Why the bluetooth headset hate?

Over the past few days I’ve read not one, but two articles expressing the hate toward bluetooth headsets. And for both articles, I realized that it was misplaced hate. The authors (and commenters) actually hate the way that some people use them. That is, the whole standing around and talking to yourself thing.

Fair enough, but some of us just want bluetooth headsets so we don’t have to keep buying special, vendor specific headsets, and yet also don’t want to hold the phone up to our ear for the whole hour-long conference call.

The updated irony

Since I was thwarted in my one lame attempt to get an iPhone, I ended up getting a standard-ish Nokia flip phone. This was supposed to be my “backup phone”. I’m not sure when I would have used the backup phone (when I sent my iPhone in for service? When I didn’t want to take the iPhone with me to a dangerous neighborhood?), but it didn’t seem too wasteful to have a unit to use when the primary phone wasn’t working.

Of course, now that I’ve had this Nokia for a few days, I keep liking it more. It fits in my pocket. I can sync it with the Mac via bluetooth. It gets decent reception. It sounds fine. I can use a custom ringtone. (I’m not at the moment, however). It ain’t perfect, but it is working for me.

I do miss the calendaring, password safe, and games from the Treo. But, I never did really use that thing to its full potential, so stepping down from the smartphone is working out fine.

The irony

Yesterday, my trusty Treo 650 decided to go crazy. OK, I think, I had it for two years, time for something new. Time for an iPhone! Alas, today is a day when the iPhone appears to be mostly out of stock.

So, let me describe the particular form of crazy that my Treo has become. I first noticed it last night. I was outside, and it was raining (although not directly on me). I look at the Treo, and it is, for some reason, trying to sync via cable. Cancel. It tries to sync again. It is in an endless loop of syncing. It is acting like it has the sync cable plugged in, and the sync button permanently pressed. After several resets to no avail, I give up and remove the battery for a few hours. Now it doesn’t try to sync all the time (although, it still tries sometimes), but it also doesn’t turn on when asked, either.

I’ve tried everything up to and including the data-erasing hard reset with no change. Hopefully, I’ll be able to get an iPhone soonish. I don’t want one bad enough to get it from ebay…

Update: instead of getting an iPhone, I’ve gotten a Nokia 6102i with no contract. Nothing at all like an iPhone, but it is a credible phone. I may change my mind if I’ve got to take it overseas, though. By paying for the phone and not getting a new contract, I do still reserve the right to get an iPhone in the not-too-distant future.

Red Sweater Software Spam Filtering Lets Me Down; Red Sweater Tries Real Hard

Step…

  1. Discover Black Ink. It has a 30-day trial period
  2. Try for 30 days. Like in the beginning, like at the end.
  3. Buy it. I go to the online store and pay via PayPal.
  4. Wait for 3 days. See credit card charge go through.
  5. During this time, fail to check the spam traps.
  6. Wait for 4 more days. Nothing from Red Sweater Software.
  7. Send email to support@red-sweater.com asking for actual registration code.
  8. Wait 3 more days. Silence.
  9. Discover that somehow, searching for “red-sweater” in Mail.app doesn’t find mail in the spam folders.
  10. Eventually find 3 emails from Daniel Jalkut with your registration code.
Hmm.. The online store page says “…usually within a few minutes”. Is two weeks to wait long enough? I guess after that I’ll be reversing the charges. Or something.

Update: All fixed now. I am somewhat amazed that posting to my blog was an effective means of communication. I’m guessing this reflects more on Red Sweater Software’s customer service diligence than anything else.

Update[2]: So my friend Sean summed this whole event up as: “You posted to your blog, Daniel Jalkut read it, said ‘check your spam box, dumbass’, and now you look like an idiot.” Yep.

The Good and Bad of DNSSEC SO

Late last year, Mike StJohns transcribed one of his DNSSEC-related rants into Internet-Draft form (recently expired). The name of his proposal, “Signature Only DNSSEC” has been referred to as “DNSSEC SO” in shorthand.

Mike’s idea was soundly rejected by the IETF working group that it was presented to, DNSEXT. I’ll outline some theories why in a bit. But, its rejection was not because it was a horrible idea. In fact, from some points of view, it is a pretty good idea. In a nutshell, DNSSEC SO says:

  • Drop the NSEC (née NXT) or NSEC3 records, and just concentrate on being able to positively verify records, and
  • because successful chains of trust through zones don’t actually involve NSEC records, this can coexist with standard DNSSEC.
The draft certainly talks about other things (like off-tree chains of trust) which are interesting too, but this is the main thrust. By eliminating the NSEC records (what MSJ calls “Provable Non-Existence”, or PNE), you’ve simplified DNSSEC and, in one fell swoop, eliminated all of the angst generated by the NSEC records (leading to things like NSEC3 and on-line NSEC generation). This isn’t to say that DNSSEC SO removes all of the Hard from DNSSEC, but it does go a long way.

However, let’s take a look at the main purposes of DNSSEC:

  1. Protect legacy and security-unaware Internet applications from DNS spoofing attacks, and
  2. Enable new applications to use DNS as security scaffolding.
Purpose #1 is why (I believe) DNSSEC was pursued in the first place. Purpose #2 was thought of later as a compelling reason to continue. Or rather, #2 is the reason why we would have wide-scale deployment of DNSSEC in the absence of a highly publicized attack on the DNS.

And now we can see why DNSSEC SO was rejected: it is utterly useless for purpose #1. And, since most new applications have to live in a world without universal DNSSEC deployment (SO or otherwise), DNSSEC SO isn’t as useful for purpose #2 as it might be. Let me explain.

Standard DNSSEC (including things like NSEC3) says that DNS responses, after being validated, fall into one of three states (actually four, but never mind): SECURE, INSECURE, and BOGUS. That is: it validated and was signed; it wasn’t signed, but that was proven to be OK; and it failed to validate (for any reason). When a response is BOGUS, the response is withheld from the application. Thus, an unaware application is spared from the effects of the spoofing attack.

DNSSEC SO says that responses, after validation, only fall into two states: SECURE and NOT SECURE. That is: it validated and it was signed; or it wasn’t signed or didn’t validate. So spoofing attacks just get passed on to the unaware client, which can’t distinguish them from normal DNS responses.

OK, so what about purpose #2? Imagine an application that might be aware of DNSSEC and might really want to use it for security scaffolding. Let’s call it DKIM, an application that looks up cryptographic keys in DNS for the purpose of deciding to accept or reject email. It might decide that it is only going to use DKIM keys that have been signed and verified by DNSSEC. This is great, and, in fact, DNSSEC SO works here just fine.

However, at this point in time, DKIM cannot afford to restrict itself to only using keys signed with DNSSEC. Even with DNSSEC SO, it is going to take a while to get enough infrastructure in place so that any zone that wants to can be signed and trusted. And DKIM needs as many email senders and receivers to use it as possible.
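The two classification schemes and the DKIM policy choice described above, as an added example that is not from the draft or the original post: a constructed Python model in which the `Response` fields, the function names and the sample answers are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    SECURE = "SECURE"
    INSECURE = "INSECURE"      # standard DNSSEC only
    BOGUS = "BOGUS"            # standard DNSSEC only
    NOT_SECURE = "NOT SECURE"  # DNSSEC SO only

@dataclass(frozen=True)
class Response:
    """What a validator has established about one answer (constructed model)."""
    label: str
    signed: bool           # signatures accompany the answer
    sig_valid: bool        # a chain of trust validated those signatures
    proven_unsigned: bool  # validator has proof the zone is legitimately unsigned

def classify_standard(r: Response) -> State:
    if r.signed and r.sig_valid:
        return State.SECURE
    if not r.signed and r.proven_unsigned:
        return State.INSECURE
    return State.BOGUS  # failed to validate, for any reason

def classify_so(r: Response) -> State:
    # Without provable non-existence, "unsigned" and "spoofed" look the same.
    return State.SECURE if r.signed and r.sig_valid else State.NOT_SECURE

def delivered(state: State) -> bool:
    """Does a security-unaware application ever see this answer?"""
    return state is not State.BOGUS  # only BOGUS answers are withheld

def dkim_key_usable(state: State, require_dnssec: bool) -> bool:
    """Hypothetical DNSSEC-aware DKIM verifier policy for a fetched key."""
    return state is State.SECURE if require_dnssec else delivered(state)

# Constructed sample answers, not captured traffic.
SAMPLES = [
    Response("signed zone, good signature", True, True, False),
    Response("legitimately unsigned zone", False, False, True),
    Response("spoof: signatures stripped", False, False, False),
    Response("spoof: forged signature", True, False, False),
]

def compare(samples=SAMPLES):
    """label -> (standard state, SO state, reaches unaware app: standard, SO)."""
    rows = ((r.label, classify_standard(r), classify_so(r)) for r in samples)
    return {lbl: (std, so, delivered(std), delivered(so)) for lbl, std, so in rows}
```

In this model both spoofed samples are withheld under standard DNSSEC but reach the unaware application under DNSSEC SO, and a DKIM verifier that cannot yet set `require_dnssec` accepts a key from them under SO as well.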

So why was DNSSEC SO rejected by the IETF? I suppose that everyone who spoke up saying “No” has his/her own reason, but my belief was that it was because DNSSEC SO rejects the initial requirement for DNSSEC, and that the initial requirement (purpose #1, above) is still valid. Also, the working group was obviously tired of working on DNSSEC, and DNSSEC SO represented another 6 to 12 month round of effort for what seemed like little gain. In other words, “too little, too late”.

Black Ink == Cheating

That is, if you consider looking up crossword puzzle clues on oneacross.com to be cheating. Or even if you think that looking up stuff in imdb and wikipedia is cheating.

I haven’t spent a whole lot of time on crossword puzzles before, mostly because I sort of suck at them. But a few days ago, I discovered Black Ink. I never tried the previous (java-based) version, but this version is pretty good. But it makes looking up stuff in oneacross (which I didn’t even know about before) ridiculously easy. And you are one command-tab stroke away from your browser and the crosswordy goodness of wikipedia, google, and imdb.

I haven’t laid down the cash-money for this application yet, but if I keep going I’m going to have to.

No Fortune

After an afternoon of painting trim, I headed over to the nearby Chinese restaurant, Fortune of Reston. I can walk to it, and as I approached it, I realized that the sign for it was gone. Indeed, the whole restaurant was gone, stripped to the concrete floor. A little Google research later, I discover that it has actually been closed since January 7th. I guess it says something that it took me until March to notice its absence. Ah, Fortune, you will be (somewhat) missed.

On my way back, I noticed that the bagel shop in the same shopping center (Manhattan Bagel) was also gone. The same Google research indicated that it had been gone for over a year. Clearly, my powers of observation need work.

Missing sound found

I finally noticed that my TiVo was in the “Pending Restart” state. I restarted it, and bang! new version of the TiVo software (8.1.1-something!).

And this version (among other things) fixes the sound issue that I was having with Comcast SportsNet DC. Of course, this happens exactly one day after the last thing I wanted to see on this channel was aired. Figures.

Now my current issue (which I hope resolves itself) is that Verizon is in the process of moving all the channels around, and I’m currently in the state where some of the channel changes have been applied by TiVo, but not yet by Verizon. And (I think) some changes have been applied by Verizon but not yet by TiVo.

The new TiVo software adds a bunch of features, the most interesting of which are “TivoCast” and the “Recently Deleted” folder that now shows up. TivoCast is (I think) the broadband video download service that Tivo is rolling out. I can’t tell how to use it yet. If I ever visited tivo.com, I would have found it obvious how to use it. However, I guess I’m on the cutting edge of this software update, since Tivo Central Online doesn’t seem to realize that the S3 now supports TivoCast.

The Case of the Mysterious Missing Sound

A few months ago, I switched to Verizon FiOS TV, using two CableCARDs in my S3 TiVO. Mostly just because it was an option, and the FiOS service was at least $10 less than my other option, Comcast. Sorry, Comcast, competition prevails!

Overall, I’ve been pretty happy with this setup. However, I have this strange problem: two channels in my lineup don’t have any sound. They look OK, but no audio, ever. Now digital cable in general, and FiOS is no exception, comes with so damn many channels that there is a significant chance that these two channels might go completely unwatched, thus, no problem. And, in fact, this is largely the case. However, it turns out that on one of these channels, there are basketball games that I want to watch. Of course, sound is not strictly necessary for watching a basketball game, and, sometimes, is a hindrance. Nevertheless, it sort of bugged me that I couldn’t, even if I wanted to, listen to the audio. Enough of the mystery, the two channels (for me) are Comcast SportsNet DC (CSNDC) and Mid-Atlantic Sports Net (MASN). They are consecutive, and, suspiciously, both channels from a different cable operator (Comcast, duh).

So, I called FiOS tech support. The friendly tech on the other end of the line tried resetting my CableCARDs (which also apparently had the strange side-effect of disconnecting my phone call), but nothing changed. After some more internal kibitzing, she decides to send a tech out my way the next day (that being MLK day). I agree to meet the tech in the afternoon.

The idea is that CableCARDs are so weird and crappy, that this might be because of bad cards. This seemed unlikely to me, since both cards exhibited the problem. What are the chances that two cards fail in the exact same bizarre way? Nonetheless, I was game.

The tech, Mike, is basically on time, and pretty friendly and helpful. He swaps out my cards, and we spend a terribly long time on the phone getting a remote tech to activate the cards. Eventually, this gets done, but: no dice. No surprise there, but what now? Mike calls in to see if they can test this in the CO — Nope, no S3 TiVO there (yet, I think). Eventually the remote FiOS people blame the TiVO. Mike leaves promising to look into it further.

After he leaves, I call TiVO (I wanted to confirm my service level anyway), and report the problem. The TiVO support person has never ever heard of this problem, but promises to move it up the chain.

The next day (this would be…yesterday), TiVO tech support calls me and owns up to the problem. It actually is a TiVO problem, that, reportedly, will be addressed in the next software update. No promises on when that will be, however.

new home page!

Check the new home page at blacka.com! Up until now, this page was about as boring as possible. In fact, I don’t know if anyone ever went there intentionally. But now it has a snazzy new look, designed by my sister.

All of the photos are mine (well, taken with my camera, anyway). They represent a somewhat random sample of my meager photo collection. Mmmm, I should take more photos…