Regional Ruminations

With my hunting for a job and a number of other factors in my life, an item which has been floating around in the back of my head has been a mix of “What did I like about places I lived in the past?” and “What would have me consider moving?”. And just to make it more difficult, because of those factors, it morphed into an interesting but even more thought provoking question, which is summed up as:

Totally ignoring individuals who currently live in given locations (and no coordinating with others to end up someplace jointly agreed upon), if you had to relocate to someplace at least 2.5+ hours or 150 miles away within the continental US (or whatever country you currently reside in), where would you move or not move, and why??

Now, for me this would rule out places such as Richmond, Roanoke, Danville, Blacksburg, Wytheville, or Hagerstown MD, to say nothing of Covington, or Greenbank. And places like Norfolk, Virginia Beach and Beckley WV are just barely outside of that “radius”. But outside of that area, where would I “like” or “not like” to live?

Well, first, let me rule out “big” metro areas like DC/Baltimore, NYC and a number of others. Indeed, from the list of “Combined Statistical Areas” and the associated “Metropolitan Statistical Areas”, I would have to say that you have to get down to at least the Pittsburgh CSA before the size of the CSA itself does not rule the area out, as being “might be OK to visit, but don’t want to live there”. And when you just look at the MSAs (the top 100 most populous being listed at the bottom of that second page), I have been to most of the top 50 and spent at least a day there, if not played tourist, including 3 of the top 5 (not NYC or LA), and with only a few exceptions would I consider living there if I could afford it, and even then with restrictions. For example, the outskirts of Pleasanton is “OK”, and I would love visiting Mt. Diablo again, as well as Santa Cruz, on a regular basis, and getting outside of Denver proper is the same, but most of that list still rule themselves out just on population/crowds alone, and some more than others. And for the most part most places on that list fall into the “an hour outside of them might be OK”, with only Pittsburgh being one where on its own I might consider.

But also figured into the question are the questions of job market and cost of living. If money were not a huge object, and I could telecommute or were miraculously retired with perhaps 2/3rds what I have been making, it would be something which I could otherwise ignore. And regardless, I will always have to consider the cost of living. Even were I able to make what I have been, were the DC or other metro areas not already ruled out, there is no way I could consider living there… it is just way too expensive, as are other areas. (You can see some real shockers if you check this site, select Staunton VA as where you live, and just for round numbers, select $100K for what the current salary is (far easier than $50K to figure in your head). In DC, this would have to be $167K, Arlington or Alexandria VA would be $155K, but places like the SLC, Pittsburgh or the Atlanta/Marietta GA areas are roughly comparable ($104K to $107K).)

So, ignoring where friends are, where would I like? I want places with lots of green (e.g. trees, or failing that grass and farmland) with some lakes/rivers, and if at all possible, skies dark enough to clearly see things like the fullness of Orion, including the nebula, and Andromeda, as well as the splendor of the Milky Way stretching overhead through Cygnus during the summer… But, I also want someplace where I can get my broadband Internet, and be able to take an easy drive (maybe an hour or so) to a decent sized Con several times a year, and have things like a good movie theatre, places to eat, stores and such. And if there is a nice airport in the area, all the better. I also want someplace which experiences winter to some degree, and does not feel like an oven during the summer (e.g. not Vegas or Phoenix).

There is also one which ends up conflicted… I really love mountains… not just hills, but real mountains, and I prefer for them to be either tree covered, or failing that, I could perhaps deal with more barren and snow-topped. But the conflict comes in that there is something to be said about being in the middle of nowhere, watching a supercell thunderstorm build, and hoping to be able to experience a storm chase. I remember one such instance, driving back to Columbus OH from visiting my uncle Bob and aunt Nancy in Cheyenne, coming across I-80 in Nebraska, and looking off at about our 4 or 5 o’clock (behind and to the right of us) as we came up on I-76, which heads down to Denver… and seeing a storm fully anviled out and overshooting. We were roughly 180 miles away, as at that time the storm was along I-25 near Ft. Collins, and it was clearly visible off in the distance. To have been able to watch and photograph that at night… and maybe even catch a few sprites.

So… where would I live? I think at the top of my list would be to live somewhat north or east of Pittsburgh… easy access to the likes of Steel City Con and several others there, and being a high-tech center on par with Silicon Valley, RTP and others (Google, Intel, NetApp, Seagate and others are there), it definitely has more jobs than here in this area of VA, and by the time you start getting a bit of distance away from Pittsburgh itself (which is halfway toward feeling like a bunch of small towns, due to the terrain, with lots of trees, parks, etc.). The area breaks away from the slightly smaller (population wise) Columbus MSA, due to the way Columbus itself (though I will say that C’bus has far better bike trails compared with Da’Burgh.) And with things like the Waterfront, Carnegie Libraries/Museums, and all… it comes out a solid #1 on my list.

Second on my list was a bit of a tough one… and one which has delayed the finishing of this post. SLC has some nice mountains, and it is a major tech center, as well, with Suse, Adobe, and others. And while speaking of UT… some of the most beautiful astrophotography shots have come out of places like Bryce Canyon NP. I just wish the area was more greens like here in the eastern US, instead of the browns/tans which a satellite view shows.

Then there is the RTP area (Raleigh/Durham NC) with RedHat and numerous others. And I have been told by friends that contrary to what my experience has been, Atlanta has lots of spread/green, and it has DragonCon as well as other bits of fun. And then the Denver/Colorado Springs region. But I am not quite sure the order of those.

Why not Columbus? While it does have a good amount of tech and a few nice Cons to attend, and some of the best bike trails, it is way too populous, and it is bad when you struggle to see even 2nd magnitude stars, like those in the belt of Orion. And while going down US 33 towards Athens and then Marietta has some nice views, Appalachian Ohio sucks for several reasons… the economy and pollution being two inter-planetary level space suckages, with Fort Wayne, IN being much the same.

And one last place I will throw on… Buffalo and Dallas County MO… were it not for other factors, I have seen pics of the area… and were I able to find a decent paying job, it would be an area with lots of opportunities for recreation, dark skies, and some good storm chasing, as well as for riding my bike. It is one reason why I fell in love with that area, mountains totally lacking. But there is no way I could stand to live there today… as it is an area which would constantly be breaking my heart.

So with that said, if you had to move someplace else, where would it be and why???

SSL Certificates

As I make this site publicly accessible, it occurred to me that many of you will be getting warnings from your browser about the host SSL certificates not having a recognized certificate authority. Now, before I get into a techie rant (what I will also refer to here as a “Solar Flare”), here is a not so techie “here is how you fix it” post.

So, when you connected to a site such as this, rather than getting a pretty page, you likely got something like this…

Now, if you are going to a site such as for your bank, going shopping at some big-name (or not-so-big-name) company’s site, etc., seeing this screen is like coming to a stop-sign to cross a busy 4 or 6-lane highway, where traffic is doing 65MPH… the mind should go “Danger! Danger! Danger Wil Wheaton!” (Yea, I know… mixed memes, but…I could not resist, as a soon to be written post will tell you why.) The reason is that for your bank, or any reasonably sized company, the primary stumbling block for the certificates should be a non-issue, and that stumbling block is the cost. More on that in a moment, but in this case, how do you fix it for this site? And the answer is simple, and just involves going to another site, clicking on a link, and accepting/trusting a couple of certificates there. And that site is www.cacert.org. On their main page, up at the top, they have a link labeled Root Certificate, where with a few clicks, there is no more warning. They even have a number of Wiki articles about this process, such as ImportRootCert where they go into trusting their certificate, so that mine and others like it don’t give you the warning to begin with.

Now, for those who are interested, please allow me to snag my soap box….

and while I do, let me start out by saying that regardless of what it may sound like, I am a firm believer in SSL and what comes with it. But like I would rather go to say Ohio or even travel around town to get groceries by car rather than by horseback or horse and wagon, just as cars have some massive downsides which could be improved (pollution and cost being the top two), there are some issues, sometimes huge, with SSL certificates.

SSL certificates, if you were not aware, are the high-tech way in which things such as web-sites can present an ID which your browser can look at and say “OK… you are who you claim you are.” It is kinda like presenting your driver’s license when making a big purchase in a store, only maybe a touch better. How many of you would recognize the driver’s licenses for a different state? Myself, even though I lived for much of my adult life in Ohio, could not look at what might be a driver’s license and say for an absolute certainty that it was valid. The same is true for Pennsylvania, even though it was far more recently that I lived there. I wonder how many officers for say CHP, VSP or other state or local agencies could do it visually, which is perhaps part of why they call dispatch with your license info when you get pulled over. But rather than having to contact a central authority, what your browser does is this. The certificate which a web site presents to your browser when they start talking contains a whole wealth of information, such as the hostname or IP address, the uses for which the certificate is valid, an expiration date, a certification “stamp”, and what is known as a public key, which is used for validating the connection and later communications. The public key goes along with a private key which the site works hard to protect, and the certification stamp on the certificate was created with a similar private key which the “certificate authority” (CA) supposedly protects as well, just like your local notary keeps their “stamp” or “embosser” secure. But it all relies on what is known as “Asymmetric” or “Public-key” encryption, where through the use of complicated maths involving huge numbers, I can use one number to either encrypt or sign an electronic document, and you can use a number which matches to decrypt the document or authenticate the signature.
Feel free to follow the links or drop me a message if you would like to talk more about it, but the huge question remaining is… how do I get the public key for some site (or even a certificate authority), and know that it can be trusted?

My soap box…

The trick is, with your browser or operating system, somewhere in all the bits and pieces which get installed, you have a list of public keys for the certificate authorities (CAs) I have been mentioning. Think of it as having a booklet with a list of all the stamps and signatures of key notaries out there, with a way to look up and see more pages, with each page itself notarized by one or more individuals in your booklet, either directly or indirectly. But unlike just having a spot on the page where the page is embossed or stamped and signed, and you don’t know if a word was possibly changed or added, here the entire document, made up of a long string of 0’s and 1’s, can be “stamped” in such a way that changing anything in that string will, with near certainty, be detected. Indeed, the digital form is like the old style wax seals which were common in the Middle Ages, only more so. (Encryption works in a similar way, but is a bit more complex). And there is quite a bit which goes into determining who ultimately gets into that “booklet”. Part of it is trust… such as, can I trust them to keep their private key secure? Can I trust them to go through all the right procedures to verify the information before they sign the certificate saying that this is the real “Wil Wheaton”? Seems kinda like the 50s-70s game show, To Tell the Truth, doesn’t it?? And therein resides a lovely little industry similar to the military industrial complex President Eisenhower warned us about. How little? Try more than $1 billion (yes, with a B) according to one report in 2016, with projections to exceed $3 billion by 2020. And this is, in part, driven by efforts such as Google’s “HTTPS Everywhere” effort, where more and more, sites without SSL certificates will be “shamed” or worse.
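
As an added illustration (not part of the original post, and not how any real browser or CA is implemented), the “booklet” and “stamp” described here, together with the certificate fields listed earlier, can be modeled in a few lines of Python. The CA names, hostname, dates and tiny textbook-RSA keys are constructed for the example; real certificates use X.509, padded signatures and keys of 2048 bits or more.

```python
import hashlib
import json
from datetime import date

E = 65537  # usual RSA public exponent

def make_key(p, q):
    """Toy RSA key pair from two primes: returns (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(fields, n):
    """Hash the canonical encoding of the certificate fields, reduced mod n (toy shortcut)."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(ca_name, ca_private, subject, subject_public, not_after):
    """The CA 'stamps' the fields by signing their hash with its private key."""
    n, d = ca_private
    fields = {"subject": subject, "issuer": ca_name,
              "not_after": not_after, "public_key": list(subject_public)}
    return {**fields, "signature": pow(digest(fields, n), d, n)}

def validate(cert, hostname, trust_store, today):
    """Return 'ok', or the reason a browser-style check refuses the certificate."""
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None:
        return "unknown issuer"          # the warning page: CA is not in the booklet
    n, e = ca_public
    fields = {k: v for k, v in cert.items() if k != "signature"}
    if pow(cert["signature"], e, n) != digest(fields, n):
        return "bad signature"           # some bit changed after the stamp was applied
    if date.fromisoformat(cert["not_after"]) < today:
        return "expired"
    if cert["subject"] != hostname:
        return "hostname mismatch"
    return "ok"

# Constructed sample keys built from Mersenne primes; far too small for real use.
BUNDLED_CA_PUB, _ = make_key(2**61 - 1, 2**89 - 1)
COMMUNITY_CA_PUB, COMMUNITY_CA_PRIV = make_key(2**107 - 1, 2**127 - 1)
SITE_PUB, _ = make_key(2**31 - 1, 2**61 - 1)

def demo():
    host, today = "blog.example.test", date(2030, 1, 1)   # constructed values
    cert = issue("Community CA", COMMUNITY_CA_PRIV, host, SITE_PUB, "2030-06-30")
    store = {"Bundled CA": BUNDLED_CA_PUB}                # what ships with the browser
    results = [validate(cert, host, store, today)]
    store["Community CA"] = COMMUNITY_CA_PUB              # user imports the root
    results.append(validate(cert, host, store, today))
    altered = {**cert, "not_after": "2040-06-30"}         # edit a field, keep the old stamp
    results.append(validate(altered, host, store, today))
    results.append(validate(cert, host, store, date(2030, 7, 1)))
    return results

if __name__ == "__main__":
    print(demo())
```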

The dirty secrets…

Because many places which will “sign” SSL certificates used to prove a site’s identity can charge $100 or more per year for just a few minutes’ work to do what amounts to electronically notarizing, the cost of getting an SSL certificate and keeping it up-to-date is more than what some blogger (such as Wil?), or even an IT professional such as myself can justify spending. In a quick check, I found some of the big names such as Verisign and Thawte (both now owned by Symantec) charging nearly $400/yr for a certificate to “protect” a single hostname (such as ‘cinnion.ka8zrt.net’) while not protecting any others even in the same domain. And historic vendors such as Network Associates, now McAfee (yes, as in John McAfee infamy, among others) were as bad or perhaps worse. And while there are places which charge less, it remains a cash cow being milked in a huge way. And yet, what does a company such as Symantec get you for the cost of the certificate? For a blogger and their readers, it is not that big of a deal. It is true even for myself and this web site, though I will likely put up some interesting spots which will go beyond what is in place at the moment. The point where it becomes a thing for me, and hence my awareness of the dirty secrets, is I am a computer professional who has been working with the web since the transition from services such as Gopher in early 1993, and as such, I am supposed to know how to set up secure web sites, and using SSL is a part of that. But for a bank or someplace such as Amazon, they need to know that they and their customers are protected, and the same is true for us as individuals doing business with them. And supposedly, this means that we can TRUST the CA.

There I go again with those TRUST waves (Name that movie!). Does the CA take steps to protect us, such as checking the information for someone requesting a certificate, take the time to do audits of their processes and servers, and the countless other things involved to make sure that things stay secure? And going along with this… can we trust the browsers to do what is needed to validate that a certificate is still valid beyond not having passed its expiration date? At times, this is like walking into the grocery and buying hamburger and lettuce for your weekend cookout, but ending up in the hospital due to E. coli contamination, such as the multi-state outbreak of E. coli O157:H7 affecting romaine lettuce we are seeing in the news which has resulted in multiple deaths. And like with that, the answer is sometimes no, as seen in a number of incidents such as one where Network Associates/McAfee had their intermediate signing certificate compromised, and the resulting problems it revealed. This is why companies sometimes resort to purchasing SSL certificates such as this. Yes, you are seeing almost $1500 per year, and I do not know if they limit the number of servers under that certificate… as they sometimes do. But along with that trust is the fact that the CA is willing to back that up with a warranty, so that if something happens, they can pay out, sometimes in a big way (I have seen warranties for $1M or more for some certs). And aiding all this was how Mozilla (e.g. Firefox), Microsoft and others were controlling how a CA doing everything right could not get on their trusted CA list, while countless others, such as Verisign, Comodo, DigiNotar, GlobalSign and many others remained on the list.
Add in some of the other mistakes, such as a CA revoking a certificate which results in tens of thousands of sites with their SSL connections reported as being untrusted, and you start wondering what many a developer has asked himself, sometimes at 3am after finding a bug which needed fixed when they started looking at things at the start of their work day: How did this ever work?? And the answer is, you can have a crowd walk through a field of mines rigged to go off only when a single switch in one spot is stepped on, and sometimes, you could play a major football game on that field, and not have things go BOOM! But even if there was no BOOM! today, there will always be a BOOM! tomorrow.

So given all that, years and years ago, while still living up in Da’Burgh (Pittsburgh for those of you who are not Yinzers out there), I needed to set up things for some in-house testing, and rather than using a self-signed certificate (and creating my own certificate authority, just like how Verisign, Network Associates and all the others did), and then having to add the public root certificate to my browser, I opted to go with CAcert, so that if I had to go through things again, I did not have to set up another personal CA later. It has its limitations… right now, every 6 months, I have to go through and renew and replace all my server certificates, which is a little bit of a hassle given I have roughly a dozen different certificates in use right now, with most being used only within the confines of my home network. But as I get them synchronized, it simply becomes logging in, clicking a checkbox, clicking the “Renew” button, then doing some cutting and pasting. And as soon as I get a new version of the program I use to manage these certificates, xca, compiled, repackaged, and reinstalled on the machine where I manage everything to do with my certificates (private keys, certificate requests, signed certificates, etc.), I will turn things into a mostly automated process. Or, I may just move over to using Let’s Encrypt, since that project, which has major name sponsors such as the EFF, Cisco, Facebook, Google and others, is already in the list of trusted CAs… I may pretty much just switch over, if things are as good as they are now seeming (they have made much headway in the past two years). Besides, my old not quite friend, more than acquaintance Rich Salz (or as he often signed in those days “Rich $alz” or just “r$alz”, when we were the admins of the two largest USENET news installations around) is a part of their TAB (Technical Advisory Board).
And even if they are issuing only 90 day certificates, instead of the ~180 day ones I am currently able to produce (or the 2yr ones I hope to produce if I can ever meet up in person with a couple of certified assurers to get the points I need before I can take the assurer test myself), the use of ACME might offset what was two years ago a problem with a solution awaiting release of the tools.

Well, it is now after midnight here, and even though I was asleep until almost 4pm, it was light when I went to bed (around 7am), and I have an appointment I am either going to have to cancel or pay a nice chunk of $$ to keep, and while there is a bunch of unemployment I have yet to be able to access, due to them sticking it on a pre-paid card instead of direct deposit like I requested, and my not having received the card… as much as I really Really REALLY need to keep this appointment,  having to use perhaps 15% of what I have left in the account right at the moment… yea… (gawd, I hope something comes through soon!! No paychecks and no insurance is like having nearly empty air tanks while floating alone in the vacuum of space at the midpoint between here and the Andromeda Galaxy/M31)

Oh… and as for all the Wil Wheaton references… that will become apparent in the next post, which I should have up sometime tomorrow… and will continue that last reference.