Friday, June 25, 2010

An interview with me about The Geek Atlas

This appeared on CNET this week:

Last week, Graham-Cumming took 45 minutes out of his schedule to sit down and talk over instant message with me about the book, his approach to traveling as a geek, and why his shyness didn't stop him from getting the British government to apologize for its terrible treatment of the famous scientist Alan Turing.

Q: Welcome to 45 Minutes on IM. How did you come up with the idea for the "Geek Atlas"?

John Graham-Cumming: I came up with the idea while working in Munich when I visited the Deutsches Museum. I had never heard of it, and I discovered it's a fantastic science museum that clearly rivals places like the Science Museum in London and the Air and Space Museum in Washington, D.C. I thought to myself: someone must have written a travel book for nerds. A Lonely Planet for Scientists. I really wanted it because I was embarrassed that I didn't know about the Deutsches Museum. That evening I made a list of places I'd been around the world and came up with about 70. From that, the idea of the "Geek Atlas" was born.

Read the rest here.

Wednesday, June 23, 2010

Lots of domains are using crackable DKIM RSA keys

Whoops. The other day I posted that Facebook's DKIM RSA key should be crackable.

They are not alone.

Jim Fenton has done an analysis of keys seen in the wild.

Tribute to Alan Turing by a Second World War WREN

The following letter and poem were received by Bletchley Park. They were written by a WREN who worked on the Turing Bombe. The poem was composed shortly after the Alan Turing apology petition was successful.

You'll find it here.

Tuesday, June 22, 2010


My paternal grandfather enjoyed doing arithmetic using base-12. That's perhaps not surprising, he was an engineer, and he lived at a time when Britain used £sd. The British currency was pounds, which consisted of 20 shillings each containing 12 pence.

And the number 12 pops up all over the place: between noon and midnight there are 12 hours, 12 months in a year, 12 signs of the zodiac, a dozen is used as a common measure of eggs, there are 12 inches in a foot, ...

He referred to base-12 as duodecimal. At school I had to learn the times table up to 12 x 12. And the English language even has special words for 11 and 12.

Part of the reason that 12 is such a nice number is that it has a lot of factors: 2, 3, 4 and 6. Compare that to just 2 and 5 for 10 (as in base-10). With lots of factors, quantities that are commonly expressed as multiples of 12 have easy-to-calculate 1/2s, 1/3s, 1/4s and 1/6s.

To use duodecimal you 'simply' add two symbols for 10 and 11: for example, you could use A and B, and so you'd count like this: 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 20, ... In that system, 10 is the number we usually call 12.

It's possible that my grandfather was influenced by the 1935 book New Numbers: How Acceptance of a Duodecimal Base Would Simplify Mathematics, part of that book appeared in the Atlantic Monthly under the title An Excursion into Numbers.

Although it's unlikely that duodecimal will replace decimal in everyday use, especially since metric is used in place of imperial weights and measures across the world, and since the British pound was decimalized in 1971, other non-decimal base systems are in common use.

Computers use base-2 (binary), and programmers often use base-16 (hexadecimal). Vestiges of another computer base, base-8 (octal), still remain: aircraft transponder codes are four digit octal codes.

Monday, June 21, 2010

The Elevator Button Problem

User interface design is hard. It's hard because people perceive apparently simple things very differently. For example, take a look at this interface to an elevator:

From flickr

Now imagine the following situation. You are on the third floor of this building and you wish to go to the tenth. The elevator is on the fifth floor and there's an indicator that tells you where it is. Which button do you press?

Most people probably say: "press up" since they want to go up. Not long ago I watched someone do the opposite and questioned them about their behavior. They said: "well the elevator is on the fifth floor and I am on the third, so I want it to come down to me".

Much can be learnt about the design of user interfaces by considering this apparently simple interface. If you think about the elevator button problem you'll find that something so simple has hidden depths. How do people learn about elevator calling? What's the right amount of information to present to people? Do people need to know where the elevator is, or just that it's coming? Are up and down buttons necessary? What about having a single call button?

1. I don't know how I learnt that the correct thing to do was press the button indicating the direction I wished to travel. It's sort of elevator folk wisdom. Somehow you learn through experience or an elder passing on the knowledge. I've never actually seen an elevator with instructions. Have you?

So, it's quite natural that some people won't have learnt the user interface of an elevator. If you're designing a user interface it's worth stopping and pondering the things you assume 'everyone knows' about it.

2. The information about the current floor the elevator is on actually presents a problem for the caller. It's additional information that the person I interrogated assumed was needed to make a decision. Sometimes extraneous information takes on an importance all of its own. Here the user was assuming that you needed to know where the elevator was.

Actually all you need to know is that the elevator system has responded to your request and an elevator is coming.

3. Another oddity is that you call the elevator with up and down buttons (indicating a travel preference) and then get in the elevator and press a button. There's nothing to stop you contradicting yourself by indicating a different direction of travel. Which makes you wonder why you had to indicate the direction in the first place.

Typically, you have to tell the elevator your direction because an arriving elevator may already have people in it who have already instructed it to go to a certain floor. Thus the elevator is going up or down. If you register your request then the elevator can tell you whether it can meet that request.

One interface optimization would be to replace the up and down with a single call button. Passing elevators would stop and indicate which direction they were traveling. This simplifies the interface while placing a burden on the system which will perform wasteful stops for people who want to travel in the opposite direction. Here's where UI and internal system dynamics trade-off. A UI decision might actually make the system less efficient.

PS Of course, you can do away with buttons altogether and just have a Paternoster. I used to love riding in one in the engineering building in Oxford.

Sunday, June 20, 2010

A final reply about awarding a Knighthood to Alan Turing

Last October I posted the reply I received from Buckingham Palace in response to a letter I wrote to Her Majesty The Queen suggesting a Knighthood for Alan Turing.

The Palace had forwarded my letter to the Cabinet Office. Here's their reply:

I'm not sure what this has to do with sport (which the letter highlights), but I suspect there's some confusion because I didn't write to them on March 12 about a Knighthood (that was on the separate matter of honoring Turing at the 2012 Olympics).

Nevertheless, I'm not going to push any more for the Knighthood.

Friday, June 18, 2010

Facebook's DKIM RSA key should be crackable

If Facebook sends you a mail they will sign it using DKIM. Here are the headers from a mail I received the other day:

DKIM-Signature: v=1; a=rsa-sha1;; s=q1-2009b;
q=dns/txt; [email protected]; t=1276438946;

The signature itself is the b field (RGMm2Lp2Jms1yLuanKsEhSfSLpXQ15Y9RaGb0KgzWfGqcnEFUeQlhazkJXuT0+Nh). The a field tells you the algorithm used (in this case, it's RSA/SHA1). The d field tells you the domain of the entity that signed the mail, and the s field tells you which key you need to retrieve (q1-2009b).

So, let's go get that key (the q field tells you that this can be retrieved by a DNS TXT query):

$ dig -ttxt

; <<>> DiG 9.4.3-P3 <<>> -ttxt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 3


;; ANSWER SECTION: 434 IN TXT "k=rsa\; t=s\; p=MFwwDQYJKo

The answer section gives the actual key. It's an RSA public key, so let's turn that into a file that OpenSSL can handle:

-----END PUBLIC KEY-----

Feed that file to OpenSSL and we can find out information about it.

$ openssl rsa -noout -text -pubin < facebook.key
Modulus (512 bit):
Exponent: 65537 (0x10001)

So, Facebook is using a 512-bit RSA key. Wikipedia says: "Keys of 512 bits have been shown to be practically breakable in 1999 when RSA-155 was factored by using several hundred computers and are now factored in a few weeks using common hardware."

Aside: that modulus is a 154 digit number. Good old pexpr can dump it in decimal for you:

$ ./pexpr 0x00aac162f6044974a0898cca36e7e1f561bc724b67db2ae6


Of course, the RSA modulus there is the product of two prime numbers and quite hard to factor. But there are techniques that can be used to break keys like that fairly fast. The General Number Field Sieve is widely used and there's a nice open source implementation called GGNFS for those that want to try.

Some months ago I started an 8 core Mac Pro machine at work on breaking this key. It ran for 70 days non-stop and was close to a break when I had to use the machine for something else.

If I can do that, pretty much anyone can. And those people will be able to forge mail from Facebook. Facebook has a simple solution, of course, just change the key length. And if you are using 512-bit RSA keys in your DKIM implementation, please stop.
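The check above (dig the selector's TXT record, decode the p= key, read the modulus size with openssl) is easy to automate so that every DKIM selector you publish is audited before a short key gets noticed by someone else. The example below is added here and is not from the original post: it parses a DKIM TXT record, walks the DER of the RSA SubjectPublicKeyInfo by hand and flags keys shorter than 1024 bits. The sample record is constructed inside the block from an arbitrary 512-bit odd number (not a real key; only its length matters), and the helper names are mine.

```javascript
// --- minimal DER helpers (only what SubjectPublicKeyInfo for rsaEncryption needs) ---
function derLen(n) {                    // DER length: short form below 128, else long form
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}
function tlv(tag, body) {
  return Buffer.concat([Buffer.from([tag]), derLen(body.length), body]);
}
function derInt(big) {                  // positive INTEGER; pad with 0x00 if the top bit is set
  let hex = big.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  let b = Buffer.from(hex, "hex");
  if (b[0] & 0x80) b = Buffer.concat([Buffer.from([0x00]), b]);
  return tlv(0x02, b);
}
function readTlv(buf, off) {            // element at off -> {tag, start, end} of its content
  const tag = buf[off];
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) { const k = len & 0x7f; len = 0; for (let i = 0; i < k; i++) len = (len << 8) | buf[p++]; }
  return { tag, start: p, end: p + len };
}

// --- constructed sample record (not a real key) ----------------------------------------
const RSA_OID = Buffer.from("06092a864886f70d010101", "hex"); // OID 1.2.840.113549.1.1.1
function spkiFor(modulus, exponent) {   // SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }
  const rsaKey = tlv(0x30, Buffer.concat([derInt(modulus), derInt(exponent)]));
  const algId = tlv(0x30, Buffer.concat([RSA_OID, Buffer.from([0x05, 0x00])]));
  const bitStr = tlv(0x03, Buffer.concat([Buffer.from([0x00]), rsaKey])); // 0 unused bits
  return tlv(0x30, Buffer.concat([algId, bitStr]));
}
const FAKE_512_BIT_MODULUS = (1n << 511n) | 0x123456789abcdef1n;   // arbitrary 512-bit odd number
const SAMPLE_TXT = "v=DKIM1; k=rsa; t=s; p=" + spkiFor(FAKE_512_BIT_MODULUS, 65537n).toString("base64");

// --- the audit -------------------------------------------------------------------------
function parseDkimTxt(txt) {            // 'k=rsa\; t=s\; p=MFww...' -> { k: "rsa", t: "s", p: "MFww..." }
  const tags = {};
  for (const part of txt.replace(/\\;/g, ";").split(";")) {  // accept dig's escaped semicolons
    const m = part.trim().match(/^([a-z]+)=(.*)$/i);
    if (m) tags[m[1]] = m[2].replace(/\s+/g, "");
  }
  return tags;
}
function rsaKeyDetails(spkiDer) {       // SPKI -> BIT STRING -> RSAPublicKey { n, e }
  const spki = readTlv(spkiDer, 0);
  const algId = readTlv(spkiDer, spki.start);
  const bitStr = readTlv(spkiDer, algId.end);
  const rsaKey = readTlv(spkiDer, bitStr.start + 1);      // skip the unused-bits byte
  const nTlv = readTlv(spkiDer, rsaKey.start);
  const eTlv = readTlv(spkiDer, nTlv.end);
  const n = BigInt("0x" + spkiDer.subarray(nTlv.start, nTlv.end).toString("hex"));
  const e = BigInt("0x" + spkiDer.subarray(eTlv.start, eTlv.end).toString("hex"));
  return { modulusBits: n.toString(2).length, exponent: Number(e) };
}
function auditDkimRecord(txt, minBits = 1024) {
  const tags = parseDkimTxt(txt);
  if (!tags.p) return { ok: false, reason: "p= tag missing or empty (key revoked)" };
  if ((tags.k || "rsa") !== "rsa") return { ok: true, reason: `non-RSA key type ${tags.k}` };
  const { modulusBits, exponent } = rsaKeyDetails(Buffer.from(tags.p, "base64"));
  const ok = modulusBits >= minBits;
  return { ok, modulusBits, exponent,
           reason: ok ? "key length acceptable" : `${modulusBits}-bit RSA key is below ${minBits} bits` };
}

console.log(auditDkimRecord(SAMPLE_TXT));  // { ok: false, modulusBits: 512, exponent: 65537, ... }
```

In practice you would feed `auditDkimRecord` the TXT string returned by your resolver for `<selector>._domainkey.<domain>`; a 512-bit key encodes to a p= value beginning `MFwwDQYJKo`, which is exactly the prefix visible in the dig output above.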

PS The owner of a spam botnet could factor keys like that very quickly. Imagine having a few thousand machines that can be used for key factoring.

PPS I actually got interested in breaking DKIM keys when I read about the TI calculator break which was a break of a 512 bit RSA key done in 73 days.

Update: I received mail from Facebook indicating that they are taking this seriously and will switch to 1,024-bit keys.

Thursday, June 17, 2010

Your last name contains invalid characters

My last name is "Graham-Cumming". But here's a typical form response when I enter it:

Does the web site have any idea how rude it is to claim that my last name contains invalid characters? Clearly not. What they actually meant is: our web site will not accept that hyphen in your last name. But do they say that? No, of course not. They decide to shove in my face the claim that there's something wrong with my name.

There's nothing wrong with my name, just as there's nothing wrong with someone whose first name is Jean-Marie, or someone whose last name is O'Reilly.

What is wrong is the way this is being handled. If the system can't cope with non-letters and spaces it needs to say that. How about the following error message:

Our system is unable to process last names that contain non-letters, please replace them with spaces.

Don't blame me for having a last name that your system doesn't like, whose fault is that? Saying "Your last name contains invalid characters" is plain offensive. And I'm quite used to the situation that computer systems don't like the hyphen. On every flight I've ever been on I've been JOHN GRAHAMCUMMING.

The first time this happened the woman at the check-in counter did not say (in a robotic voice): "Your last name contains invalid characters", she actually said "I'm sorry, our system can't accept the hyphen". Fair enough.

So, form designers: stop blaming the user for your inadequacies.

PS Would accepting the hyphen actually destroy your database?

AOL sort of gets this right, although it claims it'll accept numbers in a last name which, in fact, it won't:

Yahoo oddly believes that I don't know how to type my own name and decides to lowercase the C in Cumming. It's willing to accept the hyphen but not that I know who I am.

PPS Think of it this way; if I'm entering my name I'm probably signing up for your service. Do you really want part of my sign-up experience to be that you tell me that my name is invalid?
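A form check in the spirit of the message proposed above, added here as an example (it is not the author's code, nor that of any site mentioned): it folds typographic variants of the apostrophe and hyphen, accepts letters from any script, and when it has to refuse a character it names what the system cannot store instead of calling the name invalid. The accepted character set and the wording are assumptions for this illustration.

```javascript
// Letters, combining marks (accents), space, apostrophe and hyphen are accepted.
const ACCEPTED = /[\p{L}\p{M} '-]/u;

// Typographic look-alikes are folded onto the plain character before checking,
// so a curly apostrophe or non-breaking hyphen pasted from elsewhere is not refused.
const VARIANTS = new Map([
  ["\u2019", "'"], ["\u2018", "'"], ["\u00B4", "'"],   // right/left single quote, acute accent
  ["\u2010", "-"], ["\u2011", "-"], ["\u2013", "-"],   // hyphen, non-breaking hyphen, en dash
  ["\u00A0", " "],                                     // no-break space
]);

function foldVariants(name) {
  return Array.from(name.normalize("NFC"), ch => VARIANTS.get(ch) ?? ch).join("").trim();
}

// Returns { ok: true, value } or { ok: false, message } where the message states the
// system's limitation and lists the exact characters it cannot store.
function checkLastName(raw) {
  const name = foldVariants(raw);
  if (name.length === 0) return { ok: false, message: "Please enter a last name." };
  const unsupported = [...new Set(Array.from(name).filter(ch => !ACCEPTED.test(ch)))];
  if (unsupported.length === 0) return { ok: true, value: name };
  const list = unsupported.map(ch => `"${ch}"`).join(", ");
  return {
    ok: false,
    value: name,
    message: `Sorry, our system cannot store ${list} in a last name. ` +
             `Letters, spaces, hyphens and apostrophes are fine.`,
  };
}

console.log(checkLastName("Graham-Cumming"), checkLastName("O\u2019Reilly"), checkLastName("Smith3!"));
```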

Tuesday, June 15, 2010

10:10 Code FAQ

Yesterday's post about my 10:10 code idea resulted in quite a lot of comments. Here are answers to common questions.

1. What about using both lower- and upper-case?

I could but that makes it a lot more fiddly to enter on a device since you are having to change between upper and lowercase. Using just uppercase is consistent and easy to enter (think most GPS device keyboards).

2. Take into account that at higher latitudes, longitude need not be encoded as accurately.

I agree that it would be possible to project onto a map projection to change this, and it would provide some improvement. The advantage of the system as proposed is simplicity. It gives 11.1m of accuracy at the equator and 7.1m of accuracy at 50 degrees of latitude (either north or south).

3. Don't combine latitude and longitude. Keep them separate, with a space in between.

The 10:10 code isn't meant to be interpreted by a human, it has a specific purpose for entry into mapping devices. There are plenty of other codes that allow comparison easily.

4. Hey, nice idea man. But I propose either to use alphabets only or remove some confusing look-alikes like: (1 and I, l), (0, o, O), (B, 8), (b, 6).

The solution to this is mostly not to change the alphabet. As I originally wrote, the solution is for systems that accept these codes to be permissive. For example, I don't have L or I in the alphabet, I also don't have 0 and O. So a system can interpret user input. Example: user enters O when they meant 0. The system just transforms it to 0. I agree that B and 8 might cause some confusion, but there is the check digit in there to spot those errors.

5. Do you have decoding code?

Yes, I will release this shortly in a nice, tested version that everyone can play with.

6. What are the licensing conditions?

The idea, the source code, the algorithm are all placed into the public domain. I would prefer that this get adopted widely to make everyone's lives better. I reserve the right to trademark "10:10 Code". The greatest reward for me would be people saying: "Ah, so you're the guy who invented that".

7. Why restrict yourself to 10 digits?

The idea is that 10 digits are a fairly common quantity for people to type. For example, a standard US phone number is 10 digits (e.g. (415) 555 1234). I write the 10:10 codes in a 3:3:4 form, e.g. R5T 3ED J9VW.

Monday, June 14, 2010

The 10:10 Code

Four years ago I wrote about a way to encode the latitude and longitude of any point on the Earth's surface to 10m of accuracy with a 10 character code. Apart from a modification to the way the check digit is calculated, the code remains unchanged.

The idea is this: instead of giving people addresses, or coordinates, you can give them something like a post code for any point on the Earth's surface. This can then be entered into a GPS device and decoded. Thus a business can provide its 10:10 code and know that people will be able to find it.

I was reminded of this this weekend, when I took the Eurotunnel to France. On their web site they say:

Now those latitude and longitude values are very hard to enter, and, although in the UK post codes are pretty accurate, they are not universal (e.g. in France and the US there's no equivalent). In contrast the 10:10 code is global.

Here's some JavaScript code that calculates the 10:10 code:

The 10:10 code of the Eurotunnel terminal in the UK is: MED 8FV N9K5

PS. Many people have pointed out that there are existing systems like this, and existing patents. As far as I am aware, none of them include a check digit. For example, there's the Military Grid Reference System, the Natural Area Code, this Microsoft patent and Geohash. The check digit is critical because it reduces operator error when entering a location on a GPS device.
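The encode/decode round trip, the permissive input handling from the FAQ above (O read as 0, I and L as 1) and the check digit, written out as an added example for this page. The author's own JavaScript is not reproduced here, so the 33-symbol alphabet without I, L and O, the 0.0001 degree cell size (11.1m at the equator, 7.1m at 50 degrees) and the weighted mod-33 check digit are my assumptions; the codes this produces will therefore not match the author's (such as MED 8FV N9K5).

```javascript
const ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ0123456789"; // 33 symbols, no I/L/O (assumed alphabet)
const BASE = ALPHABET.length;
const SCALE = 10000;                 // 4 decimal places of a degree: 11.1 m at the equator
const LON_CELLS = 360 * SCALE + 1;   // longitude index range 0 .. 3,600,000
const DATA_LEN = 9;                  // 9 data symbols + 1 check digit = 10 characters
// Every weight is coprime with 33, so changing any single symbol changes the check digit.
const WEIGHTS = [1, 2, 4, 5, 7, 8, 10, 13, 14];
// Permissive input handling from the FAQ: look-alikes become the symbol the user meant.
const LOOKALIKES = { O: "0", I: "1", L: "1" };

function checkIndex(dataIdx) {
  const sum = dataIdx.reduce((acc, v, i) => acc + v * WEIGHTS[i], 0);
  return (BASE - (sum % BASE)) % BASE;          // makes (sum + check) % BASE === 0
}

// Latitude/longitude in degrees -> "XXX XXX XXXX".
function encode1010(lat, lon) {
  if (!(lat >= -90 && lat <= 90 && lon >= -180 && lon <= 180)) {
    throw new RangeError("latitude/longitude out of range");
  }
  const latIdx = Math.round((lat + 90) * SCALE);  // 0 .. 1,800,000
  const lonIdx = Math.round((lon + 180) * SCALE); // 0 .. 3,600,000
  let n = latIdx * LON_CELLS + lonIdx;            // < 6.5e12: exact in a double and < 33^9
  const idx = new Array(DATA_LEN);
  for (let i = DATA_LEN - 1; i >= 0; i--) { idx[i] = n % BASE; n = Math.floor(n / BASE); }
  idx.push(checkIndex(idx));
  const s = idx.map(i => ALPHABET[i]).join("");
  return `${s.slice(0, 3)} ${s.slice(3, 6)} ${s.slice(6)}`;
}

// Fold case, drop spaces and hyphens, map look-alikes; the 3:3:4 grouping is cosmetic.
function normalise(code) {
  return code.toUpperCase().replace(/[\s-]/g, "").replace(/[OIL]/g, c => LOOKALIKES[c]);
}

// Returns { lat, lon }, or null when the check digit does not match (a typo was caught).
function decode1010(code) {
  const s = normalise(code);
  if (s.length !== DATA_LEN + 1) throw new Error("a 10:10 code has exactly 10 symbols");
  const idx = Array.from(s, c => ALPHABET.indexOf(c));
  if (idx.includes(-1)) throw new Error("symbol not in the 10:10 alphabet");
  if (idx[DATA_LEN] !== checkIndex(idx.slice(0, DATA_LEN))) return null;
  let n = 0;
  for (let i = 0; i < DATA_LEN; i++) n = n * BASE + idx[i];
  const latIdx = Math.floor(n / LON_CELLS), lonIdx = n % LON_CELLS;
  if (latIdx > 180 * SCALE) return null;          // check digit matched but the cell is impossible
  return { lat: (latIdx - 90 * SCALE) / SCALE, lon: (lonIdx - 180 * SCALE) / SCALE };
}

// Constructed sample coordinates, not taken from the post.
const sample = encode1010(51.5074, -0.1278);
console.log(sample, decode1010(sample.toLowerCase()));
```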

Friday, June 11, 2010

How to write a successful blog post

First, a quick clarification of 'successful'. In this instance, I mean a blog post that receives a large number of page views. For my little blog the most successful post ever got almost 57,000 page views. Not a lot by some other standards, but I was pretty happy about it.

Looking at the top 10 blog posts (by page views) on my site, I've tried to distill some wisdom about what made them successful. Your blog posting mileage may vary.

1. Avoid using the passive voice

The Microsoft Word grammar checker has probably been telling you this for years, but the passive voice excludes the people involved in your blog post. And that includes you, the author, and the reader. By using personal pronouns like I, you and we, you will include the reader in your blog post. When I first started this blog I avoided using "I" because I thought I was being narcissistic. But we all like to read about other people; people help anchor a story in reality. Without people your blog post will sound like a scientific paper.

2. Engage the imagination of your readers

You need to draw your reader into your post. There are two good ways to do this: stories and firing their imagination. People like stories, narrative keeps them interested in knowing what happens next. But firing the imagination is even more powerful: if people can start imagining themselves in the situation, or how they would solve the problem the blog post is talking about they become more fascinated.

I put down the success of More fun with toys: the Ikea LILLABO Train Set to the fact that the problem being described is easy to understand, and people could instantly wonder how they'd solve the problem I was describing. Double checking Dawkins did well because it's a detective story.

3. Spend offline time thinking about the post

Most of my blog posts are written in my head. I'll lie in bed at night or sit on the bus in the morning and repeat over and over again in my head the sentences and paragraphs I want to write. By head writing I listen to my own words and make them readable. And this head writing lets my imagination run riot. This sort of brainstorming leads to lots of new ideas that can be incorporated, and it avoids the fearsome blank page problem where writer's block can begin.

If you want to do one thing to make your blog posts better do this: walk away from your computer and stare out of the window.

4. Write and write and write

When I began this blog I didn't know what to write, and I thought I only had a few ideas. I ended up writing short, boring blog posts and saving my ideas up because I was afraid that I would run out of things to say. It turns out that the opposite is true. The more you write, the better you get at it. And the more you write the more ideas seem to appear from the ether. I don't set myself a goal of a blog post per day, but I do try to prevent my blog from going stale. Some of my posts are winners, some are not. But I would not have written successful posts without having written the duds.

I never would have written How to sleep on a long haul flight if I hadn't already trained myself to write. The topic seems rather dry, but once you start imagining writing about something you can, if you've got into the habit, tease out the interesting elements of the subject.

5. Avoid blog posts that are reposts of other people's material

You know those blog posts where someone grabs the initial paragraph from someone else's blog post? They publish the paragraph, comment on it, and then link to the original. That's boring. They haven't added anything significant.

If you want to post about someone else's content then add something significant: if you can't add something significant then what you planned to say is likely better written as a comment on the original site. I have commented on other posts in the past; for example, in A bad workman blames his tools I wrote a riposte to a post I strongly disagreed with.

6. Reread your blog posts aloud

I find that the only way to improve my writing is to stare at what I've written and read it aloud. Suddenly, when spoken, awkward phrases become apparent, the places where the flow ebbs become clear and repeated use of certain fetish phrases (I overuse 'In fact') stands out. If you can't actually read aloud because the people on the bus (or wherever) would think you strange, then read aloud in your head: deliberately and slowly enunciate the words in your head.

I read and reread sentences and paragraphs over and over again. Each sentence in one of my blog posts has likely been read four or five times before I hit publish.

7. Be playful and create something new

Commentary can be interesting, but what's often more interesting is new stuff. This means you actually have to create something: the blog post will just be a description of what you did. Some of my most successful posts have been about things I've done. For example, lots of people read about my attempt to 'hack' a spot-the-ball competition in Tonight, I'm going to write myself an Aston Martin. That blog post required a lot of work before any writing began.

You need to be playful away from your blog (and, perhaps, your computer) to come up with the sort of posts that will be winners. Walk away from your blogging software and think about something else. That something else might make a great post.

8. Teach

If you can find a subject that can be taught in the space of a blog post then do it. People won't read blog posts for long (the average person spends about 3 minutes on a single blog post on my blog), so you need something bite-sized and interesting. In Squaring two-digit numbers in your head I showed people an arithmetic trick and told a little story.

9. Be personal

I said above that I'd avoided "I" in the beginning. This was a big mistake. You need to speak from your heart to come across as genuine and interesting (unless you are an excellent writer), oftentimes this means speaking about yourself and about a subject that you are passionate about. In Just give me a simple CPU and a few I/O ports I wrote about my desire for a simple computer and how things had changed over the years. The post doesn't have a lot of insightful points, it's really a personal story.

Monday, June 07, 2010

How to sleep on a long haul flight

To the annoyance of people around me I have no trouble sleeping on long haul flights. And I don't take any fancy medication to do so. Having traveled a lot I've come to the conclusion that sleeping on a plane is a matter of attitude and a little preparation. This post is not for people who travel business or first class. It's for the average stiff who, like me, travels hundreds of thousands of miles in economy class.

First the gear. I put this here because everyone thinks that buying stuff is the vital element. This isn't actually true, the important bit is mental, but buying stuff might be a salve that'll make you work on the mental stuff later.

To create the conditions suitable for sleep you need: quiet, darkness, comfort and warmth. These are all hard things to come by on a jet, but much can be done to get close to good conditions.


This is cheap and expensive: I use ear plugs plus noise canceling headphones. Even with good quality ear plugs the noise canceling headphones will cut out sounds (particularly hissing sounds). I typically use silicone ear plugs because they mould to your ear shape and then I wear Bose QuietComfort 3 headphones. I'm not recommending specific brands though, just get good quality ear plugs and good quality headphones.

With those on and in you've got quiet.


Avoid the free blindfold that's given to passengers in economy class. They are usually ill fitting and uncomfortable with tiny elastic straps. Just buy a good blindfold which is wide enough to cover your eyes completely (including round the side of your head and above your eyebrows), that fits snugly around the nose (best if there is material that flaps down along the nose to keep out light) and has a wide, adjustable strap. Such as these.

Also make sure that the blindfold really cuts light: test it by shining a torch in your eyes while wearing it.

Now you have dark.


Get a neck pillow. I fly with one sewn by a member of my family, but you can just go buy one. I avoid the inflatable ones because they tend to be uncomfortable. It's worth the carry on space to have a good neck pillow (and they squash easily).

Wear it 'backwards' (i.e. with the slot pointing backwards) so that your head can flop forward onto it. You'll still be able to lean sideways onto it to rest your head, but when you are asleep your head will move forward without you realizing.


I usually find that the blanket given by the airline is enough to keep me warm on a flight. If the flight is empty I'll steal a second one. One goes around my stomach, chest and legs with the seat belt fastened on the outside so that you will not be awakened by a flight attendant checking the belt. The other goes around my shoulders to keep my back and upper arms warm.

It's very important to keep your feet warm, but don't do it with your shoes on. To sleep comfortably you need to loosen your clothes. I loosen collar, cuffs and waist (undoing my belt and lowering my fly: looks odd to you, but it's under a blanket so no one else needs to know) and I remove my shoes and socks.

To keep my feet warm I travel with a pair of sport socks that are two sizes too big for me. These slip on easily, don't constrict my ankles, and keep me warm.

The Seat

You want the best seat available: that means avoiding people walking over you (so you need a window seat), with lots of leg room (a bulkhead or exit row), that reclines (some seats on some aircraft have limited recline). Since you can choose your seat with most airlines online (often weeks in advance) do so.

To find out which seats are best use SeatGuru. SeatGuru has seat maps for all the airlines showing which seats are good or bad. I recently flew from San Francisco to London on British Airways and used SeatGuru to choose seat 29A (here's the seat map). 29A is an exit row seat with a half row of seats in front of it. Your legs stick out further even than a bulkhead seat. It reclines normally and is by the window.

Get in the Zone

The rule of sleeping on a plane is that sleeping is all you do. You do not eat, you do not read, you do not watch a movie, you do not think about the time: you do nothing but sleep.

If you need to eat, do it at the airport before you board. You are not going to waste time waiting for the onboard meal when you could be sleeping. I prefer to eat at the airport and have a single drink (such as a beer). Do not drink anything caffeinated. I avoid caffeine for about four hours before each flight. Then I'll wait at the gate. Once onboard immediately use the toilet to avoid needing to go a little later (also the toilets are at their cleanest then).

Then sit down and prepare to sleep by getting out all the gear above. After take off recline the seat and prepare to sleep. Tell the person sitting next to you that you are going to sleep and do not need waking up for meals (at least once a helpful person has woken me for a meal I didn't want), tell the crew that you do not want any food now or before landing (you can always change your mind about the latter if you are awake when breakfast is served).

Do not think about the time. Last week when leaving San Francisco it was about 1730 which is much too early to sleep (think that and you'll stress yourself thinking you can't go to sleep yet), in the UK it was 0130 which is much too late to go to sleep (think that and you'll stress yourself thinking of sleep you've missed). But the flight was over ten hours. The right thing to think is: oh, 10 hours of sleep, that'll do me good. But do not look at your watch and think about the flight time left. Just close your eyes, put on the blindfold, shut out the noise and relax.

Of course, relaxing is hard, but I find that something simple like alternate nostril breathing works wonders to calm me down. The yogi probably won't tell you but the beer also helps.

PS It's important to know how to unblock your ears because blocked ears can be painful. Here's a good description.