might not notice right away that the message had been intercepted.

What’s needed is either a foolproof way to send my public key to you, or a way to confirm that the key you got really came from me.

If there were a foolproof way to send the key, we’d dispense with the whole lockbox thing and just send the original message that way. So until that foolproof way arrives, we are left with the need to authenticate the key I send you, through some trusted, hard-to-fake source. There are competing ways to accomplish this, and they all have flaws. This is the hole in our jigsaw puzzle.

The most common way key-verifying is done is through a series of Certificate Authorities, companies entrusted with issuing and verifying these keys. This works pretty well, as long as every single Certificate Authority can be trusted. The moment one is hacked, the entire system has been compromised. Guess what? CAs have been hacked. There are also several governments that are CAs, meaning those governments can listen in on any transaction on the Web today that uses https:// – which is just about all of them. Any of those entities could send a fake key to you and your software would trust it. I don’t know which makes me more nervous, that China is on the list or the United States.

So if you can’t collectively trust a few hundred companies and governments, who can you trust? There are several competing systems now where you and all your friends only have to trust one company. As long as you and I both set up with that company, they will quite effectively safeguard our communications. Your privacy is as good as the security and integrity of a single corporation — unless a jealous government shuts them down, anyway, or they get bought by a less-scrupulous company, or a pissed-off engineer in their IT department decides to drop their corporate pants. Having a single entity hold all the keys is called the “key escrow problem”.

At the far end of the spectrum is crowd-sourcing trust. There exists a large and (alas) floundering network of people who vouch for each other, so if you trust Bob and Bob says my key’s OK, you can choose to trust my key. I’ve tried to participate in the “Web of Trust”, and, well, here I am, still sending emails in the clear.

But now there’s a new kid in town! I just got an invitation to join the alpha-testing stage for a new key-verification service, keybase.io. Let’s say you want to send me a message. You need the public key to my lockbox. You ask keybase for it, and they send you a key. But do you trust that key? No, not at all. Along with the key, the server sends a bunch of links, to things like this blog and my twitter account. The software on your computer automatically checks those links to see if a special code is there, and if it is, invites you to go and look at those links to make sure they point to things I control. You see the special code on Muddled Ramblings or Twitter or whatever that only I could have put there, and you can feel pretty good about the key. You put your own stamp on the key so you don’t have to go through the manual verification again, and away you go!

There are more features to prevent bad guys from other shenanigans like hacking my blog and twitter before giving you a fake key, but you can read about them at http://keybase.io.
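The check described above, sketched as an added example (it is not part of the original post and not Keybase's actual proof format or API). The proof string, the user and account names, the URLs, and the use of a SHA-256 fingerprint in place of a signed statement are all assumptions made for illustration.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    # Simplification: identify a key by the SHA-256 of its bytes.
    return hashlib.sha256(public_key).hexdigest()

def proof_text(user: str, service: str, account: str, fp: str) -> str:
    # Hypothetical format for the "special code" the key owner posts publicly.
    return f"keyproof:{user}:{service}:{account}:{fp}"

def check_proofs(user, public_key, proofs, fetch):
    """Check every link the (untrusted) server listed against the key it sent."""
    fp = fingerprint(public_key)
    results = {}
    for service, account, url in proofs:
        page = fetch(url) or ""          # a missing page counts as a failed proof
        results[(service, account)] = proof_text(user, service, account, fp) in page
    return results

def accept_key(user, public_key, proofs, fetch, pins, reviewed_by_human):
    """Return True if this key may be used for `user`."""
    fp = fingerprint(public_key)
    if user in pins:                     # already stamped: only that key is accepted
        return pins[user] == fp
    results = check_proofs(user, public_key, proofs, fetch)
    if not results or not all(results.values()):
        return False                     # no proofs, or any proof fails: reject
    if not reviewed_by_human:            # someone must look at the links once
        return False
    pins[user] = fp                      # "put your own stamp on the key"
    return True

# Constructed sample data: two accounts carrying the proof for the real key.
REAL_KEY = b"constructed-public-key-of-alice"
FAKE_KEY = b"constructed-key-substituted-by-a-bad-server"
PROOFS = [("web", "blog.example", "https://blog.example/keyproof.txt"),
          ("social", "alice", "https://social.example/alice/1")]
PAGES = {url: "hello world " + proof_text("alice", svc, acct, fingerprint(REAL_KEY))
         for svc, acct, url in PROOFS}

def fetch(url):
    return PAGES.get(url)                # stands in for an HTTPS GET

if __name__ == "__main__":
    pins = {}
    print(accept_key("alice", REAL_KEY, PROOFS, fetch, pins, True))  # genuine key
    print(accept_key("alice", FAKE_KEY, PROOFS, fetch, pins, True))  # differs from stamp
    print(accept_key("alice", FAKE_KEY, PROOFS, fetch, {}, True))    # proofs don't match
```

A server that swaps in a different key fails both ways: the posted codes no longer match the key it sent, and anyone who already stamped the real key sees the mismatch.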

The service is still in the pre-pubescent stage; I’m fiddling now to see if I can use keybase-verified keys from my mail software. Failing that, there are other methods to encrypt and decrypt messages you cut and paste from your email. Kinda clunky.

Having set up my keybase identity, I have been given the privilege of inviting four more people aboard. Good thing, too, since otherwise I’d have no one to exchange messages with, to see how it works. I’d be grateful if one (or four!) of y’all out there would like to be a guinea pig with me. Drop me a line if you’re interested. Let’s win one for the little guy!

Note to Pillsbury:

It’s time to revive Space Food Sticks.


When Phones and Cars DO Mix

I’d heard whispers about it in the shadows, seen the knowing glances between those in the loop, and recently I’ve become one of them. I’m a Wazer.

I am required to be at an office during what we call ‘normal business hours’. That means I’m driving to my office in the morning and home from the office in the evening, along with all the other NBH drones. Some mornings, the 12-mile trip can take an hour. That’s not good.

Along my route are some key decision points. It’s shortest to turn left at Curtner, but that ramp onto the freeway can get massively backed up, to the tune of fifteen minutes. On those mornings it’s better to stay on the surface streets for an extra mile.

But which mornings? How can I tell in advance whether Curtner is a mess? Enter Waze, the social mapping service. Waze takes real-time data from drivers like me and finds the fastest route to work (and, perhaps more importantly, home again). Sometimes those routes use streets I never would have thought of, but I ignore the advice at my peril. (Monday, I thought I knew better than Waze. Boy was I wrong.)

Waze is a bit quirky; right now it tries to steer me around one intersection at all costs — including cutting through a cemetery as an alternative. I have no idea why it developed an allergy to that right turn, and I suppose a true Wazer would log in and fix the map. Even the maps themselves are crowdsourced. It’s pretty cool.

You should be aware, however, that Google just bought Waze for a cool 1.1 billion, so as I drive I’m telling the Goog where I am. If you use Google maps you’re already doing that, however, and I think this is a case where a voluntary surrender of personal information (with a very short useful shelf-life) actually makes the world better. Perhaps I just think that way because I really hate traffic. I decline to advertise my location on Facebook, and I hope all of you have more common sense than to do so.

Another very useful phone-related product I came across recently is actually a gadget/app combo. You may have read recently that I’ve been tinkering with my car so that it will pass the California emissions test. I made some repairs and pulled the fuse that powers the onboard computer and counted thirty seconds, which should reset it. Even if the Check Engine Light is off when I get to the smog place, if there are old error codes in the computer’s memory, I will fail. Again. I know this because that’s why I failed the first time. The Check Engine Light had been on, and that was enough.

So I cleared the computer. Probably. Maybe. After my first round of repairs the light came back on (I had broken a plastic bit during the first operation) so I made my second repair and pulled the fuse for 30 seconds. Once again, there was no way to tell if I had actually cleared the memory. Just in time, help arrived via the U.S. Mail.

You see, during this whole process I was frustrated that I couldn’t just check the damn computer myself. (Once you fail smog, all except a few specially-designated repair places aren’t even allowed to hook you up. Bah!) Then while reading a Miata forum I found a discussion of which OBD tools worked with 1999 Miatas. A light turned on over my head. I could buy my own damn code reader! That had quite truthfully never occurred to me. I went to Amazon and started looking around. There was one hitch that made me hesitate: Units were either a) really expensive; and/or b) not sure to work on my car. Although there is a standard connector, different cars communicate with different protocols. I didn’t want to spend a bunch of money for something that didn’t know my car’s dialect.

Then I came across one that was both cheaper than any of the others AND low-risk! BAM! For 21 bucks I bought the Elm327 WIFI OBD2 Car Scan Tool. There’s a cheaper Bluetooth version, but there was some indication that it might not work on all iOS devices. Why is this one more likely to work with my car? Here’s the thing: The gizmo doesn’t know diddle about protocols. That’s software. So if one phone or computer app can’t talk to my car, another will. And now the UI can be presented on a sophisticated touch-screen computing device, rather than a cryptic LCD readout with arrow buttons for controls.

When the ELM-327 arrived I splurged and got one of the most expensive apps available to talk to it, based on reviewers saying it worked no problem with their ELM-327s. Ten bucks. For a total outlay of $31, I had a scan tool that not only worked far better than dedicated devices costing hundreds of dollars, it had a better UI, and could even display a host of real-time data as I drove around! Speed, rpm, air volume, battery voltage, and more. Some modern cars provide a ridiculous amount of information through the OBD port. The app I chose, OBD Fusion, can log data and even superimpose that info onto a map. Racers, apparently, love this stuff.

My smog guy was really impressed as well. He actually laughed when I revved my motor and the virtual tach needle swung upwards. He was excited that he could prescreen customers in the parking lot, quick and easy. I expect he owns one of these now.

And in fact I had not successfully cleared my computer by pulling the fuse, but with my gadget and my app I cleared the old codes and ran the car until all tests had come back green.

This tool is a game-changer for even an unsophisticated home mechanic like me. Knowing the code and being able to look up the repair on the Internet literally saved me hundreds of dollars. (I know because I once paid hundreds of dollars only to have the problem return a few months later.) It also confirmed that my speedometer is a wee bit off.

And next road trip I’m totally going to make a map of engine RPM along my route. Because the world needs to know stuff like that.


The Ascendant Science

Medicine, it seems, is always the last science to the dance. While one guy was establishing the principles of electricity, one of his friends was being bled to death in the name of medicine. When radioactivity was discovered, health practitioners killed countless patients with it.

For most of the history of humanity, doctors were quacks. All of them. The discovery of tiny creatures that live inside us revolutionized the medical biz, but compared to the physics industry and its spinoffs, medicine was still mostly chanting and waving rattles.

Early in the last century, physical science went through a boom so loud our ears are still ringing today. The second half of the 20th century saw technology go nuts as those fundamental discoveries reached market.

That wave gave us the machines we needed to finally dig deep into how we work as organisms. Allow me to tell a rather long story to illustrate.

I have been working to lose weight. If you use the Internet, you’ve seen ads that read, “New scientific breakthrough can help you shed pounds!” and shit like that. I have long made a point of ignoring those ads, but I became curious about the scientific breakthrough. One night I clicked one of the ads.

I was presented with a video. Generally, when I want the answer to a specific question, I HATE video. But in this case, I understood that the video existed for the very reason I dislike them: the producer wants me to go through a lot of shit before providing me the nugget I want. From their point of view, video is perfect.

With the sound off, I watched as cartoon people were drawn and erased, showing a variety of body forms. Finally, a word came on the screen: Leptin. I stopped the video and fired up Wikipedia, where I was offered an explanation with lots of words I didn’t know. I knew enough of them, however, to understand that leptin was created by fat cells, and when leptin levels go up enough to be noticed by the brain, you feel full, and your metabolism cranks up. Injecting leptin into obese mice helps them lose weight; it doesn’t work so well in humans. Also, leptin was found in the 1990s.

Then there’s Ghrelin, identified about ten years ago. Ghrelin makes you feel hungry, and slows your metabolism. The Wikipedia article about ghrelin identifies exactly which gene builds it, how it’s matched with a (perhaps unused) counterpart, and where it binds to receptors in the brain. There are drawings of the damn thing.

I trust the drawings, but it all seems vaguely magic.

I think this is just the beginning. The human organism is the most complex thing in the known universe, but we’re starting to figure out how it works. Next comes how to fix it when it’s broken; how to address the exact problem without mucking with other systems. We will move from drugs to viruses — those that attack specific bacteria and those that give the host the ability to produce a particular protein. It’s pretty cool.

That technology explosion? We’re starting to feel the biology echo, and it’s going to change everything.

Christian Mingle, Random Numbers, and Prayer

I typed the above title into my bloggotool a few days ago, thinking I’d get back to it when I had time. I vaguely remember the point I was going to make. Let’s see how this goes.

Christian Mingle is an online matchmaking service for Christian folks. It makes sense; there are a lot of people for whom a partner must be of the same religion, and it wouldn’t surprise me if same-faith relationships tend to last longer (though there is likely precious little in the way of unbiased data on the subject — it’s one of those simple-sounding propositions that turns out to be a bitch to measure. But I digress…).

Anyway, my memory of the site’s tagline is fuzzy, but it’s something like, “find God’s match for you.” So you see, they are presenting themselves as an agent of God, a conduit that allows the Big Guy to work his subtle magic. I’ve heard crazier things. But then I thought some more (perhaps too much), and I realized that most likely they apply mathematical comparison algorithms to find the best matches, as do the rest of the matchmaking sites. In fact, they are probably a branded front end on one of the other major services. It’s all math, and it’s deterministic. The same data in will produce the same result. If God wants Sally to be with Jorge, but the numbers say she should be with Marcel, what’s He gonna do?

Although random numbers in computers aren’t truly random, they’re unpredictable enough that a deity could jigger them now and then and no one would be the wiser. If Christian Mingle threw a lot of entropy at the problem, they could create the wiggle room God needs to work His will. Clients would fill out a detailed questionnaire, send it in, and Christian Mingle could match them up randomly and bickety-bam, God’s will is done. Sally’s with Jorge.

(Note that God’s will does not necessarily translate to what’s best for the individuals involved.)

Generating the random number is much like prayer, except that now we have a machine to perform that tedious task for us. We are appealing to a higher power for guidance, trusting ourselves to His plan. For marketing, I would suggest to Christian Mingle that they substitute the phrase “Divine Guidance” for “Random Number” in their brochures.

Meanwhile, I’m going to go home and whip up a quick “pray for my soul” script. I have a feeling I’m going to need it.

iTelescope

I was reading up on the big-ass comet (whose name is not actually ISON) heading our direction, and the article mentioned that the discovery had been confirmed by iTelescope (among others). (REAL QUICK digression: I really like the word “precovery” — once the discoverers said, “hey, there’s a comet there!” other astronomers were able to use data gathered before the official “discovery” to confirm the finding. Precovery.) So anyway, since I work at the company that invented put-an-i-on-it product naming, I had no choice but to look into this iTelescope thing. I had this idea that maybe there were a million webcams all pointed at the sky, and with the combined computing power of the participants a useful image could be inferred.

Of course, I was wrong. It was early in the morning and the caffeine hadn’t reached the critical parts of my brain — the parts that would have considered the logistical nightmare my “global fly-eye” idea would entail. Maybe in a few more years…

But what I did find is entirely cool, and has the benefit of actually working. iTelescope is a cooperative that has some 20 pretty-dang-good telescopes, and for a fee you (yes, you) can use them to take pictures of the sky. (The difference between ‘telescope’ and ‘camera’ is all in the lens.) iTelescope has three facilities around the globe (New Mexico, Spain, and Australia), so it’s always night somewhere. You control the telescope over the Internet and download your results. Oh, these times we live in. (In these times, it must also be said: you retain all rights to the photos.)

How much does it cost? That depends on the telescope you choose and the phase of the moon. Prices start in the neighborhood of seventeen bucks an hour and go up from there. That seems like a lot of money, until you consider what it would cost to get these images on your own. Eleven (at least) have even been honored as APOD.

It feels odd to think of it as ‘photography’ when you’re so disconnected from the camera – heck, you’ll probably never even see the telescope you’re using. Many of the other decisions one makes in terrestrial photography are moot as well — there’s no depth of focus to deal with, for instance. Someone else has set up the camera; all you have to do is point it. Except, when you look at the gallery, you see that there are many images that combine dozens of exposures, some with different filters, sometimes with different data coming from different telescopes. Dang. Seriously, how many photographers have access to such a vast array of gear? (Answer: now, we all do.)

There is still an art to getting that spectacular deep-space image, and just as a fashion photographer has assistants to handle the details, iTelescope users have the iTelescope staff and a helpful Web robot. Good times, my friends. Good times.
