Hey, you sass that hoopy Bill Napier? There's a frood who really knows where his towel is.

My Heart is Bleeding

A funny name for a serious bug. -- Bill Napier

You may have heard about it in the news, but may be unsure of what to do about it. I know this because I've had a number of people already ask me what they should do about it. Let me enlighten you.

What's the problem?

So I'll try and explain it two ways. Semi-technical, at a level most people who are familiar with computers should understand. And then as an analogy, for those of you who don't understand the first explanation.


The bug is in openssl, which is a library used in many (many) please to do secure communications. If you see "https" in your browser, there is a chance that the site you're talking to is protected via openssl.

Without going into specifics on the bug (Check out http://heartbleed.com/ or the CVE for more specifics there), the bug (essentially) allows an attacker to access anything the webserver can access. For most websites, this could mean everything. Usernames, password, credit cards, SSN, tax returns, etc. Or even use it as a starting off point for exploiting another bug and creating a backdoor.


When you leave your house, you lock all the doors, right? Imagine that your door lock had a bug in it (a design flaw) that allowed an attacker (theif?) access to your home without you even knowing that they have been there. Obviously they can do the easy stuff. Steal your TV and your jewels. They could also be rather annoying and steal your Social Security card and birth certificate and passport and start impersonating you (Identity theft). Or they could come in and just put up hidden cameras and bugs and a backdoor into the house so they can come and go and do whatever they want, even after you've changed the locks.

Hold me, I'm scared

So first of, not every website is affected. There are some site (I like LastPass) that will check if services you use are affected or not. As you can see from this infographic, a lot of the financial sites are fine.


Should I change my passwords then?

Short and sweet? Maybe.

Here's the tricky part. The bug has existed for 2 years. As far as we know, nobody knew about it until December (at which point the bug was fixed and a release pushed). There is a slight chance that black-hat hackers silenty discovered the bug first and have been using it prior to December, but it's not thought that is a huge risk. So even if a site you use has the bug for a bit, you may be safe.

Prior to this weeks announcemnt, the good guys (white-hats) knew about it, but that doesn't really change the risk profile. Things changed this week when a tool was release that exploited the bug to recover recent traffic sent to and from sites with the bug. This made things much riskier because it makes it easier. Anybody could download this tool, click a few buttons, and possibly catch your username and password while you were logging into the site. And chances are people did.

Keep in mind that it makes no sense you change your password until the site has the bug fixed. Otherwise you're new password will be at just as much risk as your old one.

Levels of Paranoia

If you're a tin-foil-wearing-hat kinda guy, you should probably change any and all password for any site that has ever been affected by the bug (once they have fixed it of course). This isn't feasible for most people. In my LastPass vault I've easily got 150 passwords, and I know there are some that it doesn't know about (usually due to laziness).

A more reasonable approach would be to change the password for any affected site that you've accessed since (say) 4/5/2014. (again, once they have fixed the bug). And by affected I mean affected after the tool was release. Sites (like Google) that patched it prior to the tools release are probably ok. Even if you haven't entered the password during that "risky" window, you should do it to get a new login cookie. This should protect you aginst any of those "Script Kiddies" who downloaded the exploit and immediately started snooping traffic. This is a case of fixing things that we know are a problem (we know that people are going to be doing this) vs. fixing things we think may have happened (a more sophisticated custom attack).

I can't recommend doing nothing at all. At the least you should check any important sites (as defined by you) and change your password if accessed inside that risky window. For me, this is anything to do with money. PayPal, Google (wallet/play/drive/gmail), banks, credit cards, etc. Should hopefully be a smaller list that the full 150+.

Any other reccomendations


I'm going to plug LastPass again. the basic gist of what they do is keep track of all your passwords. This is handy so if something like this happens again, you have a list of sites you go to rather than trying to figure that list out. LassPass also has a proven record of trying to inform and protect their customers and their tool can already tell me which of my sites have been affected and if it's time to change my password there or not (depending on fixed status).

An additional protection is its ability to handle site-specific passwords, where each site has it's own unique password. If you don't have site-specific passwords, it may be possible for an attacker to gain your username/password from a HeartBleed affected site and then start trying it against "safe sites". If each site has its own password, this isn't an issue.

And I promise I'm not a LastPass shill. I get no compensation for this post, just a VERY happy customer.

Second Factor

Please turn on second factor authentication on any site that offers it. This also provides defense-in-depth as even if an attacker gains your password via another bug, without having access to your second factor, they cannot access your acount. I wish more services had this kind of setup (banks, I'm looking at you).

Further References

Krebs is great. You should just read his stuff because.

Beer Bug: Bringing moar data to your brew

Getting started in brewing beer has a minimal capital investment. For around $80, you can get all the equipment you need to brew a beer better that most of the beer you can buy in the store.

What you'll quickly find is that yes, you can make good beer with a starter kit. But there are parts of it that just suck. Like trying to get a siphon going to rack your beer (but an auto-siphon). Or post boil, getting the temperature down to where you can pitch the year (get a wort chiller). Bit by bit you keep getting things that make the process a little easier.

The Beer Bug

So I signed up to kickstart this thing back in November 2012, expecting to have it by Christmas. It ended up arriving in Feburary 2014. This is pretty much par-for-the-course for kickstarter.

Anyway, what does this thing do? In short, it measures temperature and original gravity of your brew, and uses Wifi to upload that data to the cloud. On their website, they have pretty graphs and other stuff so you can keep track of how your brew is going.

Tracking temperature is actually a really good way to make your beer even better. Basically you want to keep it within a small temperature range to control the flavor of your beer. Too warm or too cold and the yeast may give off undesirable flavors. Without the data, there's no way to control that temperature range without resorting to guessing.

Example Graphs

Original gravity takes a bit more explaining, as it's not a measurement people have heard of. Roughly, it measures the amount of solids dissolved in a solution. For brewing, this means fermentables (basically, sugar) to feed the yeast. By taking a measurement at the beginning and the end of the brew, you can calculate how much alcohol your brew will end up with.

OG is also the only way to know when you're done fermenting. If you look at the green line in the graph above, you can see the OG leveling off towards the end, indicating the fermenting is done.

Without the Beer Bug, measuring OG is tricky. To do it safely (ie. with no contamination risk), you need to sneak a sample out and use your (rather fragile) hydrometer in a tall flask. It's a pain. I usually just end up guessing when the fermentation is done (based on time) and then taking the final measurement.

I plan on getting a brew together in the next couple weeks to try my new toy out. Very much looking forward to it!

One Month with Google Glass

So yeah, I promised updates on using Glass. And then things got busy. But I've now got some time to write, so here goes some updates after a full month of using it.


I've been forcing myself to try and wear it every day. I usually succeed about half the time, and almost all of that is during the week. I'm up to almost all day with it, but around 2 in the afternoon it has to come off for a bit. But then I can put it back on again when I come home and wear it almost all night. I'm really starting to not notice it.

But I have a hard time wearing it on the weekends. It's one thing to throw it on and wander around Mountain View, it's a whole different thing to take Joshua to Gymobree on a Saturday morning with it on. Glass has gotten so much bad press with the possibility of people being "pervy" with it, that I feel very self consicous about wearing to to a class that has about 30 2 year-olds in it. And if I don't put it on then, I usually don't bother with it for the rest of the day.

But I have worn it out to Target, Whole Foods, Starbucks, etc. I've even been stopped a couple of times by strangers asking me about it. This is all expected, I mean, I have a computer welded to my head! I'm surprised I haven't been stopped more. And I'm always very pleasent when people ask. I try to be an ambassador for the future and tell them what it is and what it does and answer their questions. Sometimes people even know what it is by name, but haven't ever seen it. But most of the time they have no idea (even in Silicon Valley).

Good Things

One of the first things you must setup is the BlueTooth connection to your phone. This is vital as this allows the MyGlass app on your phone to configure thing (like Wifi settings!) on Glass.

OK Glass, Call Margaret

In addition to a control channel, Glass uses your phone (via BT) for data when outside of Wifi coverage. But Glass also implements the BT Handset profile. So you can initiate calls from Glass with a simple "OK glass, Call Margaret". And sometimes it actually works. :)

I was totally surprised the first time I got a phone call while wearing Glass. My first thought was, "What is that noise?". And then Margaret's picture popped up in my vision, indicating that she was calling. A quick "OK Glass, Answer Phone" and I'm talking to her via the built in mic and the bone-phone on Glass. The bone-phone is OK if you're just doing a quick call, or as you try to quickly switch to handset, but I couldn't see taking a longer call with it. First, the volume is kinda quiet, and I'm usually in the noisy cafe when I get calls. And second, it just feels funny on your head.

SMS (or Messaging) via Glass is pretty nice. Especially since the messages are meant to be short, so you can easily word your response and send it out. Of course, this is leading to all new kinds of "auto-correct" issues, as Glass likes to swap homonyms or simiar sounding words.

Bad Things

Going back to my first post, there is still a lot of "feeling like a tool". It can't be helped. There's just no way to use voice control of any sort without feeling like everybody is staring at you because you're talking to your glasses. Not sure I'll ever get used to that.

I say "OK Glass" ALL THE TIME. It's get's kinda boring, especially since you're think "OK PEOPLE, LOOK AT ME USING GLASS" every time you say it. Plus it's different than the voice control for Google Now (OK Google), so I get mixed up quite a bit as well.

Some of the "default" apps are so simple as to be childish. I guess they really are "sample" apps, like the timer. I want timer that works like Google Now. "OK Glass, remind me in 45 minutes to check the laundry. Not the clunky interface provided in current builds.

Wish List

OK Glass, Turn on Flashlight

I wish Glass had a "flashlight" mode. This would be super handy when I'm trying to peer into the back of the cabinets in the garage. Or maybe trying to work on the car of something where I need the light to see, but also need both hands free. Of course, this also requires new Hardware, so not something I'll be seeing any time soon.

I want a better way to build Glass apps. I understand why they are built the way they are (Glass runs Android after all), but I think there could be a better way to build apps. Like maybe some hybrid HTML/Javascript/DOM thing, that could be packaged up into an APK. Or even something more like the classic "Hypercard" paradigm. I think you could whip up a lot of pretty simple (but effective!) apps with this method, and then fall back to the Java API when you're app get's big enough.

There is no way to simply push information cards to Glass (at least none that I could figure out). Like things that I want to refer to without having to pull out my phones. Like recipes, shopping lists, lullaby lyrics. It's almost like I'm asking for better Keep integration, but I would take it in almost any form! I think this would be a really useful tool in the aresnal.


So I've not written a lot about Glass (2 long blog posts). But I don't feel like I've even scratched the surface. There are a lot of features that I haven't had a chance to use yet (like the Strava integration, or turn-by-turn nav). And they push software updates every month that will bring out new features and fix issues. So I'll keep writing about Glass as the mood strikes me and keep you updated on what I find out.

Google Glass: My First Few Days

I've now had Google Glass for almost exactly 3 days. Not enough time for a really worthwhile review, but I can at least give some first impressions.

How I Got It

Back in December, I found out that one of my friends got Glass. I was jealous. We chatted for a bit about it, and I then started really thinking about Glass. I finally put in for the Glass Explorer Program at the beginning of 2014. About 3 weeks later, I got my invite. As a big coincidence (or maybe not), I got my invite on the day my year end bonus got paid out.

It still wasn't a done deal at this point, I had my doubts. $1500 is a lot of money for an unproved product that I'm not really sure how I'll use. But what put me over was the 30 day trial. This way I would be able to try it out and see if it works for me.

My main uses cases were pretty straight forward:

  • Strava app for bicycling
  • Some way to put text in front of my when I need my hands free (cooking, etc.)
  • Capturing those moments with my son that would be hard with one hand holding the phone

The Struggles

I'll be honest. Glass is beta hardware. Even calling it beta might be generous. Reference platform maybe? In any case, I Was prepared for some rough edges and a learning curve. As of day 3, it's been a struggle.


I haven't worn glasses in over 8 years, since I got my eyes lasered. My nose and ears are still trying to get used to having this weight on them (they get sore!).

I'm also struggling to get used to actually wearing the darn things. The screen is constantly hovering above you right eye. Outside you normal vision, but right outside (so you can easily glance at it). I've been working everytime I put them on to get this placement right. Too low and you spend a lot of time looking through the screen. Too high and you can't see the screen, it's either blurry or not all of it.


For me, this is the most interesting part. How does wearing Glass affect how I interact with people, and how they interact with me?

First off, it's really hard to ignore the fact that you have a computer attached to your forehead. Makes me very self concious. Kinda like when I switched back to glasses after wearing contacts for 10 years.

I'm still not sure when I should wear Glass and when I should take it off. So far, family dinner is a "no Glass" time. I don't want that extra screen in between me and my family. This is inline with "no cell phone at dinner", I don't want the possible interruptions.

How about at drinks with friends? Or just sitting down and chatting? I'm kinda torn in these cases. It feels a little rude and disconnected to have this device between me, but on the other hand, if I take it off, what was the point in putting it on in the first place?

It's important to note that Glass is pretty unintrusive. The screen only comes on when you ask it to, either by touching the side of your head, or by making an awkward head nodding motion. In either case, everyone around you knows you're checking Glass.

I think these kinds of questions are part of the reason Google is keeping things exclusive. We (as a society) need to figure out the right way wearables change how we interact with each other, and figure out what's rude and what's acceptible. I don't have it figured out yet, and probably won't have it figured out by the end of the 30 days either. But it's very interesting to think about. Let me know if you have any ideas on this as well.


The battery life isn't that great. So far, I've gotten it to last until about 5. I'm still trying to figure out the best strategy to extend my battery life. In general, I think I need to turn it off if I plan on taking it off for an hour or more, I don't think the "suspend" mode saves enough power.

I also think the processor is a little under-powered. It feels a touch sluggish at times, especially when rendering web pages.

Also not 100% happy with Wifi performance. I seem to have a few dead spots in my house, where all my other devices work just fine. Probably had to sacrifice this to get the smaller form factor (smaller antenna).


I've only had it for 3 days. I've worn it around the house (where everyone already knows I weird), at the office (where wearing Glass isn't that unusual), and out once or twice. But not out on the street or to Targe or anything like that. I need to work up the confidence first.

So, will I keep it? Only time can tell. I'm 100% convinced that it's impossible for Glass to live up to it's pricetag. I've been viewing part of it's pricetag is the exclusivity, which is priceless. My friend put it the best:

It's also pretty cool to be one of the only people in the world with it - it's how i felt w/ my gmail addr initially ;)

More Glass reports coming. Stay tuned!

Nimbus (by Quirky)


I got a new toy for Christmas (thanks Mom and Dad!), a Nimbus. It's an internet connected mini-dashboard, designed to convey status of things to you at a glance. Basically 4 little dials with a little text display on each dial.

Out of the box setup was a breeze. Configured it to jump on Wifi via my phone and started setting up the dials. My current configuration is like this:

  • Fitbit steps (LCD shows step count, dial shows how close to goal)
  • Weather (basically temperature)
  • Commute time to work
  • Commute time home

It also handles things like # of unread emails in your gmail, # of likes on your last facebook post, etc.

So, pretty basic functionality in a pretty good looking pacakge. My only complaint is that the hands on the dial can be kind hard to read in low light. Maybe a later hardware revision will make the dial hands glow. One can only hope.

But that's not all. Earlier this month they release their own API to allow you to add custom data sources to your dial.


API design is hard. Most of the time when a company decides to add an API to their product, it's pretty much an afterthought. Maybe something they'll give to one of their junior programmers so they can check a box for Program Management. As a result, most API's are half-assed, hard to work with, and don't have 100% feature coverage.

Not this API. Somebody sat down and decided to do it right. The API has enough functionality that you can stop using the app on your phone to configure it. (Initial setup still requires the phone). This is in addition to defining custom data sources.

So I took the API for a spin last night. In about 2 hours (or so, I wasn't on the clock) I was able to hook enough stuff up to show stock prices on a dial. It was pretty amazing to see the commands running on my laptop and then within seconds the dials update.

Future Development

So I talked about the stock ticker data source. I think that's pretty cool, but there are some other things I want to see.

Remeber above when I used two dials, one for outbound and one for inbound commute? Why waste a dial? I know the times during the day in which I need to see what, so I'm going to program it up such that I can see my "to work" commute until about noon, and then my "to home" commute for the rest of the evening. I could even get fancy and start adding in commute time to other events (maybe reading it off gcal?).

I also have a BeerBug on order. Would be nice too hook up the data pushed from that (fermentation temp and gravity) to a dial. I could then know when the beer is done brewing by looking at the dial.

Got any other ideas? Let me know!

Api Docs: http://docs.wink.apiary.io/

One does not simply relaunch a blog...

I've been having the urge to start writing some more longer-form things. Things that just don't fit into the current social media landscape. Stuff that's too long for Facebook or Google Plus. So I've decided to revive the blog and use it as my outlet for some longer writing.

So, what kind of topics am I going to cover? Pretty much all the same stuff as before. Expect tech heavy coverage in things that I'm interested in:

  • Gadgets (mobile, TV, etc.)
  • Software (programming, hacking, etc.)
  • Projects that I'm working on in my spare time.

But I'll cover stuff beyond just this narrow scope. Anything that I find interesting is fair game.

Now of course, I couldn't just start writing again. I had to tweak some stuff in the software stack. And finish the migration away from VPS hosting to Amazon EC2 (as long as I'm changing things).

Blog Software

I've been slowy trying to reduce the amount of software I host and manage by moving things to hosted solutions. For example, I stopped with my own Gallery installation and moved to Picasa (now Google+). Less things for me to worry about.

I had looked into moving the blog to a hosted solution (Blogger, Tumblr, etc), but it didn't really work for me. But I wanted to still host the blog under hoopyfrood.net, still wanted my old links to work, and had to host some static content (not related to the blog). It could be done with a hosted solution, but it wouldn't have been idea. So hosted was out.

So, self hosting solutions. This blog had been powered by Wordpress for many years. But the thought of configuring MySQL again actually caused me physical pain. So I went looking elsewhere and was pointed to Ghost. Since it uses SQLite instead of MySql, I was on board with it (yes, that was my top selling point).


I hate migrating blogs from one machine to another. I'm a bad sysadmin. I keep no notes on how I set things up last time, so it's all brand new to me when I try and move to the new host. So this time, I tried something new.

Docker is a container management system. Basically you bundle everything up into a bundle, and then you can easily move it from system to system. When I spun up the new EC2 host, all I had to do was install docker (a one line command) and then start deploying my containers.

My (rather simple) workflow is to build the container on my laptop, deploy it locally, and test to make sure things work. Once I'm happy with it, I push it to my server and deploy it. And it works on the server just like it works on my laptop.

I'll write more about Docker in a later post, as this one doesn't even scratch the surface.

Now what?

Well, I think that's enough for the first post after the relaunch. I'll try and get another update out soon!