The MEGABUS

This story is best read while listening to this.

Rick was driving north on I-95, he had to find an uplink or this whole trip had been for nothing. "Rose, scan the vehicles ahead." His onboard computer sprang into action attempting to connect to internal networks of each and every car on the road around him. "No joy" she responded. All the cars either were too outdated to allow wireless access or detected their connection attempt and shut it down before they could get in. Rick sped past the cars in front of him, he had to find what he was looking for and these cars weren't going to help.

It had been three long weeks since he had access to the 'hub. Way too long for any self-respecting keyboard cowboy. Back in 2017 when the loss of net neutrality caused the global collapse of the internet as we knew it, all of the east coast had lost their uplinks to the internet. The Silicon Valley was the only place where you could get a reliable public connection and nobody dared to go there anymore. The internet wasn't dead, it was just hard to get to. Large corporations had the only uplinks and provided their own cell and wifi coverage to only their most elite customers. Having cast off the chains of debt and credit cards Rick was not considered an "Elite" customer. As a result it was hard to get online, and he had code to push.

Three quick "BEEP BEEP BEEP" sounded over the music, Rose flashed all the HUD's alarms. His modified 6LOWPAN radio had picked up packets from a speed trap up ahead. He toggled back on his transponder and slowed down to the regulation 75 MPH. 6LOWPAN was supposed to be the savior of the net, allowing us to put all our devices online in distributed low power mesh networks. At one point you could send packets from New York to Boston via the ip6 mesh. The powers that be had different plans however. Private security had taken over the spectrum. Civilians quickly lost access to private low power networks and if you ran your own you were accused of interfering with national security and shut down.

Once he was sure he was clear of the trap Rick switched off the transponder and increased to hunting speed. This made him invisible to the EZPass speed checkpoints that littered the highway every few miles. They'd have no idea how fast he was going. It randomized his UUID whenever he switched it back on and appeared to be just another vehicle on the road. This got him past tolls and checkpoints. Even in this day and age it took the government a few weeks to even notice anything was out of the ordinary. Any tickets they would want to issue ended up in someone else's inbox.

"Pay Dirt!" Rose exclaimed. A Fung Wah bus was up ahead and it had a connection to the net! Fung Wah had long since been shut down, but their buses still drove the roads. Their drivers were able to pick up the buses on the cheap after the company went bankrupt and had organized their own routes free of oversight and regulation. It was pretty lucrative. Luckily the bus's uplink hardware was valuable enough that it remained in service and if you rode the bus you could use it to connect to your own systems. Someone on this bus had it activated and was using it right now!

Rick pulled up alongside the bus in the driver's blind spot. If the driver or the passenger noticed him, either in real life or cyberspace, he'd be shut down, reported and locked out from all uplinks until he could cycle his hardware address and that took weeks. Rose started the connection attempt. It was almost too easy. He had his 128-bit address in no time at all, and routes to all the backbones populated almost instantly. It was never this easy. The passenger on the bus either had no security or had seen him coming miles away. "Fuck it, git push.. wha!?" Rick was cut off by a squeal of sound. The whole car shuddered and the smell of magic blue smoke sifted into his nostrils. The safety circuits kicked in and the car drifted slowly to the side of the highway. It stopped, dead. What happened! Had he been back hacked? "Rose!"

After what seemed like an eternity Rick was able to get the car to spring back to life. It took flashing the firmware in his starter circuits twice to get the engine running. Rose had detected the hack and shut everything down before the hacker on the Fung Wah bus could get too far. The navigation and scanning circuits were toast however. Not only were they hacked but the hacker had decided to pump emergency current into their subsystems and destroy $30,000 worth of equipment. Rose and the rest of his systems were fine. He could drive. And he better leave before any private security showed up to see why he stopped.

That was close but he couldn't give up.

"You won't believe this" Rose piped up. It had been two hours and they had almost reached their destination. Rick had feared they wouldn't be able to push any code tonight. "It's a MEGABUS". MEGABUS had been one of the few companies to survive the collapse. Every bus had power and material hookups at every luxury leather seat, and most importantly a corporate uplink connection active 24/7 for use by all passengers. Rick wasn't going to mess around this time. He killed his lights and activated stealth mode. Rose picked up and identified packets from all 36 of the passengers on the megabus. Most were encrypted but one was downloading a ton of data. Mostly facebook, twitter and netflix. Streaming video on the east coast!? Gluttonous. This guy wouldn't notice a little extra bandwidth. Rose cloned his MAC and carefully connected to the bus. Connections to twitter and the hub were successful. "I'm in" she reported. "Alright, easy now. cd johnny-five, git push origin master." Rose connected via SSH to github and started pushing binary blobs of robot control data. "Eta 137 seconds" she reported. Rick decided to tweet.

There was only 30 seconds left when the MEGABUS driver noticed him and pulled hard to the right, narrowly missing Rick as he slammed on the brakes. "We're losing signal!" Rose yelled out as the bus sped away. 20 Seconds! Rick sped up, this time right behind the bus. It slammed on its brakes, and broke off towards an exit. Rose quickly deduced the situation: "The Fung Wah hacker must have reported us to all uplinks in the area, they knew we were there from the second we pulled up!" Rick yanked on the wheel and slammed the pedal. Even if it meant leaving the safety of the highway he wasn't going to drop this connection. 5 seconds left! He pulled ahead of the bus and slammed on his brakes. Time for some of your own medicine! The bus's safety circuits kicked in and the bus slammed on its brakes, skidding to a halt before tapping Rose's bumper. It would need a visual inspection before it was allowed to drive again. "Git push complete."

Rick sped off into the night.

Conference Video roundup

I have a video of my talk at RobotsConf 2013!

I've also got a video of my informal session at JSCONF 2014!

And lastly (and most excitingly)

I have a video of Sara talking at jQuery Chicago 2014!

The One Place to Hang Out

I've been making my way through this presentation by Maciej Cegłowski

Some kinds of services are just crying out for decentralization. Fifty years from now, people will be shocked that we had one social network that all seven billion people on the planet were expected to join.

Imagine if there was only one bar in Düsseldorf, or all of Germany, and if you wanted to hang out with your friends, you had to go there. And when you did, there were cameras everywhere, and microphones, and you were constantly being interrupted by people selling you stuff. That's the situation that obtains with Facebook today.

Surveillance as a business model is the only thing that makes a site like Facebook possible.

All the parts

Yesterday at JSConf 2014 we had a nodebots event. (We also had noderockets, nodeboats and nodecopters.) One of my favorite bots is below.

laserbot 2

 

We have a lot of different parts here.

Facebook sponsored the entire event. So props to them for making it happen.

laserbot

I'm still hunting down the maker to get more info, but it blows my mind how simple it was to put all the different parts together.

–Francis

Our Two Visions

I've been doing a lot of outward thinking* lately about Wizard Development's vision. "Vision" means a lot of things to a lot of people, so I should specify. To me it means the general principles and goals by which everyone in our company should guide their actions. I believe that, in general, everyone is a nice person and will try to act accordingly. However, having specific and clear goals will help everyone work together. Here are Wizard's:

Outward Vision: To help small businesses' dreams come true by building tools and applications which allow them to be more impactful in their business.

Inward Vision: To teach ourselves and each other to be the best developers we can be, and for our company to be a model of how we'd like our industry to operate.

People are solving problems all around us all the time. Small businesses are usually local and employ our friends and neighbors. By meeting the needs of their community small businesses  strengthen them. By moving their operations out of clunky tools (like Excel and email) and into custom applications, we enable them to do a lot more with a lot less. This should, in turn, benefit the communities they serve.

I speak a lot about wanting a diverse team. When I first explored starting Wizard Development, I wanted to hire a small and diverse team of senior developers so we could hit the ground running and tackle gigantic, complex problems. When you have a diversity of people, you get a diversity of ideas and ultimately that leads to a stronger team, stronger products, and just maybe stronger people. Unfortunately, diversity in senior developer roles barely exists. Software development has abysmal numbers in the categories of age, sex and race. This means that in order to get that senior team, I'm going to need to hire a diverse team of junior developers and help them grow.

I don't think I could do this without the help of my developer community. These people, many of whom I've worked with professionally and in Open Source software, have become my friends. A lot of them run events with the goal to educate and empower. Some of them have become amazing teachers. Others spend all their time solving problems for all our benefits. I want to link you to some of these people's work, but they have so many projects I don't know where to start. Most importantly we share some common values: Teaching, Learning, Inclusivity, and Acceptance.  I've already tapped a few of these wonderful people to help Wizard grow in both our business and our training. I can't wait to see how we can start giving back.

And so I'm putting my money where my mouth is and hiring a diverse junior team. My partner Sara just graduated from the Flatiron School's Brooklyn Web Development Fellowship (BK-000). During her 5 month course she introduced me to the brightest minds I've ever met. The Fellowship did the hard part of diversifying the industry —  they selected a class of students with a population representative of New York and gave them a fundamental understanding of computer science and web development. I had the luxury of watching them learn and seeing their curriculum, and I'm excited. They graduated two days ago and they are now entering our industry. My first job offers are going out to them.

I'm really looking forward to refining these two visions as we work together. =)

–Francis

* It's when I think about something and tell everyone about it, over and over.

Multiple Domain Tracking with Segment.IO and Mixpanel

At One Month, we've chosen to operate our app across several domains depending on what course you're taking. (OneMonthRails.com, OneMonthHTML.com, or the primary domain OneMonth.com)

As a result, we broke a lot of the tracking we use to figure out how people are using our site. We use a service called Segment.io that abstracts away a plethora of providers including Mixpanel, Google Analytics, and Customer.io. Segment.io provides analytics.js, a nice, well-documented open source library that we make a lot of use of.

Problem

The crux of the problem is that analytics.js (and every service it supports) leverages a cookie to uniquely identify users. Cookies are local to the domain that served them. As a result you'll be identified as someone new on each domain of ours that you visit. If, for example, we wanted to see how many users were getting stuck trying to log in from the OneMonthHTML.com homepage, we wouldn't be able to tell who visited the homepage and then tried to log in, as the login happens on onemonth.com. We'd see them as new people during each step.

To work around this we'll need to move the responsibility of identifying users to a single domain, in this case onemonth.com. We'll also need to modify analytics.js to ask onemonth.com for the user's unique ID and use that on our other domains.

Cross-Origin XMLHttpRequest

There are a number of well-thought-out security attacks around allowing JavaScript from other domains to run on your site. Because we own all the domains in question we don't need to worry about most of the issues. I opted to go for an asynchronous approach using Ajax and CORS. This required a little server-side support. I'll save the details for another blog post, but you'll need a route on your primary domain that does the following:

— Returns a unique id for the user (saved in a cookie)
— Has the proper CORS headers for your secondary domains
— This id should also be available for calls to `identify()` on pages served from your primary domain.

All this will enable analytics.js to ask for the ID of the user before sending tracking events. Now on our secondary domains we have the following JS.

It defers loading analytics.js until we have an ID and forces the identify call to be processed before calls to `track()` or other functions. In a future version we'll probably write our own `track()` that doesn't process until after the user has been identified. Both approaches allow other parts of our app to track events without knowledge of our identify scheme.
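An added example of the scheme described above (not the original post's code): the header logic for the ID route on the primary domain, and a wrapper for the secondary domains that holds `track()` calls until `identify()` has run. The `https` origins, the JSON response shape `{"id": ...}` and all function names are assumptions.

```javascript
// Added example, not One Month's code. Origins and response shape are assumptions.

// --- Server side (primary domain): headers for the ID route ---
const ALLOWED_ORIGINS = new Set([
  'https://onemonthrails.com',
  'https://onemonthhtml.com',
]);

// Returns the CORS headers to attach, or null when the Origin is not ours.
// A credentialed request (one that carries the ID cookie) is refused by the
// browser if Access-Control-Allow-Origin is "*", so echo the exact origin.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null; // exact match: scheme, host, port
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from replaying one origin's headers to another
  };
}

// --- Client side (secondary domains): hold events until the ID is known ---
function deferredAnalytics(analytics) {
  let identified = false;
  const pending = [];
  return {
    track(event, props) {
      if (identified) analytics.track(event, props);
      else pending.push([event, props]);
    },
    // Call once with the ID returned by the primary domain.
    setUserId(id) {
      if (identified) return;
      analytics.identify(id); // identify is always processed first
      identified = true;
      pending.splice(0).forEach(([e, p]) => analytics.track(e, p));
    },
  };
}

// Browser-only wiring: ask the primary domain for the ID, sending its cookie.
function requestUserId(url, onId) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url);
  xhr.withCredentials = true; // without this the cookie is not sent cross-origin
  xhr.onload = () => {
    if (xhr.status === 200) onId(JSON.parse(xhr.responseText).id);
  };
  xhr.send();
}
```

Because the allowlist is an exact string match, an origin that differs only by port is treated as a different origin and gets no CORS headers.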

Broken but solvable things

— Mixpanel Super properties are stored in cookies and don't follow across domains
— Initial referring domain on events often reflects one of our own domains

It would be cool if we could work this scheme and the fixes for super properties and referring domains into an extension of analytics.js. But that's something for next time.

–Francis

Wild West Mail Delivery in the Age of Bitcoin

If you saw me talk at ManhattanJS you know I have a dream about a decentralized mesh network that supports decentralized applications that cater to our decentralized behaviors.

There are a lot of parts to this dream: the hardware, the network, the software, the apps, the critical mass. All sorts of things. A ton of things. So I have to start somewhere. hackerchat should be the app with some pluggable network backends. The two backends I have are one that works on the local network, and one that works over mesh'd xbees.

Say later we figure out a way to have a truly decentralized network. Say a cellphone to cellphone alternative radio network. (GoTenna seems to be doing this btw.) Maybe bluetooth to bluetooth? I like these ideas, they get us a Mobile Ad Hoc Network. We'll need a routing scheme that incentivizes efficient delivery and tolerates extremely high latency, all while keeping security in check.

I'm going to start with incentivizing efficient delivery by leveraging a cryptocurrency (like bitcoin or namecoin) and its blockchain.

I posted this to the bitcoin stackexchange.

The problem

I'm exploring having a bitcoin (or any blockchain) backed distributed secure messaging system.

This is a peer to peer network that would pay for transport. In essence, it's the wild west, your key pair is your wax seal, and you've given someone $10 to deliver your letter back home to New York. I want to use Bitcoin to hold that $10 in escrow until the letter has been delivered.

I know Bitcoin can do multi-signature transactions but I'm not positive Bitcoin can do what I want, so I turn to this community.

Bitcoin gives us public and private keys for secure message delivery.
Bitcoin gives us the ability to pay people for transport.
We have 3 parties involved. A courier, sender and receiver.
We also have two transactions. One of the message from sender to receiver (or a key for said message), and one of the payment from sender to courier.
I'd like to ensure both transactions happen simultaneously. Without trust.

The Answer?

I got a cool answer but it required some trust. Over dinner I came up with a possible solution.

Seth wants to send Martha a message and is willing to spend 10 BTC to see it delivered. Charlie is happy to deliver it from South Dakota to Michigan at that price. Seth would like to ensure the message is delivered and Charlie wants to ensure he gets paid for his trouble.

They could do the following:

  1. Seth signs and encrypts the plaintext message (m1) to Martha into a ciphertext message (c1) using Martha's public key and his private key.
  2. Seth further encrypts the ciphertext message with a nonce (n1) into a new ciphertext message (c2)
  3. Seth builds a bitcoin transfer (t1) and adds the nonce (n1) to the transfer's comment section and signs it. (t2)
  4. Seth then encrypts the signed transfer and nonce (t2) with Charlie's public key into a new message (t3).
  5. Seth then encrypts both the encrypted transfer (t3) and the nonce encrypted message (c2) with Martha's public key. This final package is good for shipping (c3)
  6. Charlie takes our package to Martha, it's a long trip but the 10btc is worth it.
  7. Martha decodes the package (c3) into its parts: the encrypted transfer (t3) and nonce encrypted message (c2)
  8. Martha gives Charlie the encrypted transfer (t3)
  9. Charlie decrypts the encrypted transfer (t3) into the signed transfer and nonce (t2)
  10. Charlie tells everyone on the planet about the transfer (t2) including Martha. He wants to do this so people know he has the money.
  11. Martha takes the transfer (t2) and extracts the nonce (n1) and uses it to decrypt her message (c2) into the signed message (c1)
  12. Martha then decrypts the message (c1) again with her private key and gets Seth's letter (m1)

Let's see if I can make this a truth table:

Seth
(m1, seth_pk, martha_pub) => c1
(c1, n1) => c2
(t1, n1, seth_pk) => t2
(t2, charlie_pub) => t3
(t3 + c2, martha_pub) => c3

Martha
(c3, martha_pk) => t3, c2

Charlie
(t3, charlie_pk) => t2

Martha
(t2) => t1, n1
(n1, c2) => c1
(c1, martha_pk) => m1
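The layering in the steps and table above, as an added runnable example (not code from the original post), using Node's built-in `crypto` module. The post names no algorithms, so RSA-OAEP wrapping an AES-256-GCM key for the public-key layers, AES-256-GCM keyed by n1 for the nonce layer, the placeholder object standing in for the bitcoin transfer t1, and all function names are assumptions.

```javascript
const crypto = require('crypto');
const b64 = (s) => Buffer.from(s, 'base64');

// Symmetric layer (AES-256-GCM): decrypting with the wrong key throws.
function lock(key, text) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return [iv, ct, c.getAuthTag()].map((x) => x.toString('base64')).join('.');
}
function unlock(key, packed) {
  const [iv, ct, tag] = packed.split('.').map(b64);
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}
// Public-key layer: RSA-OAEP wraps a fresh AES key that locks the payload.
function seal(pub, text) {
  const key = crypto.randomBytes(32);
  const k = crypto.publicEncrypt(pub, key).toString('base64');
  return JSON.stringify({ k, body: lock(key, text) });
}
function open(priv, sealed) {
  const { k, body } = JSON.parse(sealed);
  return unlock(crypto.privateDecrypt(priv, b64(k)), body);
}
const sign = (priv, text) =>
  crypto.sign('sha256', Buffer.from(text), priv).toString('base64');
const verify = (pub, text, sig) =>
  crypto.verify('sha256', Buffer.from(text), pub, b64(sig));

// Steps 1-5: Seth builds c3. t1 is a placeholder, not a real transaction.
function sethPackage(m1, t1, seth, marthaPub, charliePub) {
  const n1 = crypto.randomBytes(32).toString('base64');
  const c1 = seal(marthaPub, JSON.stringify({ m1, sig: sign(seth.privateKey, m1) }));
  const c2 = lock(b64(n1), c1);
  const body = JSON.stringify({ t1, n1 });
  const t2 = JSON.stringify({ body, sig: sign(seth.privateKey, body) });
  const t3 = seal(charliePub, t2);
  return seal(marthaPub, JSON.stringify({ t3, c2 }));
}
// Step 7: Martha splits the package; c2 is still locked under n1.
const marthaUnpack = (c3, marthaPriv) => JSON.parse(open(marthaPriv, c3));
// Step 9: Charlie recovers the signed transfer t2, which carries n1.
const charlieReveal = (t3, charliePriv) => open(charliePriv, t3);
// Steps 11-12: Martha checks Seth's signatures, then peels c2 and c1.
function marthaRead(t2, c2, marthaPriv, sethPub) {
  const { body, sig } = JSON.parse(t2);
  if (!verify(sethPub, body, sig)) throw new Error('transfer not signed by Seth');
  const c1 = unlock(b64(JSON.parse(body).n1), c2);
  const { m1, sig: msgSig } = JSON.parse(open(marthaPriv, c1));
  if (!verify(sethPub, m1, msgSig)) throw new Error('letter not signed by Seth');
  return m1;
}

// Constructed run of the whole exchange with throwaway keys.
function demo() {
  const kp = () => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [seth, martha, charlie] = [kp(), kp(), kp()];
  const c3 = sethPackage('Dear Martha', { to: 'charlie', btc: 10 },
                         seth, martha.publicKey, charlie.publicKey);
  const { t3, c2 } = marthaUnpack(c3, martha.privateKey);
  const t2 = charlieReveal(t3, charlie.privateKey);
  const m1 = marthaRead(t2, c2, martha.privateKey, seth.publicKey);
  return { m1, c3, t3, c2, t2, seth, martha, charlie };
}
```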

The major problem I see is that this isn't composable. Charlie couldn't give the package to someone else and offer to pay them a smaller sum to complete the delivery. But I think we could switch this up so it could be composable. I also need to look into Bitcoin Contracts, which give a ton of power to a bitcoin transaction and might negate the need for such a complex process.

I keep thinking about the Diamond Age, it had some cool stuff about crypto and networks. Back to dreaming!

–Francis

NPM Wishlist

I don't write a ton of nodejs modules. I work on a few*, and I don't even work on them as much as I'd like. However I do end up using a ton of them. Here are some cool things I'd like to see that would make my life easier as a node developer.

Historical Versions

We see the latest readme, and the latest version number, but no info on the old versions. You'd have to go download them and check their readmes and docs.

More support for docs

The readme is awesome but I'd love to be able to link to a doc site. The `man` option is cool but widely unused. Web docs may vary widely in quality and scope but they're googleable and have become a staple.

The 'directories.doc' directive mentions linking to a markdown formatted file that might get displayed in the future. That is also not widely used but would be a step in the right direction.

Finally, I'd like to have versioned docs. I'd like to be able to see the readme and docs for a package at any point in its life. Often I find a lot of modules in use that are out of date and even if there are good tests which might make upgrading easier, upgrading a module so the docs are relevant is silly.

That's it?

That's it for now. It's not a lot to wish for. NPM is in great shape and I'm quite happy with it. =)

–Francis

* johnny-five, node-serialport, firmata-pi

The internet is fucked?

On the NY Hack and Tell mailing list we've been discussing the recent news of Netflix paying Comcast for bandwidth. The two sides of the debate seem to be:

Netflix had a cheaper inadequate backbone provider who doesn't have fast enough uplinks to major providers. Deals between providers can be anything they want, and Netflix just sidestepped the issue and got their own connection to Comcast.

Comcast is pushing smaller backbone providers out by pricing uplinks too high, forcing their customers to deal with them directly. Comcast is already being paid by their customers so this deal with Netflix is essentially double dipping and sucks for competition and business.

James, the instigator of this debate, linked to a Verge article that stresses making the internet a "common carrier".

Someone asked "If the internet were considered a utility, like electricity and water, would we be okay with metering it and paying per bit transferred?" and I had to jump in.

You know what? I would be. I'd be ok paying for what I use if there was a market that could set the price. Currently it's all about bandwidth speculation. For wholesale electricity there are 3 parts to your bill.

  1. The delivery fee, this covers the power lines and substations etc.
  2. The demand charge, this is calculated by the highest 30 minutes of usage during the billing cycle, they need to keep a % of that on hand in case you decide to spike again.
  3. The usage charge, the $ per kWh; this fluctuates as different zones have different transfer points with different limits and generators are all over the map. This is also public and available 24 hours to 15 minutes in advance depending on how you bill.

Commercial internet works similarly to retail internet. I pay for the speed of my connection and I get to use it as much as I want. If I get a connection to a service provider I'll also pay them for an uplink to their backbone; data limits, speeds, who they're connected to, all factor into that contract. It's all upfront and I get to pick and choose. These two parts are of course often bundled together. If I'm in a datacenter already I may just be paying to patch a cable to another cage and then paying for the bandwidth. The key point is choice.

So we have an open market for commercial internet, just not retail. I'm curious what an open retail market would look like.

There are some great responses and I look forward to seeing where this goes. =)

–Francis

CORS issues always take 2 more hours than I think

Protip: Cross-Origin Resource Sharing headers are sent slightly differently between Firefox and Chrome when hosts have a non-standard port.