The Cheap Parts Paradox

Every hobbyist has experienced it, and yet it seems to be the hardest lesson to retain over time: The more money you save by going with cheap parts, the more of your time you will waste getting them to work… if you can.

I was recently reminded of this rule while adding GPS to a Raspberry Pi project on which I was working. One of my co-workers had recently had good results with a GlobalSat USB dongle on a Pi project, and even though I had an Adafruit Ultimate GPS Breakout in my wishlist I was enticed by the price and the plug-n-play state that didn’t require me to do any additional wiring. So, I ordered a GlobalSat BU-353-S4 from Amazon.

Getting gpsd set up was pretty trivial, but the results I was getting from ‘cgps -s’ were inconsistent. Despite the GPS unit reporting that it had a lock, the clock display was several hours off from the displayed timezone, and the ‘Speed Err’ was +/- 300MPH. The unit, which was marketed as having a start time of less than 15 seconds, needed to run for an hour or more to finally settle down. Meanwhile, ‘cgps -s’ would keep crashing after a few minutes at most.

At the time, since this was my first experience with gpsd, I assumed cgps was just unstable. After a bit of googling, and reading other people’s tutorials, it became clear that cgps wasn’t unstable and that something was frak’d with my rig. That’s when I visited the gpsd hardware compatibility table. On the entire table, the only device with a ‘do not buy’ rating is the BU-353-S4. (Turns out my co-worker has bought the GlobalSat BU-353, which doesn’t have the ‘do not buy’ rating.)

I’ve since wired up an Adafruit Ultimate GPS Breakout directly to my Pi project.  It just works.   GPS lock was quick, time reported was correct, margin for error was reasonable, and I was able to run ‘cgps -s’ for hours without issue.

It’s easy to be tempted by the plethora of cheap parts on Amazon and eBay.  Not to mention that sweet perk of free shipping…  But sometimes it just isn’t worth it.  There is a huge value in buying parts that have been fully vetted by someone with more expertise, even if it does mean you have to solder eight measly wires.

Raspberry Pi, and Breaking the Arduino Mindset

I build a lot of projects around Arduino micro-controller boards.  They are simple, easy to program, have lots of fiddly I/O ports, and there are all kinds of crazy ‘shields’ for extending their functionality.   I have published a couple of Instructables that utilize Arduino controllers, and I have several projects that I still need to document.

I had one of those D’oh! moments today, when I realized that I had become stuck in an Arduino mindset, and it was holding me back.

I’m building a set of Raspberry Pi image capture systems for my Jeep. Each Pi will be running a camera. One will be shooting GPS tagged stills, and the other will be recording video in five minute segments. I need two Pis because the cameras I am using have a single dedicated port on each Pi. Maybe the camera port dependency is what got me locked into a mirrored system mindset, or maybe I’ve just spent too much time fiddling with Arduino projects. Either way, I ordered a pair of Ultimate GPS modules from Adafruit.

It wasn’t until after the order had already shipped that I realized this was a bit of a waste. I don’t need multiple GPS units, I just need to network the Pi systems to access a single instance of GPSD. I’ve got a sweet ASUS WL-330N that I can use to build a low power-draw wifi network in the Jeep, and two USB 802.11n modules cost less than a single Ultimate GPS module. I plan on giving the Edimax EW-7811Un modules a try. There’s a decent write-up on making these work, so I hope I won’t get burned by the Cheap Parts Paradox. (I’m only giving these a shot because Adafruit is out of stock on their RTL8192cu based wifi modules.)

How many other Arduino-isms can I break during this project…

The Importance of Monitoring SSL Certs

The certificate for this server is invalid. You might be connecting to a server that is pretending to be “swscan.apple.com” which could put your confidential information at risk.

As of  4:59 PM on 5/24/14, every Apple user is getting the same scary error.

Don’t worry, you are probably not the victim of a man in the middle attack. It appears that the SSL cert for swscan.apple.com, which is hosted at Akamai, has expired. This was probably due to a gap in the monitoring and management of the SSL certs provided to Akamai.

It is certainly possible that Akamai has been hacked, and a compromised SSL cert was installed.  Not likely, though.  To be safe, just hold off on any updates until Apple and Akamai get the cert updated.  Alternatively, you can download updates directly instead of using the App Store.  You can download all major updates here, and this server uses a different SSL endpoint that has a valid certificate:  http://support.apple.com/downloads/

Pro tip for Apple’s security team:  Even though swscan.apple.com lives at Akamai, you should set up SSL cert checks in Nagios for all  exposed HTTPS end-points that are in the apple.com domain.  These are the sorts of things you want to get notified about 60 days in advance.  In the unlikely event that Akamai has been hacked and the cert replaced, this type of monitoring would have immediately alerted you.  Win-win.
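A sketch of the kind of check described above, written as a Nagios-style plugin; this is an added example, not code from the original post or from Apple, Akamai or Nagios. The 60-day warning threshold comes from the post; the 14-day critical threshold, the optional pinned SHA-256 fingerprint argument and the function names are assumptions made for illustration.

```python
"""Nagios-style TLS check: expiry lead time plus an optional fingerprint pin."""
import hashlib
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes

def fetch_cert(host, port=443, timeout=10):
    """Return (not_after, sha256_hex) of the leaf certificate.
    Raises ssl.SSLCertVerificationError if the cert is invalid or already expired."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    expiry = ssl.cert_time_to_seconds(info["notAfter"])
    return datetime.fromtimestamp(expiry, timezone.utc), hashlib.sha256(der).hexdigest()

def evaluate(not_after, fingerprint, now, pinned=None, warn_days=60, crit_days=14):
    """Map certificate state to a Nagios (exit_code, message) pair."""
    if pinned and fingerprint.lower() != pinned.lower():
        return CRITICAL, "CRITICAL - certificate changed, sha256=%s" % fingerprint
    if not_after <= now:
        return CRITICAL, "CRITICAL - certificate expired on %s" % not_after.date()
    days = (not_after - now).days
    if days < crit_days:
        return CRITICAL, "CRITICAL - certificate expires in %d days" % days
    if days < warn_days:
        return WARNING, "WARNING - certificate expires in %d days" % days
    return OK, "OK - certificate valid for %d more days" % days

def main(argv):
    host = argv[1]
    pinned = argv[2] if len(argv) > 2 else None  # assumed optional second argument
    try:
        not_after, fingerprint = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        print("CRITICAL - %s" % exc.verify_message)
        return CRITICAL
    except OSError as exc:
        print("CRITICAL - connection failed: %s" % exc)
        return CRITICAL
    code, message = evaluate(not_after, fingerprint, datetime.now(timezone.utc), pinned)
    print(message)
    return code

if __name__ == "__main__" and len(sys.argv) > 1:
    sys.exit(main(sys.argv))
```

A pinned fingerprint also fires on a legitimate renewal, so the pin has to be updated as part of the renewal procedure.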

Both Apple and Akamai should have been monitoring this SSL cert.  I do not think anyone should lose their job over this. If anyone does lose their job over this, that would be a failure of management, not the person or team responsible for SSL certs.  I think this should be seen as an opportunity for improving monitoring and business processes.

I tried sending an email to security@apple.com to let them know they had a critical SSL cert that has expired.  My email received an error in response: “Your message to jmet-si@group.apple.com could not be delivered for the following reason: This group does not accept external messages.”  

Update:  I received a response from Apple’s Security Team.  They obviously resolved the expired SSL certificate, and they’ve addressed the bounce issue I reported.  Fairly promptly, for a holiday weekend.