chromebook 4g – part 1 – verizon’s 4g plan

Two years ago, I bought a Chromebook for my mother. She has been very happy with it. The 3g plan met all her needs other than getting updates for the Chromebook itself. I had predicted in 2011 that a Chromebook is good for senior citizens because:

Senior citizens who use a computer to check e-mail, view pictures of the grandkids, research vacations, maybe watch some videos on youtube and some other random surfing. People in this group do not want anything to do with taking care of their computer; they just want it to work.

This turned out to be accurate. My mother didn’t need an ISP (everything over 3g) and it was great for her not to have to deal with virus scan/a firewall. Since nothing can be installed, it isn’t possible to get a virus.

The only problem was that we didn’t realize that the Chromebook pushes wouldn’t occur over 3g. My mother went to a wifi connection to patch, but it was quite far behind at this point. She requested starting over with a new machine. I was thinking I would just patch when I visit, but then I saw there are now models out with built in 4g. I’ll take her old Chromebook in case I want to see what something looks like for support and she can have a 4g one.

Researching how much the 4G plan costs

I wasn’t able to determine how much the 4G plan cost before buying the Chromebook. I currently pay for the 3G plan for the old Chromebook. I was expecting the 4G plan to cost more. (It didn’t. I was pleasantly surprised.) However, this information is apparently secret. I couldn’t find it on Verizon’s website. I did find the Jetpack hotspot price, but that is expensive ($60/month for 3GB.) I also found the prepaid tablet price list which turned out to be what I wanted. I wasn’t clear if the Chromebook was considered a tablet. I even called Verizon and they couldn’t tell me the price for 4G on a Chromebook.

I did find a PCWorld article from a year ago quoting $50/month for 5GB. That’s a lot given my mother uses less than 1GB/month.  I decided to buy the 4G model and hope for the best. If the only plan was the $50 one, I’d get a separate hotspot from T-Mobile or AT&T whose prices were easier to discern.

How much the Verizon 4G plan costs

I pay $20/month (no line charge) for 1GB on 3G. I was pleasantly surprised to see that 4G will cost me the same.

The pre-paid rates for 4G are:

300MB for one day $5
1 GB/month $20
2 GB/month $30
4 GB/month $40
6 GB/month $50
10 GB/month $80

The contract “more everything” plans are:

4 GB/month $30
6 GB/month $40
8 GB/month $50
10 GB/month $60
12 GB/month $70

For “more everything”, this price includes a $10/month line charge. There’s also a $35 initial set up fee and $15/GB for overages.

It isn’t clear from the website if the $35 setup and $10 line charge apply to pre-paid. They don’t.

The rates are competitive with AT&T and T-Mobile, who both post their rates online more clearly.

Usability issue #1 – Getting to the activation page

After buying the Chromebook, I went to settings and clicked “Verizon Wireless”. The name of my access point is listed as “4G LTE Contract (vzwinternet)”. When clicking “View account”, it said “Please Come Back Later” and “The Verizon Wireless Portal will be available after you restart your device”. I got this after restarting too though.

This article says there is no 3G support, only 4G. I was worried I was mysteriously not getting 4G, which wasn’t the problem. Per the support article, I did ctrl-alt-t and “modem status”. My signal strength was -43dbm, which was better than their example. I would expect my home wifi to be strong so this isn’t a surprise.

After updating to the latest Chrome OS and restarting, “mobile data” was disabled in settings instead of thinking I am on a Verizon contract. Rebooted a third time and now I see “not connected” and “Verizon wireless” as a choice instead of “disabled”. Finally, I can start signing up.

Settings > Mobile data > Verizon wireless > Activate

This time it loaded. I chose “create new account” since I want the prepaid route. And finally, I clicked “show pre-paid plans”, since that is hidden by default, to see these choices.

Usability issue #2 – Timeouts

I was doing this while doing the laundry so had the page with the rates on it open a while before paying. After letting me enter all my information, I got a session expired message. It’d have been nice to get that message before entering anything. After all, that’s when my session expired.

Usability issue #3 – Validations

Verizon didn’t like my address. I thought it was the “#” sign (for apartment number.) Nope. Must be the dash. Each attempt at this requires me to re-enter virtually all the info. It would be nice to remember some of this information and just make me re-enter the parts that actually failed validation.

Usability issue #4 – How much does it cost.

Prior to paying, I couldn’t figure out if I was going to get charged $20 or $30 per month. The payment page says on top that there is a $10 line fee. But at the bottom, it says I’ll be billed $20 per month. I found out it was $20/month when I got the email confirmation.

What went well

Finally, it tells me that I’ll be activated in 15 minutes and to call 800-786-8419 if I can’t connect. I was able to connect significantly faster than 15 minutes.

Another improvement from 2 years ago is that I can now go on My Verizon online and see how much data is used in the plan. It used to be that you had to do this from the device itself or call.

See part 2 for which model I picked.

why we can’t be replaced by 16 year olds

I mentor the programmers on a high school robotics team. There’s a range of skill levels. Some of them are completely new to programming. Some of them are really good at coding. So does that mean if someone is looking to hire a programmer, they can just hire a 16 year old? Well, not quite.

Tech skills

A teenager will take a Python course at Udacity and think he knows everything there is to know. (And I say “he” because girls tend to be more aware that there is so much out there to learn.) This means the new programmer will spend much time reinventing the wheel or “deriving” idioms.

Skill vs experience

I won’t dispute that a teenager can be a great coder. However, there is more to development than coding. Solving the right problem is important. Asking the right question is important. Challenging assumptions is important. Knowing when to reuse code is important. Being able to sell your idea is important.

More reading

Peter Norvig has an excellent article titled “Teach Yourself Programming in 10 Years” which explains why the teach yourself X in 24 hours can’t hope to cover everything.

contrast security plugin for eclipse

I recently learned that Contrast Security has a free plugin that tests your application against the OWASP Top 10.  We’ve tried to fix these already. You can read about how we fixed Clickjacking, CSRF and XSS in JForum.

Installing

I started out by installing the Contrast plugin from the Eclipse Marketplace. After restarting Eclipse, a Contrast view automatically opens with instructions. It says to right click your server and choose “Start with Contrast.” Easy enough. I usually use Sysdeo so I can start the server in one click, but this is hardly onerous.

A Diversion: Fixing Tomcat Configuration

I got an error on startup. I then tried to start the server using the server view (without Contrast) and got the same NoSuchMethodError:

java.lang.NoSuchMethodError: sun.security.ec.NamedCurve.<init>(Ljava/lang/String;Ljava/lang/String;Ljava/security/spec/EllipticCurve;Ljava/security/spec/ECPoint;Ljava/math/BigInteger;I)V

I fixed this by switching Tomcat 7 to use Java 7 instead of Java 8. (We aren’t using Java 8 yet for CodeRanch’s JForum software so this is fine.)

  • Workspace preference
  • Server
  • Runtime Environments
  • Click Tomcat and edit
  • Choose Java 7 as JRE

This had nothing to do with Contrast. I hadn’t encountered it because I was using Sysdeo to start Tomcat before this.

Actually testing

Now that the server starts up, I stopped it and restarted with Contrast. Then I clicked around the app a bit. (You can use Selenium tests or any other testing tool to automate this part.) The Contrast view starts to populate with its findings. I clicked around until I had about a dozen findings. They were:

| Category | Issue | # Instances | Details | My analysis |
|---|---|---|---|---|
| Orange | Insecure hash algorithms in XXX | 3 | Provides an explanation of what the problem is, why it might/might not be a problem along with the stack trace (showing how it is used) and the HTTP request/headers for the request(s) that triggered it. | Two of the three findings refer to the exact same line of code. (Which was run on two different screens). The other appears to be in Tomcat itself. My configuration isn’t the same as the real server here. [The other two I need to look into further] |
| Yellow | Anti-Caching Controls Missing in XXXX | 6 | Provides the HTTP request/headers, suggested remediation | It’s annoying to have this reported on every page. Glad there is an “ignore this rule” option. We run a public website and want things to be cached. Client side caching makes the site faster for users and doesn’t leak information since 90% of our information is public to begin with. The only risk is if a moderator accesses the private forum on a public computer. We are technical users and know to clear data if this happens. |
| Yellow | Forms without autocomplete prevention | 3 | Provides the HTTP request/headers, suggested remediation | Again, we are a public site so not a big deal for browsers to retain information. |
| Warning | CVE(s) in commons-httpclient-3-1.jar | 1 | Provides links to the two CVEs along with the manifest of the vulnerable library. | I knew this from running Sonatype CLM Insight. The two CVEs are in functionality in the library that we don’t use. Still it is sweet to have this information available for free and with almost no effort. (Insight is a commercial project. We saw a one time result from the report.) I was concerned that information about the jars was being sent over the internet so I asked on Twitter. Jeff Williams replied that the CVE information is in a built in database updated via Eclipse Marketplace. Neat! |
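
The anti-caching finding above comes down to one case that matters: private pages viewed on a shared computer. As an added example (not JForum code, and not something the post says was implemented), a servlet filter can send no-store headers only for private paths and leave public pages cacheable. The class name, the `privatePrefixes` init-param and the sample paths are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not JForum code: disable caching only for private areas.
// The "privatePrefixes" init-param and its sample values are assumptions.
public class PrivateAreaNoCacheFilter implements Filter {
    private String[] privatePrefixes = new String[0];

    @Override
    public void init(FilterConfig config) {
        // e.g. <param-value>/admin/,/forums/private/</param-value> (hypothetical paths)
        String raw = config.getInitParameter("privatePrefixes");
        if (raw != null && !raw.trim().isEmpty()) {
            privatePrefixes = raw.trim().split("\\s*,\\s*");
        }
    }

    // True when the webapp-relative path falls under a configured private prefix.
    boolean isPrivate(String path) {
        for (String prefix : privatePrefixes) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Use the container-decoded servlet path and path info rather than the raw URI,
        // so ";jsessionid=..." parameters or %-encoding cannot slip past the prefix check.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        if (isPrivate(path)) {
            // Set before the chain runs, while the response is still uncommitted.
            response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
            response.setHeader("Pragma", "no-cache"); // for HTTP/1.0 caches
            response.setDateHeader("Expires", 0);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Mapped to `/*` in web.xml, this leaves every public page cacheable, so the rule can be ignored for public pages while the private ones are covered.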

What to do with the results

When right clicking on any finding, you have four options:

  • Mark Resolved
  • Delete
  • Ignore (this instance) – useful for a false positive
  • Ignore rule – useful for a rule that doesn’t apply

My thoughts on the Contrast plugin

  • I like that the stack trace is included because it is easy to see context. I also like that lines belonging to the app are in blue in the stack trace.
  • It was very easy to use. And free. Which makes using it a no brainer.
  • While there aren’t false positives from unused code, there are false positives from context (which a tool can’t know).
  • Two of the rules triggered on a number of pages. (and would have triggered on a lot if I tested more)
  • While I don’t have a long list of things to follow up, it was a good thought exercise. And the reason I don’t have a long list is because we manually went through the OWASP top 10 in preparation for the “Iron Clad Java” promo recently. (so as not to have embarrassing issues pointed out)