Bloggit's Journal — LiveJournal


Router-Firewalls and WRT Jan. 27th, 2017 @ 05:55 pm

The Problem

I have an IoT nest.  And run some servers for some custom applications.  And a static IP.  And printers and file servers.
I don't trust those cheap Chinese web-cams, even though I find them cost effective and useful. I'm willing to use them, but want to fence them off from the rest of my network.

So this really started as an effort to isolate devices on the network, which I figured I'd do via VLANs.  That hasn't fully happened yet, but I did gain more knowledge of routers.


For years I've used the ASUS RT-AC66U and then RT-AC68U as both my home router and firewall, as well as my WiFi access point.  These wonderful little machines have great coverage, impressive speed, work extremely fast in Bridge mode (providing wired connections remotely to, for example, a craptastic Samsung TV that has terrible wireless itself but can use wired fine), and WRT-level features.

(If you're not clear on that, you can use two wireless routers to act as a network cable, giving you wired ports where you otherwise don't have them.  Which is very useful for devices that can take either wired or wireless, but have terrible wireless and aren't near wires.)


WiFi Router Replacement Firmwares

Higher-end consumer-grade WiFi routers can often run an open-source firmware in place of the stock firmware.  These largely descend from the Linux-based WRT54G firmware that Linksys published under the GPL in 2003.  The top ones are:

  • DD-WRT is probably the best supported of the lot, with more router support (different ones at any rate) than Tomato and a nice GUI.

  • OpenWrt is a bit more hard-core.  It is built around a package system, and most configuration is done on the CLI (command-line interface) or by editing the files under /etc/config, so it's lighter weight but perhaps at the sacrifice of ease-of-use and features.  The LuCI web GUI is included in most images, and Gargoyle is a separate OpenWrt-based firmware with its own GUI.

  • Tomato historically is easier to use than the others, with better monitoring and a nicer GUI, but fewer routers supported.  It's important to ensure you're looking at the latest version/fork/website.  For example, Tomato's original development ended around 2010, but that website is still alive.  The current Tomato site would be http://tomato.groov.pl/, which still has recent updates.

The Asus routers have their own version, ASUSWRT, which started from Tomato... but, and this matters, from a much older version of Tomato.  Asuswrt-Merlin starts from ASUSWRT.  Asus routers come with ASUSWRT, and it's pretty nice, pretty powerful, well documented and so on.  Plus it's optimized for Asus hardware, so the performance is top-notch.  Where it falls down is in some less consumer-oriented features, such as VLANs and monitoring.  Where it excels is in QoS (quality of service), as it has the hardware optimizations for what is a very hardware-intensive task.

To these optimizations, Merlin adds some features and fixes, but not many.  For example, VLAN support is present, but (currently) only via CLI, while Tomato has a nice GUI for it.  Both Tomato and ASUSWRT/Merlin use dnsmasq for DHCP and DNS; the difference is that Tomato exposes custom dnsmasq configuration in the GUI, Merlin takes it from a file on the JFFS partition (/jffs/configs/dnsmasq.conf.add), and stock ASUSWRT doesn't expose it at all.

Basically, WRT (and Tomato) just mean a bit more solid, more features, more capabilities, such as being able to both run a VPN endpoint on the router and serve as a VPN client for all traffic leaving the router, and better firewall features.

Anyhow, these systems have served me well, but as the IoT (Internet of Things) attacks become more common and we have more devices we don't know much about on our home networks, I decided I wanted to segregate my network better.  One downside of the Asus devices is, they aren't really cheap.  And what they do, they do very well, but they can't stretch.  So I did some additional investigation to augment my network.


My requirements were:

  • Fast throughput.  I have real 1Gb connectivity to the web, and with the work I do, I use it.

  • Not too hard to set up.  I'm a serious programmer, but GUI interfaces are far faster and more reliable than CLI for most configuration stuff.

  • Not too expensive.

  • Compatible with my devices without too much work.  Which practically rules out, for example, VLANs, given the age of some of my devices.

My first looks were at something like a Mikrotik RouterBOARD, but they're notoriously slow.  (They do have the best network mapper though.)

Trials and Solutions

In my trials, I got a Qotom quad-LAN J1900-based micro-PC.  Unfortunately, it died in less than four hours, and there simply isn't quick affordable support for this device.  Getting a replacement motherboard required $50 in shipping and waiting two months.  Not ideal.  But... it's an amazing box when it's working.  Tiny, cheap, fast, can run Windows 10 no problem.

I also got a Ubiquiti ERL3 (Edge Router Lite 3).  Which can be fast enough, but you really have to pay attention to how you configure it.  For example, just bridging two interfaces drops the simple throughput from around 800Mbps to around 130Mbps.  Seriously.  Nothing else going on.  But

Other tool options were:

  • pfSense, the open-source FreeBSD-based firewall distribution (a fork of m0n0wall) that a number of commercial appliances build on, which the Qotom was going to run.  (There are pre-built Qotom-pfSense boxes too; these are built by a third party with pfSense pre-installed.)

  • Snort, signature-based network intrusion detection/prevention.  (Basically a packet-inspection engine that tracks connection state and fires rules on packet contents.)

  • UTM (Unified Threat Management) packages, AKA USM ("Security"), generally including the firewall, intrusion detection, anti-spam, anti-virus and VPN.  Very expensive and heavier than I was after.

  • Appliances - These typically serve as firewall and intrusion detection, but have high costs.

    • WatchGuard - firewall appliances with very high annual costs.  I owned one years ago, and they are very powerful.  But very expensive.

    • Fortigate - For example, the FG-60D is $400 on Amazon

    • As an example of annual fees, the Cisco ASA 5505 Security Appliance is $225 to buy, but estimated around $800 (pricing is only through dealers) annually for licenses!

  • Sophos - very expensive software

So, as I mentioned, I got a Qotom to put pfSense on.  And it died.  So I followed up with a Ubiquiti ERL3, which isn't running pfSense, but rather EdgeOS, a customized Vyatta (which is itself Debian-based).  Still a micro-PC, just a different O.S. and lower requirements.
I also wound up installing Tomato (just Tomato, not Advanced, as I didn't want any options/features obscured by an incomplete U.I.) on my older Asus router.

And I attempted to set up VLANs.

What I found out is that VLAN support isn't very mature yet (2017Q1), and that Tomato/WRT cannot prep packets for upstream routers. But, of course, since nobody is using VLANs, this isn't clear.

And that you can filter outgoing packets with Ubiquiti (or pfSense) simply by assigning static IPs/leases and filtering on source IP address at the WAN port; it doesn't restrict internal addresses, but that data can't go anywhere.  Which gives me much of my original goal with a much simpler, no-VLAN, design.
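As an added example of that approach (not the author's configuration), this is what it looks like on EdgeOS, the firmware on the EdgeRouter Lite: a static DHCP mapping pins the camera to an address, an address group collects the IoT devices, and a rule set applied to the WAN interface in the "out" direction drops anything from that group before it leaves.  The subnet, interface name (eth0 as WAN), MAC address and IP addresses are assumptions; EdgeOS evaluates "out" firewall rules before source NAT, so the private source address is still visible to the rule.

```edgeos
configure

# Pin the camera to a fixed address so the rule below has a stable target.
# (Subnet, MAC and addresses are assumed values for this example.)
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping cam1 ip-address 192.168.1.50
set service dhcp-server shared-network-name LAN subnet 192.168.1.0/24 static-mapping cam1 mac-address 00:11:22:33:44:55

# One group for every device that must not reach the Internet.
set firewall group address-group IOT_NO_WAN description 'IoT devices denied Internet access'
set firewall group address-group IOT_NO_WAN address 192.168.1.50
set firewall group address-group IOT_NO_WAN address 192.168.1.51

# Rule set evaluated on traffic leaving eth0 (assumed to be the WAN port).
# Everything else is still allowed out; only the group is dropped, and
# each drop is logged so you can see a camera trying to phone home.
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 10 action drop
set firewall name WAN_OUT rule 10 description 'Block IoT egress'
set firewall name WAN_OUT rule 10 source group address-group IOT_NO_WAN
set firewall name WAN_OUT rule 10 log enable
set interfaces ethernet eth0 firewall out name WAN_OUT

commit
save
exit
```

After a commit, `show firewall name WAN_OUT statistics` shows the hit count on rule 10, which is the quick check that the camera is actually being caught.  Two caveats a practitioner should keep in mind: the camera can still reach everything else on the LAN, and a compromised device can step outside the rule by taking a different IP (adding `source mac-address` to the rule narrows that, but a device that can change its IP can usually change its MAC too).  Name lookups through the router's own DNS forwarder also still work, because those queries leave with the router's address, so this blocks direct connections, not every possible data flow.  It is cheap containment, not a substitute for a separate segment.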

I also discovered that the Asus (and Merlin) Media Bridge Mode is much faster, as in it's really significant, than the generic Tomato Media Bridge mode.  If you're going to use a WiFi router as a wired access point extension, stick to Asus and to an Asus WRT-based ROM.

Lessons Learned

AsusWRT (and Merlin) have some huge advantages.  They are much easier to configure for Bridge mode than Tomato is, and they will use the radios more optimally (for pairing two Asus devices at any rate).  It seriously took nearly an hour to get Tomato bridging effectively... on the wrong band... while AsusWRT was a simple button-and-select process.  But they would not have allowed me to do the VLAN stuff I wanted.
Routers don't have on-board batteries (no battery-backed clock), so they lose the time on a hard boot (i.e. unplug-to-boot).  To get around that, you must configure the NTP server correctly, and the router must have both external access (to the NTP server) and a correct DNS server (to resolve the NTP server's name).
But this alone doesn't get you the logs leading up to a crash, because... the logs by default, if any, are generally stored in /tmp/logs, which is reset on each boot.  To keep the logs past a boot, you need to either format some router NVRAM (non-volatile storage, in very limited supply on a router) for file storage, a bad idea due to how little there is, or add storage via an external device (USB drive) or external server (less useful for logging when something hasn't started or has broken).  This really just means add a USB drive and change the log storage to something like /tmp/mnt/FLASHDRIVE.

Another problem I had, which I'm not fully clear on yet, is that the Asus routers running Tomato were not as good at maintaining a high-speed bridge as they were with the native Asus ASUSWRT.  I'm not clear on why, but with my 1Gb internet, they required regular rebooting to keep up a connection sufficient for streaming 1080p HD (roughly 6Mbps), while I had never had that problem with ASUSWRT.  Restoring the original firmware...

Android Replacement Mail Clients Jun. 25th, 2016 @ 07:49 am
Android has an okay default AOSP (stock) email client.  A bit under-featured, but effective.  And Google's GMail client is pretty good, but you have to give Google the keys to your privacy.

You may recall, faithful reader, that I don't do that.  I ran my own cloud for a long time.  I currently use Office365 via GoDaddy, but it is, at least, not on Google.

I ran into a problem with Android not being able to authenticate against Office365.  Only Outlook could; everything else would say it couldn't reach the server.  This was on Marshmallow just over the last few months.  It turned out to be a known, but under-documented, bug in Lollipop and Marshmallow...

  • If on WiFi

  • With IPv6

  • Office365 cannot be authenticated

I found this by realizing I could authenticate by cellular connection, and working from there.

But this was complicated by the fact that Microsoft's own Outlook (for Android) app could connect.  Outlook for Android would switch to web-based OAuth2 authentication, which very few other Android clients support.  (Most rely on Exchange Services built into the O.S.)

If you have this problem at home, you can simply disable IPv6 on your router; that should solve it.  It did for me.

But that didn't solve why I was looking for another email client.

My desires are:

  • Works well with multiple accounts, including with a Unified InBox

  • Does not require Admin rights on the phone; I don't want the office zapping my entire device should I leave

  • Synchronizes contacts and appointments to the phone "people" and calendar.  (One-way is fine though.)

  • Cleans up emails to be readable.  Fixed width tables and odd font sizes can be stripped out.

  • Is not Cloud-Based, meaning I don't want my emails going first to another company's servers.

  • If support is needed, it can be had.

  • Not a major battery destroyer.

A few of these are non-negotiable.  I'm willing for my emails to live in my appointed clouds - e.g. Office365 - but not to sacrifice the privacy that some of these companies require to near-unknowns.  This eliminated:

Another client insisted on encrypting my SDCard as part of adding a corporate account.  That client isn't listed because I couldn't actually test it.

Some of these require a few extra steps to activate synchronization, going into your Settings - Accounts, choosing the specific account and selecting to sync calendar and contacts.

All of these were analyzed in the "Free" versions, but I don't mind paying for programs and didn't hold registration/premium costs against them.  I've registered two of them.

Even with ROM-based "Exchange Bypass", GMail insists on enforcing the disk-encryption portion of my work mail security policy.  That is a particularly useless (and dangerous) policy, as not only has it not been as reliable as you might wish, but the encryption is easily bypassed entirely.  The exploit, ExtractKeyMaster, takes the KeyMaster key out of the TEE (trusted execution environment) of the Qualcomm processor the phone runs and uses it to brute-force the unlock PIN off the device and decrypt the disk.  And that exploit is (or at least was, at this writing) online with full source code on github here.

This makes GMail the worst of the bunch in obtrusiveness, as even Nine allowed the mail itself to be the only encrypted portion.

Microsoft Outlook
This was where I started.  The Play Store gives it pretty low reviews, but it was mostly fine.  Administration is done at the app level, calendar and contacts can be sync'd.  Email views were pretty bad on formatted text.  My big gripe was that, roughly every four weeks, it would lose my credentials and I had to re-enter my login data for all Exchange accounts.  And that messages would often be unreadable due to hard-formatted fonts, which can be read (still messy) in other email clients on the phone, and trivially in Outlook on a computer.

On the bright side, support tried to be helpful.  On the dark side, they never figured it out.  However, I determined the OAuth/IPv6 problem later; possibly it was an expiration of the OAuth2 token.

In addition to being easy to configure even with network problems and meeting most of my other requirements, Outlook is very pretty and has a "Focused" inbox that is roughly the opposite of the "Clutter" inbox in Office365 - it learns or guesses which messages are more important to you and puts them in a different list.  It was astonishingly effective at this.  That  doesn't mean I trusted it, but it really is cool.

Cloud Magic
As I mentioned above, Cloud Magic requires your mail go to the cloud.  A non-starter for me.  But I tested it anyhow.  It does clean most mail up nicely, it's quick, has configurable gestures, is easy to use, and did get past server auth problems that thwarted most others.  On the other hand, I suspect it did this by using my login credentials from their servers, not really a secure privacy-oriented model.

If you trust them, though, this is a fantastic client.

HTC Mail
As surprising as it may sound, the HTC mail client is not the standard GMail client.  Some customizations are available for it, allowing it to meet most of my criteria.  It's pretty close to the AOSP (Android stock, non-GMail) email client.  The biggest gripes I have with it are that the old stock Android UI isn't that great and that it doesn't make emails more readable.  While Mail-Wise will not only strip off unnecessary headers and signatures, identify quotes and group conversations, but even (often) improve mobile readability by reformatting tables (when it doesn't screw up the fonts), HTC Mail just ports essentially a desktop view to the phone, meaning you have a narrow window for what is often a wide email.  This despite their claim of " Text Reflow auto adjusts content to fit your screen at different levels of zoom".  It doesn't handle tables at least.  Not really very friendly.

Aqua Mail
(Often seen as "Aqua Mail by Kostya Vasilyev")

Aqua Mail surprised me.  It accomplished the vast majority of what I wanted.  Easy install and auth, great U.I. for my purposes, not cloud based, very fast, no Admin or encryption required on Corporate Exchange accounts.  And that Kostya Vasilyev guy?  When I emailed some questions, he personally responded, helpfully, pretty quickly.

Aqua does have a "shrink to fit" option for reformatting messages, but it's usually worse than nothing; if a message has tables arranged horizontally, Mail-Wise will unformat them into lists that make sense.  Aqua will just squeeze the message horizontally so you get perhaps two characters in each table per line.  It really could use a better reflow option.  (This is the 19-June-2016 version.)

But no contacts sync at all and no Exchange push mode.  If it had those two features, it would be my current email client.

Nine
Nine is a big dog in the arena; it wins lots of awards.  And it does a lot right.  It just didn't solve my particular Admin problem well.

Nine does synchronize Calendar and Contacts.  The U.I. is fine; people seem to love it, but I preferred the look of Aqua or Mail-Wise.  It doesn't really have a "clean-up" mode for messages, but since that didn't work well on any of the clients, that's not the killer.

The killer was that Nine does enforce the Exchange Server requirements at either the device or app level.  Which sounds great; that's what Outlook does.  But Nine does it more obtrusively if you choose App level... it will allow no PIN on the device (not an issue for me; I always have a PIN), but even if you have a PIN, you will need a PIN for Nine to get back in after being out for some period you can configure up to 30 minutes.  This turned out to be massively inconvenient.

Mail Wise Email Exchange +
(Usually referred to as "Mail Wise")
Mail Wise handles most of the requirements; it synchronizes contacts and calendar, doesn't force device encryption or admin rights (although you do have to follow a process to enter the 27182 code to bypass that), is not cloud based and does have a unified inbox.

Mail Wise really has just a few flaws... it is a bit ugly, the mail clean up makes some hard-formatted messages much worse, and there is no support.  But it does clean up hard-tables in many emails that some clients (HTC, Outlook) would require horizontal scrolling to read.

Their support is a strange topic. There is a form in the Mail-Wise Help screen for "Contact Support".  I have submitted two queries using that form.  Neither received anything beyond a robo-acknowledgement after two weeks.  Not only does Mail-Wise lack support, but the U.I. sort-of claims to have support.  But on their website and Help screen they also point to a support forum... which requires Google+. I've gotten this far without sacrificing my identity to Google's Facebook-from-hell clone that has sparked privacy concerns, gender identity wars and exposed full names and demographic data on the web.  I don't know if Mail Wise has actual support via Google+, but Uri Hershkovitz at Mail Wise did confirm that they don't offer any support by any other channel.  Which means that, for me, there is no support available from Mail Wise.

But other than that, it's a nice client.

The Winner(s)
I am currently using Mail-Wise.  Their complete lack of support, the ugliness and the uglification of some emails are problems, but it does most things well.  To use it with three or more accounts or change the advertising signature, you must register, but that's reasonable to me.

Aqua Mail would be my choice - I like the U.I best, etc. - but lack of contact sync and Exchange push are killers for me.

And Outlook, surprisingly, actually may wind up back on my phone as it met all my needs just about as well... in a slightly heavy Microsoft way, but well.

Need a reason to hate Apple? Local Name Resolution! Apr. 4th, 2015 @ 03:36 pm
I party between Mac and Windows pretty equally.  Used to play in Linux-land and BSD also, but the power they brought, the others caught up to, and the usability of Mac/Windows, they never caught up to.

Mostly I use Mac.  But Windows is where the serious power is.  My home PC has two differently-optimized SSDs - one optimized for reads; that's the OS/programs one.  And one optimized for writes - that's the data/development one.  And two 4K monitors, both running 60fps, plus an additional 2560x1650 (or close) monitor.  And something like 8TB of disk, 32GB of RAM, etc.  Can't get that much horsepower on a Mac.  (Keep in mind this is April 2015.  If you read this in 2018, your cellphone could have all that.)

So my serious CAD and dev happen on Windows, but my life mostly on Mac.  I write these entries on MacBooks.  I own, for my own use, two MacBook Airs and have a MacBook Pro provided by my employer.  Live the Mac life.

Yeah, about that...

I run a fancy-shmancy network at home.  Machines talk to each-other, all behind a pretty strict (of course) firewall.   I have surveillance, with this exploit, but it had no impact on me due to the layers it's behind. But... Mac's suck on domain.local.

Assume you have a fancy NAS that can run a small business, just as a waddif.  Applies to your server or another box too.  But that NAS is the big one, because if you don't have one, you need one.  Which I probably should write about, but history shows I'm slow at that, so sub-entry: You can make your own private cloud.  Do it.  Now.

Assume you have your own Windows domain or name servers.  For now, let's call the server 'bloggit'.  So the machines might be "NAS.bloggit.local", and "FastPC.bloggit.local" and "NewMacAir.bloggit.local" and "EvenNewerMacAir.bloggit.local".  Sometimes we don't think four years ahead, huh?

Point is, you create a split-DNS solution, where your SBS or other server box serves the internal names and forwards (and caches) external lookups, making everything better; and if you also provide public DNS (I do, but you probably don't, because you probably don't run servers), you'll want a separate name server for that to avoid redirection loops.  You can, and I am not kidding, use that fancy NAS for that.  But for domain users, set the internal AD name server first, and all will be well.

Anyhow, under Linux, Windows, BSD, any operating system made for people with more brain cells than tattoos, this will work.  Look up "www.google.com" and you get it.  Look up "FastPC.bloggit.local" and, assuming you're on the bloggit.local domain, you get it.

Not on the friggin Mac.  Macs don't resolve ".local".  At all.  Well, a little bit.  Here's just how disfucktional they are...

  • nslookup FastPC.bloggit.local works

  • ping FastPC.bloggit.local fails with a "cannot resolve" error.  Even though nslookup could!

Gotta love Apple!  Because they're gonna love you as if they paid $100 for an hour of your time in a dark alley.

You could manually edit your /etc/hosts file to add entries, but really, that's the point of the Name Server to begin with.  And that's inconvenient.

Apple's official position is that ".local" is reserved for Bonjour and multicast DNS.  Which Active Directory/Windows beat to market by a decade or so.  (That reservation is why the two commands above disagree: nslookup talks to the DNS server directly, while ping goes through the system resolver, mDNSResponder, which sends queries for names ending in .local to multicast on the local link instead of to your unicast name server.  You can see the split with scutil --dns, which lists a resolver for the domain "local" with the mdns option.)

Usually, in a battle between Apple and Microsoft, Apple is on the side of standards or first use.  In this case, they're fighting hard to make the second-use the standard.

For the technically curious, this is a TLD (top level domain) question... Microsoft standardized on using .local for stuff that was, well, local, about 18 years ago.  But Microsoft didn't register it.  Because it's a TLD, so they really couldn't.  15 or so years later, Apple, having coopted it also (and run into issues), proposed RFC 6762 to behave as they were doing.  Seriously?!

So what's the solution?  Really, you have to bend to Apple.  You can either create the entries in /etc/hosts or rename the domain (or create another domain) on your nameserver.  Creating a duplicate domain causes the same problems as the /etc/hosts entries, but more centralized at least.  Renaming the domain, to (for example) .home rather than .local, is a little inconvenient but can be done.  Using the rendom.exe, gpfixup and netdom computername commands in Windows Server, there are about 20 steps... plus I had to copy DNS records... but each is simple, and only the rebooting is really time-consuming.  Being Windows, there's a lot of that though.  And, in the end, you still have a problem with Chrome only recognizing a few TLDs and so pushing you to search in the omnibox unless you preface the URI with "http://"... which it promptly strips off.

Strange when the only ones playing nice are Microsoft.

Wow, the Opera Web Browser really sucks! May. 23rd, 2014 @ 04:20 pm
I go way back with Opera.  To the late 1990s.  It was, back then, the fastest bestest browser.
Recently, due to Microsoft incompetence, Google giving up on the whole "don't be evil" thing, and Firefox becoming a tool for anti-American activists out to destroy freedom and re-create McCarthy on the left, I decided to try Opera, on the Mac, again.
Don't.  Do.  It.
It's bad.  Oh sure, it passes the web compatibility tests.  Those aren't run with humans on the web.  Here's the real-world experience.
Lots of sites simply don't work.  Some, like Inkling.com, block Opera entirely.  But even if you "Mask as IE", Opera still fails.  It simply isn't compatible.
Other sites burp in bizarre ways.  I am posting this using Chrome because Live Journal appears in Chinese (what the heck does "アカウント, 表示, 通知, モバイル, プライバシー, 履歴, 拡張機能" mean anyhow?) for no clear reason.
And it gobbles up the CPU like PacMan at a Pez Party.  With Chrome, you can at least get a view into where the processor is going; not so easy with Opera.  Might be possible, but they don't try to document it.
This would be more tolerable if Opera seemed to care.  But while you can report incompatible websites, they don't actually respond.
It pains me to have to surrender on Opera.  But it pains me even more every time I use it.

Traveling to Vegas Oct. 15th, 2013 @ 10:28 am

Recently (last winter) we took a trip to Las Vegas. I booked airfare first.  Because that doesn't get a lot cheaper over time, and has a sell-out risk.

I checked a bunch of travel sites for deals... PriceLine, Orbitz, Kayak, Expedia, Travelocity.

My primary air criteria, beyond not ridiculously priced, were that it be non-stop and that we be able to sit together.  Lack of assigned seating is a deal breaker for me with Southwest, and I did discover that several airlines aren't on the travel sites or aren't on them correctly.  And… the "low fare guarantee" isn't worth much.  I got the best price directly from Alaska.

Then I booked the hotel.  Again with the travel sites.  But also checked the hotel websites, since I had narrowed it down to a few interesting ones quickly.  It didn't take long to realize, yet again, that the travel sites weren't really discounting the hotel rooms by much.  Kayak often had the lowest price by a bit, compared to the other travel sites, but often the hotel website itself was just as good.

I also had signed up for the player's club (for MGM hotels, this is M-Life), hoping for an email promotion, but that didn't materialize.

But I had trouble with the prices bouncing around for the hotel I wanted, so I telephoned them.  Their answering system starts by stating that the best fares are on the website but the operator then quoted me the same amounts.  Informed of the M-Life number, though, she also said I should talk to the casino.  Their price was 10% lower, which is a LOT less than the travel sites or hotel.

The only downside of this was that I wanted a specific view room, which you can book directly from the hotel (for a $20/night upgrade), but can only request from the casino.

Another big problem with booking hotels or comparing rates through the aggregators is that many of the hotels charge a "resort fee", typically $18-$25 per night per room (which proves it's not really for use of the resort, as it's not per guest instead.)  But that is charged separately at check-in.  The hotel may quote it, and some aggregators do, but others don't.  And it's not discountable.  Seems a bit slimy to me, a bit "bait-and-switch" on the price.  But the possibility (though not always the amount)  is disclosed (though sometimes in small buried print) even on the aggregator sites when making the booking.

The Hotel Stay

No point in keeping the suspense. I like the Mirage. It's my favorite hotel. And I know how to play the game. When we got into the non-VIP line at the Mirage, a longish line of course, I casually held my right hand (the side the VIP/special desk is on) hand down with a $20 bill in it. Of course we got called, out-of-order, for special attention. "I can help you right here, sir!"

Putting the bill on the desk discreetly, I mentioned my desire for a volcano view (which, unfortunately, was closed for repairs, but it's still a great view) and asked about upgrades. We got a 2nd-from-top Suite room for less than the book price for a cheap non-view room! And, being the Mirage, it's perfectly central and a lot of fun.

The Mirage, it's the only way to fly.

Booking Shows

Educated by this process, we looked at shows and online prices first, to narrow down the options.  My wife's first choice of shows would have been $458 for two tickets… a bit out of our budget.  But we found two shows that we're interested in and can afford.  So step #2, again based on the air and hotel experience, was to start on the web sites for the hotels hosting those shows.

That was a good move.  BestOfVegas.com, for example, claimed to have a $35 discount off of the standard "general seating" price, but their quoted standard price was actually $27 above the hotel's price.  And the hotel offers much better seats.  Even worse, for the other show BestOfVegas wanted $115 for seats (in the second row center) that the hotel only charges $86 for!  The hotel's cheaper section seats are about $20 less per also!

This got trickier.  While the discount code sites didn't help with room prices really (they did point some out, but they were higher than what I wound up paying), one did point out a promo code for a show we were looking at, for 25% off.  But… this could only be used via TicketMaster (the hotel's vendor), not by the discount ticket sites.  So while, even despite their higher "list" prices, the discount sites could save maybe $10 per ticket from the real list price, they couldn't get close to the hotel discount rate.

And remember those "resort fees" for the hotels?  Those non-discountable fees that don't show in the price comparisons (or not reliably?)  They're here in another form.  It worked out this way in one case:

  • Tickets - list $89 less 25% discount == $64

    • About $12 cheaper than the cheapest aggregator

  • Taxes of $6.40 total

  • "Convenience Fee", for the convenience of being allowed to buy a ticket.  This would apply at the door too… because TicketMaster is the only seller.  $12.05-per for $24.10

  • "Print At Home" Fee.  There is a fee for any form of getting the ticket, including Will-Call.  This is the least expensive.

  • "Order Processing Fee" of $5.25

So those $89 tickets, discounted to $64, are really about $90 each.

And that "Resort" fee is now called a "Convenience Fee".  We just paid $24.10+$2.50+$5.25 for the ability to order tickets at all, or about $32 over the listed price of the tickets exclusive of taxes.

Definitely another bait-and-switch.  And completely standard in entertainment and in Vegas.

On the other hand, from experience I budgeted an average of $200/night for shows.  So with the judicious shopping, we're achieving that amount, even though I find how they get there slimy and offensive.

The Shows

The two shows we saw were Absinthe and Zumanity.  Zumanity is a sexed-up Cirque du Soleil.  My wife loved it, I found it crass and boring.  Absinthe is more like Cirque meets vaudeville; we both loved it, but I liked that more than my wife did.  Absinthe was in an outdoor tent area near Caesars while Zumanity was at NYNY.  The bars are better at Caesars but there are some fantastic restaurants at NYNY.

Grand Canyon Helicopter Tours

Helicopter Tours go to the West Rim, which is less impressive than the South Rim and technically not really the Grand Canyon.  And they can land in the West Rim, which is not allowed in the South Rim.  And they only stay there maybe 30 minutes.  But they can go over Las Vegas and the Hoover Dam, and even though the  South Rim is out of range, a helicopter ride is cool and faster than a coach ride.

And then there are helicopter tours, many of which charge a $45/ticket "fuel surcharge" at boarding. Not at ticket-buying time.  Just another hidden fee, but a significant one.

Most of the tours have "complimentary hotel pickup".  Typical prices are $300-$460, again plus the $45 fuel surcharge in many cases.

Tours are run by:

Henderson is about 8 miles from Las Vegas, while Boulder City is quite some distance and about 40 minutes.

My investigations suggest that, while slightly on the expensive side, Maverick is the cream of the crop. They provide the widest variety of options and their fees and charges are included in the big print. They break it down for the small print. That's a really nice difference. Papillon also brags about no hidden fees, and does it about the same way, but in larger print and with a much larger fee. (15% instead of about 5%) And on all reviews I've seen, those are the two highly-regarded players. Maverick for luxury, Papillon for value.

But on the booking page, Maverick claims "Fuel surcharges may apply".

Either way, Maverick only has early (8-9am) and noon departures.  We wanted a bit later in the afternoon, so Papillon it was.

Getting the best price on Maverick and Papillon

Maverick has promotions on their Specials page that you can't otherwise reach.  Same flights, lower prices, but limited to certain departures.  It can save you $70 off a ticket.

Papillon has online specials also, but in addition you can find a promo code online… at their own website http://coupons.papillon.com/index.php?cat=0 or by looking at typical discount sites.  We used one for an additional 5% off.  Which meant that for the package leaving after 9am, we saved $190/ticket over Maverick.  Which is a much bigger discount than the listed prices would have you expect.  I do believe Maverick would do it nicer and better, but the timing of the flights wasn't right, and the huge additional cost, while not a big factor, didn't encourage us to schedule around it.

One other thing to know.  If you purchase tickets for Papillon, you choose the "departure" time early in the order process.  It doesn't appear on the last few order screens, nor do you get it on the final confirmation page or in email.  All you get is the total and a note that within 24 hours it will be confirmed.  In our case, it was 27 hours, but there was a holiday in there.  That confirmation includes the departure time and other notes.  Which include…

That you will be picked up an hour prior to that departure time.  Seriously.  Makes me very glad we didn't schedule an 8am departure, given the Vegas late nights.

The actual tour

Papillon was a good choice.  A limo picked us up, spiriting us to the airport.  They have quite a few tours leaving at about the same time; ours was for a landing and snack plus fly-over Vegas and the dam. Great choice.  The pilot was a hoot, we did land near the bottom (significantly under the rim), the lunch was pretty good, the memories incredible, and even the flight back was fun with the pilot flying low over the desert.  We made some great memories there.

Other Vegas Fun

Our other Vegas fun included:

  • Fremont Street

  • The Pinball Museum

  • Lots of fun bars; I love Margaritaville (having been there many times over the years), but Sammy Hagar's Cabo Wabo and the Mirage Rhum bar were real let-downs.

Since I've been to Vegas many times, this trip was mostly about showing it to my lovely wife.  Judging from her reactions, I accomplished it!
Other entries
» Some recent bug discoveries/fixes
This isn't much of a post, but...

Parallels/Windows Awakens System Nightly

Parallels no longer is sold for Windows.  Recently discontinued.  I purchased it right before their silent discontinuation.  It's better than the Microsoft and Oracle free virtual hosts, and much less expensive than the VMWare version.  But...

Every night at 11pm-ish, my computer would wake up.  It took me a while to track it down; finally got it about six months ago. The powercfg -waketimers command helped me track it down to the prl_disp_service.exe service, which I solved by disabling Wake Timers...

Windows Control Panel, Power Options, Edit Plan Settings, Change Advanced Power Settings, expand "Sleep", expand "Allow wake timers" and set that to "Disable".

This disables all wake timers, but since I don't tend to have such things, this isn't bothering me.

Chrome/Mac can't play media in the background

Despite the need to run Windows (7-32 bit) and Ubuntu (for compiling Android kernels) on my super-duper Windows box, I mostly live on a MacBook Air.  Yes, I run Parallels (with Windows and Ubuntu VMs) on it also.  Usually via ThunderBolt-to-SATA-to-Mushkin Chronos SSD sled, which is, despite the Rube Goldberg nature, much faster than the internal MacAir SSD.

But don't start MS Office (Mac) in this state; it sees the drive and resets the software key, thinking it's been illegally copied.

My biggest Mac gripe for a long time had been that Chrome simply wouldn't play media in a background tab.  Tab away, it stops completely.  Need a page reload to resume.

With some experimentation after I realized this wasn't a common problem, I found it is due to the FlashControl Chrome Extension.  This otherwise-great extension allows you to block Flash you don't want.  Pages load faster, fewer distracting noises and ads.  But apparently it doesn't handle non-Flash background media well. Disabling it allows media, including non-Flash, to play in the background again.  My Synology's Audio Station is alive!
» The Truths of Software Development
Some things that sound like good ideas, aren't.  This isn't about code documentation, or proper object oriented or data driven designs.  But it is about distinguishing, in software development, the good ideas from the bad.  And it's probably not what you think.

Truth #1: Right is Wrong
In the software world, there really is no right.  None.  Everyone has one or more, but they generally don't agree.

We are employed not to design great software, not even to ship product, but to make profits.  Generally making money does require building software and shipping it, but it almost never allows for building great software... the market doesn't demand it and the time isn't available... nor does it ever allow for "perfect".

The reason there is no "right" is because that would exclude many "good enough" answers that might actually be better for the company.  There are wrong answers, but sadly, too good - that is, too right - is wrong.

Unfortunately the pompous over-designing code-philosophers can usually talk a good game, even if they can't ship product, and so the development path is typically...

  • Small nimble team - some shortcuts, but get stuff out.  Good enough.

  • Company gets complacent.  Careers instead of start-up.  People debate for perfect.  No software comes out for years.  Wrong.

  • In a hurry, company makes every shortcut to save the customers.  No debate, but also no design.  Crap comes out.  Wrong.

It takes a real focus on the business side to get around this.  The three year time-frame.  Not Scrum - not the one month timeframe; that guarantees technical debt accrues while devs accumulate completion points.  And not design by anyone with a Masters or above, as you'll never get anything.

Truth #2: Good Enough Is... Until It Isn't
What "good enough" buys you isn't the very long term.  It buys you time to get to the long term.  Few companies exist in a vacuum; they are competing with someone.  So you can't just wait five years to release the right product.  But that also means that today's product won't be right in five years.

Too many developers are so focused on the future that they can't get to the present.

You really need to recognize that you may be overlooking long term in, e.g., scalability, flexibility, tomorrow's need for custom components, etc., but by getting to the market without those, you can get that toehold, make the money so you can get those in.

Which brings us to...

Truth #3: Sometimes the only way to get there... is to start walking
When requirements change quickly, or the Product Owners don't even know what they want...
When developers discuss ideas and limitations rather than coding up some tests or prototyping ...
This is the real problem with the debaters and philosophers.  Maybe just maybe, they have a point.  Usually not, because their points require a confluence of unlikely future events, but it could be.  But even then test it.

If the design discussion takes more dev-hours (due to developer count) than coding the tests would, fire one developer.  Generally the one with the fewest code commits recently will be the same one who called the design meetings; that's the one to fire.  Sure, you can replace the now-open head, but you may find a potted plant improves team productivity more.

Truth #4: You can never earn back yesterday
It's business, not art.  Software is business.  And the goal is to make money.  Which means getting the product released and selling, even if it's not perfect. Let's do a thought exercise.

You're building a large app.  You can have, in one year, half the features and a decent app.  In two years you can probably have everything, but the uncertainty is higher due to the changing requirements and the vagaries of developers.  The final product should sell twice as well as the one-year product.  Which should you do?

If you get it out in one year, you make money during that second year.  Perhaps it takes three months longer to get to the second year release but financially you are way ahead... you have recurring revenue from the sales, you have customers, and you have half-a-year's income after allowing for three months slower sales.

Getting it out sooner is always good.  And it also exposes where the direction should really change.  You get market awareness.  You get input for better features.  You steal some of the revenue your competitors might have scooped up.

Windows: It's Good Enough Until It Isn't
Some of this was brought on by an unfortunate cultural fit of a new developer and a senior developer in our team.  But some was due to Windows Server.  Which was really the topic I intended to write about.  Maybe next time.
» Watches: The problem with ChronoShark, Woot and eBay
I'm a techie.  By extrapolation that means that I'm likely to both really like gadgets (which we call "toys" despite the cost and intricacy), have enough money to buy some, and have the ability to ferret out deals.
Although I have known quite a few techie-geeks who simply, for example, ask what something costs and then pay it.  Not my style.  I deal at big box stores (yes, you can get a lower price even at Magnolia Hi-Fi, Best Buy, Sears, etc), I deal at small shops ("Hmmm… she likes two of the knives that are on sale right now.  Tell ya what, knock another 10% off the total and I'll take both."), even at rental car desks.
So I don't take a "deal" at face value.  You shouldn't either.
More than two years ago I pointed out that Amazon sometimes has terrible prices.  Years before that I regularly saw people paying more than list price for items on eBay.  For example, the Sangean ATS-909 was a fantastic digital shortwave radio not commonly available at, say, Sears.  It "retailed" for $250, but Radio Shack had it (everywhere) as the DX-398 for a bit less.  And you could buy it at internet/mail order sites such as CCrane for about list.
Or you could bid on one starting at $150 from Asia on eBay, which would commonly top out for $300 plus shipping in eBay bidding wars.
Huh?  People were paying 20% more to buy it from an unknown dealer, plus pay high shipping, because of the adrenaline of bidding on eBay!
Woot isn't that bad.  Most items are a bit below other prices I can find.  But they're often also discontinued or refurbished - after all, Woot is a clearance site. And sometimes they are priced above what a small amount of shopping will find.
But Chronoshark, that site is bad mojo.  
Chronoshark is another deal-a-day site, but one dedicated to watches (Chrono-graphs.)  Unfortunately, mostly to cheap crapola watches.  Brands like Invicta and Swiss Legend, the watches that, while they won't turn your wrist green as the fake Rolexes of yore, are designed to look like good watches for months until bits fall off and they get all scratched up.
In horology (watch obsessives), these are called "Fashion" watches.
There's nothing wrong with fashion watches.  All that term means is that looks come first.  If you don't know anything about watches, this may not even seem like a shocker.  You may think that the difference between a Rolex/Omega and an Invicta/Swiss Legend is just advertising dollars.  Not true.  The difference may not be relevant to you, but there are a bunch of differences. And one should be relevant.  Maybe two.
First, let's divide the watch world into four categories.
At the top are the expensive watches.  Heirloom pieces.  Watches that cost more than your first car, or at least more than your first computer.  These are Rolex, Omega, Breitling, down to some Christopher Ward pieces.  In today's money, generally the sweet spot is $500 to $15,000.  That's a big range, but only a factor of 30.
Common to these are mechanical movements, sapphire crystals, high quality pinned bracelets and attention to detail.  The mechanicals are often self-winding and usually Swiss (but Seiko makes some very high end pieces also.)
The cost of these is about the finish, the longevity and the mechanics.  A Quartz watch is more accurate, but it is not wearable art.
Our next category is work watches.  The Casio line is good at this.  These are inexpensive work horses that may be digital, may be a mix, or quartz analog, and are not pretending to be a Rolex.  They usually run under $250 with most under $90, and have mineral or acrylic crystal and rubber or rolled-metal bands.  You don't expect these to last 10 years, and even if they do, they're beat up by then, but they've given you fantastic functionality while they lasted.
Then we have the pure fashion watches.  Swatch, Skagen, Android, even Mossimo (the Target brand) do this well.  They can be bling-to-the-max, or have print on them, or be in bright colors… the point is that they are an accessory like a bracelet and you may own many.  Each one makes a statement (like a bracelet), and it is not a statement of "I'm actually a Rolex."
Pure fashion watches are usually quartz analog (from Japan typically, though not for Swatch), with Tokyo Flash being a fantastic example of contemporary digital ones.  And they almost never have sapphire crystals.
But some pure fashion watches, e.g. Kenneth Cole, are Chinese auto-winders with the movement exposed.  These usually run about $50 in the stores, while claiming to list for much more.  Not great longevity, and closely related to the final category.
Lastly we have the fashion-poseur watches.  A poseur is someone who is essentially a knock-off, someone styling themself after a group he/she isn't really part of.   Invicta and Swiss Legend are examples of this; they look expensive, they claim to be expensive, but they lack the details.  
Okay, that's not a problem.  Yeah, it's a poseur.  You see that all the time in the world.  Wearing a leather jacket doesn't make you cool.  Too many losers buy a German sports-sedan (Audi, BMW) and turn on the fog lights because it's "cool" (these cars have distinctive fogs) but do it (1) in non-fog conditions and (2) get the asymmetrical rear fog light too because they don't think and simply turn on all the switches, resulting in someone that, to us in the know, is a loser who manually chose to try to look cool and failed.  (For those of you with American cars, in these German ones the fogs always start out off when you turn the ignition on.)  Lots of poseurs in the world.
The problem isn't that the watch is a poseur.  They can be fine looking near-replicas.  If they made their own statements, they'd be fashion watches (and many in their lines are.)  No, the problem is the other side of the misrepresentation.
Go to any reputable watch site and you will see that most steel (non-precious-metals, no diamonds) watches over about $700 have all three of the following in common:
  • A mechanical movement
  • Sapphire crystal
  • A very high quality bracelet  (i.e. not folded links prone to grabbing arm hair.)
Not all watches in that range, of course, but that's what the money buys you.  You get craftsmanship in details.  You can even get Casio watches with sapphire crystals and good bracelets (though with Casio quartz movements, which is what makes them a Casio), in a $700 Casio Oceanus line.
Now look over the ChronoShark history.  The problem isn't the price they're charging.  $100 or so isn't a bad price for a decently made watch with a quartz movement and mineral crystal.  If the band and case are well designed, it may be worth it.  But when they claim that, for example, the Swiss Legend 20188-GM-01 is a $595 watch despite the mineral crystal and quartz movement and cheap leather strap, but that they'll let you have it for $99, that's misleading.  On that same day, World of Watches had the same watch for $89.99, or 10% less.  Both Swiss Legend and Invicta are a bit like gutters or roofing for your house; nobody pays "MSRP" because that price is a lie.
Why do you care?  

A mechanical movement costs more because it is far more complex and expensive to produce.
Watch crystals should be sapphire.  It's virtually unscratchable.  Mineral crystal (and more so plastic) are easily scratched.  Yes, sapphire is more brittle, but breakage is rare, scratching is common.  And sapphire is far more expensive than mineral glass.

And a nice bracelet with solid links isn't just more expensive than a folded link one, but is much better looking (especially from the side), feels better, won't grab the arm hair in the folds as the folded links do, and feels heavier.

This is what that $500 difference between $95 and $595 buys you.  When Chronoshark or Invicta or Swiss Legend claims a $600 MSRP, they are trying to scam you, trying to catch you naive, convince you that you're getting a bargain.

You aren't.  You're getting a reasonably decent inexpensive watch, that may look nice, but that anyone who knows even a bit about watches will now look at you with pity for owning, because they realize you're a poseur or a fool.  If you like those looks, get them in a less fake brand.  Mossimo, Fossil, etc.  But don't wear a sign saying you're gullible and cheap.

» Implementing Lock on the Macintosh / Mountain Lion
On Windows, you can lock the computer while leaving it running applications by pressing [Windows]-L, requiring a password to get back in.  On previous Macs, you could do something similar with the Eject button and the screensaver, but my MacBook Airs do not have an Eject.  You can also use hot-corners with the mouse, but I don't use the mouse that way and have a tendency to activate it accidentally when moving the cursor out of the way.  So I looked for a way to get around this limit.

It's simple enough... once you know how.  

On the Mac, there are several ways of scripting or automating actions.  The simplest is to use "Automator" to create a "workflow" (a list of actions - it can be a single action) to run AppleScript, Shell scripts (e.g. bash) or perform a list of predefined tasks.  In the past you could make a call directly to the Screen Saver application to fire off the screen saver, via shell script, but that doesn't seem to work anymore.  So AppleScript it is.

Open "Automator".  File - New for workflow, select "Run AppleScript" from the Library.  Enter:

    tell application "ScreenSaverEngine"
        activate
    end tell

Save this; I called it "LockScreen.workflow".  

Now bind it to a keystroke.  In System Preferences, select [Keyboard] - [Keyboard Shortcuts], and then "Services" in the left list.  Under "General" at the bottom of the right list, you should see your new workflow.  Check it and give it a short-cut.  (I selected Ctrl-Opt-Cmd-L, the closest available keystroke to what Windows uses.)

That's it.  As long as you've set the security to kick in quickly (System Preferences - [Security & Privacy], [General] tab, check the "Require password for sleep and screen saver" option and select a short time such as "5 seconds"), it will behave much like the Windows equivalent.
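A shell version of the same lock, added here as an example rather than taken from the post, which first checks the "require password" setting the last paragraph depends on before starting the screen saver.  It assumes the com.apple.screensaver defaults keys askForPassword and askForPasswordDelay of that era, and a 5-second limit; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Mountain Lion-era
# com.apple.screensaver keys askForPassword (1 = on) and askForPasswordDelay
# (seconds before a password is demanded); both names are assumptions here.

# Pure policy check: succeeds (exit 0) only when a password is required and
# the grace period is no more than max_delay seconds (default 5, as in the post).
lock_policy_ok() {
  ask="$1"; delay="$2"; max_delay="${3:-5}"
  [ "$ask" = "1" ] && [ "$delay" -le "$max_delay" ]
}

# Read the live values; a missing key is treated as "password not required" (0)
# and a zero delay, so the check errs toward warning.
current_policy() {
  ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
  delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
  echo "$ask $delay"
}

# Start the screen saver: the same thing the Automator AppleScript in the post does.
lock_screen() {
  osascript -e 'tell application "ScreenSaverEngine" to activate'
}

# Lock, but warn first if the screen saver would not actually demand a password.
lock_with_check() {
  set -- $(current_policy)
  if ! lock_policy_ok "$1" "$2" 5; then
    echo "warning: screen saver will not require a password within 5s (askForPassword=$1, delay=$2)" >&2
  fi
  lock_screen
}

# Only act when invoked as: sh lockscreen.sh --lock
# (for example from an Automator "Run Shell Script" action bound to the keystroke).
if [ "${1:-}" = "--lock" ]; then
  lock_with_check
fi
```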
» Halloween Blacklight Displays
My wife digs Halloween.  Really digs it.  So we dress up the yard and house pretty good.  This year I decided to add blacklight (it is technically one word, though people think of it as "black light") into the mix.  I knew a bit, but added some practical experimentation to the mix. For a blacklight display, you need two things:
  1. A source of blacklight
  2. Fluorescent paint or material to illuminate


You can, of course, simply purchase Blacklight sources. Amazon has them, though Spencer Gifts and, in season, SpiritHalloween are better sources. They fall into:
  • LED
  • Fluorescent
  • Incandescent
And, being as I'm a techie type, there is:
  • Build your own


An incandescent blacklight is just a standard light bulb with the addition of a paint that filters out the non-blacklight.  I tried the GE "black light 60", about $5 at a hardware store. The result is... weak purple-like light that isn't very good at fluorescing. My rating: Don't bother.


LED Blacklight bulbs should be great. The technology is there. I tried the Gemmy Industries LED Light Bulb - Black light Effect, which I got from Spirit, about $13.

This bulb is highly directional, but does put out a decent amount of blacklight and fluoresces paint well when pointing directly at it. My rating: Fine if you need a low-heat highly-directional bulb.


Technically, LED and Fluorescent should be equivalent, because LED can be tuned to output only the desired waves and fluorescent phosphors can be chosen to the same end. I tried the Spirit Blacklight 13 Watt, $13 (from Spirit, of course.)  Spirit also carries the Spencer Gifts equivalent, which looks identical except the labelling, for less, but I didn't notice that or they didn't have it when I placed the order.

This was far more effective than the LED bulb, both in direct aim and in general dispersion. Much brighter effect.

My rating: Best of the bunch. But larger.

Roll Your Own: Build It

The big problems with the above solutions are:
  • Cost: You need the bulb and a base... for example, a clamp-light base will run you $8.
  • Power: You need an AC outlet and a cord. So you are tethered.
  • Bulk: These are not tiny to begin with. Add the base and you have something as large as a typical decoration.
But there is a better way. Build it.

For about $5 in parts, you can assemble a tiny blacklight source that can be hidden almost anywhere. All it takes is:

  1. 9V Battery
  2. 9V Battery Snap Connector, $0.39 at Fry's last week.
  3. A 330-ohm resistor (or approximate), about a buck for a 5-pack at Radio Shack or $0.24 each
  4. One two-pack Ultraviolet LEDs, 276-0014, $1.99 from Radio Shack.
  5. A soldering gun or iron and some solder.
Connect the red wire to one end (doesn't matter which end) of the resistor. Connect the other end of the resistor to the long end of one LED. Connect the short end of that LED to the long end of the other LED. Connect the short end of the second LED to the black wire in the 9V battery holder. Connect the battery. You're done.

Yes, you probably will want some wire and tape, to make things go where you want and to seal them. But seriously, that's all there is to it. For less than $5, you have a tiny blacklight source you can hide wherever you want.

How does it work? It blows away the incandescent and equals the LED bulb in fluorescence, without as much directionality. At size-rational ranges (in other words, you can put the tiny one closer than you can put a fluorescent bulb), it's as good as the fluorescent.

And instead of $13 plus an $8 base (for $21) plus a cord, it's under $4 in parts.

The Paint

Regular paints and inks just don't do anything in blacklight. You really have two options, and may want to mix them.
  • Glow in the dark paint - e.g. Americana.
    This is inexpensive, but only in pale green. It doesn't really glow brightly, but will light up when hit with the blacklight... and the blacklight also is very effective for charging it.
    The two other downsides are:
    • Only the one boring color
    • Hard to make good lines with; it needs a certain mass and is runny.
  • Blacklight Paint
    This is sold in neon colors such as blue, green, orange, pink... I got a six pack from Spencers which they call a Neon Paint Set; they don't really mention blacklight, but it is for blacklight. It also draws lines very well, and glows under blacklight much better than the glow-in-the-dark paint does... but it doesn't glow when the light goes off.
So for a few dollars, black light has been added to our Halloween!