A notch above a monkey

Travel articles and gear

We like to travel, but I avoid reading travel pieces unless we are researching for an upcoming trip as we currently are. Too much of this semi-fictional genre is snobbishly prescriptive or laughably overconfident (and sometimes both).

The most annoying example of the former is almost a sub-genre of writing describing the right way to travel while scolding “detractors”, where right usually means backpacking for months with a small backpack and on the cheap, trying to meet locals. I find it especially annoying because not only do we not all travel for the same reasons, for most of us how we travel is a compromise between our wishes and abilities, including available time and money. What every traveller should strive for is to minimise their negative impact on the environment and visited cultures, and apart from cruises there are few travel approaches that I would describe as a priori wrong.

The other grating notion is the idea that spending a few months in a foreign society will result in your understanding of it. This is not true even if you are an anthropologist. More exposure rarely hurts, but I wish more people stayed humble in their interpretations of observed events. I understand English pretty well, have spent cumulatively almost two years in England, have friends there and have spent decades consuming British culture through media, books, TV, movies and music. That is an investment I am unlikely to be able to repeat with any culture, and yet I am still not completely fluent in it. There are bits I don’t understand and frankly not all British people do either, as is likewise true for me and Slovenian culture.

However, I find an interesting piece of advice or insight can salvage almost anything. With this hope, here’s mine. Try watching local TV at least a bit during your travels, especially commercials. I find advertising provides a skewed but interesting lens on how society wants to see itself and what it finds important and profitable. Also, asking for opinions instead of facts is more likely to elicit richer answers, and repeating previously answered questions to newly met people can be illuminating.

(Photo) gear

Like I said, I rarely read articles about travel except when doing research, which mostly means looking for information about specific locations and travel gear.

Over the years we’ve developed checklists for all types of trips we do and got pretty good at packing, but the need to tweak our gear never goes away, if for no other reason than to replace worn-out stuff.

There are a few items I am almost obsessed with. Backpacks are one of them. Their designs have immensely improved over the years and I have also accepted that we need several, but I think philosophical differences between me and backpack designers make it unlikely I will find a perfect one for multi-day treks.

Trekking trousers are another. Men’s trousers are usually serviceable, but women’s are generally awful because of their creators’ seemingly almost phobic fear of external pockets. If one needs to wear a jacket or take off their backpack to have access to a map or one’s phone, then they are not fit for use, and most aren’t.

But since we are both keen photographers, I especially try to optimise the photo equipment we lug around. The last decade brought a lot of changes to the gear I see used on our trips. Most casual shooters have switched to using smartphones, and mirrorless cameras are replacing DSLRs among photo enthusiasts, although the latter group may carry as much as it used to since the new space and weight are now often taken by drones. Everyone uses whatever device makes the desired shot the easiest (e.g. wide panoramas tend to be taken with smartphones).

Our trips usually include off-grid treks of up to a week. It took me way too long to figure out that the best way to handle those is to carry a high-capacity power bank and make sure every electrical device can be powered through a USB connection. This also makes everything easier when we are back, as it reduces the number of cables, is generally easier to fix if something goes wrong and reduces the need to find free electrical sockets. We don’t use solar cells because they would rarely if ever be practical for us.

On our last trip I tried to see how well I can do with a smartphone as my only camera. Generally, I was pleased with the results but found the phone’s lack of zoom too limiting, which is why I have switched to an iPhone X with its 2x optical zoom. Still, while better than before, this is often not enough and cannot be compensated for with cropping, because a significant crop of a 12M image does not leave many pixels even when change of perspective is not an issue.

It seems new phones will add even wider lenses that are fairly useless to me, as stitched panoramas are excellent and have better resolutions. I have experimented with switchable lenses from ShiftCam. I still love their design, but the lenses themselves are of poor quality, a problem also plaguing their competitors, judging by images published online. I would gladly pay more for an easy-to-use quality zoom lens if I could find one.

On the other hand, apps available for tweaking photos are often phenomenal. As an iOS user I mostly rely on built-in tools, SKRWT for perspective corrections and TouchRetouch for removing unwanted items. It can feel almost magical how easy it can be to shape up a photo. I am sure equivalent tools exist on the Android platform too.

Nevertheless, the technical quality of these photos is still noticeably worse than those taken by our Nikon so we will continue carrying all that stuff. If only I could now find a compact travel tripod that would be easier to attach to our backpacks.

Securing web applications

I recently finished working on a project with stricter security requirements than I am used to. While my work on the project is done and I am deciding on what to do next, I keep thinking about what I did and what I could do better next time beyond following established good implementation practices. This is my attempt to jot down my (unpolished) thinking, which will be light on technical details as I am not allowed to divulge them.

The first thing I did was to create a threat model for the app’s frontend. It is not something I would see done on every project, but it really should be a standard practice, even if it is simplified to a “living” list of assets to protect, identified threats and planned countermeasures.

An under-appreciated part of web frontend development using client-side frameworks is that, practically speaking, it is not possible to secure the app you are building on your own. Every major framework depends on and installs hundreds of packages (usually more than a thousand) and it is not feasible to audit all of them and their updates. Even the smaller problem of tracking license compliance is a nightmare. Therefore, managing risk also involves managing trust in external parties.

When using such frameworks is beneficial enough, I favour libraries built and in use by major tech companies such as Google and Facebook, especially if their documentation does not ignore security. They may not be better in all aspects I might care about, but they will both have more resources invested in their development and be more likely to be properly audited, as those companies present a much bigger and more valuable target than the companies I work with. I avoid adding 3rd party libraries as much as economically possible and, when that is not possible, prefer to copy the parts actually used (with license and reference to the original) when only a small bit of that library is needed.

Loading 3rd party code directly in the browser should be frowned upon. Even with the modern toolbox for avoiding/limiting abuse (iframe sandboxing, CSP…) nothing is remotely as safe as not loading unknown resources in the first place. Since this is not always possible or desirable, it is best to treat them as an existing exploit of unknown severity and decide where they must be avoided and how to best manage their risk elsewhere.

A similar risk is posed by browser extensions. User fingerprinting is a very good reason for trying to prevent discovery of loaded extensions, but I would still find it useful to at least know if there is any extension loaded that has access to my app’s contents without explicit user request. It seems this is not possible. Admittedly this is not a widespread desire and most applications would not change their behaviour based on this information, but a few should (e.g. banking web apps).

In simpler, more naïve times we used to discuss whether the DOM is a good place to store the state of a page. Clearly this is not a good idea for anything beyond storing the state of UI controls, and even then every change should be reflected on screen with an appropriate user notification (change transition, alert…). I remain undecided on how much uni-directional data flow helps with security, but it does some, similarly to how private class properties do, and I find it easier to track possible attack points if the interface is a rendered reflection of the application’s state and I can focus my attention on the interactive parts with which the user changes it.

Protecting code and data from nosy scripts with JavaScript closures is already effectively done by frameworks and rarely requires manual intervention. This is mostly enough, but an unsolved problem for me was to keep data private and have it survive a browser window reload, as I can only do one with any kind of certainty. I am reasonably sure this is not possible, since every available storage is also available to other scripts, as is requesting data from the server without authentication.

sessionStorage is preferred to localStorage. Any personal data should be removed with sessions that shouldn’t be long either.
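One way to apply the sessionStorage advice above, as an added example that is not code from the project described: personal data is kept under one key prefix, expires after a period of inactivity and is wiped when the session ends. The names `createSessionVault`, `makeMemoryStorage`, the `pd:` prefix and the `maxIdleMs` option are hypothetical, and the in-memory storage is a constructed stand-in so the code runs outside a browser.

```javascript
// Constructed in-memory stand-in for window.sessionStorage so the example runs
// under Node; in a browser, pass window.sessionStorage instead.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
    key: (i) => Array.from(m.keys())[i] ?? null,
    get length() { return m.size; },
  };
}

// Hypothetical helper (not a library API): personal data lives under one key
// prefix, expires after maxIdleMs without access, and is wiped on session end.
function createSessionVault(storage, { maxIdleMs, now = Date.now, prefix = 'pd:' }) {
  const touchKey = prefix + '__lastTouch';

  function purge() {
    // Collect keys first; removing while indexing would skip entries.
    const doomed = [];
    for (let i = 0; i < storage.length; i++) {
      const k = storage.key(i);
      if (k !== null && k.startsWith(prefix)) doomed.push(k);
    }
    doomed.forEach((k) => storage.removeItem(k));
    return doomed.length; // number of keys removed, timestamp included
  }

  function expireIfIdle() {
    const last = storage.getItem(touchKey);
    if (last !== null && now() - Number(last) > maxIdleMs) purge();
  }

  return {
    set(name, value) {
      expireIfIdle();
      storage.setItem(touchKey, now());
      storage.setItem(prefix + name, JSON.stringify(value));
    },
    get(name) {
      expireIfIdle();
      const raw = storage.getItem(prefix + name);
      if (raw === null) return null;
      storage.setItem(touchKey, now()); // reading counts as activity
      return JSON.parse(raw);
    },
    endSession: purge, // call on logout
  };
}
```

The helper only limits how long personal data stays around; as noted above, any script running in the same origin can still read the stored values directly from the storage object.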

It would be nice if all my research and effort provided me with more comfort than they do. Maybe fear is just the price paid for remaining vigilant.

2018 review

I just reread last year’s review and could copy the first two paragraphs with few changes. I am still fine, loved ones less so, and there were new horrific organisational experiences to replace old ones.

Without wish or intent to go into much detail, this was a year in which our home had to be listed as a no-go location in a restraining order, and I observed the Slovenian police and justice system dealing with credible threats to life and continuing to fail miserably to this day. Not all failures come down to sex, but being a woman certainly seems to make things worse for you.

Still, I ended last year in a much better mood than I started it in or was in for much of the year. No doubt visiting Madagascar and Réunion, while physically taxing, helped a lot. As did a summer visit from friends, hiking more than ever, building Legos and working on a new project.

Recently a British minister was ridiculed for playing with Lego sets, but I can only recommend it, especially to those under stress. The calming effect of putting bricks together and the satisfaction of building something are truly relaxing. I don’t know what I might do this year, but last year I built the Taj Mahal:

Taj Mahal

This year I would also like to build something more useful and less tactile. I made prototypes to test the idea of an email Instapaper at the end of last year and hope to get it running some time this year, if I can resolve problems around financially tolerable and reliable email delivery. It might even lead to some fresh content on this website if I write up an idea or two after I test it with this service.

Last year I did not read much, but we hiked often, which really paid off in Réunion, where a bout of dengue led to me carrying a heavier than expected backpack for days on end. I was possibly the fittest I’ve ever been, and if I could get into the same shape this year while improving my diet and losing some weight, then that would be great.

My main goal last year was to take care of loved ones. I cannot remember why I felt it necessary to state this, as it is, will be and should be the most important thing I do every year.

I do not want to give myself a pass again for not doing much else. I felt myself getting stupider this year, which was a wholly unenjoyable experience. 2019 is the year of my new, less flattering demographic age bracket, but I will not be remotely old enough that dulling of intellect would be expected or acceptable. I suspect this “development” had a lot to do with what and how much I read last year, and I will focus my efforts there to expand my general knowledge.

Speaking of learning, I did not make much progress with Spanish last year and won’t in the first few months of this year either. At some point (spring?) I’ll have to if I don’t want to forget what I already learned.

My plans for 2019 are unintentionally vague, so there is a good chance that I could in some sense fulfil more than usual, including another long trip abroad. There is one thing I want to change from 2018 and that is just being more intentional in whatever I will do. Nothing seems to make time feel wasted as reliably as spending it without forethought.