Paul E. Jones' Blog

Dell has a "Dismal" Third Quarter

November 16, 2012

One of my favorite companies is Dell. I’ve been using Dell computers now about 20 years and love the computers Dell makes. Unfortunately, my love for Dell certainly did not translate into enough money to help the company this quarter. For that matter, I can safely report that not one penny of my money went to help the company this quarter. However, I did buy some nice tablets! They just were not Dell brand devices.

For its part, Dell still has a solid business. Even so, it is seeing sales decline and it’s not only because we are in a “post-PC” era. Dell seems to be ignoring its non-enterprise customers entirely. Briefly, Dell has issues in a number of areas:

  • The order system is not very flexible and it is virtually impossible to customize machines
  • The order system does not provide accurate descriptions for some options it does offer
  • I cannot figure out how to order physical media for Windows!
  • Customer support people are clueless or just read scripts
  • Dell has no cool laptops to rival the Macbook Air or Asus Zenbook

While the enterprise customers make up a large percentage of Dell’s revenue, I assume, I also know many, many people who buy machines for use at home and have some influence over the purchase of machines in SMBs.

For its part, Dell has tried to bring some innovative tablets to the market and they now have an ultrabook. Still, they apparently cannot match the engineering of Asus and Apple in terms of building some really thin machines that look really good.

I really do wish Dell the best of luck. I like the company. It still makes good computers. However, when I can go to Best Buy (yuck!) and get a machine that looks better and has more-or-less the same configuration, that means Dell has dropped the ball. Dell, I bought my last laptop at Office Depot! Why was I forced to buy my laptop off-the-shelf at Best Buy? Your quarterly results do reflect your inability to execute in areas that matter.


Buckyballs to be Discontinued

October 31, 2012

That was the email I received today from Buckyballs. I suppose they sent that message to me since I have purchased products from them before. This is truly sad for a number of reasons.

And, in case you are not familiar with what Buckyballs are, they are magnetic desk toys. Basically, they're a bunch of little high-powered magnets in the shape of little balls about 5 millimeters across. They are designed to be a desk toy much like many of the other geeky toys many of us engineers tend to buy and have sitting around our offices. The difference with these, though, is that they are high-powered magnets and, if swallowed, they can cause serious internal injury and require surgery. Because of that, Buckyballs labels their products with some very strong warnings. They tell you not to put them in your nose or mouth or to swallow them. I think there are about five such warnings on their packages, including the outside package and the container they provide to house the balls.

Even though these warnings exist and in spite of the fact that these desk toys are not marketed to children, the US Consumer Product Safety Commission decided in its infinite wisdom to force the company to stop selling the products. However, the reason I felt compelled to blog about this was the way they went about it. Buckyballs had been working with the CPSC to do whatever they could to address concerns. But, the CPSC really did not care to work with them. They had already made up their minds and within about 4 hours after Buckyballs submitted a safety plan at the request of the Commission, the Commission sent out a notice that they were suing the company and they reached out to retailers to urge them to stop selling the “dangerous” product. And, nearly every retailer complied.

Buckyballs had this to say:

In 2010, The Consumer Product Safety Commission approved the safety program we currently have in place. Now, after more than two years, they're saying our extensive measures aren't enough and we should be put out of business. Out of more than half a billion magnets sold, the CPSC reports less than two-dozen incidents with our products. While even one incident is too many, we stand by our comprehensive safety program and believe responsible adults should still be able to enjoy Buckyballs® and Buckycubes™.

With their sales channels effectively shut down, the looming threat of legal action, etc., Buckyballs decided to stop selling the magnetic balls and cubes at the center of the CPSC’s complaint. What this will likely mean for the company is that it will go out of business. This was, after all, their primary product. Without it, their revenue stream is gone. We can thank the Commission for putting those people on the street.

And while product safety is important, I personally feel the Commission went too far on this one. There are many hazardous things that can hurt children. Out of the billions of products sold, a few incidents are truly a low percentage. Most importantly, it does not reflect a flaw in the product. Rather, it demonstrates that the purchasers were irresponsible. Children get hurt seriously every year from all kinds of things that adults should keep out of the reach of children.

To think a company can be put out of business at the hand of a 4-person panel without the due process of law is hardly the American way.


Verisign's Hashlinks

September 13, 2012

I received an email from one of my domain registrars advertising with great fanfare a new "service" from Verisign called "Domain Hashlink". I don't know exactly how they expect to make money with this, but they said this about the service:

A new navigation tool from Verisign that lets you replace long and difficult-to-remember URLs with shorter, more consumer-friendly vanity URLs; e.g. example.com#keyword

They call it a tool, but also call it a service. They even have retailers who will sell the service! I get the idea of having something like "keywords" to take visitors to specific pages on your own site, but to call this a service and have people selling it? Who would pay for this?

It took me just a very few minutes to get this working:

https://www.packetizer.com#h323

There is a very small JavaScript program I wrote called hashlink.js. This queries the server to see if there is a link that matches a known value. If it matches, the page is replaced with the associated URL.

I'm not even sure why Verisign wants to use the hash character. This character has a specific purpose in URLs, and this is really not within the spirit of the original purpose.

It also seems somewhat unreliable. The JavaScript code only runs when the page is initially loaded. I noted in Chrome that if I load a page without using a HashLink and then add one, Chrome will not reload or execute the JavaScript code. If I hit refresh it will.

So in replicating the "service", what I did was create something very similar that uses the @ character. Here's an example:

http://www.packetizer.com/@h323

This is much more reliable, because this always results in a redirection or a 404. You cannot return a 404 when using the hash character, because there might actually be something in the web page itself that needs that hash. Besides, what would one return in a 404? Suggest the main page is not found? That's horrific.

As I said, the HashLink idea is a bit odd and does not work perfectly well. I wish they had used something like the "@" approach. Any number of characters would have worked.
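Both approaches from this post, side by side, as an added illustration; this is not the author's hashlink.js. The keyword table, its target paths and every function name are assumptions, and the table is passed in directly rather than fetched from the server.

```javascript
// Constructed keyword table (assumption). Targets are fixed, same-site paths,
// so a crafted keyword can never steer the visitor to an arbitrary URL.
const LINKS = new Map([
  ['h323', '/voip/h323/'],
  ['sip', '/voip/sip/'],
]);

// Keywords are short tokens; anything else is treated as "no match".
function normalizeKeyword(raw) {
  const kw = String(raw).trim().toLowerCase();
  return /^[a-z0-9][a-z0-9_-]{0,31}$/.test(kw) ? kw : null;
}

// Hash style (example.com#keyword): runs in the browser. The fragment is never
// sent to the server, so an unknown keyword can only be ignored, not answered
// with a 404, because it may be an ordinary in-page anchor.
function resolveHashlink(hash, table = LINKS) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  const kw = normalizeKeyword(hash.slice(1));
  return kw !== null && table.has(kw) ? table.get(kw) : null;
}

// Resolve once at load and again on every 'hashchange', which covers the case
// where a keyword is added to the address bar of an already-loaded page.
function installHashlinks(win, table = LINKS) {
  const go = () => {
    const target = resolveHashlink(win.location.hash, table);
    if (target !== null) win.location.replace(target);
  };
  win.addEventListener('hashchange', go);
  go();
}

// "@" style (example.com/@keyword): runs on the server, which sees the keyword
// in the request path and always answers with a redirect or a 404.
function routeAtLink(pathname, table = LINKS) {
  if (typeof pathname !== 'string' || !pathname.startsWith('/@')) return null; // not an @ link
  const kw = normalizeKeyword(pathname.slice(2));
  if (kw === null || !table.has(kw)) return { status: 404 };
  return { status: 302, location: table.get(kw) };
}

// In a browser, wire the hash handler up; under Node this line does nothing.
if (typeof window !== 'undefined') installHashlinks(window);
```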


Basis for Apple vs. Samsung Decision

August 27, 2012

This past week, a jury of nine people convicted Samsung of infringing the patents of Apple. There were a number of patents that Apple claimed were infringed. Per CNET, the devices and patents were numerous. In a nutshell:

  • ‘381: “rubber band” effect when reaching the bottom of a document (“look and feel”)
  • ‘915: ability to differentiate between single-touch and multi-touch, just like Microsoft’s older surface computing table (how Apple got this patent in the face of prior art, I do not know) (“look and feel”)
  • ‘163: double tap on screen to enlarge and center portions of the screen (“look and feel”)
  • D ‘677: related to the front face of the iPhone (“design”)
  • D ‘087: related to the general outline (“design”)
  • D ‘305: the icon arrangement in a grid with round corners (“look and feel”), like the Palm Pilot, Windows Mobile, and Apple Newton from years ago

It is impossible for me to say which of these “inventions” are truly inventions. That said, I largely do not agree with “look and feel” patents. Often, “look and feel” is a matter of current fashion. It’s what’s in vogue. I certainly feel that way about icon arrangement and the look of icons, scrolling, etc.

The “rubber band” effect is an interesting effect, but that’s what it is: an effect. It is not an invention, really. Computer graphics students have for years been creating programs with bouncing balls and such that behave in a similar way. So what was “invented” was not the bouncing effect, but the application of that effect to scrolling. So is that an invention?

I think similar arguments can be made for most, if not all of these patents. Apple has truly created a revolutionary platform, but what was revolutionary was bringing together a powerful operating system, applications, and an app store, all while making it as simple to use as possible. Apple did not create the first mobile phone. Apple did not create most of the graphical user interface elements and concepts. Apple did not create the first operating system, and certainly not the first powerful mobile operating system. What Apple did was package it well and market it extremely well.

One has to wonder whether these user interface and design patents are even valid. Consider where the U.S. patent system originated. It came about due to Article I §8 of the U.S. Constitution which says, “Congress shall have the power … to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries.”

Exactly where does a user interface design fit into writings or discoveries? I would agree with a design patent that describes the process of creating a particular kind of material or shape through a complex manufacturing process, the process for which had to be discovered through scientific research. However, a “rubber band” effect, icon arrangement, and aluminum edge around a glass screen hardly falls into that category.

Exactly how does the patent system that allows for such patents in any way “promote the progress of science or useful arts”? The answer is that it does not.

Apple’s bold entrance into the mobile communication space has significantly impacted the market and I applaud them for leading the revolution. At the same time, awarding these kinds of patents to Apple does not help to “promote the progress of science”. Rather, it serves just the opposite. Apple did not need those patents to become the wealthiest company in the world. However, it can use those patents to prevent anyone else from attempting to create competitive products. In so doing, it is the consumers – the public – that suffers. We want Apple to continue to innovate and we want Samsung and others to push the envelope. That is how technology progresses in all industries.

In any case, it is very interesting to see how the basic concepts of promoting science and useful arts have mushroomed into the complex copyright and patent system we have today. Now, we have cartoon characters like Mickey Mouse protected for some 70 years beyond the death of the inventor, copyright assigned to things other than writing or useful arts (the latter including music and movies), and patents awarded on the arrangement of icons in a grid pattern.


Amazon "Add-Ons" are Idiotic

August 26, 2012

Perhaps the title is a bit strong, but I was frustrated when trying to order an item on Amazon tonight only to be greeted with a message that the item I wanted to order was an "add-on" item and that Amazon would not ship that item unless I ordered at least $25.

What are "add-on" items? They are items that, per Amazon, "would be cost-prohibitive to ship on their own". For those who are not Amazon Prime members and normally pay for shipping on items, these "add-on" items cannot be ordered separately, but will ship for free with your $25 or more order. Sounds good? Perhaps, except that you cannot even pay Amazon whatever the "cost-prohibitive" amount to ship it. Amazon simply will not sell those items by themselves, unless you buy $25 worth of the "add-on" items or something that cost $25 total.

What about Amazon Prime members? For those who do not know what Amazon Prime is, "Amazon Prime is a membership program that gives you and your family unlimited fast shipping, such as FREE Two-Day shipping to street addresses in the contiguous U.S. on all eligible purchases for an annual membership fee". But what are "eligible purchases"? Those are:

  • Millions of items sold by Amazon.com
  • Over 100,000 eligible items on AmazonSupply.com
  • Many items that are fulfilled by Amazon

It's a great program, but what are the items that are not eligible? Well, Amazon lists those and they are:

  • Items fulfilled by Amazon Marketplace sellers
  • Magazine subscriptions
  • Personalized gift cards
  • Any item that doesn't have a message indicating that it's eligible for Prime on its product page

I visited Amazon today to purchase a short HDMI cable. I had purchased this same cable a couple of years ago. It was Prime Eligible then. Now, though, Amazon will not let me buy just the 0.9 meter cable for $4.99, because it's classified as an "add-on". I can't offer to pay for shipping, either. Amazon also tells me "FREE Two-Day Shipping for Prime members when buying this Add-on Item", but that's of no comfort since I cannot order it.

Just to show how dumb Amazon's "add-on" item idea is, while I cannot order the 0.9 meter cable for $4.99, I can order the 6 meter cable for $5.49 and get free 2-day shipping. Amazon: I'd gladly pay the extra 50 cents and get the shorter cable!

I appreciate the fact that some items might cost more to ship than Amazon would earn, but to offer absolutely no option to pay the cost it would take to get it out of the "cost-prohibitive" bucket is silly.

Is Amazon losing its touch?


DNSSEC Paves the Way for Better TLS Security

August 20, 2012

Everyone is familiar with the padlock that appears on the address bar in the web browser indicating that the communication session is secure. However, few people understand the technology behind that padlock, namely the Transport Layer Security protocol (TLS), or what a digital certificate is. It is those digital certificates that are the subject of this blog post.

For years, a small group of companies have served in the capacity of Certificate Authorities (CAs). The companies, along with makers of web browsers, form the Certificate Authority / Browser Forum. It’s a fairly exclusive club, really. They purposely limit the number of certificate authorities so as to ensure that the price people pay for digital certificates is at a price that allows them to make money. Oh, and of course, to provide “trust” in some way. Gaining membership into this exclusive club is hard. Suppose you want to establish a new business to be a root certificate authority. In order to do that, you must “actively issue certificates to Web servers that are openly accessible from the Internet using any one of the mainstream browsers”, as in you must be in the business already. It’s a bit of a chicken and egg problem. One cannot actively issue certificates if the web browser makers do not “trust” you and you cannot gain their trust unless you are a root certificate authority.

Not only is the CA/Browser Forum mostly a club that tightly controls who can trust whom on the Internet, largely for the financial benefit of the members of the Forum, the whole system is, in fact, flawed. If you visit a web site that claims it is secure, can you really trust the certificate presented? The fact is, there has been more than one case where a digital certificate was issued by a certificate authority in error. How can this happen? It’s possible because, until recently, DNS has had no security applied in practice, for one. Second, people are able to get into corporate email accounts. Anyone can create a public/private key pair for the certificate. A hacker just needs to trick a certificate authority into signing it. Usually, this requires only that the person verify that they own an email address at the domain, usually one of the few the certificate authority believes to be an administrative address.

Now that DNSSEC is here, a better way exists to secure browser communication or other communication that utilizes TLS. Rather than create a certificate and have it signed by a certificate authority, a domain owner can create a certificate and place a signature of that certificate into the domain’s DNS. Since all DNS records are signed by the domain owner and DS records created by the domain owner are inserted into the registrar’s DNS servers, it is possible to trust those records. RFC 6698 defines precisely how to do that. Essentially, one creates a self-signed certificate and inserts a signature of that certificate in DNS as a TLSA record. For example, suppose one creates a certificate for www.example.com on port 443 (standard TLS port) and wishes that to be trusted by browsers. One would create a signature of that certificate and insert a TLSA record like this:

Source Code

; fields: certificate usage, selector, matching type (1 = SHA-256)
_443._tcp.www.example.com. IN TLSA 1 1 1 (
    C3E2885170FB937E45FCE92CCEE01904A3EE3248156FCD7B945F38994A1F9496 )

It will take a few years before browsers and other TLS clients start using DNSSEC and TLSA records, but the technology now exists. This is significantly more secure than today’s certificates, since domain owners are in complete control of certificates. No longer is there a risk of a certificate authority issuing a bogus certificate. Domain owners can easily cancel certificates by simply removing the associated TLSA records in DNS.


Configuring DNSSEC on Your Domain

August 17, 2012

DNSSEC is the standard for providing security for your domain name in order to protect it from attackers who want to intercept communications by directing web browsers, email servers, etc. to destinations other than the correct destination. Enabling DNSSEC is actually very straightforward. I’ll explain the steps for those who use BIND to provide DNS services, as that’s one of the most popular DNS servers on the Internet.

The first step is to generate a pair of keys. The first key is called the “Zone Signing Key” (ZSK) and it can be created using this command (replace “example.com” with your domain name):

Source Code

dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com

Next, you need to create a key called the “Key Signing Key” (KSK). It is created using the following command:

Source Code

dnssec-keygen -a RSASHA1 -b 4096 -n ZONE -f KSK example.com

Note that the -b flag sets the size of the key in bits.

These two commands will produce four files:

  • Kexample.com.+005+30578.key
  • Kexample.com.+005+30578.private
  • Kexample.com.+005+13262.key
  • Kexample.com.+005+13262.private

The format of the filenames is “Knnnn.+aaa+iiiii.{key|private}”. The value “nnnn” refers to the domain name you are securing. The value “aaa” refers to the cryptographic algorithm used. In the example above, 005 refers to RSA/SHA-1 (per RFC 4034). The “iiiii” is a key identifier, which is just a 16-bit value that identifies this particular key for this particular domain.

Next, you concatenate the .key files to the end of your zone file, like this:

Source Code

cat Kexample.com.+005+30578.key Kexample.com.+005+13262.key >>example.com.zone

Now, you have to “sign” your zone file. To do that, you need to identify which of the keys is your KSK and which is your ZSK. If you took notice of the file names created after executing the key creation commands above, you’d know. Otherwise, just look at the file in a text editor and you’ll see which one. In our example, we’ll assume that “Kexample.com.+005+30578” is the ZSK and “Kexample.com.+005+13262” is the KSK. You’ll then execute this command:

Source Code

/usr/sbin/dnssec-signzone -o example.com -N keep -k Kexample.com.+005+13262 example.com.zone Kexample.com.+005+30578

This will result in the creation of a file called “example.com.zone.signed”.

Now, you just have to make a few small adjustments to BIND's configuration file, named.conf (typically /etc/named.conf). Here are the important changes:

Source Code

options {

    ...

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    ...

};

...

include "/etc/named.root.key";

...

zone "example.com" IN {
    type master;
    file "example.com.zone.signed";
    allow-update { "none"; };
};

...

Place both the example.com.zone and example.com.zone.signed into the directory where BIND keeps its zone files. Restart named and/or issue these commands:

Source Code

/usr/sbin/rndc reload
/usr/sbin/rndc flush

At this point, your DNS server is ready to go. However, your registrar must have appropriate “glue” records in place. Usually, these records are DS records. Fortunately, those records are generated for you automatically by the “dnssec-signzone” command. You will see a file called “dsset-example.com.” with the DS records inside. All you have to do is insert those into your registrar’s DNS, much like you might assign your name servers. The procedures for doing this vary by registrar, so I cannot explain the procedure. However, it’s not so hard once you find the right place. The registrar should validate that everything is working properly before activating the DS records. One would not want an incorrect record in place, as that would break the trust chain established via DNSSEC and thereby “break” the domain resolution.

ICANN has a list of registrars now supporting DNSSEC. Not all of them do and they certainly do not support DNSSEC for all TLDs. So, it is best to check with your registrar before going through all of the steps and being disappointed.

If you wish to validate that DNSSEC is working properly, you can use the “dig” command on Linux machines like this:

Source Code

dig +topdown +sigchase example.com

That command will report success or failure in the trust chain. Alternatively, visit DNSSECReport.com and perform a basic test via the web.

One last point to make is that it is recommended that you re-sign your domain at least every 30 days. It's not necessary to generate new keys, but merely re-sign the zone file. (Note that if you did decide to change the key used to sign the domain that you need to ensure that you properly handle the key rollover. Otherwise, for a period of time some DNS servers might assume your domain's signature is invalid. DNSSEC Key rollover is a whole other topic.)


Making Sense of AT&T's New Data Plans Rates

July 18, 2012

AT&T announced today that it will be offering shared data plans called "AT&T Mobile Share" so that people with multiple devices can share data across those devices. Quite often, it's families that would benefit from sharing data, which was the case when "family plans" were introduced in order to share voice minutes.

Voice minutes and text messaging are unlimited with these new plans. This suggests that AT&T realizes that lower-cost VoIP alternatives exist, so there's no point trying to compete in the voice space. So rather than compete, AT&T will force customers to pay for the voice/text by charging a flat fee per phone, regardless of usage.

The new data sharing plan allows families to pool bandwidth as they did voice before, but the prices are not really cheaper than paying for individual plans. For example, if one has a 3-phone family plan at $70 with unlimited text and 2GB of data per phone, the total price is $70 + $30 (text) + $25 * 3 (data) = $175. Under the new pricing, the unlimited voice/text + 6GB of data would cost $195. But voice is unlimited, right? Who cares? The subscriber was probably OK with the limited voice minutes.

Anyway, here is the price breakdown:

How many people will actually save money with these new plans?


Acer Broke My Tablet

July 15, 2012

Less than a year ago, I bought an Acer Iconia A500 tablet. It's a great tablet and has worked really well, but in April Acer sent out the Android 4.0 update and, in so doing, broke an important feature on the tablet: screen rotation. I learned that if I reset the tablet and let it reboot a few times, it will eventually start working. There appears to be a race condition where the gyroscope is not being initialized properly.

Anyway, I waited a couple of months and contacted Acer about it. Here is what they said:

I understand that the screen of the tablet is not rotating. ... This issue is caused because the G-sensor on the tablet is not properly initializing. ... A new OS image was created to resolve this issue but there currently is no plan to release this image as a FOTA update. ... I have verified your product serial number and found that the unit is not covered under standard limited warranty. In order to resolve this issue, we can schedule the unit for repair.

Schedule it for repair? And what will they do? Install the firmware that should be released to fix the known problem?

This was my first and last Acer device. That's pretty rotten service, in my opinion. There is a world of difference between a broken device and a known defect introduced by the manufacturer through a software update!

Update: As required by Acer to fix the "broken" Acer Iconia A500 (by way of installing a new firmware load), I mailed the tablet to them. They returned it to me and, indeed, it had a new firmware load on it. Whether they had to open the tablet or not, I do not know. One thing that scared me was the service order stuffed in the box that said there were "surface scratches". I was afraid that perhaps the tablet got damaged in shipping. Alas, there were no scratches. The tablet was in perfect shape. Now, why would they have said that? I bet they say that on EVERY service order just in case somebody complains that Acer damaged their device they could say they observed surface scratches when they received the tablet. In any case, they were not entirely honest with this statement, as there are no scratches on the screen or elsewhere.


America Forcing Its Laws on the World Sets Horrible Precedent

June 25, 2012

In case you're unaware, the United States Government seizes domain names of people and businesses all the time. They do it arguing those people are breaking the law, but take the domain names away even before there is a trial and before there is a guilty verdict. Three such domain seizures in recent months have been extremely questionable and, in my opinion, totally wrong. Worse, one guy is at risk of being dragged to the United States to be thrown in jail for nothing more than links on his web site.

There was a gambling web site in Canada operating the domain name bodog.com. It's a Canadian company operating a business in Canada with the domain name registered in Canada. The federal government does not want you or me to gamble, so they took away the domain name by hijacking it. They did not have the authority to go to Canada to do their evil work, so they basically forced Verisign, the U.S. company that manages the .com names, to hand over the name. Along with that, the U.S. federal government indicted the man who owned the company.

The next case is a web site reportedly used to pirate movies and music called MegaUpload.com. Federal law allows service providers to be exempt from what users post on the Internet, as long as they comply with the Digital Millennium Copyright Act (DMCA). This company did that, even though they are a foreign company. They are a Hong Kong-based company, with the owner/founder living in New Zealand. The U.S. worked with local authorities to raid the owner's house and take his money and property. They took away their servers and many users are complaining that they want their files back. One man even filed a lawsuit against the U.S. Government to get his files back and the U.S. argued that it would "set a bad precedent". Meanwhile, the company is closed, the 40+ employees are out of work, and there is no evidence that I can see that they were not in compliance with the law that, remember, they’re not even obligated to follow since they are not a US company. Perhaps they did thrive on exchange of illegal content, but they followed the law, it seems.

The last case is even more difficult for me to understand. A college student in the UK named Richard O'Dwyer ran a web site called TVShack.net. On the site, users posted links to TV shows and movies around the Internet. This guy has never been to the U.S., did not do business in the U.S. (outside of the minority of users who were from the U.S.), did not have servers in the U.S., and had no copyrighted works on his web site, etc. Even so, the U.S. government is trying to force him to come to the U.S. to face trial and go to jail. Did you know that it is illegal to post a link on a web site to copyrighted works? It is not illegal in most countries, but it is here in the oppressive U.S. These kinds of laws rank right up there with taxing Americans on income they earn anywhere in the world, even if they don’t live in the U.S. or taxing people to give up their American citizenship.

The U.S. is nuts sometimes, and I don’t mind saying so. I love my country, but the politicians sometimes create laws to cater to big media companies and they stomp all over us little people. Just to put this into perspective, can you imagine facing jail time over something you say on the Internet that in your country is perfectly legal? If we follow America’s lead, then if any one of us were to say something negative about the Chinese government, for example, then we should all be picked up, carried to China, and put in jail or put to death. Sound reasonable to you? This is the real danger the U.S. is putting us all in by doing these things it is doing.

Jimmy Wales, founder of Wikipedia, is trying to stop the U.S. from bringing Richard O'Dwyer here to face trial over links on his web site. I encourage all of you to sign the petition to stop the U.S. Government. If you are American, I would also encourage you to write to your senators and congressmen to have them put an end to trying to force the world to comply with American laws. No country should ever be able to apply its laws to a person or business in another country, using a person’s words or a service they provide on the Internet as justification.
