Demarc 3.0

Back in the days of land-line phones, your demarc, or demarcation point, was the part of your house where the public utility phone network entered your home. Each outlet in your home connected here in what was called a POTS (Plain Old Telephone Service) network, and connected to one or more lines going out of the house. Frequently this was located near where power entered your home, and later, cable TV. This makes it an excellent point to retro-fit tech into a house that maybe wasn’t designed with nerds in mind.

I know this looks a little crazy, but in version 3.0 of my setup, it's much, much cleaner than it's ever been. To quote Morpheus, this is the core where we broadcast our pirate signal and hack into the Matrix! This diagram might be a little easier to read:

There's some really cool stuff in this architecture that I'm pretty proud of. On one hand, it's a modern 1 Gbps network with distributed 802.11n Wi-Fi that can filter out ads and pornography and support remote connections via VPN. On the other, it can also connect any device from the early 1980s to other devices, or to the Internet.

For the very oldest machines, a Raspberry Pi Zero running the DreamPi image connects to our home's POTS wiring (long since disconnected from the public phone network), supplies line voltage, and plays back a dial tone. A Python script on the Pi listens for an old-school modem trying to dial out, plays back the handshake sounds of an ISP, then continues to pretend to be a modem, bridging the device onto our network (and thus the Internet).

For 90s and 2000s era Macs, either physical Ethernet or an old AirPort Classic provides an on-ramp onto our network. The AirPort is configured with an allow-list of permitted MAC addresses, so that it can run with only WEP security (since that's the best it can do!). Neither control keeps out a determined neighbour: a WEP key can be recovered from captured traffic in minutes and a MAC address is trivially cloned, so that radio is best treated as an untrusted segment whose only job is to let known old machines in. A Performa provides an EtherTalk to LocalTalk bridge, and a PhoneNet ring running around the basement networks the earliest of Apple and Mac computers.

For newer devices that have always-on Internet connections, another Raspberry Pi runs Pi-hole DNS, which filters out ads, with OpenDNS upstream configured to filter adult content. Dubbed the NetPi, it also runs an OpenVPN server, giving us the same filtering when we're away from home (as long as the VPN client sends its DNS queries through the tunnel). The NetPi, and a little media PC next to it, also host Plex Media Servers that share our content with our devices, no matter where we are.

With more of the Internet abandoning HTTP for HTTPS (whether it's needed or not), and newer TLS requirements ruling out connections from machines with older cryptography libraries, the NetPi will probably be pressed into service again running a TLS-terminating proxy: one that speaks old SSL/TLS (or plain HTTP) to the vintage clients and modern TLS to the real sites. The catch is that such a proxy is, by design, a man-in-the-middle: the old machines have to trust its certificate authority, and it should only ever be reachable from inside the LAN. I haven't quite figured out how to do this yet, but I do have an RSS+Site Scraper utility running, which means I can still read a lot of content on older devices.

Although this one wall in the house is a little complex, the tech is effectively invisible throughout the rest of the house. Ben and I are working on a Raspberry Pi project using a PowerBook from 1999 as the programming terminal, but the 2019 home theater can also stream 4k content — all without touching or re-configuring anything. I can literally start a document on a Mac Plus, revise it on a Performa, print it from there, or pick it up off a combined AppleTalk/SMB share on the NetPi and publish it to the web from my 2019 Surface Laptop. In fact, I sort of just did…

Update: Squid SSL Bump Proxy running!

So I Tied An Onion To My Belt – 2019 Edition

The start of 2019 required patience: sticking to the same patterns for nearly 4 years doesn't come easy for me, but sometimes that's best. Fortunately, we had our first escape in March: a couple's vacation to Mexico with some great friends from college. Going somewhere just to relax is a relatively new experience, but it went well, aside from a couple of days of Montezuma's Revenge near the end!

When we got back, we started putting things in place for some needed changes. First, Nic got a new car, to keep us in shape for road trips to Canada. Then, after finally getting some clarity on professional transitions, we were able to nail down our summer plans. A July start for a new job meant that we got one more trip to Florida from my previous employer — and allowed me to stick around long enough to launch my second product.

After Nic and the kids were done with Universal Studios, I handed in my two-weeks notice, and we went off to Family Camp — during which I signed the final papers for my new job. We squeezed in one more little get-away with some friends at Darien Lake, then the kids were back to school and I was thrust into almost non-stop business travel. As a result, the fall was necessarily a little more quiet on the home front. Simpler things like tinkering with projects, going on Girl Scout trips, horse-back riding, and kayaking in our beautiful State parks provided small escapes from responsibility.

The best escape had to wait until the end of the year. Ben pushed through another challenging half school year, on the brink of becoming a teenager. To celebrate his 13th birthday, we planned a surprise trip to Disney’s Hollywood Studios, where he and I got to explore the new Galaxy’s Edge Star Wars land. An early morning got us into the brand new Rise of the Resistance ride, and let us see most of the rest of the park as well. Ben built a droid, we drank blue milk, and got to nerd out together on this, the last of his Star Wars birthdays.

We flew out via Atlanta, where we met up with the girls, en route to Grand Cayman. There we spent a wonderful week with my parents, enjoying their sunny paradise. Nic and I got to try a scuba diving lesson, she and the kids got to play with some dolphins, and we all got to explore the coral reef as we snorkeled around Seven Mile Beach.

It was a wonderful cap on a pretty great year. 2020 will be an interesting one. Of course, we have some travel planned, having ended up in sort of an every-other-year pattern for some of our favorite adventures. But there will have to be new ones too. Our new teenager starts high school (a year early here) and we’ll have to figure out what makes the most sense for him — as well as thinking hard about what kinds of family experiences are important for our kids in the few years we have left with them.

For now, though, we’re happy and healthy in Ohio, and looking forward to what God leads us through in the next year. Family Photos have been updated — find the link and password hint on the home page.

Einstein Newton Emulator on Android Oreo through 10

I recently brought my Newton MessagePad 120 back to life — for a brief window of time. It died again after less than 48 hours, but it was fun to play with while it lasted.

In lieu of finding more old hardware, I started playing with the Einstein Emulator. I've had it running on my Mac for a while, but since the Newton was portable, it sure would be nice to have the emulator in my pocket.

Unfortunately, Einstein hasn't been updated in a while and didn't work on my Pixel 3a, nor would the source build in Android Studio on my Mac. A little hacking at it identified two issues:

  • The project had an undocumented dependency on a tool called ninja. Reported here; running this from the command line resolved it: brew install ninja
  • Android notifications have changed since the project was created. I found how to update the notification, and implemented it as a work-around. I'm not sure it's 100% backward compatible, so I've built and signed an APK of the original code and one with my updated code.

These updated bits, plus the necessary dependencies are assembled here.

Sometimes I can hear my bones straining under the weight of all the lives I’m not living

September had no business travel, so of course October had to make up for it. Combined with a 3-stop speaking tour, I had a trip to our LA headquarters and another to Seattle for a meeting on the Microsoft campus. Sprinkled in between were some wonderful personal trips in Ontario and Pennsylvania. I've lost track of how many miles were spent in the air, but 2,226 miles were spent in a car. Tonight will be the first night in my own bed in 3 weeks.

Travel creates lots of time for reflection — especially when it has you re-treading old paths. In Seattle, I got an afternoon to visit the sweet spot we used to call home in the foothills of the Cascade Mountains. The event I spoke at in New York was 20 minutes from the apartment where our oldest two kids were born. I also circumnavigated Lake Ontario for the first time ever, and got to enjoy breath-takingly beautiful views of the Thousand Islands — a place I am resolved to visit again with the family.

A particularly interesting stop was at a conference in Pennsylvania with ABWE, a missions organization with a long history of enabling incredible good, and briefer history of hiding incredible evil. We were interested to see what had become of the folks that sent my family to Bangladesh in my youth, and after reading many books on the topic, learn a little more about what’s happening in that still-troubled country. Some things have definitely changed: their website and missionary training now contains clear and unequivocal information on the safety and protection of children, and they’ve launched a tech ministry that has the stated purpose of partnering with, and enabling, nationals to reach their own people. Some things have not changed: I spoke to a missionary who felt over-worked on the field and that his family suffered as a result, and we heard from an executive team that is still 90% old white American dudes — not exactly a diverse crew. Still, even the white dudes were espousing some progress: that our families are our most important work, and that Americans might not always be God’s premier messengers in some parts of the world.

Each of the stops had a certain percentage of “what if” to them. We’d probably be a good deal more wealthy if we still lived in Seattle. Things might be easier if we lived somewhere in Ontario. I spoke at a really cool college in New York, maybe I could have made a career path out of that, if we’d stayed there. And of course an organization like ABWE could launch us almost anywhere in the world. We don’t really have any data to suggest that any other option would be better than the one we’ve selected, but the weight of other possibilities is sometimes overwhelming. We turn 40 next year — have we done everything we should have by this point? Our oldest becomes a teenager in just a couple months — are we doing a disservice to our kids by giving them such an easy, comfortable life?

Travel is expensive with a family of five. Banking miles on business travel takes me far away from my kids, but buys us opportunities to take them on little adventures. The next few we have planned will be fun and easy ones, but I wonder if it's time to show them a little more of the world.

Housekeeping – on HTTPS

Related to my previous rant on Internet security, the latest trend is to force a move to HTTPS, the encrypted version of the web's primary protocol. In my opinion, this is largely silly: it's security theater, since most scam sites can easily provide a certificate, and it gives browser makers even more leverage over little content developers.

I find it offensive in a different way, too: it breaks compatibility on the Internet. A whole generation of devices with older versions of SSL, which can't easily be upgraded, gets cut off from today's web.

There's a place for HTTPS, namely anywhere you submit data to a server. I don't argue the importance of that. But lots of content is just there to be consumed, and the whole transaction with the server is "give me the content." For a browser to claim that transaction is unsafe, just because the request and response weren't encrypted, is dumb. It's perfectly safe to read this website without encryption, and there are millions of sites where that is true. (The browser makers' counter-argument, for the record, is that HTTPS protects integrity as well as secrecy: on a plaintext connection anyone on the path, a coffee-shop hotspot or an ISP, can alter the page or inject scripts and ads into it.)

That said, it irks me to see my own website marked as insecure, so I did what probably every other "little guy" should do, just to keep up with the times, and added a TLS certificate for free through Let's Encrypt. However, my implementation does not break compatibility with older devices: you can still access this site over plain HTTP by sending an uncommon User-Agent string. This happens automatically if you're, say, in Netscape Navigator on an old Performa, or visiting from an HP TouchPad. Only if a modern OS is detected in the User-Agent does my main site emit a meta-refresh to the HTTPS version, and you can override that by changing the User-Agent in your browser's Developer Tools. Otherwise, if you visit via HTTP, you'll see a brief flash while the content reloads over an encrypted connection. User-Agent detection is a heuristic, so treat this as a courtesy to old hardware rather than a security boundary.
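Here is what that decision looks like in code, as an added example rather than the code actually running on this site. It assumes a WSGI-style Python front end, a fixed canonical hostname (www.example.com, an assumption) and a hand-picked set of User-Agent patterns for operating systems new enough to speak modern TLS; unknown clients, and anything carrying a known legacy marker such as the TouchPad's hpwOS, stay on plain HTTP. Building the redirect from a fixed host rather than the incoming Host header matters: otherwise a spoofed Host header turns the meta-refresh into an open redirect.

```python
"""Serve plain HTTP to old browsers; meta-refresh modern ones to HTTPS.

Added example, not the code running on jonandnic.com. The decision is
made from the User-Agent header, unknown clients stay on HTTP, and the
redirect target uses a fixed canonical host rather than the Host header.
CANONICAL_HOST and the OS token patterns are assumptions.
"""
import re
from html import escape

CANONICAL_HOST = "www.example.com"   # assumption: the site's real hostname

# Assumption: patterns for OS releases that can negotiate modern TLS.
MODERN_OS_PATTERNS = [re.compile(p) for p in (
    r"Windows NT (6\.[1-3]|10\.)",        # Windows 7 and newer
    r"Mac OS X 1[1-9]",                   # macOS 11 and newer
    r"Mac OS X 10[._]1[0-9]",             # OS X 10.10 through 10.15
    r"Android ([5-9]|[1-9][0-9])",        # Android 5 and newer
    r"(iPhone|CPU) OS 1[0-9]",            # iOS / iPadOS 10 and newer
    r"CrOS",
    r"X11; (Ubuntu; )?Linux",
)]

# Clients that must stay on HTTP even if a pattern above would misfire.
LEGACY_MARKERS = ("hpwOS", "webOS", "PPC Mac OS X", "Macintosh; U; PPC")

BODY = "<p>Constructed sample content, readable by any browser.</p>"


def should_redirect_to_https(user_agent: str) -> bool:
    """True only for a User-Agent that looks like a modern OS; empty -> False."""
    ua = user_agent or ""
    if any(marker in ua for marker in LEGACY_MARKERS):
        return False
    return any(p.search(ua) for p in MODERN_OS_PATTERNS)


def render_page(path: str, user_agent: str, body_html: str, scheme: str = "http") -> str:
    """HTML for this request. Over HTTP, modern clients get a 0-second meta
    refresh in the head (the 'brief flash'); everyone else gets the page as-is."""
    meta = ""
    if scheme != "https" and should_redirect_to_https(user_agent):
        safe_path = escape(path if path.startswith("/") else "/" + path, quote=True)
        meta = f'<meta http-equiv="refresh" content="0;url=https://{CANONICAL_HOST}{safe_path}">'
    return f"<!DOCTYPE html><html><head>{meta}<title>Home</title></head><body>{body_html}</body></html>"


def app(environ, start_response):
    """Minimal WSGI entry point; run under wsgiref to try it locally."""
    html = render_page(environ.get("PATH_INFO", "/"),
                       environ.get("HTTP_USER_AGENT", ""),
                       BODY, environ.get("wsgi.url_scheme", "http"))
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [html.encode("utf-8")]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it and point a browser at http://127.0.0.1:8080/; switching the User-Agent in the browser's Developer Tools flips the behaviour, which is exactly the override described above. The patterns are the weak part: a User-Agent is whatever the client says it is, so this is a convenience for old hardware, not a control.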

Utility and classic sub-domains will remain on HTTP until all these young hippies get off my lawn…

Apple 2 Forever…

Although our first family computer, and my first attempt at programming, was an Atari 800XL (for which I collected every peripheral and game I could find), my first computer was a Macintosh 512k, which I rescued from a garbage can outside our church. Its display had collapsed to a thin vertical line, but that didn't stop me from turning it on, and pretending to type on its keyboard or explore with its mouse. Eventually my parents found someone who could repair it, and it became a useful, slightly more modern family computer. At some point, long after it was obsolete, we traded it in for an also-obsolete Mac Plus, and added a hard drive. After a few years in service, we got a Compaq Presario 486, and the Mac Plus got relegated to storage.

Software was always my main skill set (most attempts at hardware hacking led to cut fingers — I’ve left my blood stains on many a motherboard) and after 20 years in the industry, I no longer feel like too much of an imposter when I call myself a software professional. On hardware, though, I remain a novice — it’s a hobby, not a profession.

I've carried that Mac Plus with me from job to job, keeping it set up on my desk or a bookshelf, to remind me where I started and, on the rough days, how much I love what I do. I fired it up occasionally, but the display was beginning to degrade, and it was trending toward a thin vertical line. Recently I decided I was ready to try the same repair my parents had funded so many years before. A PDF copy of the Dead Mac Scrolls revealed the secrets that had eluded my 12-year-old self: common failure points in solder joints and weak or aged capacitors made for an accomplishable project. With a healthy respect for high voltages (the CRT and analog board can hold a dangerous charge even when unplugged), a few YouTube tutorials, and more than a little trepidation, I put the old Mac Plus under the knife, and restored it.

Shortly afterward, I got a handful of other dead Macs, and found there was something of a market for vintage machines that have been lovingly restored. I managed to repair, clean and flip another Mac Plus, in beautiful platinum gray, a Mac SE, and an original 128k. I did not turn a profit, but I did manage to almost break even. In trade for one of those, I was given a couple other retro gems.

The Apple //c was the 10-year-old computer my dad had in his classroom in Germany in the mid-90s, and the Apple ][gs was the last of the Apple 2 line-up, and something of a unicorn that I never really had the chance to play with. The //c lacks a power supply and may need some other repairs, but the GS booted up, and I couldn't resist the challenge of figuring out how to connect it to my home network. Here's the Mac Plus and the IIgs talking to a range of newer devices, including a very new Raspberry Pi.

Here’s what was needed to pull that off:

  • LocalTalk PhoneNet is an adaptation of Apple's old serial networking protocol, expanding its range using 4-pin phone cabling, which was cheap and common at the time. I ringed the basement rec room with phone line to connect my Mac Plus, so adding an extension to the IIgs was easy.
  • The LocalTalk Bridge control panel was an unsupported Apple offering that allowed mid-90s Macs with a serial port and an Ethernet port to connect LocalTalk to EtherTalk. Technically both these networks are AppleTalk, with different names for the different connection types. A middling Macintosh Performa serves bridge duty.
  • A Raspberry Pi running a modified Netatalk install, thanks to the A2SERVER installer (and a lot of tinkering), talks AppleTalk over Wi-Fi and is reachable by the bridge, providing a modern file share for very old computers. One caution: the classic clients log in with AFP's original user authentication modules (cleartext, or the random-number challenge), so that share belongs on the home LAN only and should never be exposed through the router. The topology looks like this:

I’ll do a full-write up and post it on our vintage-computer friendly companion site: http://classic.jonandnic.com for those who want more details.
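As an added example (not code from the LocalTalk Bridge control panel, A2SERVER or Netatalk), here is what the bridge is actually shuffling between the PhoneNet ring and the Ethernet side. The DDP datagram in the middle is the same on both links; what changes is the framing around it: a 3-byte LLAP header and a 5-byte short DDP header on LocalTalk, versus 802.3 plus LLC/SNAP and the 13-byte long DDP header on EtherTalk. The sample frames, MAC addresses and NBP payload are constructed by hand, and the field layouts follow Inside AppleTalk. Worth noticing while reading it: nothing in any of these headers authenticates anything, so whatever the bridge can reach on the Wi-Fi side is trusted implicitly.

```python
"""Walk an EtherTalk frame and a LocalTalk frame down to the same DDP datagram.

Added example, not code from the LocalTalk Bridge, A2SERVER or Netatalk.
Sample frames, MAC addresses and the NBP payload are constructed.
"""
import struct

# 802.2 LLC (DSAP/SSAP 0xAA, UI) + SNAP. DDP uses Apple's OUI and type 0x809B;
# AARP uses a zero OUI and type 0x80F3.
SNAP_DDP = bytes.fromhex("aaaa03" "080007" "809b")
SNAP_AARP = bytes.fromhex("aaaa03" "000000" "80f3")
DDP_TYPES = {1: "RTMP", 2: "NBP", 3: "ATP", 4: "AEP", 5: "RTMP-req", 6: "ZIP", 7: "ADSP"}
LLAP_SHORT_DDP, LLAP_LONG_DDP = 1, 2        # LLAP types >= 0x80 are control frames
LONG_HDR, SHORT_HDR = 13, 5


def parse_ddp_long(ddp: bytes) -> dict:
    """13-byte long header: used on EtherTalk and for inter-network traffic."""
    (hop_len, checksum, dst_net, src_net, dst_node, src_node,
     dst_sock, src_sock, ddp_type) = struct.unpack_from("!HHHHBBBBB", ddp, 0)
    length = hop_len & 0x03FF                  # low 10 bits: datagram length
    if length > len(ddp) or length < LONG_HDR:
        raise ValueError("DDP length field inconsistent with frame")
    return {"hops": (hop_len >> 10) & 0x0F,    # bits 10-13: hop count
            "checksum": checksum,
            "dst": (dst_net, dst_node, dst_sock), "src": (src_net, src_node, src_sock),
            "type": DDP_TYPES.get(ddp_type, ddp_type), "payload": ddp[LONG_HDR:length]}


def parse_ddp_short(ddp: bytes, dst_node: int, src_node: int) -> dict:
    """5-byte short header: LocalTalk only, one network, node IDs come from LLAP."""
    length, dst_sock, src_sock, ddp_type = struct.unpack_from("!HBBB", ddp, 0)
    length &= 0x03FF
    if length > len(ddp) or length < SHORT_HDR:
        raise ValueError("DDP length field inconsistent with frame")
    return {"hops": 0, "checksum": 0,
            "dst": (0, dst_node, dst_sock), "src": (0, src_node, src_sock),   # net 0 = this net
            "type": DDP_TYPES.get(ddp_type, ddp_type), "payload": ddp[SHORT_HDR:length]}


def parse_ethertalk(frame: bytes) -> dict:
    """802.3 frame -> LLC/SNAP -> DDP (Phase 2 framing only)."""
    dst_mac, src_mac, length = struct.unpack_from("!6s6sH", frame, 0)
    if length > 1500:
        raise ValueError("EtherType rather than 802.3 length: not Phase 2 EtherTalk")
    payload = frame[14:14 + length]
    info = {"link": "EtherTalk", "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":")}
    if payload[:8] == SNAP_AARP:
        return {**info, "type": "AARP", "payload": payload[8:]}
    if payload[:8] != SNAP_DDP:
        raise ValueError("not an AppleTalk SNAP frame")
    return {**info, **parse_ddp_long(payload[8:])}


def parse_localtalk(frame: bytes) -> dict:
    """LLAP frame (3-byte header: dst node, src node, type) -> DDP, short or long."""
    dst_node, src_node, llap_type = struct.unpack_from("!BBB", frame, 0)
    body = frame[3:]
    if llap_type == LLAP_SHORT_DDP:
        return {"link": "LocalTalk", **parse_ddp_short(body, dst_node, src_node)}
    if llap_type == LLAP_LONG_DDP:
        return {"link": "LocalTalk", **parse_ddp_long(body)}
    raise ValueError("LLAP control frame, no DDP inside")


def build_ddp_long(dst, src, ddp_type: int, payload: bytes) -> bytes:
    """dst/src are (network, node, socket); checksum 0 means 'not computed'."""
    header = struct.pack("!HHHHBBBBB", LONG_HDR + len(payload), 0,
                         dst[0], src[0], dst[1], src[1], dst[2], src[2], ddp_type)
    return header + payload


def build_ethertalk(dst_mac: str, src_mac: str, ddp: bytes) -> bytes:
    body = SNAP_DDP + ddp
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", len(body)) + body


def build_localtalk(dst_node, src_node, dst_sock, src_sock, ddp_type, payload: bytes) -> bytes:
    ddp = struct.pack("!HBBB", SHORT_HDR + len(payload), dst_sock, src_sock, ddp_type) + payload
    return struct.pack("!BBB", dst_node, src_node, LLAP_SHORT_DDP) + ddp


# Constructed sample: an NBP lookup (DDP type 2) from node 5 to node 1, socket 2.
NBP_LOOKUP = b"\x21\x01constructed-nbp-tuple"   # placeholder bytes, not a real NBP tuple
ON_PHONENET = build_localtalk(1, 5, 2, 254, 2, NBP_LOOKUP)
ON_ETHERNET = build_ethertalk("08:00:07:12:34:56", "b8:27:eb:aa:bb:cc",
                              build_ddp_long((1, 1, 2), (1, 5, 254), 2, NBP_LOOKUP))

if __name__ == "__main__":
    for name, frame, parser in (("PhoneNet", ON_PHONENET, parse_localtalk),
                                ("Ethernet", ON_ETHERNET, parse_ethertalk)):
        d = parser(frame)
        print(f"{name}: {d['type']} {d['src']} -> {d['dst']} ({len(d['payload'])} bytes)")
```

Feed it frames captured on the Ethernet side of the bridge and you can see exactly which nodes and sockets the vintage machines are talking to; the payload that comes out is identical on both links, which is the whole point of a bridge as opposed to a router.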

Internet Safety – a moving target

When you visit a webpage, you might think of its address, like www.cnn.com. That address isn't really an Internet address, though. It's a domain name: a friendly and memorable shortcut for an Internet Protocol (IP) address. An IPv4 address is made up of four numbers, called octets. CNN's actual address (today) is 151.101.1.67. That's what your browser really goes to.

The mechanism the browser uses to look up the number from the shortcut is called DNS, or Domain Name System. One of the most resilient and important parts of the Internet, DNS is often provided by your Internet service, whose own servers sync with other DNS servers around the world, providing a distributed system of record — a phone book, if you’d like, for instant address look-ups.

Importantly, the chain starts on your computer (or mobile device), which forwards DNS requests from the browser to your router or modem, which forwards them to your Internet provider, and so on. If you don't like your Internet provider's answers (or the speed with which they answer), you can choose a different DNS provider by making a configuration change at your end of the chain (for example on your router, or on your computer).

This "chain of trust" allows organizations to filter the Internet within the network they provide internally. If an organization doesn't want its members to visit a website (like pornography), its own resolver can answer for that name itself, returning "no such domain" or a sinkhole address, so the request never finds the real site.

This is also the basis of many parental controls systems. They keep a list of addresses kids probably shouldn’t go to, and all you have to do is configure your local environment to use the parental controls DNS server, rather than a public unfiltered one. This chain, and the ability for administrators to control the chain, is a part of how the Internet was designed: the browser asks the computer, the computer asks the router, the router asks the network provider, the network provider asks the rest of the Internet.

Last year, Mozilla (makers of the Firefox browser) decided to experiment with breaking that chain of trust. Instead of the browser asking the PC (and so on), they decided maybe the browser could go around the chain, and just ask someone that Mozilla decided to trust. They claim this makes people safer, since the request is encrypted using DNS over HTTPS (DoH, RFC 8484). The encryption itself is standard; the part that matters here is that Firefox sends the query to a resolver of Mozilla's choosing instead of the one your network hands out. The effect is that intentionally crafted trust chains will be broken. Fine as an experiment, but this month they decided this behavior would be the default for all Firefox users. If you don't know how to work around it, your parental controls are effectively disabled.

And working around it is possible, but not easy. The opt-out is Mozilla's own convention rather than part of the DoH specification: before enabling DoH, Firefox looks up a canary domain, use-application-dns.net, through the normal system resolver, and backs off if that lookup returns NXDOMAIN (or an empty NODATA answer); it also defers to enterprise policies and to OS-level parental controls it can detect. So Mozilla gets to define the hoops you jump through to disable it, and the easier they are for you to implement, the easier they are for someone to defeat: a canary answer is just a DNS record, which any other network the laptop joins, or a user who flips a setting, can override.

And Mozilla isn’t the only browser maker messing with trust on the Internet. I’ve written before about Google’s attempts to re-make the ‘Net in their own image.

So, how can you filter the Internet at home while bigger groups than you and me are hard at work funneling all traffic through bastardized versions of the Internet where they can monetize your queries? As of late 2019, here’s what still works — and my best guess about how long it will continue to work…

Circle with Disney – another 1-2 years
Circle is a device that you put on your Wi-Fi network that filters actual traffic, not just name lookups. Below DNS is the actual routing of data from a website to a device. On your home network that last hop is governed by ARP (Address Resolution Protocol), which maps each device's IP address to its hardware (MAC) address; Circle uses ARP spoofing to convince each child's device and the router that Circle is the other party, so all of that device's traffic passes through it. (This is the same trick an attacker on your network would use, which is also why a device that ignores those ARP replies slips past it.) Circle needs to know which devices on your network belong to a child (which is a bit of a pain to set up), then it can stop traffic that's not appropriate.

Unfortunately, Circle is abandoning the one-time purchase device, in favor of a device+service model that will cost you more. If you can still find them, the original Circle is less than $100, and really works well. It also lets you set time limits and curfews from a reasonably friendly app on your phone.

PiHole + OpenDNS – 3-5 years
Pi-hole is a tiny service that runs on a Raspberry Pi. In total it'll cost you about $50 to set this up on your network. Once the Pi is built and running, you can install Pi-hole in a couple of minutes, and tell it to use OpenDNS as your upstream DNS provider (instead of your Internet provider). Then tell your router to hand out the Pi as the DNS server for every device (via DHCP), or to use the Pi as its own upstream: your own chain of trust. You can then use the OpenDNS dashboard to determine what kinds of web pages should be allowed within your home network. One gap to close: a device with a hard-coded resolver such as 8.8.8.8 skips the Pi entirely, unless your router blocks outbound port 53 from everything but the Pi.

It sounds complicated, but it's really not too hard, and because it's actively being developed, they've been able to stay on top of changes like the one Mozilla just made. As of today, Pi-hole answers Mozilla's canary domain (use-application-dns.net) with NXDOMAIN, which tells Firefox to leave its DoH default off and keep using the network's resolver. Eventually Google is going to realise there's an untapped data source here, and move to eliminate competition from parents who want to protect their kids. But for the near future, this works well.
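The following is an added example (not Pi-hole's code, and not from this site) that makes concrete both the chain-of-trust mechanism described at the top of this post and the Pi-hole work-around just above: a resolver that speaks the real DNS wire format, answers the Firefox canary domain with NXDOMAIN, answers names on a blocklist with Pi-hole's 0.0.0.0 sinkhole address, and forwards everything else to an upstream (OpenDNS here, as in the post). The blocklist entries and the offline fake_upstream are constructed for the demo; udp_forward is the only network call and is never invoked unless you wire it in.

```python
"""Minimal filtering DNS resolver, pure standard library. Added example,
not Pi-hole's code. Wire format per RFC 1035 (A records only). BLOCKLIST
and fake_upstream are constructed; udp_forward is the only network call.
"""
import socket
import struct

CANARY = "use-application-dns.net"            # Firefox's DoH opt-out signal
SINKHOLE_IP = "0.0.0.0"                       # Pi-hole's answer for blocked names
BLOCKLIST = {"ads.example.com", "tracker.example.net"}   # constructed sample
UPSTREAM = ("208.67.222.222", 53)             # OpenDNS, as in the post

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Return (name, offset after the name); follows compression pointers,
    and refuses pointer loops so a hostile packet cannot hang the resolver."""
    labels, end, jumps = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                            # pointer
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(qid: int, name: str, qtype: int = TYPE_A) -> bytes:
    return (struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN))


def parse_question(packet: bytes):
    """Return (id, flags, qname, qtype, offset where the question ends)."""
    qid, flags = struct.unpack_from("!HH", packet, 0)
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack_from("!HH", packet, off)
    return qid, flags, name, qtype, off + 4


def build_response(query: bytes, rcode: int, answer_ip: str = "", ttl: int = 300) -> bytes:
    """Authoritative reply echoing the question; one A record if answer_ip is set."""
    qid, flags, _, _, qend = parse_question(query)
    flags_out = QR | AA | RA | (flags & RD) | rcode
    resp = struct.pack("!HHHHHH", qid, flags_out, 1, 1 if answer_ip else 0, 0, 0) + query[12:qend]
    if answer_ip:   # name = pointer to the question name at offset 12
        resp += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    return resp


def parse_answers(packet: bytes):
    """Return (rcode, [IPv4 strings]) from a response; non-A records are skipped."""
    _, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    off, ips = 12, []
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(packet, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def is_blocked(name: str) -> bool:
    """Suffix match, so sub.ads.example.com is caught along with ads.example.com."""
    parts = name.lower().split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))


def udp_forward(query: bytes, server=UPSTREAM, timeout: float = 2.0) -> bytes:
    """Real upstream: relay the query bytes unchanged and return the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, server)
        return s.recv(4096)


def resolve(query: bytes, forward=udp_forward) -> bytes:
    """The filtering step: decide locally, or forward up the chain."""
    _, _, name, _, _ = parse_question(query)
    if name.lower() == CANARY:
        return build_response(query, RCODE_NXDOMAIN)     # Firefox: keep DoH off here
    if is_blocked(name):
        return build_response(query, RCODE_NOERROR, SINKHOLE_IP)
    return forward(query)


def fake_upstream(query: bytes) -> bytes:
    """Constructed stand-in for OpenDNS so the demo runs offline."""
    return build_response(query, RCODE_NOERROR, "93.184.216.34")


if __name__ == "__main__":
    for qname in (CANARY, "sub.ads.example.com", "www.example.com"):
        rcode, ips = parse_answers(resolve(build_query(0x1234, qname), fake_upstream))
        print(f"{qname:22} rcode={rcode} answers={ips}")
```

To use it for real, bind a UDP socket on port 53, hand each received datagram to resolve() with the default udp_forward, and send back what it returns. The canary answer only governs Firefox's default: a user who turns DoH on explicitly, or any client that ships its own resolver address, bypasses this entirely, which is why blocking outbound port 53 (and, increasingly, known DoH endpoints) at the router is the complementary control.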

Mobile Device Parental Controls – constantly changing
The best phones for parental controls are iPhones… personal preference aside. The Screen Time feature lets you set a PIN and access control for many things on the device. Unfortunately, you need regular physical access to configure and change these settings, which appear and disappear through different OS versions. This obviously requires parents to keep a certain amount of hands-on with their kids devices.

Apple has an app called Apple Configurator that can put a device into Supervised mode, which unlocks a number of additional controls. Supervising over a USB cable works for anyone, but the remote, hands-off version (automated enrollment through Apple Business or School Manager) is intentionally limited to organizations: Apple actually vets you to determine whether you should be allowed to Supervise users before you can use that with kids' devices. Presumably they're monetizing this somehow, because there's no reason this shouldn't be free to everyone.

Amazon has a number of features for parental control and monitoring on their tablet devices (yours truly was responsible for some of them), but with each version of their OS, they make those harder to find and use.

Our kids don't have their own phones…yet. We have one "kid phone" that they can check out if they're going to an event where we're not with them, but it's locked down tight. Still, their friends all have phones, and the pressure is on. Soon enough, I guess I'll be trying out some parental control apps, to see what works best outside the home. Any suggestions?

Summer 2019

Summer did not unfold as planned. We'd originally talked about spending some time in Europe, but as discussions about a job change progressed, we thought it best to stay closer to home base. So we modified our travel plans to those that could be tackled by road trip. We had dreams of taking our new SUV east across the U.S., then up to the Maritimes. But immigration considerations for the new job suggested it was wise not to leave the country, at least not for long. In the end, our range was limited to trips that could be tackled by car in a day (or less, if the need arose).

Still even with that limit, we managed to pack a fair bit in. A result of the job change delay was that I got to spend another couple weeks at a company that holds a customer event in Orlando every other year. Last time the kids enjoyed Disney World, so this time, Nic and the kids did Universal Studios. This lined up well, since my employer put us up at a Universal hotel property, affording us easy trips to the parks, and Express Passes through the lines. I performed my close-to-final duties, with our plans still mostly unannounced, while the family enjoyed the rides — especially the Harry Potter themed ones! On the final day, I got to join them and visit some of their favorites.

A week later I submitted my two-weeks notice, at the end of which, we headed to Family Camp at Beulah Beach — a newer tradition now in its 3rd year. We enjoyed Lake Erie, some solid teaching, and the many activities that the Christian Missionary Alliance provides there. The giant rope swing, zip line and Seadoos are recurring favorites. But we especially enjoyed the time with some friends.

The end of Family Camp kicked off 6 weeks of near non-stop travel for me (and 4 unexpected weeks without a pay check) in my new job. The new leadership title carries with it a new level of responsibility, both within the relatively small organization and with the membership. Partner companies provide much of the technology, but aren't necessarily set up to integrate or work together. Navigating that ambiguity, against some fairly intimidating deadlines, has provided sufficient challenge for the near future.

Once the Visa paperwork was done, we were free to visit with family in Canada. Nic and the kids were fortunately able to stay a bit longer in Ontario than I was, so got some extra cousin time, while I hopped around the continent. We met up again in New York, where we went “glamping” with some old friends from Canada at a Six Flags amusement park and campground — a mid-point of the summer for them, but almost the end of ours.

The final days of freedom were spent around home, kayaks, bike rides and enjoying our pool membership at a nearby swim club, as well as some activities for the kids: horse-back riding for Abi, and robotics camp for Ben. Eli had a sports camp earlier in the summer. We even made it to a re-creation of Noah’s Ark, in Kentucky!

School starts early in Ohio, so supplies were purchased, back-packs were packed, and new teachers were met. The first two weeks of 3rd, 6th and 7th grades have started well, and all the teachers seem nice. Labor Day weekend brings the Great Geauga County fair, and a little time to relax after the stress of a new school year.

More photos in the usual location…

So long, and thanks for all the fish!

Four years is the longest I've worked anywhere. Usually, I follow a rule of three: one year to learn a job, a second year to rock it, and a third to hand off to someone else and start looking for the next growth opportunity. I'm proud of what got accomplished in my first 2 years at this job, and I re-upped long enough to see the sequel through, but personal growth has slowed, opportunities have been constrained, and as has happened in the past, there's nothing on offer that would make it worth sticking around any longer. I accomplished what I set out to do, so it's time to move on.

In those four years, with the expert help of two tiny but amazing teams, we launched two products unlike anything anyone in our space has ever seen before. Shelby is the "Onboard Diagnostics Scanner" for industrial automation, with a friendly UI and an astoundingly simple setup experience. Sherlock is a legitimate artificial intelligence for manufacturing, invented by some of the nicest PhDs you'll ever meet, who trusted us to bring it to market. Along the way, I got to form and help lead teams, invent and develop new ideas, and communicate cutting edge technology at the highest levels within my company and without. It was a good run. Worth the extra year, despite occasional emotional trauma.

Up next is my first experience in senior management. I’ve accepted the role of Chief Technology Architect, for an Institute within UCLA’s Office of Information Technology. In that capacity I’ll be working with some old friends, and some new ones, on a platform that has lots in common with Shelby — only at a larger, more impactful scale. Our goal is to plumb entire manufacturing enterprises for automatic information retrieval, while simultaneously funding and enabling academic research to create new value atop that data source.

Although the organization is based in Los Angeles, the Wises will remain stationed in Ohio, where I'll be in close proximity to important partners and potential users. After nearly 6 months without significant work travel, I'll be flexing my SkyMiles again with frequent trips to California, and wherever else potential partnerships can be developed.

Update: Press Release for the new gig.