September 10, 2017 / Jim Fenton

Colorado Road Trip Day 3: Utah

Sunday, August 20, 2017
Trip Odometer: 685

Bonneville Salt Flats

After breakfast, we continued east on I-80. Our first stop was after only about 10 miles at the rest area adjacent to the Bonneville Salt Flats, where many land speed records have been set. We stopped there on an earlier trip (2006), but it’s striking to see the very white landscape, very much like snow.

After passing through the deserted western part of Utah, civilization returned. We stopped again at the Great Salt Lake state marina to have a look around and our morning snack. The snack was quickly cancelled because of the thousands of tiny bugs in the parking lot. They weren’t actually all that annoying but we didn’t want to let a bunch of them into the car. The marina was worth a look around, even with the $3 parking fee.

We then drove into downtown Salt Lake City, passing by the Mormon Temple and Tabernacle and then up to the State Capitol, high on a hill. There were an unusual number of motorcycles, which we found out were there for the annual Ride for Fallen Officers.

The Great Salt Lake

Continuing east on our winding climb out of SLC, we decided to stop at Park City for lunch. This took us a few miles off the road, but we loved breathing the mountain air and enjoyed our lunch at a local cafe.

After a few more miles of winding road, things straightened out somewhat and the speed limit again went up to 80.

Soon after crossing into Wyoming, we came to Evanston, Wyoming, where we thought we would find a good place for ice cream. We checked out a couple of possibilities, and one was closed (it’s Sunday) and another looked like it had gone out of business. We decided to stop by Wendy’s for their Frosty (sort of a cross between soft serve ice cream and a milkshake), and were pleased to see that they were on sale: a small Frosty was only 50 cents. They weren’t all that small, either. $1.58 for three Frosties (including tax) will undoubtedly be the most economical ice cream stop of the trip.

Continuing from Evanston, we passed through some picturesque rock formations on the way to our destination for the night, Rock Springs. It’s striking how much the scenery changes each day.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 9, 2017 / Jim Fenton

Colorado Road Trip Day 2: Nevada

Saturday, August 19, 2017
Trip Odometer: 287

Outdoor climbing wall at the Whitney Peak Hotel

This is the day of the trip that we were least looking forward to: 400 miles across Nevada, with presumably little to see along the way.

Before checking out from the Whitney Peak Hotel, we decided to visit the second floor, where a notable rock climbing facility is located. Coming out of the elevator, we were there: many rock climbing walls that took up most of the second floor, except for a fitness center and small gift shop. Stepping onto the balcony, we got a better look at the outdoor rock climbing facility we saw in last night’s darkness: two large walls perhaps 50 feet tall, above which was a landing and two more narrow walls extending up several more floors. Climbing any of those would be an impressive achievement.

After checking out, we drove a short distance east to Sparks, and had breakfast at a Starbucks there. Then after filling up the tank we began our long drive. The first part of the drive, along the Truckee River, was quite scenic, much more so than I had expected (or remembered). Soon after leaving town, the speed limit increased to 80 mph and the surroundings changed to drier brush.

I-80 Scenery

Although the road seemed to be in excellent condition, a couple of road paving operations were underway that narrowed the road to a single lane and a speed limit of 55, which somewhat countered the benefit of the 80 mph sections. We stopped for lunch at a Subway in Winnemucca. We continued to Elko for our afternoon ice cream break (a tradition on some of our road trips), and then on through picturesque clouds and a few showers to Wendover, Utah, our stop for the night. Wendover is on the border between Nevada and Utah, with casinos on the Nevada side and considerably more staid surroundings on the Utah side. The Utah border is also the time zone boundary, causing us to “lose” an hour.

We took a short stroll back into Nevada, then returned to Utah for dinner at a nearby cafe.

This article is part of a series about our recent road trip to Colorado and back. To see the introductory article in the series, click here.

September 8, 2017 / Jim Fenton

Colorado Road Trip Day 1: Departure

As I have done for the past several years, I kept a journal on our summer vacation for publication on this blog following our return. This year the publication of the journal is delayed by three weeks from real time, and I intend to post one installment every day or so over the next two weeks or so. The recurring characters in our story are myself (Jim), my wife Kenna, and our daughter Celeste, who is on her way to college.


Friday, August 18, 2017

While we have done considerable travel this summer, we thought the most interesting trip to blog about would be our road trip to Colorado. Celeste begins at University of Colorado Boulder at the end of August, and we thought we would drive her (and her stuff) out to begin her freshman year.

We managed to fit almost everything she needs into our Volvo XC60, with roof box attached. The packing itself was notable. For example, Celeste found some clothing bags that allowed her to vacuum pack her winter clothing, so they didn’t take up so much room. It didn’t make them any lighter, though!

Amazingly, we left almost exactly on plan: 10 AM today. Our first stop was Stockton, to visit and have lunch with Kenna’s folks (Celeste’s grandparents, of course). We left mid-afternoon; our plan was to go via a scenic route, especially since much of the trip will probably not be all that scenic. So we took Highway 88, which also seemed to be the fastest route to Lake Tahoe. We haven’t driven 88 many times, and it was a very pleasant change of scenery.

Descending to Lake Tahoe, we stopped at a Scottish pub, MacDuffs Pub, for an enjoyable dinner and some nice banter with people at the adjacent table. We stopped by the lake just after sunset, and continued to our destination for the night, Reno.

It had been quite a long time since any of us had been to Reno. Probably because it was a Friday night, the downtown area was bustling with cars and pedestrians. Our hotel, the Whitney Peak Hotel, was centrally located, a former Fitzgerald’s casino and hotel that had been extensively renovated and now contains a large event space in place of the casino. Tonight the space featured an event with an impressive amount of deep bass (perhaps dubstep), making walls shake in the lobby area. But our room was completely quiet.

Kenna and I took a little walk around, admiring the famous Reno arch (just outside) and their new river walk area, an example of another city celebrating rather than turning its back on its river. Although there was quite a bit of foot traffic when we arrived, it seemed to taper off substantially later in the evening (like about 10 pm), very much unlike Las Vegas.

August 1, 2017 / Jim Fenton

The gaping hole allowing email spoofing

In today’s news there was a report that Anthony Scaramucci, the outgoing White House communications director, got “punked” by an email he thought was from Reince Priebus, the former chief of staff and his apparent rival. The messages actually came from a mail.com account.

Although not nearly as consequential, this sort of thing is commonplace. I have gotten several messages claiming to come from Facebook and other social media contacts, but actually from impostors using their names. Presumably the impostors mined the names from social media.

The email industry bears some responsibility for making this possible. Despite the enormous effort put into development and deployment of email authentication and anti-phishing technologies such as SPF, DKIM, and DMARC, there is a gaping hole: those technologies authenticate the domain in a message’s addresses, not the “friendly name” shown next to the address, so it isn’t readily possible to distinguish a message from someone at their expected email address from a message posing as them from a different email address entirely.

Email clients used to routinely display the email address as well as the “friendly name” when they displayed a message. They used to typically display:

From: John Doe <john.doe@example.com>

That isn’t all that pretty, and in this case a little redundant. It also takes more precious space on mobile devices. So today many clients simply display:

From: John Doe

But suppose someone wanted to pose as Mr. Doe? They could very easily send a message with a From header field like this (of course, substituting example.org with their own email domain):

From: John Doe <impostor@example.org>

On many email clients, this will display exactly like an actual message from the real John Doe. SPF, DKIM, and DMARC don’t help here: they check the domain example.org, which the impostor legitimately controls, so the message passes all three.

What could be done about it? Obviously, this is an area that warrants some real usability research and a lot of users will need to be trained. But here are a few possibilities:

  1. Verify the address against the user’s address book. If it doesn’t match, display the sender’s name in a distinctive way, e.g. in red, with a big X, etc. Obviously there would be issues with someone in the address book as John Doe sending a message as Johnny Doe, but that can be handled too.
  2. Do the same as #1 but do something like the blue checkmark on Twitter: display something distinctive saying the message came from an address you recognize. The problem here is that meaning of the checkmark would be different: not verified by some central authority, but by one’s own address book.
  3. Display the email address, either with or instead of the friendly name, if it doesn’t match.
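As an added illustration of options 1 through 3 (this is example code, not from the original post), the following Python parses a From: header value, looks the address up in a constructed address book, and decides how a client should render the sender. It also catches the related trick of putting an address-looking string in the friendly name, which a client that shows only the friendly name would display as if it were the victim’s address. The address book, the headers, and the verdict names are all assumptions made up for the example.

```python
import re
from email.utils import parseaddr

# Constructed address book for this example: the friendly name the reader
# knows a correspondent by, mapped to the addresses they have used before.
ADDRESS_BOOK = {
    "John Doe": {"john.doe@example.com"},
    "Jane Roe": {"jane@example.net", "jroe@example.org"},
}

KNOWN = "known"                        # address is in the address book
IMPERSONATION = "impersonation"        # name matches a contact, address does not
EMBEDDED_ADDRESS = "embedded-address"  # friendly name itself looks like an address
UNKNOWN = "unknown"                    # neither the name nor the address is known
MALFORMED = "malformed"                # no usable address in the header


def _tokens(name):
    """Lower-case word tokens of a display name: 'Doe, John' -> ['doe', 'john']."""
    return re.findall(r"[a-z0-9]+", name.lower())


def names_match(a, b):
    """True for the same tokens in any order, or the same surname with a
    shared first-name prefix, so 'Johnny Doe' counts as an alias of 'John Doe'."""
    ta, tb = _tokens(a), _tokens(b)
    if not ta or not tb:
        return False
    if sorted(ta) == sorted(tb):
        return True
    return (len(ta) > 1 and len(tb) > 1
            and ta[-1] == tb[-1] and ta[0][:3] == tb[0][:3])


def classify(from_header, book=ADDRESS_BOOK):
    """Return (verdict, display_name, address) for the value of a From: field."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return MALFORMED, name, addr
    if any(addr in addrs for addrs in book.values()):
        return KNOWN, name, addr
    if "@" in name:
        # e.g. "john.doe@example.com" <impostor@example.org>: a client that
        # shows only the friendly name would display the victim's address.
        return EMBEDDED_ADDRESS, name, addr
    if any(names_match(name, known) for known in book):
        return IMPERSONATION, name, addr
    return UNKNOWN, name, addr


def render(from_header, book=ADDRESS_BOOK):
    """The sender line a client could show: the friendly name with a
    'verified' tag only when the address is one the reader knows (option 2),
    otherwise the full address plus a warning (options 1 and 3)."""
    verdict, name, addr = classify(from_header, book)
    if verdict == KNOWN:
        return f"{name or addr} [verified: {addr}]"
    if verdict == MALFORMED:
        return f"[unparseable sender] {from_header}"
    note = {
        IMPERSONATION: "WARNING: name matches a contact but the address does not",
        EMBEDDED_ADDRESS: "WARNING: friendly name contains an address",
        UNKNOWN: "not in address book",
    }[verdict]
    return f"{name or '(no name)'} <{addr}> [{note}]"


if __name__ == "__main__":
    # Constructed headers: a genuine message, the spoof from the post, an
    # alias, the embedded-address trick, and a stranger.
    for header in [
        "John Doe <john.doe@example.com>",
        "John Doe <impostor@example.org>",
        "Johnny Doe <jd@attacker.example>",
        '"john.doe@example.com" <impostor@example.org>',
        "Someone Else <someone@example.com>",
    ]:
        print(render(header))
```

The verdict is driven by the address, never by the friendly name alone: a known address is accepted whatever name accompanies it, while a known name on an unknown address is exactly the case the post describes and is the one that gets the loudest warning.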

There is some risk of just “kicking the problem down the road”, however. If this becomes really effective, address book attacks would become useful. Attackers would try to trick you into accepting address book entries (typically .vcf files) from them, and these might enable them to more plausibly pose as a trusted (or at least known) contact.

No matter what we do, some users will ignore it, and we can’t fix that. But we can, and should, give users the tools to easily spot messages that they should treat with more suspicion.

June 20, 2017 / Jim Fenton

Twitter threads: wrong medium

Since Twitter’s inception, users have been bumping up against the 140-character limit on tweet length. With support for images in tweets came images of text blocks — pictures of media articles (OK), but also pictures of text written for the tweet, which misses the point of Twitter as a short-form medium. These images also defeat the ability to search for the text, which limits its distribution and the ability to find it again when you want to cite it.

Twitter has been relatively faithful to the 140-character limit. Early rumors that Twitter might offer a paid premium service allowing longer tweets have not materialized. They have budged a bit, however, by shortening URLs and hostnames (which of course is useful to Twitter as a way to collect analytics) and recently by allowing reply tweets not to count the Twitter handles of the user(s) being replied to in the character count.

The current fad is Twitter threads; most Twitter users have seen these. These usually start with “Thread” and a series of numbered tweets immediately following. These are often one sentence, or one idea, per tweet that fit together. Sometimes, but not always, these are arranged as a string of replies to the initial tweet, so that a reader can follow them by following the replies.

Some composers of threads create them skillfully: they put each idea in its own tweet and it reads like very short installments of a serial. There is value in this; it’s a way of organizing thoughts, keeping points concise, and so forth. Others just write something and break it up into <140 character chunks. There’s even a site (pork.io) that will do this for you. The result is a tweet thread that has to be read together to make any sense and doesn’t require any particular composition effort.

Regardless of the composition of the thread, they can be hard to use. Perhaps I’m using the wrong tools, but when I encounter a thread that looks interesting (usually as a result of a retweet of either the thread header or some tweet in the middle), I usually have to go find the account of the writer of the thread and scroll back through their tweets so I can see the entire thread. This requires considerable effort, and limits their audience to people having the patience and time to do this.

There’s a better answer: use a long-form medium like this (remember blogs?). Tweet a link to the post. It’s much easier to read, and it’s easy to add pictures, links, and other media if desired. It also respects Twitter’s value as a short-form medium, by not requiring one’s followers to scroll through a long tweet thread that they’re not interested in.

November 17, 2016 / Jim Fenton

Facebook is not a news source

There has been a lot of press about fake news stories appearing on Facebook and other social media. But what really shocks me is that, according to Pew Research Center, 44% of the US population gets its news from Facebook.


August 21, 2016 / Jim Fenton

DNSSEC Signing Revisited

A couple of years ago, I signed the DNS records of my personal domain with DNSSEC, and wrote a blog post on the experience. Since then, life has been generally good, although there have been a couple of hiccups where the signatures expired and my domain became briefly unavailable to resolvers that verify DNSSEC. I figured out how to make the re-signing of the domain happen automatically, and those problems for the most part went away.

I recently upgraded my DNS server from the Debian “squeeze” release to the “jessie” release to ensure that I continue to get security updates. A month or so later, I got a notification that my DNS was broken again. I figured that the process that re-signed and published my DNS records had failed to start; quite a few things like that broke in the upgrade.

But it was worse than that: the dnssec-tools package that I have been using for signing (described in that blog post) is no longer available from Debian for jessie, apparently because of some unresolved bugs. I needed to quickly find another way to sign my domain.

BIND to the rescue

Looking around for alternatives, I found out that BIND 9.9, which is available as a jessie package, supports inline signing. I have always used BIND as my DNS server, and I welcome the prospect of signing without a lot of external dependencies. ISC provides a good (but incomplete – see below) how-to guide on turning on DNSSEC signing, so I followed those instructions.

My first problem was the keys themselves. Dnssec-tools seems to have used a different format for the public/private keypairs used by DNSSEC than BIND, so I needed to generate new keys. I started to do this, but it was taking forever! It turns out that dnssec-keygen needs a fair amount of cryptographic entropy to generate a keypair, and I was running it on a virtual private server that doesn’t get much entropy. So, despite my aversion to transferring private keys, I generated keys on my home Linux (Ubuntu) machine. This took long enough, even with me banging on keys and doing every other random thing I could think of.

Having transferred the keys (two keypairs, a Zone Signing Key and a Key Signing Key) back to the name server, I went ahead and signed the zone. But I realized something was missing: the ISC how-to guide doesn’t talk about publishing the DS records at the parent domain that are necessary to link my keys to the global DNS trust chain.

Fortunately, I found the instructions for this in a different ISC how-to guide. The dnssec-dsfromkey utility converts the public keys into the necessary format for the DS records. I then logged into my domain registrar’s website and added the necessary DS records.

Everything looked pretty good, and I was able to look up my records using my verifying resolver. But I also checked an online utility to see if it saw any errors. It said my DNSSEC was still broken. I thought maybe there were some old records in a cache somewhere so I waited a day or two.

Time didn’t help here, and I couldn’t figure out why it was still reporting an error. So I consulted a very knowledgeable friend – thank you Patrik! – who introduced me to a different tool, DNSViz, that showed that my slave DNS server, running on a different host, was returning different data. Specifically, it was showing several DNSKEY records from my old configuration that shouldn’t have been there.

I looked at the primary zone file, both the unsigned one I maintain and the one signed by BIND (using the named-checkzone utility, since the file is in a binary format). Everything looked fine; the extra DNSKEY records weren’t there. I re-transferred the zone to the secondary, but the extra records remained.

Finally, somewhat in desperation, I deleted the zone file and the associated .jnl file (not sure where the latter came from). Restarted BIND and everything was fine. I’m guessing that the .jnl (journal) file was telling BIND to make only incremental changes to the zone, and therefore the old DNSKEY records were untouched.
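Two of the steps above are worth being able to check independently of the tools: the DS record that goes to the registrar, and whether every authoritative server is serving the same DNSKEY set. The following Python (an added example; it is not BIND’s code, not dnssec-dsfromkey, and not anything from the original post) computes the RFC 4034 key tag and SHA-256 DS digest from a DNSKEY record in presentation format, and diffs the DNSKEY sets seen from several servers, which is the mismatch DNSViz surfaced. The DNSKEY records, the server names, and the two-byte public keys are constructed for the example so the key tags can be checked by hand; real keys are a few hundred bytes and would come from `dig @<server> example.com DNSKEY +norecurse`.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (lower-case, length-prefixed
    labels, terminating zero byte), RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(record):
    """Parse a DNSKEY in presentation format, with or without the leading
    'owner TTL IN DNSKEY', into (flags, protocol, algorithm, key_bytes)."""
    fields = record.split()
    if "DNSKEY" in fields:
        fields = fields[fields.index("DNSKEY") + 1:]
    flags, proto, alg = (int(x) for x in fields[:3])
    return flags, proto, alg, base64.b64decode("".join(fields[3:]))


def dnskey_rdata(flags, proto, alg, key):
    """Wire RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """Key tag of RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(record):
    """Flag bit 15 (SEP) set, i.e. flags 257: the key the DS should point at."""
    return parse_dnskey(record)[0] & 0x0001 == 1


def ds_record(owner, record):
    """(key_tag, algorithm, digest_type, digest) for a SHA-256 (type 2) DS of
    the DNSKEY: digest = SHA-256(owner name in wire form || DNSKEY RDATA),
    RFC 4034 section 5.1.4."""
    flags, proto, alg, key = parse_dnskey(record)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, 2, digest


def dnskey_set_diff(views):
    """views: {server: [DNSKEY records it serves]}. Return {key_tag: [servers
    missing that key]} for every key not served everywhere; an empty dict
    means the authoritative servers agree."""
    tags = {srv: {key_tag(dnskey_rdata(*parse_dnskey(r))) for r in recs}
            for srv, recs in views.items()}
    every = set().union(*tags.values()) if tags else set()
    return {t: sorted(s for s, ts in tags.items() if t not in ts)
            for t in sorted(every) if any(t not in ts for ts in tags.values())}


if __name__ == "__main__":
    # Constructed keys with two-byte key material (AQI= is 0x01 0x02,
    # AwQ= is 0x03 0x04); only the arithmetic matters for the example.
    KSK = "example.com. 3600 IN DNSKEY 257 3 8 AQI="
    ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AQI="
    STALE = "example.com. 3600 IN DNSKEY 256 3 8 AwQ="   # left over on one server
    tag, alg, dtype, digest = ds_record("example.com.", KSK)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("disagreement:", dnskey_set_diff({"ns1": [KSK, ZSK],
                                            "ns2": [KSK, ZSK, STALE]}))
```

The DS line this prints should match `dnssec-dsfromkey -2 Kexample.com.+008+<tag>.key` for the same KSK and what the registrar shows for the domain; a mismatch in the tag or digest means the wrong key, or a stale one, is in the parent. A non-empty result from the diff is the secondary-server problem described above: a validator that happens to query the server with the stale key set can fail even while the primary looks fine.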

I will, of course, need to continue to watch to make sure that the signatures don’t expire since I don’t understand the key rollover methodology yet. But modulo a couple of problems getting started here, I’m optimistic that inline signing with BIND will be much easier than what I had been doing.

August 13, 2016 / Jim Fenton

Home is where you don’t have to accept the Wi-Fi terms and conditions

You arrive at your hotel after a long day of travel. Hungry and tired, you pick up the phone to call room service. There’s no dial tone, but after about 10 seconds, a recorded announcement starts to play:

Important! Please listen carefully before using. Your use of this telephone is your acknowledgement and agreement that you agree with the terms set forth as follows: By using this telephone, you agree to all terms, conditions, and notices contained herein. The Hotel reserves the right, in its sole discretion, to terminate your access to all or part of the telephone system, with or without notice.

All materials, information, and services available through this telephone are provided “as is”. The Hotel accepts no liability for your use of the telephone, including but not limited to damage to your ears, hearing assistance devices, or other equipment. Under no circumstances shall the hotel, its subsidiaries, affiliates, owner, or representatives be liable for any direct, indirect, punitive, incidental, special, or consequential damages that result from the use of, or inability to use, the telephone.

Press 1 to indicate your acceptance of these terms and conditions.

Silly? Infuriating? Yes. But this is exactly what the vast majority of hotel and other quasi-public Wi-Fi networks put us through.

What’s the justification for this? A frequently cited reason is that it’s important to make the acceptable use policy for the use of the network clear: you must not use the network to send spam, spread malware, and such. But don’t many of the same concerns apply to telephones, where you similarly must not use the phone to make telephone threats, harass people, and so forth? We don’t seem to need an explicit display of the acceptable use policy there.

Much of the language in these agreements doesn’t have to do with acceptable use so much as protecting the operator of the network if, for some reason, the network doesn’t perform as desired. This might be of some concern if the user is paying for the service, but increasingly Wi-Fi service is provided for free. Are there any documented cases where the operator of a Wi-Fi network has been sued for damages over the use of the network?

There are other user experience issues as well. These networks often spontaneously forget that you have accepted the terms and conditions. Having to re-accept the terms once each day is typical, but it can happen as often as each time a device connects. Moving from one location to another, such as from a hotel room to the lobby or convention area, or from one Starbucks location to another, often requires reacceptance of the terms as well.

For some reason the systems that implement this operate very slowly. Often the enforcement is done centrally (in the cloud), and perhaps there isn’t a business justification for providing enough capacity to handle requests quickly enough. Regardless, this makes the user experience worse yet.

Requiring acceptance of Wi-Fi terms and conditions causes other problems as well: it prevents some functions from working as intended. If one loses a Wi-Fi-only Apple iPad, that iPad’s Find My iPad feature may not work at all, even if it had been previously connected to the network, because the device joins the network but nothing gets through until someone accepts the terms. Acceptance requirements can also interfere with cellular/Wi-Fi devices: joining such a network makes it the preferred route for data traffic, even though communication via that route is blocked.

We’re wasting lots of time trying to get connected to Wi-Fi networks. What does it take to get Wi-Fi connections to work the way they’re supposed to, other than on our home networks?

“Skaneanteles_Hotel_room” by Skaneanteles Suites is licensed under CC BY-SA 2.0

July 24, 2016 / Jim Fenton

Great Lakes Day 15: Home from Toronto

July 3, 2016

Our ride home

Our flight home was again at a “civilized” time, 12:25 pm. We were told to expect long lines at customs, so we checked in early, but were rewarded with very short lines everywhere. We had hoped to do some last minute shopping, but unfortunately there wasn’t a great deal to shop for after customs. The selection of stores was limited and we’re just not into the typical “duty free” merchandise, such as liquor, perfume, and oversized Toblerone bars. So we had coffee and tea and grabbed sandwiches to take on the flight.

This article is the final installment in a series about our recent vacation in the Great Lakes area. To see the introductory article in the series, click here.

July 23, 2016 / Jim Fenton

Great Lakes Day 14: Fenelon Falls to Toronto

July 2, 2016

Kenna, with Doug driving, on Cameron Lake


The weather is beautiful again, so we began with some things we weren’t able to do yesterday. Cousin Stan and his son Doug took us for a short boat ride on Cameron Lake. The lake was quite a bit smoother than it had looked from the shore. Everything was so serene, and as we had remembered it, that we hated to leave. On our way out of town, we stopped to pay our respects to my grandparents and many other relatives at the Fenelon Falls cemetery.

Our next stop was in Oshawa, where a cousin (Mom’s cousin’s daughter Jill) and her husband live. We had a nice visit with them, traded many stories, and collected a little more information on the family genealogy. We then drove to Mississauga, on the other side of Toronto and close to Pearson International Airport, where we are staying for the night in preparation for our flight home tomorrow.

 This article is part of a series about our recent vacation in the Great Lakes area. To see the introductory article in the series, click here.