In order to reduce my risk of being phished or otherwise have my account(s) hacked, I decided to get a Yubikey for my personal laptop. We use them at work, work is paranoid, if it’s good enough for them it is good enough for me.

So I bought a Nano4 and a NEO. I want the Nano4 so that it just stays plugged in by default, and the NEO has NFC so it can talk to my phone and tablet if I am authenticating from there. Both of these come with way more capabilities than I need, but they are the only two keys that can stay plugged in and support NFC.

Those way more capabilities are a problem because they’re all enabled by default. One authentication method that I’m not using is OTP — long press on the Nano4, and it burps a string of characters as if I had typed them. “Long Press” is what you get if your hand rests over your USB port, if it touches your leg, etc. Yubikey made a mistake here; almost certainly, the new customers for this gadget will be people less technical than me, and (more alarming) less technical than the tech support guys at work who hand these out (preconfigured) for our use, who also didn’t have an immediate answer to this question. Nobody’s going to want OTP configured, it’s incredibly annoying.

But, here you are, like me, you have your shiny new Nano4 and it does this annoying thing. How to fix? You need the YubiKey NEO Manager.

When you start it, it shows a window whose “Change connection mode” button will include “OTP”. It’s pretty obvious from here: click the button, make your choices, follow the instructions (the key has to be removed and inserted) and you will be done, and none of the U2F associations you’ve already made will be bothered (i.e., it will work exactly the same except that the annoying OTP typing burps will be gone).

If you don’t need NFC, or don’t need the key always resident in the laptop (that may have been a mistake; we use them several times daily at work, but I don’t for my personal account) you can save money and avoid this by instead buying a FIDO U2F Security Key. U2F is what Dropbox and Gmail use. I’m still working on figuring out how to not use text messages to my phone, since some of these services require both phone (which can be socially hacked from your provider, though that is well beyond normal phishing). One choice for some accounts is Google Authenticator (for a Mac); to use it requires physical access to the phone, not the account.

I would add that at this point I feel a need to draw myself a graph of services and authentication methods and password managers (that can store data in the cloud on these services) to be sure that my access protection is “just right” — not so weak that it’s trivially hacked by phishing, not so strong that if I lose a single phone or key I am screwed.

Other stuff I use to help secure my laptop: Little Snitch (intercepts network connections) and Little Flocker (intercepts file I/O — i.e., ransomware).

E-bike owners survey

November 15, 2016

I’m writing an article on e-bikes for the Belmont Citizens Forum, so I need information from e-bike owners.

I don’t own one; I ride a cargo bike, so I don’t have any first-hand experience.

I’ve put the questions here so that people can answer them in the comments, and so that they can send the link around to other e-bike owners.

I’m most interested in feedback from people in the Boston metro area, but feedback from other areas helps, especially if you can provide contrast with Boston (e.g., it’s hilly in West Virginia, it’s very snowy in Buffalo, it’s hot in Houston). If you prefer not to answer in the comments, you can mail them to me at dr2chase@mac.com.

  1. What motivated you to try an e-bike? Was a hill too steep, or a commute too long, or were kids too heavy, or did you need to arrive at work not too sweaty?
  2. Have you had your bike for long? Is it reliable?
  3. What kind of bike is it? (for example, Pedego, Specialized, or some brand of electrified cargo bike?)
  4. Can you describe how you use your e-bike? That is, do you ride for fun, or for commuting and errands? Do you ride every day, once or twice a week, or less often? Are there hills or long distances involved? Do you carry heavy loads, or children?
  5. How does the e-bike help this?
  • May I use your name or initials in the article?
  • May I describe your situation in some detail, rather than general terms?
    For example: “AR commutes year-round from a steep hill in Belmont to Kendall Square in Cambridge, carrying two small children in a ButchersAndBicycles tricycle to drop off at day care along the way”

Thank you for your time. If you would like a copy of the article, please mention that in the comments or email.

Charitable plans

November 12, 2016

SPLC, NAACP, CAIR and/or ICNA, Planned Parenthood, Lambda Legal, Trans Lifeline.

and ACLU, EFF, National Popular Vote.

Any other suggestions? I think I’m a little light on defending rights of immigrants.

Oops — As JF points out in email, ADL.

I’d also like to fund organizations doing voter registration work, especially in swing states, especially in states where Republicans narrowly control legislatures and/or executive. We need to reduce the amount of gerrymandering in this country, we need representation in the House of Representatives that more nearly reflects the popular sentiment, and we need to ensure that we are well safe from crazy constitutional amendments (a constitutionally mandated balanced budget would be a macroeconomic disaster; recessions would turn into depressions).

I realize I am setting myself up for a deluge of please-help-our-worthy-cause solicitations, both electronic and paper. We get those already; the plan is to set up a spreadsheet, and just give once a year, every year.

People will live in electric vans

Reading an article about people in Silicon Valley living in cars (didn’t save the reference, go look for it) and noticing that there was no plan to build new housing fast enough to meet demand, it occurred to me that (necessity being the mother of invention) there would be innovation in the world of cars-for-living-in.

I thought about this a little more, and realized that electric vans (camper vans, minivans, step vans, not sure exactly what) were likely to hit the sweet spot for this. So many things go better with electricity, especially nowadays. Electricity runs lights, computers, fans, phones, electric blankets, in a pinch it can even run air conditioning. And it does all this quietly, with no smells. Gas powered cars can supply a little power for a little while from their batteries, but they’re small, and the usual way to recharge them is to run the engine when there is otherwise no need. Mechanical constraints to get power to the wheels usually force the floor of the car (or van) relatively high above the ground, reducing interior headroom.

Electric cars have comparatively huge batteries, and will certainly be able to refill at charging stations (and some employers even provide these for free, at least for a little while more), or at relatively low cost from someone else’s electric power, and there is always the option of solar (especially in sunny places like Silicon Valley), especially on the squarish roof of a van. Rooftop solar wouldn’t provide enough energy for a lot of driving, but it would cover consumption by electric amenities. Because power can be distributed to the wheels through wires instead of mechanical axles, the floor of the van can be relatively low to the ground (this is a really good idea anyway for a delivery van) which provides a lot more headroom inside.

It’s possible that a self-driving van could also dodge overnight parking restrictions by driving very slowly on low-traffic streets, automatically pulling over whenever faster traffic approached from behind (5mph or less, to conserve energy, minimize motion for sleeping passengers, and maximize safety).

If I can think of this, I’m sure someone else is already working on this. Anywhere that artificial restrictions on housing supply cause prices to spike, this could be an option.

After a little more thought, this: “Neighborhood Electric Vehicles”. A weight budget of 3000lbs, but no need for a high-strength frame or collision crumple zones gives you room to work with (old VW vans weighed much less than that).

Avoid Paypal

August 29, 2016

I’ve been using Paypal intermittently for years, but recently encountered a problem so severe that I am now trying to terminate my account completely. The fact that I cannot, and that they cannot tell me why (without contacting “customer service”, as if I expect that to be productive) is one of the reasons why.

What precipitated this was two things. First, I moved my primary bank account from the credit union whose only remaining branch was a 30-minute drive away, to one a short walk from work, and our credit card company “upgraded” (?) us from MasterCard to Visa. Over time I took steps to upgrade all my recurring payments and stored credit cards. Most organizations would let me know if they had been missed, and I’d fix it, and poof, it was done.

Except PayPal.

For months, every attempt to remove the deprecated (now closed) bank account produced a message “Sorry, you can’t remove this bank account because of a pending transaction. Please try again later”. Same for the defunct credit card. This continued for months. I managed to find the place where the primary bank and credit card were configured, I changed those to be the new ones. I found the place where the recurring and preauthorized transactions were listed, and I canceled all of them, and went to the vendors at the other end to update their payment methods to a credit card (happily, I have a leftover credit card from oldest child sent to college, he’s employed, married, and working on a retirement plan, and it is perfect for this – low credit limit, almost never used, this cuts the risk both to me and my credit card company should any of the recurring-payment people be less secure than we might want). So, those two accounts have been deselected from everything, all the recurring payments are shut down – and no change. Still can’t delete the dead accounts.

Note that nowhere in the message from Paypal does it suggest that I can do these other things; I did have one shot at “customer service” and they told me about making sure that the old accounts were not the primary funding source – but that didn’t work.

So, given proven incompetence on the part of Paypal, it seems pretty wise to sever all ties with them, how do I know my money is safe, it was foolish of me to ever give them access to any of my money. But when I hit the “close my account” button, I get:

Before you close your account
Sorry, there’s a problem. If you keep seeing this, please contact customer service.

I’m not entirely sure what to do next. I may talk to my bank; I really don’t like the idea of these guys having access to my money, and I’m virtually certain that in the EULA that I didn’t read I consented to binding arbitration bullshit, and that’s just way the hell too much exposure to someone else’s incompetence.

On June 22 Cambridge held a public meeting on traffic in Inman Square. I did not attend. I did receive a pointer to the presentation. The next day, a woman on a bicycle was killed in Inman Square, perhaps first doored, certainly run over by a landscaper’s truck.

Preliminary comments.

Slide 4, I see counts of “traffic volumes” measured in “vehicles per day”.
Which of the following is “vehicles”:

  • bicycles only?
  • cars and trucks only?
  • bicycles and cars and trucks?

I see no pedestrian counts, which seems like a major omission.
I also see no breakdown by turns, which makes it difficult to know how much of a priority to place on turning traffic.
I also don’t see any information about existing light timings.

For slide 13, the only group for whom “increase efficiency” is a concern is “Vehicle”, and I suspect that really means “Motor vehicle” since “Bicycle” is a separate category. This seems like a major omission, since you have apparently not measured either the bicycle traffic or the pedestrian traffic, we don’t know if optimizing motor vehicle efficiency reduces the total time wasted at this intersection, and it might well compromise safety. Lacking any other information, I think we must assume that each person traversing this intersection is equally important.

It’s also important to notice that attempts to “increase efficiency” for motor vehicles here could be pointless. This intersection doesn’t exist in isolation; it is connected to the rest of Cambridge, which is also filled with traffic jams. In contrast, both bicycles and pedestrians flow freely through the rest of Cambridge (I bicycle commute on Broadway or Hampshire every working day of the year, I have video) so impediments removed here would result in actual gains.

One efficiency problem that could be addressed with no infrastructural changes is locally-greedy misbehavior by drivers; people frequently enter the intersection without a clear path to exit it, resulting in a blocked box when the light changes (bicycles are less affected by this; again, I have video). Drivers also speed fruitlessly (later to be passed in a line of stopped traffic by a fat old man on a huge heavy bicycle, so truly useless speeding), endangering everyone. In both cases, the remedy for locally-greedy misbehavior is enforcement; tickets for blocking the box, tickets for speeding, tickets for running red lights. Automated enforcement is probably more cost-effective than staffing the intersection every day at rush hour.

Another thing I saw no mention of was the role of parking in reducing safety. The door zone is a constant worry to cyclists, and the space allocated to parked cars also reduces options for creating safe places for cyclists to ride.

Other questions that need answering:

  • I know that buses use Hampshire. How many people use those buses, and how much delay (summed over all the bus passengers) results from that delay? That’s another thing we should optimize.
  • There’s a lot of bike traffic on Hampshire, especially at rush hour. If we knew the range of trip distances for people traversing Inman Square in cars (especially at rush hour), we might get some idea of the potential number of bicycle commuters that would use Inman Square if it were less dangerous and more pleasant (it is one of the more significant unpleasantness bottlenecks in Cambridge).

Given what looks like a severe case of car-centric tunnel vision by whoever prepared these slides, I think that someone needs to start over again, perhaps doing the mental exercise of banning cars and seeing what sort of intersection results. (That’s not quite a serious proposal for an intersection design, but it is definitely a serious proposal for being sure that something other than cars-cars-cars is considered.)

My choice for a starting point would be to de-emphasize traffic “efficiency” for single-occupancy vehicles since those are the least-efficient users of scarce road space, the most needy in terms of a clear path to travel, and relatively dangerous to other people on the roads. Buses are space-efficient, very safe for their passengers, necessary for the less-able, and a good backup choice in nasty weather. They’re not a good thing to crash into, but their drivers are trained professionals, and risk-to-others is amortized over all the passengers on the bus and thus is not that large per passenger. We should remove enough cars from the road to ensure that buses are not impeded. Both bicycles and pedestrians are very space-efficient and though neither mode is risk-free, they are very safe for other people, and they’re also able to cope with narrow paths and impediments that completely block automobiles. I would therefore do as much as possible to make those two modes attractive. When I look at all the somewhat-unused space in Inman Square, my reaction is to try to find ways to use that space to make things better for pedestrians and cyclists, instead of trying to use it as more places for cars to drive on.

Hypothesized mechanisms for “safety in numbers”

Safety in numbers is a cycling safety rule that says that the more people ride bikes, the safer each rider will be. Hypothesized mechanisms include (1) driver familiarity – because drivers more often see bikes on the road, they become better-trained to see them on the road and (2) driver empathy – because so many drivers also ride bikes, they are more aware-of/concerned-about bicycle safety issues. (Here’s a nice pile of pointers to papers, tracked down by a real live researcher.)

I think both of these mechanisms are entirely possible, but riding an actual bike in actual traffic in actual crowds of cyclists, I’ve noticed what looks like other ways that greater numbers provide safety. In at least one case I’ve captured it on video. The difference between these mechanisms and the others that are hypothesized is that they are extremely short term – “safety in numbers” can appear whenever there is a biking crowd and disappear as soon as it disperses. These are also somewhat more likely in crowded urban areas and depend somewhat on the existence of traffic jams.

The first mechanism I might call “schooling” (after Bike Snob’s “shoaling” and “salmoning”). Bikes riding in a line are schooling, and for several common cycling hazards, most of the risk is borne by the lead fish, and the rest get a free ride. If someone in a parked car is not looking for bikes and is about to open their door, but then a bike zips by, it’s not unreasonable that they would be startled, and maybe then look to see if it was clear – and if the bikes are schooling, all the followers get the benefit of that. The dooring risk is almost entirely on the lead cyclist. Similarly, cars pulling into or across traffic represent a threat only to the lead cyclist, and very little to the ones in the rear. A line of bikes is also somewhat protective against right hooks, since those usually occur when a driver thinks they can overtake a bike and turn right, or forgets the presence of a single bike. With a line of bikes, once the first is across the side street, it is obvious to the driver that a right turn is not possible.

A second method is less obvious, but safety decreases markedly in the range of speeds between the slowest and fastest typical commuters. A low-speed (below 10mph) crash is stupidly survivable; you can almost step off your bike as it falls down. A high-speed crash (above 20mph) is far more likely to send you to the hospital or worse. Bike lanes at rush hour tend to run single file for some distance, usually because the bikes are hemmed in between parked cars on the right and “parked” cars on the left. Inevitably, some riders will be slower than others, and the inability to pass then compels the would-be-faster riders behind to slow down until they can pass. This makes them safer, whether they like it or not. This, I’ve seen on video, where I play the role of impatient rider. The probability of this delay and the difficulty of passing both rise pretty quickly once there’s more than a couple of riders delayed behind a slow leader.

After dark, a school-of-fish also multiplies the effectiveness of any lights that cyclists might be using. Just considering use of lights and not, if an unlit cyclist pairs up with one using lights, they can obtain most of the safety benefit of the lights. When two cyclists both have lights, the variations in their movement or in the flashing style of their different lights will create additional visibility over a single cyclist; for example, one cyclist’s flashing light might draw attention, but the other’s steady light might allow a driver to accurately locate the pair. Not nearly as many cyclists ride at night, but bicycle lighting use in the US is not nearly as good as it should be, so there’s plenty of room for this to help.

I don’t know if I’m typical, but if I’m riding at night and overtake another cyclist without lights who’s not too much slower than me, I’ll slow down to give them the benefit of my lights. I’ve even done this with a (impressively fast and competent) rollerblader caught out too late on the local multi-use path.

The interesting (to me) thing about these is that they can work in the US, they take no time to work, and they take no change in driver empathy or enlightenment. And if a crowd of bikes disassembles, then the safety effects do as well. The effects should appear most often at rush hours, when the largest number of bikes are on the road and when they are most hemmed in by traffic.

A historical/hysterical note is where the idea for safety-in-numbers comes from, and why we assume its existence even when we’re not entirely sure how it works. Once upon a time, when Effective Cyclists were peddling their prescriptions for safer cycling (ride in the road, in traffic, just like the “vehicle” that bicycles legally are, and that legal status is a good thing for which the EC movement certainly deserves some credit) the counterexamples of “the Dutch” and “the Danes” came up, where many people often ride bikes on lanes entirely separate from auto traffic, with crash fatality rates 5 times lower than ours. The EC people were very good at finding and/or interpreting studies that “proved” that if only the Dutch would get rid of their separate facilities, they would be even safer than they are now, that in fact their extraordinary safety must have some other cause. (This might even be true, but nobody’s ever managed to get more than about 1% of the population to bike in an “Effective” style.)

And what was the obvious difference that might be the cause of that anomalous safety? “Numbers”. It must be “Safety in Numbers”, assumed to exist to fill a (huge) gap between theory and reality. This was convenient for the Effective Cyclists because they got to continue to feel correct about their prescriptions (“just you wait, once everyone here rides bikes, we’ll be the safest cyclists on the planet!”) but now this same hypothesized mechanism is used to justify creation of cycling-specific infrastructure that Effective Cyclists hate (“we’re tired of waiting, EC is phenomenally unpopular and we’ll never get the numbers that give us the safety we want if we do it your way. And by-the-way, global warming, particulate pollution, pedestrian deaths, urban congestion delays, traffic noise, and public health, we need this now. Infrastructure will get butts in saddles and safety-in-numbers ‘proves’ that they’ll be safe.”)