The Flag's a Plus

Last year was our first year in Switzerland. Christmas fell on a Sunday. Everything closed early on Saturday (Christmas Eve) and everything was closed on Monday, but I assumed that they were just giving people an alternate day off. This year, Christmas fell on Monday, and everything was closed on Sunday, Monday, and Tuesday. Hmm. It turns out that some parts of Switzerland, including Zürich, celebrate Saint Stephen's Day (Stephanstag) on the day after Christmas. It's a bit odd for a Protestant Canton to be celebrating a saint's day, but Saint Stephen was a bit of an odd saint. I suspect that it's celebrated more as an extension to Christmas than as its own holiday, but a day off is a day off.

People who work in security, particularly in computer security, get a bad reputation for paranoia and for always saying no. Some of those reasons are deserved, and some aren't. Security people tend to be more aware than most of the people around them of the potential consequences of omitting some security controls. They also tend to be more aware of how often security problems cause bigger problems like lost money, lost customer information, etc. But, the accusations against security people are also often true. Security people do have a paranoid streak. Sometimes, they get so caught up in what could go wrong that they neglect the advantages if things go right. "This could cost us a million dollars!" is a concern, but if it's something that will make billions of dollars, that might just be okay. To deal with this conflict, most organizations have come to rely on some sort of threat modeling. I've talked about it before, but in a nutshell, you think about way

So, the US Congress is talking about taxes again, and as always, everybody's trying to cut taxes for their donors without pissing off everyone else too much. I was curious about the effects on the bottom line of a tax increase, so I went looking for some data. I should be clear here. I'm not an expert in any of the relevant subjects: economics, statistics, policy, etc. I just wanted to understand what it means when they talk about cutting taxes for one group by a few percent. How much does that affect everyone else. We know that poor people don't have money to spare. Rich people do. On the other hand, there are a lot more poor people than there are rich people. Put another way, 1% of Bill Gates' income could pay off a lot of debt, but there's only one of him. 1% of an ordinary person's income wouldn't pay off much debt, but there are lots more normal people. So, how does it balance out? I found this really useful Wikipedia link showing the number of

I'm publishing this as an unfinished draft because it came up in conversation. Hopefully, I'll go back and rework this later. If you're not a technical person, just skip this one. In technology circles, there's been a lot of talk about encryption lately. It's regarded as A Good Thing. If you take away one thing from this post, it's that encrypting your data is almost always a good idea. And, if you're not a technical person, you can just shorten that to "Always Encrypt". But, for the techncal people, there are edge cases. There are always @#$!@% edge cases. There are two primary reasons to encrypt: privacy and verification. Unfortunately, when it comes to TLS, they're mixed together. Verification is always a good thing, but there are times when the privacy is either unnecessary or actively harmful. For example: Waste. If you're downloading a public file, and you have another way to verify it, then encryption is just wasted memo

I've had a Gmail account since they were introduced. I have an easy to remember account name, and Gmail includes a lot of nice features like checking other accounts via POP3, mail forwarding, and mail filters. They also have the best spam filter I've been able to find. As a result, a few years ago, I started sending all of my email through Gmail just to deal with the spam. To their credit, Google offers really great security for Google accounts. They came out with Google Authenticator a while ago, and they support U2F and other common two-factor authentication. They make it easy to see which applications have access to different parts of your google account and what bits of data have been accessed. It's all well thought out and quite secure. Except... Google makes Android available to anyone. The core portion is Open Source, and they license a lot of the add-ons under a pretty open license. As a result, lots of companies make Android devices. Unfortunately, those compa

There's no real pattern here. Just a few ideas for new websites that have been rolling around in my head. 1. Website idea: Central, shared contact information. I'd like to have a place where I can post my name, address, website, social media accounts (and a way to indicate whether I'm a regular user or I have an account but never use it), etc. for friends. Then, I'd like to show a slightly different profile to family. A third profile for prospective employers. Maybe a fourth or fifth for different clubs or hobbies that I participate in. Ideally, friends and family would create their own profiles, and they'd be able to subscribe to updates from mine. If I move or get a new phone number, I could update it there, and all of the right people would see it or be notified. 2. A "verifying" link shortening service. There are a bunch of services out there like https://tinyurl.com/ or https://is.gd/ . I'd like to see one that rates the honesty of the article

Last night, yet again, America saw a terrible gun tragedy. This keeps happening, and we keep doing nothing. A few shootings ago (and isn't it terrible that this happens often enough to make that a valid unit of measure), John Scalzi wrote something in his blog that covered most of what I want to say, and he said it better than I can. However, there's another side to this and to so many other social and political issues that's been bothering me a lot lately: We're talking about the wrong things. So, here's my prediction on how the next few days of the news cycle will go: Lots of tentative finger pointing. "I'll bet that the shooter was a member of a race/religion/political party that I don't like!" As details unfold, a whole lot of "I told you so" from whoever was right in that random guessing game. Some knee-jerk reactions about "what we need to do". OBVIOUSLY, we need to either stop selling guns or buy more of them an

I frequently use voice recognition on my phone. It's faster than thumb typing. When I moved to Zürich, the voice recognition had a terrible time with local place names. It's improved over time, but I'm pretty sure that it improved by flipping an internal flag somewhere that said "Try English, German, and French words in no particular order". The consequences are interesting, and not always an improvement. For example, yesterday, I said, "I was not feeling well today." My phone's voice recognition parsed it as, "iOS Nacht Frühling Welt zu die."

This is my standard advice for buying smartphones: Buy an iPhone if you can. If you really want an Android device, buy a Pixel. Try to avoid carrier phones. I recommend this because: Architecture matters. Apple devices are very locked down. Antivirus is unnecessary on iPhones. Patch speed matters. You don't want to be stuck waiting for your vendor or cell phone carrier. Apple makes everything, so their process is fast. With Pixel, Google makes the patches, and pushes them to phones quickly. I recently bought a new cell phone. What did I get? A Sony Experia Compact. Even I didn't follow my own recommendations. Why? Because even though I'm concerned about security, it's not my only concern. My priorities worked out like this: Must work with European cell phone frequencies. I actually own a Google Nexus phone, and I love it. Unfortunately, it's a US model, and I was finding myself with no coverage in areas where everyone around me was fine. Must be available

One of the things that you quickly learn when traveling in other countries is that it helps to adopt a stereotypical accent. When you say, " Schönen Tag," (Good day) you should try to say it in a stereotypical German accent. It sounds really weird to the locals if you don't. Same thing with " Bonjour" in French or " Ciao" in Italian. Just run with the stereotypes. If you're not mumbling the ends of the words, you're not speaking French properly. If you're not moving your hands, you're not speaking Italian properly. In Zürich, a lot of people speak English. In fact, I suspect that for most people, their preferred language order is Swiss German, English, then Hochdeutsch (High German -- what they speak in Germany). But, they all learn English from other Swiss people, so they speak English with a pronounced accent. I've picked up that accent. A lot. I don't do it when I'm speaking with other native English speakers or with

There's a concept called "Threat Modeling" that's used a lot in Information Technology (IT), but it's a useful thought exercise for day to day life, particularly when you think about computer security. Here's the simple version: try to think about all of the different people who might try to come after you online. Think about how they might attack most effectively. Then, worry about those things. Stop worrying (or worry a lot less) about attacks that won't happen to you. Why do this? Because your time and energy is limited, and a lot of the security advice that you'll see is targeted at people with a completely different threat model. A journalist has to talk to a lot of people, and makes a lot of enemies, but has to keep their sources safe. A soldier is a target because of who he is, but doesn't need to talk to strangers online. And so on. You don't have those problems, so products that are targeted at journalists or soldiers or freedom fi

Last weekend, the weather was warm, and we had the windows open. We could hear children playing outside. Silence for a few minutes, punctuated by occasional screams, laughing, and running. It sounded like they were playing hide and seek. Then, I happened to look out the window and I saw a pair of little girls on the top corner balcony of the building across from me. One was lying prone and aiming a squirt gun that was as big as she was (a super soaker, or something similar) through a small gap in the bottom of the balcony railing. The other was acting as a spotter with her head poking over the railing and looking around the corner. They were accurately aiming and leading to hit running kids on the ground with water from about 4 stories up. I have to admit that I was impressed.

I'm going to lose some of the non-geeks on this one. I've been playing with cryptocurrency lately. Bitcoin (BTC), Dogecoin (DOGE), etc. It's interesting technology. Essentially, it's a way to buy and sell things without a centrally owned repository (like the federal reserve, or Visa/Mastercard/etc.) In a nutshell, if I want to send you a bitcoin, there's no central authority who approves the transaction (just a consensus that the transaction was valid), so there's nobody who can stop me. It's the same advantage that gold has, but it can be done over the internet. It has one enormous downside, though: it's SLOW. Because of the way that these currencies are designed, it can take more than an hour for a transaction to go through and be finalized. (You can see that it has started after about 10 minutes, but it's not truly final for about an hour.) Some of them, like Litecoin, have developed ways to speed up the process, but it still takes 10-15 minut

Since moving, I've had to rely on Google Translate a lot. Everything from government websites to local news websites has to be translated. I'm slowly learning German, and I can occasionally make out simple articles without translation, but that little "This page is in German. Would you like to translate it?" notification gets a lot of use. Somewhere along the way, the algorithms have noticed. I'm seeing a lot more German spam, the web page ads that sneak past my adblockers are increasingly in German, and  Google Play has been playing a lot of Europop lately. Tonight, for a change of pace, Google's "I'm feeling lucky" song guesser decided that I wanted to listen to French pop. Ça joue .

I recently checked in on my retirement fund for the first time in a while. I was up 16% from this time last year. Yay! Go me! Of course, most of my retirement is in index funds that track the market as a whole. (I keep about a third in relatively low risk bonds). So, how's the market as a whole doing? Up 17% from this time last year. So, uh, I did almost as well as everyone else. Participation medals all around!

I'm visiting Leukerbad again. It's a Small town in Switzerland with beautiful mountains, hot springs, and lots of hiking trails. Today, I took the cable car to the top of the mountain and went hiking. I should mention that Swiss trail markings are different from Pennsylvania markings. In particular, the scale is different. A PA "Moderate" is a Swiss "Easy", and a PA "Difficult" is a Swiss "Moderate". I'm​ reasonably comfortable​ with difficult hiking trails in Pennsylvania. I had nowhere to be the next day (though I was hoping for more hiking and sightseeing), and I was in a town full of spas. There was no better time to push myself. Unfortunately, I only had a few hours before the cable car down the mountain stopped for the night. So, I chose a middle difficulty trail that was supposed to take about two hours and took off. It was easy going at first, but it started to get a lot harder somewhere along the way. I was expecting a ch

I had a slightly disappointing experience with Apple support today. I've been an Apple user for many years. I created an Apple ID back when they introduced the iTunes music store. I've used it ever since. A few years ago, when Apple was getting a lot of bad press because people's Apple IDs were getting hacked, Apple introduced 2-step verification for Apple IDs. When you switched to 2-step, you're given a recovery key (an RK) -- a long password-like string. They warn you at the time that you must store your RK in a safe place. I thought that I stored it in a known, safe place. Back in mid-May, after returning from overseas travel, I decided to change the password on my Apple ID. Something went wrong. Neither my old password nor my new password worked any more. It turns out that if this happens, you eventually end up at this Apple support page . Short version: you must have either your password or your RK. Lose both, and you're screwed. So, I went

A small computer success story: I have a Synology NAS at home. For those who aren't familiar with them, they're small computers that are set up to make storing and sharing files easy. They keep your data across multiple hard drives so that if a hard drive fails, no data is lost. Or, at least, that's the theory. After we moved last year, I set up the NAS and ran all of the status checks. It reported that one drive was still working but starting to have problems. I bought another drive, plugged it in, and set it as a "hot spare" (basically, the system knew about it, but it wasn't being used). I also turned on monthly disk checks. Months passed with no more problems. ...until last Tuesday. On Tuesday night, the system automatically sent us mail to tell us that The troubled disk had finally failed. Since we had a hot spare, it would be used as a replacement disk and our data would be copied to it. When everything was finished, the system would let us k

Imagine that moment of confusion when you wake up from a deep sleep and, for a few seconds, you can't remember where you are or why you're there. Imagine that you had a little bit too much to drink last night. Not enough to be sick, but enough to feel like you're sweating a little bit too much and people are talking just a little too loud. Except... you're pretty sure that you didn't drink last night... whenever night last night was. Imagine that your body may or may not be fighting off a cold. You're simultaneously too warm and too cold. A painkiller seems excessive, but your bones ache and you wonder whether you've slept too much or not enough. Imagine watching the sunrise and being disturbed at a deep level because the sun shouldn't be coming up at this hour. What world have I fallen into where the sun rises at the ungodly hour of... 6am. Oh. I guess that's normal. Here. Imagine that your alarm goes off at 8 O'clock, and you have no idea w

A small thing that I haven't talked about before: When we moved from the US to Switzerland, because there was a voltage difference, we did not take any electrical kitchen appliances with us. We've also tried to resist buying things until we were certain that we'd use them. So, we only decided to buy a microwave oven a month or two ago. One of the first things that we noticed was that microwave ovens in Switzerland almost never have a revolving tray. A revolving tray is common in all of the higher end US microwave ovens, while only the cheapest Swiss microwave ovens had this feature. It turns out that there's a good reason for this: most Swiss microwave ovens also have conventional heating elements. They're basically a cross between a microwave and a toaster oven.  A lot of frozen food offers 3 reheating times: oven only, microwave only, and a combination time to use with one of these combination ovens. It works pretty well, particularly with things like p

A few months ago, I finally gave in and applied for a Supercard and a Cumulus card -- the loyalty cards for Coop and Migros, respectively. The process was a bit more onerous than in the US. I had to apply online, then I received the cards in the mail, but the cards couldn't actually be used until I confirmed them again online. This is to ensure that I have both the cards and the online account information -- a sort of one-time 2-factor authentication. With the cards, I was able to drastically change the way that I shop. Now, when I go to the grocery store, this is the shopping process: When I walk in the door, I stop at a kiosk where I scan my card (or a picture of my card on my phone), and it unlocks a handheld barcode scanner. I could also skip this step and scan groceries with an app on my phone, but my phone is a lot slower because the camera takes a while to focus on the UPC. When I want to buy something, I scan it with the barcode scanner then put it into my reusable g

When you set up a network, whether it's for home or work, you need to think about how the network's going to be used and which resources are going to be most limited. For a long time, the relative scarcity looked like this: Internet bandwidth was very limited Wireless network bandwidth was somewhat limited Powerline adapters were faster than wireless, but slower than Ethernet Wired Ethernet network bandwidth was relatively fast To get around these limits, you would avoid using the wireless network whenever possible. If you needed to get an internet connection from one end of a house or building to another, you'd try to find a way to use wired whenever possible, even if that meant something like Powerline adapters. Anything to maximize the scarce WiFi bandwidth. Keeping local copies of big files like OS updates also made a lot of sense, as those could take hours to download. I even had a well-tuned QoS (Quality of Service) setup on my old home network to prioriti

A quick one for today: I've been looking into what passes for American food in Zürich. Short answer: fried appetizers and burgers. Here are the menus for a few places that sell American style food in Zürich: Fork and Bottle sells a wide selection of beer, along with burgers, ribs, and salads. Like one of the good the microbrew / gastropub places that are in almost every city in the US. We visit them regularly. Brisket Southern BBQ and Bar is a rib joint. Their ribs are a blend of US styles. They're pretty good, but they're not quite as good as the ribs from that run-down shack outside of town. You know the one I mean. (For my non-US friends: I'm mocking rib snobs. No matter how good the ribs, they've always had better. The place with the best ribs in the entire world is always, amazingly enough, just outside of the town where they live or grew up.) Papa Joe's has recreated the "fried food and lots of crap on the walls" restaurant concept popu

I've been rethinking my personal threat model due to wholesale scanning of electronic devices at the U.S. border. I think I've figured out a few things that I can use that might be useful for others. The problem is this: Currently, Customs and Border Patrol (CBP) is scanning devices, but they are not scanning data that's not on the device or not directly reachable with the device. This is due to their interpretation of Riley v. California -- a U.S. Supreme Court decision that said that law enforcement can't use credentials found on the phone to gather additional data without a warrant. If they're suspicious (or if you annoy them), they can seize your phone. So, I need to be sure that my phone is "disposable" and I won't lose any critical data. Wiping my phone might work, but there's some information that I'd like to install on my phone before I leave (phone numbers of people I'll be visiting, for example), and if searched, a wiped phon

Last year, before I moved overseas, a few friends told me to follow them on Facebook so that we could stay up to date with each other's lives. At that point, my Facebook account had actually been deleted, but I did want to stay in touch with people, so I reactivated it. I should mention that this was early 2016. The US presidential campaign was kicking in to high gear, and it was getting ugly. Whenever I would log in to Facebook, I would have to scroll my way past many fake news posts. It was absolutely ridiculous. These were people who knew what Snopes and Politifact were and how to verify what they saw, but they weren't doing it. Critical thinking seemed to go out the window whenever politics was involved. Initially, I tried to ignore it, but there was a ton of it, and some of it was coming from a few relatives close enough that I didn't want to block them. I foolishly thought that perhaps education was the answer. I started off by calling out some of the more o

I've been thinking about how to handle email, chat, and social media accounts. With some help, I've come to realize a few things: My immediate concerns about being searched at the border are unlikely. US citizens are not yet being searched, and I've paid extra (it's the American way!) to be pre-sorted into the "boring pile". If my information is compromised, I'm in very little danger. My concern is almost exclusively for friends who have confided in me. I don't want THEIR information compromised. It's impossible to know who has old data about me. I'm a little bit concerned about history and my own bad memory. If you claimed that you had hard evidence that I said something stupid ten or twenty years ago or exchanged messages with a criminal, I probably wouldn't argue. After that much time, who knows? Plus, there have been a lot of security compromises and mergers and policy changes. Some of my "online presence" may be good fo

I'm deleting messages (and, in some cases, accounts) across the remaining social media sites that I use. More changes may be coming soon. I'm currently living outside of the US, but plan to travel to and from the US a few times per year for the foreseeable future. Unfortunately, US Customs and the Department of Homeland Security have started to demand email and social media account information at the border. While I suspect that I wouldn't be interesting to them, and neither would most of the people I follow, friends have shared personal secrets over the years, and the government has a bad record when it comes to keeping personal information secret.  I don't want to have friends' private concerns about depression, suicide, sexuality, or anything else captured and stored in a government database. I won't allow this to silence me, but I'm stepping back and thinking hard about how to properly partition things for the future.

On Zürich buses, stops are announced automatically. Normally, the only time that the driver speaks is when there's a problem (like road construction) that will result in the bus being diverted. As someone whose Schweizerdeutsch is terrible, I have developed a certain dread whenever I hear an announcement. It means that something's about to go wrong, but I don't know what it is. Today, I got on the bus at a busy stop where most people were exiting, and someone had spilled a newspaper all over the floor on their way out. The bus was nearly empty and stopped while waiting until it was time to leave, so I set down my bag, picked up all of the newspaper, folded it into a bundle, and tucked the bundle into a spot where it wouldn't spill again. As I finished, I heard an announcement and looked up with my usual sense of dread. I only caught "Danke" and rein...something. I looked toward the front of the bus, and there was an old man standing next to the driver and sm

Uetliberg is a small mountain near Zürich where you can find many hiking trails. You can also find the Schlittelweg (sled trail) -- a 3.1 km (about 2 miles) long sledding trail. Even better, there are train stops near both the top and bottom of the Schlittelweg, so you don't even have to walk up the hill again. Last weekend, Laura and I took a walk along Uetliberg that ended near the top of the Schlittelweg and we took the train down into the city. Swiss trains are usually immaculate. It's rare to see anything worse than an occasional discarded newspaper, or smell anything worse than a whiff of detergent or excessive perfume. The Uetliberg train, though, smelled awful. If you've ever shoveled a long driveway or gone skiing, or if you have children who like to play in the snow, you may remember the unique "wet dog and unwashed socks" funk that comes from peeling off a snow jacket after a few hours of hard exertion in the snow. That was the smell that we endured

As far as I can tell, Swiss children are taught public manners from a very young age. It's not uncommon to pass elementary school students walking to school alone or in small groups (wearing their reflective vests, of course) and be greeted with a polite "Grüezi!" ("Hello!") as they pass. A few days ago, I was riding the train when another train pulled alongside. This is uncommon. Trains are normally staggered by a few minutes, but the other train was running late. These were electric trains in the city, so speed was tightly regulated, but as we'd go around corners, the inside train would pull ahead. The children on the train were very excited by the "race", and all ran to the windows on that side of the train. We pulled into one station at the same time. When it was time to leave, the other train's doors closed a few seconds earlier, and it started to pull away. The children on my train became absolutely frantic. They started stomping

I have too many blogs and social media accounts. I was trying to keep things separate, divided for appropriate audiences, but it's too much of a hassle to keep track of them all. So, I'm consolidating. More specifically, I'm consolidating here. Blogger supports labels for each post. You'll see that this post has the "announcement" label. If you only want to see posts about Switzerland, find one of those posts, and click on the switzerland label . If you only want to read about technology, click on that label. Etc. If you read this via an RSS feed or some sort of indirect method, and you don't want to read everything, you may need to adjust your feed.