I Lost My Wallet in El Segundo

Actually I lost my wallet in Venice, CA, but no one wrote a song about that. So what do you do if you lose your wallet while traveling? I had no government ID, no credit/debit cards and no cash. Nothing. Luckily I was traveling with a friend, but if I were alone I’d be screwed. Credit cards were sent to me in 2 days. They would not send debit cards to me, only to my home address.

To get through the TSA without ID it helps to have anything that confirms your identity. I had my new credit cards. FYI: I had a copy of my passport, but they didn’t want copies of anything. Tell the TSA agent you have no ID. They will call a supervisor over. It took a while for the guy to show up, so go to the airport early. You put your name/address on a document. Then they call some other office, give them your info and they ask some questions. I was asked for the last 4-digits of my home phone. Then my previous address (I didn’t remember the zip code). They asked for the name of a close relative. I offered my dad’s name. Then they asked for his birthday. I don’t remember anyone’s birthday; however, it happened to be my dad’s birthday and my phone alert had gone off that morning. I only remember his age because he hit a milestone the previous year. So some quick math and I had his birthdate right. I went through security and then had more checking. They did a quick pat down, the bomb residue test on me and my luggage. They didn’t search anything. Although I look like a terrorist, the whole thing was fine.

In the future, I need to pack some backup. I should leave a debit card in my luggage so I can get cash and buy things. For some reason the TSA guy asked for that, so it might be a more legit form of identity. If you look at the list of valid ID, I only have a passport but I don’t carry it for domestic travel. It might be worth getting a Global Entry card as a backup ID. Alternatively, maybe the state will give me another non-driving ID even if I already have a driver’s license. I can just leave that in my luggage.

One-Way Sync on Windows

I have pictures scattered and duplicated across multiple Windows machines. I want them all on one machine. So if picture [A,B,C] is on machine 1 and [B,C,D] is on the central server, I only want to copy A over. Pretty simple.

I tried to use unison, a fancy synchronization tool that sort of runs on multiple platforms. But I could not figure out how to get it to do this. I tried using “-force”, but it kept synching in both directions. Finally I switched to Windows’ robocopy. The command line is “robocopy /s /xc /xn /xo source-path destination-path”. The first option “/s” says to go down all directories. The other options say don’t copy the file over if the file changed or is older/newer. It’s not a clean way to do it, but it seems to work.

Why I still won’t use Windows

TL;DR: It’s the service and hardware vendors that suck, not the OS.

I upgraded a family member’s computer to Windows 10. It went smoothly and the new OS UI seems fine. The laptop is a Dell XPS 12 (2013). Overall it’s an OK computer if touch is your thing. In doing this I discovered a lot of strange behavior in the hardware/OS interaction that was there before Win10. Things like (1) the computer suddenly wakes from sleep and drains the battery. (2) The USB port that does NOT support Powershare still provides power when the computer is asleep. (3) All the Power Plans have disappeared. And so on…

I expect problems with computers. The issue is it is damn near impossible for a novice to find a solution. In this case, even I can’t solve these problems. The support from the hardware and OS vendors is near non-existent. The forums are filled with dumbasses giving partial or incorrect answers. The OS doesn’t offer many clues. I’ve wasted far too much time searching for solutions.

Honestly, for most people Mac OSX is nothing special, except it Just Works. People spend 90% of their day in the browser anyway. Being able to walk into an Apple Store and have a “Genius” fix simple problems is a killer feature. AFAIK there is nothing comparable for Windows nor any consumer hardware vendor. Dell’s XPS support was never useful. Best Buy’s Geek Squad is a royal ripoff. ($70 to fix your email!) If Microsoft can’t entice hardware vendors to do a less shitty job they will continue to lose market share to simpler devices. The jury is still out on the Surface.

Google’s ChromeOS is the right idea, but still falls short. What can it do that can’t be done with a tablet + keyboard? Most people would rather get the latter. Some people still require extra software to connect to work and run work applications (like WebEx or Excel/PPT or VPNs). Those applications are ported to iOS/Android before ChromeOS. Also, the Chrome hardware is mostly $300 plastic garbage, plus the expensive Pixel.

Apple wins because their service is fantastic (IME), their hardware/OS combo Just Works, and OS X is good enough. Microsoft loses because even if Win10 were perfect, the service is abysmal and the hardware/OS combo is atrocious. The Surface might solve the last point. ChromeOS is in the middle because the hardware/OS just works, there is no service (AFAIK), and the OS might be just short of good enough for some people. A tablet + keyboard is better than ChromeOS for most people because iOS/Android has more apps.

Offline Google Drive without changing default browser

Google Drive supports offline access of your documents by running the little Google Drive sync tool. When you click on something, the Drive tool acts like a local web server and opens your default browser. However, this will only work if Chrome is your default browser. What if you want to use something else? I found this old script googledrivesync-chrome which appears to do the trick for Windows. Download the zip file, copy the files to C:\Program Files (x86)\Google\Drive, and run “googledrivesync-chrome.wsf /install”. I just tried it on Windows 10 and it seems to work.

Notes for Computer Security

I’m not a security expert. For a long time I used the same terrible password everywhere because I’m a lazy moron. But I finally cleaned up my act. The first thing to decide is who is my adversary. I’m not trying to protect myself against government agencies nor violent crime lords. In both cases they will merely cut off my fingers until I give up my password. I’m primarily worried about hackers grabbing passwords in bulk from web sites. I’m only a tiny bit concerned about hackers getting on my machine directly.

I used Diceware to come up with a 6 word password, which is about 77 bits. I then changed a few characters randomly. Each change adds another 10 bits. I wrote it down on paper and store it in my wallet. I use this as my master password for LastPass. In addition, I use 2 factor authentication (2FA) using Google Authenticator to generate login codes (TOTP). Using LastPass I’ve generated unique, big, complex passwords for all the sites I use. Basically, there’s no way for me to log into anything without LastPass. For important sites that support it, I use 2FA with Authenticator. For these same sites I generated backup codes and stored them as secure notes in LastPass.

I use LastPass app on my iPhone 5. It’s a pain to type in my master password, so I use a PIN code to protect it. I wish that LastPass copied the iPhone’s Erase Data option: after 10 failed attempts it should delete the LastPass encrypted file. For someone to get this data, they need to get through the iPhone PIN and the LastPass PIN. I should use a password instead of a simple 4 digit passcode on the iPhone.

On my Mac I use the LastPass browser extension and the LastPass desktop app. Neither of these are password protected, and I turned off 2FA. I can set them to auto logoff after a timeout, but then I have to type in my master password every time. I’d prefer to enter a PIN code, which falls back to the master password after 3 failures. Instead, the only thing protecting my computer is a terrible account password. I should change that. Again, I wish the Mac supported a PIN for quick login and a backup password. Or 2FA somehow.

My laptop is encrypted with FileVault. Backups run by Crashplan are encrypted with my account password. The spare computer holding my backups has a terrible password and is not encrypted. I think that’s all ok so far. Though I’m not sure why security people trust FileVault and not Microsoft’s BitLocker.

For some inexplicable reason, none of my banks — the most important sites to protect!! — support 2FA. Etrade does support Symantec’s VIP Access app. However, why don’t they support Authenticator or just plain TOTP? Also, if I turn it on then I can’t use Quicken or Mint.com. It should support app-specific passwords that have read-only access to my accounts. This is a serious weakness.

I really don’t like Google Authenticator. I’d prefer to use Authy. It’s easier to use and it stores an encrypted backup of your codes to load onto another phone. But I don’t quite understand how they ensure the other phone is under my control. Could a hacker fool them into copying my Authy data to another device? Plus, their desktop app doesn’t feel like it’s in the spirit of 2FA.

LastPass is the center of my security universe. If someone breaks into LastPass, as they did recently, I’m pretty much screwed. Other people use KeePass because they have control over the encrypted DB. But it isn’t easy to use like LastPass. It’s a tradeoff I’m willing to make. I’d like to use Yubikey when LastPass supports U2F. This would prevent phishing attacks. However, I’m still vulnerable if someone figures out how to write a page that extracts data from the browser extension. Also, I’m not comfortable with their account recovery schemes. I think there’s a way for an attacker to turn off 2FA and then force recovery using a OTP stored in your browser. This would work if they have your laptop, including email access. I should fix this somehow.

Overall this setup is moderately secure, but the NSA could break it in a jiffy.

3-way merge of PowerPoint with git

This doesn’t work for some reason, but I’ll make a note and look at it later. On the Mac’s Script Editor, the dictionary for MS PowerPoint 2011 says it has a method called mergeWithBaseline. That sounds like a 3-way merge. This is a sketch of what the code should look like. For some reason I can’t get mergeWithBaseline to do anything.

#!bash
# pptmerge LOCAL REMOTE BASE MERGED
osascript -l JavaScript << EOF
PPT = Application("Microsoft PowerPoint");
PPT.activate()
local = Path($1)
PPT.open(local)
PPT.activeWindow.presentation.mergeWithBaseline({withRevisionPath: $2, withBaselinePath: $3})
PPT.activeWindow.presentation.endReview()
PPT.save({in: $4, as: "save as presentation"})
PPT.quit()
EOF

In the .gitconfig there should be something like this:

[mergetool "powerpoint"]
    cmd = pptmerge \"$LOCAL\" \"$REMOTE\" \"$BASE\" \"$MERGED\"

It looks like you can select different merge tools with “git mergetool –tool=powerpoint fileName”. Is there a way to trigger this by file extensions (.pptx)?

Build an interpeter in .NET

A long while ago I noted one could build an efficient language interpreter if the runtime could inline operations more aggressively. .NET has long had an attribute called MethodImplAttribute that gives the runtime some hints on how to compile a method. In .NET 4.5 they added one more hint: AggressiveInlining. This instructs the JIT to inline the method if possible. It took some doing, but I verified that it does inline methods most of the time. This post talks more about it. Plus, at the bottom is a comment from (probably) a .NET dev that says, “It simply turns off all our heuristics, and causes us to inline the method if the JIT is capable of inlining the method. The reason the documentation is so vague is that there are limitations to what the JIT can actually inline…”. So it works, but it might not sometimes.

To determine if inlining is working you can scan the ETW output from the JIT as described here. I did the following:

// Run wevtutil only once on your machine. It should work fine forever after. :)
wevtutil im C:\Windows\Microsoft.NET\Framework\v4.0.30319\CLR-ETW.man
// Do the following each time.
logman start clrevents -p {e13c0d23-ccbc-4e12-931b-d9cc2eee27e4} 0x1000 5 -ets
// RUN YOUR PROGRAM IN RELEASE MODE, NOT IN THE DEBUGGER
logman stop clrevents -ets
tracerpt clrevents.etl

Search in dumpfile.xml for MethodJitInliningSucceeded and MethodJitInliningFailed. They will give you a reason for what it chose to do. To make this a bit easier you might be able to use Reactive Extensions to monitor the logfile as described here.

The goal is to inline and optimize the interpreter directly into the program, thus creating a compiled program. This is the first Futamura projection. This is already pretty good, but to get the 2nd and 3rd projections you’d need to do the inlining at the bytecode level at compile time, not at runtime. That way you can save the optimized assembly and specialize again. This should exist somewhere. I couldn’t find anything comparable in the JVM. Perhaps LLVM? Maybe Rosyln?