Tuesday, March 10, 2020

Rust Bluing for the Home Hobbyist

What is Rust Bluing?
Steel rusts. Since our species has been making steel tools we've been searching for ways to stop that from happening. Bluing is the most common method of protecting steel from the elements. These methods include things such as:
  • Browning
  • Fire bluing
  • Cold chemical bluing
  • Hot caustic salt bluing
  • Rust bluing
Rust bluing results in a very durable finish. When done properly you will have a blued metal piece that is nicely polished. World famous British gun maker, Holland and Holland, still uses the rust bluing process today on their very high end firearms. (When I say high end, I mean if you don't have 12K to spend on a double barreled shotgun, don't even walk in there.)

The process, at its core, is pretty simple. You take metal, let it rust into red oxide, convert it to black oxide, stop the reaction, and then polish. However, the process is time consuming. You can refinish a pistol in a day, but it is what you will be doing all day.

What do I need to get started?
You are going to need a bunch of stuff to do this properly. Luckily it's all pretty cheap

Pre-Work Materials:
  • Sandpaper (300 - 600 grit)
  • Degreaser
  • Nitrile or latex gloves
  • Lint free cloth
  • Goggles, face shield, or other eye protection
Bluing Materials:
  • Large, but ideally shallow, pot. Unless you want to be sleeping on the couch, don't use the pots in the house. Go hit the thrift store and pick one up. I got mine for 4 bucks
  • Steel wool (000 or 0000)
  • Fine wire brass or steel brush. I prefer brass as it won't mar, since brass is softer than steel
  • More gloves
  • Goggles, face shield, or other eye protection
  • 1 gallon of *DISTILLED* water. This must be distilled water or your reaction is going to be ugly and you will not like the results. Other types of water are going to have minerals and other impurities in them.
  • Bottle of Mark Lee Express Blue #1
  • More lint free cloth
  • You will be working with an oxidizer, but you don't need to wear a respirator. That said, during the boiling process, avoid inhaling the steam as it's probably not good for you.
Finishing Materials:
  • Chemical resistant gloves. Those thick yellow rubber ones they sell with the cleaning supplies at the grocery store will work. You will be working with lye/caustic soda during this process. You need to protect yourself from chemical burns
  • Goggles, face shield, or other eye protection
  • Polishing wheel
  • Polishing compound. I prefer Flitz
  • 2 pounds of lye or Sodium Hydroxide. You'll be making up caustic soda to stop the reaction
  • Container to hold your caustic soda liquid. Get something that's unlikely to result in spills. Label it so people know what's in it and that it's dangerous. I went with a 1.25 gallon HDPE gas can because it has a pour spout that is closed by default and a nice flat base so it's unlikely to tip over
  • 1 gallon of distilled water (yes another one)
  • Lint free cloth
Prep Work
Preparing the Part
For this to work right you need to put in some work ahead of the bluing process. This is where the bulk of the hard work comes in. The time you take to prep your part and the thoroughness with which you do it will directly determine the outcome of the final product. The four main enemies here are:
  • Pre-existing coatings
  • Existing rust
  • Pitting
  • Oils/grease, including the oils on your hands
First, glove up. From this point forward you will not be touching your parts with bare hands until we are done. The oils on your fingers will mess up the finish. Even if you can't see them, they'll be there. I have a part I blued years ago that looks great except for a thumb print that's clearly visible on the finish.

Second, you want to make sure the part is free of any existing coatings. If the part has previously been cold blued, you can remove that bluing by soaking the part in apple cider vinegar. If the part has been lacquered, as is the case with my axe head, you can get that finish off by soaking it in something like Brownell's Steel White. I soaked the axe head for 12 hours, then hit it with a wire wheel, then a steel brush, then sanding.

This axe head has a lacquer on it that will prevent bluing

The part after cleaning. Note the lack of a shine
Third, you want to make absolutely sure your finish is free of rust and pitting. You might be thinking, "Why do I have to get all the rust off? Aren't we going to be rusting these parts anyways?" Rust is like cancer. If you do not get it off before we start the bluing process it will survive under the finish. Even a little bit left in some pitting will grow under your nice finish and ultimately ruin your part. You can take a wire wheel or a Dremel to the part if it's in rough shape. From there hit it with 300 grit sandpaper in a circular motion, then 400 grit, then 600 grit. You want a nice smooth finish free of rust and pitting.

Fourth, degrease the part. I use an industrial degreaser available at Harbor Freight that comes in concentrate form. I mix it up a bit stronger than the directions say. Once you have degreased, wipe your parts down with a lint free cloth and put them somewhere where they won't pick up debris.

Preparing the Caustic Soda
At the end of the bluing process we are going to need to kill the reaction. We do this by soaking the parts in "caustic soda". So, what the hell is caustic soda? Caustic soda is quite literally lye (sodium hydroxide) in an aqueous solution. You'll be using 1.5 pounds of lye to 1 gallon of distilled water.

Your caustic soda supplies. Not pictured: Gloves & eye protection

Fill a pot or tea kettle with distilled water. You don't need to fit the whole gallon in there. Get the water hot, but not boiling. You're just warming the water up to help dissolve the lye. While you are waiting for the water to get hot, dump your pound and a half of lye into your container and put on your personal protective equipment (PPE). Once the water is hot, pour it slowly into the container with the lye. BE ADVISED, you will most likely get a hot jet of caustic steam out of the container so make sure you are not holding your face over the opening. Have the windows open as well. Should you get a face full of caustic steam, get your face under cold water quickly and rinse for 10 minutes. Hopefully you were wearing your eye protection, but if not wash your eyes out for 10 minutes as well. Once the hot water has been added, add the last of your gallon to the container and seal it up. You want this solution to be roughly room temperature when you need it later (another good reason not to heat all of it up)

Clear your schedule, because you're now ready to start rust bluing

Rust Bluing
Congrats, you're about to start your first rust bluing project.

First, get that pot of distilled water boiling. Don't fill the pot all the way up. You want enough water to cover the part plus another inch or so. Filling the pot all the way up increases the chances of splashing and it makes it harder to get your parts out. Keep your jug of distilled water handy and just top up the water as you move through the process


Next prepare your work space. Think about where you will be working and where you need your tools. I keep my tongs near the pot of water along with paper towels to put my wet parts on. I keep my supply of gloves and rags next to that.

Since I'm doing this in my kitchen, I wrapped the cutting board in cling wrap, then laid down some paper towels. I don't want any of this nasty stuff getting on surfaces where I will prepare food. That said, I also scrub everything down when I'm done regardless

Pour some of the bluing solution in a container that you can easily dip your sponge in. Remember, a little goes a long way with this stuff. You don't need the sponge soaking in it. As you move into the next rounds after round 1, you'll mostly just be moistening the sponge again
I ultimately cut the top part of the cup off so I could get in there better

Throw your gloves and PPE on. Set your oven to 'warm' and put your parts in there so they can begin warming up.
Get in here Billy, granddad's making cookies!

Once your parts are about 100 degrees (F) you're ready to start with your first round of bluing. Take the parts out of the oven (be careful you don't burn yourself). Holding the part firmly, begin to apply the bluing solution with the sponge in nice, even, strokes. Also remember to work in 3 dimensions! Get the sides of the part, underneath, on top, any holes in the part. Also remember to blue the part you are holding as well. The reaction should start immediately. Should the reaction not start you might be dealing with 2 issues:

  • The part still has some kind of coating on it that needs to be removed
  • The part is aluminum or another non-steel material. You can't blue aluminum! You can anodize it, Duracoat it, Cerakote it, but you can't blue it.
Now that you've applied your first coat, set the part down and let it sit for 30 seconds. After 30 seconds, apply a second coat and let it sit for another 30 seconds. 

The process begins. Don't freak when your parts look like this initially

Now that you've added two coats of solution to your part(s) it's time to boil them. Carefully place the part in the boiling distilled water and set a timer for 5 minutes.

Mmm. That's good soup!

After 5 minutes, take your parts out of the bath and place them on the paper towels. Dry the parts with a clean towel. If there's any build up of material, hit it lightly with your brass brush to clear it off. Be careful, they will be hot. In fact, you'll be working with hot metal for the remainder of the day.

Once the parts are dry, take them to your bluing work space and begin the process anew. Once you've applied your bluing solution twice, drop the parts back in the boiling water and do this again. Overall, you will be doing this *eight* times.

Each time you do the cycle, you will notice more and more of the surface is turning a uniform color. Don't be concerned if they don't look dark after the first few rounds. This is an ongoing process.

For example, this is what the parts looked like after round 3:

Parts are darkening, but clearly have a ways to go

After round 4 I decided to make a quick video of the process:

I'm not very good at videos

And after round 7:

Parts are much darker and uniform in color now

And after round 8:

We're going to call this done!

Stopping the Reaction
We're almost done and you're about to get a break! We've repeated the coat/boil process 8 times and our parts are looking pretty darn good.

Take care when working with caustic soda; it can burn you

Turn the stove off and carefully dump that nasty distilled water you've been boiling down the sink. Wash the pot with hot water (no soap) and wipe it down. Set your pot on a cold burner or the counter top. Place your parts in the pot. Now slowly and carefully pour your caustic soda solution over the parts till they are submerged.


You'll now be happy to know that the parts need to sit for 90 minutes. Take your gloves off, take off your goggles, go catch up on Facebook.

Clean up from this stage is a snap too. Once you've removed your parts simply pour the caustic soda down the drain. Sodium Hydroxide in water is basically Drano. You're doing your pipes a favor by pouring it down the sink. Just make sure you don't get it on you and clean up anywhere you might spill. After dumping it down the drain, I run hot water from the tap into the sink for a few minutes. Make the most of your pipe cleaning!

Final finishing and Wrap Up
Pat yourself on the back, you've prepped your parts, you've rust blued them, and now you've killed the reaction. The final step is to finish up the part to give it a nice finish and to protect the metal. You have two different routes you can take here:

*Don't forget to put your PPE back on*

Option 1: Polish the metal
Take your parts and apply your favorite polishing compound. I use Flitz because it is nonabrasive. I don't want to polish off the nice finish I just spent all this time putting on. I apply a nice coating of Flitz, let it sit for a few minutes, and then buff it off with a polishing wheel on my drill press


I then do it again. Once I've polished twice I wipe everything down with a nice, clean, rag and call it a day. In a few days I'll wipe my parts down with some sort of gun oil (I usually use RemOil) to further protect them.

Option 2: Oil impregnate the metal
This option takes longer and will result in a higher luster in your metal. If you're going for a matte finish, you're probably better off with option 1. To oil impregnate the metal you will need a couple of things:

  • Quart of motor oil (doesn't matter what kind. I use 10-W30 because it's what I run in my car)
  • Cling wrap or a container that can hold the parts
Put your parts back in the oven on warm. Once the parts are nice and warm either place them in the container you set out and cover them in motor oil or coat them in a thick layer of motor oil and wrap them in cling wrap. Let those parts sit for the next 24 hours. Once you let 24 hours go by, take your parts, wipe them down, then polish them up on your polishing wheel

I went with Option 1 for my parts because I wanted a nice matte finish. Don't be surprised if the finish changes a bit when you look at your parts the next day. Mine went from a deep black to a black/grey that looks really nice




Thursday, February 27, 2020

Sending Personalized Emails to your Representatives The Easy Way

Overview

Writing your lawmakers can be a time consuming and arduous task. If you try the old trick of sending email to yourself and adding your lawmakers to the BCC line, there's a very good chance that email will go directly into their spam folder. Alternately you can put everyone on the TO line, however this is also likely to send that email to their spam folder. Additionally you cannot personalize the emails to them and are stuck with a "To Whom it May Concern" intro, which is unlikely to sway anyone.

This tutorial will show you how to use Outlook's "mail merge" function to quickly send bulk emails that contain a personalized greeting to the lawmaker in question and will deliver individual emails to their account through one easy bulk action

Pre-Requisites

In order for this to work you need two things:

  1. You need to have Outlook set up on your computer. You can use Outlook on your desktop with your web mail providers too! So you can set up your Gmail, Yahoo, etc. accounts to work with Outlook. I have Outlook set up with my Gmail account
  2. You need to have the list of people you want to email in your Outlook contacts. In addition to their names and email addresses, I highly recommend also adding their Title (e.g. Representative or Senator) and adding the committee they are on to the Department field. This will make it easy in the future to filter your contacts to send email to a specific committee. I also recommend adding a contact for yourself and including it in your mail merge so that you can verify that your emails were sent and delivered
How To Do It

Step 1: Open Outlook and go to your contacts. Select the contacts you want to email. If the contacts are all grouped together, you can click one, hold down the SHIFT key and hit the down arrow till they are all selected. If the contacts are non-contiguous you can hold down the CTRL key and select each name


Step 2: Select "Mail Merge". You will get a pop up. Verify that the following looks like this and click OK:


Step 3: Write your letter. Include the initial greeting "To the Honorable Representative/Senator " at the top

Step 4: Add the personalized greeting. Go back to your title line and make sure you click just after your greeting such as "To the Honorable Representative |" and click the "Greeting Line" box:


You will get a pop up that lets you customize your greeting. Since you've already included an initial greeting line, you don't need to have another greeting added, so select the drop down for the greeting and set it to none. You will see an example from your mail merge fields that you can click through to make sure everything looks good. Ignore the "Mr. Randall" thing, that's just an example:


If everything looks good, click 'OK'

Step 5: Make sure it looks right. You should now see the addition of <<GreetingLine>> in your document. Make sure it's in the right place. If it's not, delete it and repeat step 4

Looks good? Go to step 6

Step 6: Sending the email. You should now click the "Finish and Merge" button. A drop down will appear and you need to click on 'Send Email Messages'


When the dialog box comes up, add the title to your email:


From there, click OK to send email

Step 7: Verifying email got sent. You now have supposedly sent your emails, but we want to make sure they actually went out. If you included your own contact in the mass mail, you should get an email from you to that account. You can also check your sent messages folder to verify that mail has been sent as well:


And look, I got an email to my other address that I had included in my Mail Merge


Conclusion

This is actually pretty quick to set up and lets you send professional, personalized emails to your lawmakers. Once you have your contacts set up, sending out mass email will take you less time than it took me to write this post!

Friday, November 22, 2019

Keybase, we've got a privacy problem

What is Keybase? 

Keybase (keybase.io) is a platform designed to help users send and receive encrypted communications as well as securely store files and collaborate with others in “teams”. Keybase also allows users to attest to ownership of other accounts on sites such as GitHub, Twitter, Mastodon, personal websites, as well as validating cryptocurrency addresses. Keybase was founded by Chris Coyne and Max Krohn.

Note: Updates to this issue are now being included at the bottom of the post

What is the issue? 

Keybase currently lacks controls to allow the user to control how others interact with them. This lack of controls means that anyone who follows you (an event you cannot control) can begin messaging you or adding you to “teams” on Keybase without your consent.
The end user, as of this writing, cannot opt out of this functionality

This control gap is currently being exploited in the wild

Impact of the issue

The impact of this issue can range from annoying to dangerous. By preventing the user from being able to control who follows them on Keybase, any user can follow you and begin sending you messages or adding you to teams. This can lead to issues such as:
  • Stalking and harassment
  • Spam
  • Malware delivery
Proof of Concept 
Methodology

To accurately demonstrate this issue I have taken the following steps on a newly installed Windows 10 VM:
  • Create a new Gmail account for a user none of my participants have ever seen before
  • Create a new Twitter account for a user none of my participants have ever seen before
  • Create a new Keybase account for a user none of my participants have ever seen before
  • Validate the Twitter account created for this demo with my Keybase account created for this demo
  • Follow several users on Keybase
  • Add those users to a team they are not currently a part of and begin sending them unsolicited messages
Note: All participants in this are willing volunteers who have been told they are participating in a Proof of Concept demonstration. I am merely demonstrating that I could be doing this to truly random people 

Execution

Step 1: “Raoul Duke” created a Keybase account 

Keybase Account for "Raoul Duke" my test account

Step 2: “Raoul Duke” followed several people, created a team, and then added those folks to the team

Image showing a team being created by "Raoul" and several unwitting users being added to it
 
Step 3: “Raoul Duke” begins to message these users without their consent advertising crypto currency. I was also interested to see if there was any URL filtering happening on Keybase so the second link went to a site hosting a malware command and control portal. I blurred the link for obvious reasons 

"Raoul" advertising crypto currency to users who have not consented to be added to his team. This is spam

Timeline
  • November 9th, 2019 – I became aware of this issue when a random user added myself and others to a team and began discussing cryptocurrency
  • November 9th, 2019 – I looked up the bug submission process and was instructed to contact “Chris” and “Max” via encrypted email. Their keys were provided, but no email addresses were listed. I instead began a Keybase chat with Chris and Max, but received no response
  • November 13th, 2019 – I received yet another unsolicited chat from a user who follows me, but I myself do not follow
  • November 13th, 2019 – I took a guess and emailed chris@keybase.io and max@keybase.io. I heard back from Chris within a few hours, but would not hear back from Max until I made reference to publishing my writeup of this issue on Twitter
  • November 13th, 2019 – Chris replied to me suggesting that this was intended functionality. I replied reiterating my concerns and providing possible remediation steps. There has been no further communication from Chris at the time of this writing
  • November 15th, 2019 – I made a post on Twitter about disclosing the issue publicly. This elicited a response to me from Max via the initial group chat I created on November 9th, 2019
  • November 20th, 2019 – A Keybase user provided me with a screenshot demonstrating that they are also experiencing this issue
  • November 21st, 2019 – Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase
Communications
  • Initial communication from myself to Chris and Max. This was originally messaged to them in a Keybase chat on November 9th and again delivered by encrypted email on November 13th:
Hey guys,

I've got something to report. It's not a serious security bug, but I'm leery of posting the issue to the public forum for fear of exacerbating the issue. Currently any user that follows you can add you to a team without any kind of request to the user. I had a random guy I don't follow add me to a team and start messaging me about cryptocurrency stuff*. This really shouldn't be default behavior. This can result in a spam or harassment vector (hence why I'm reluctant to post it on the open forum). Ideally the default behavior should be that no one can add you to a team without your consent. Then maybe have an option of allowing those you follow to be able to do so, and as a final option let anyone add you to a team (but make sure folks know this isn't recommended).

Anyways I wanted to report this to you. Keep up the great work. I love the platform and find it invaluable.

- noid
 *[Note to the reader. The event described here was a separate event from my PoC. This event happened on November 9th and was a truly unsolicited team addition. My PoC event occurred on November 16th]
  • The reply I received from Chris Coyne on November 13th (Highlighting by me):
Hi Dave - thanks for reaching out in a responsible way with what you see as a security issue.  
We currently see team additions as analogous to email thread additions or phone messaging — lowering the friction makes for easier/healthier group forming, and if you’re not interested you can jump out. We’re actually rolling out shortly some newer/better tools around dealing with this, so it will be very obvious to you that you can choose not to be in the team upon being added….and it will therefore feel a bit more like an invitation.

We’re constantly revisiting this and we might also add an advanced setting that lets users specify rules around themselves getting invited/added to convos.
  • On November 13th I again received unsolicited messages from a random Keybase user who follows me, but I do not follow back:

Random message from a Keybase user who follows me, but I do not follow

  • My final reply to Chris on November 13th:
Chris,

Thank you for taking the time to get back to me. I'm going to disagree with you somewhat on this. Currently any user of Keybase can follow any other user and begin messaging them without consent. The idea that it’s up to the user being messaged to leave the conversation or team puts the onus on the wrong participant. For example, I can begin messaging any Keybase user right now with ads for Chinese Viagra or, even worse, an opportunity to check out this cool thing over at hxxp://somemalwaresite.com/hostile.js.

While yes, this is no different than email thread additions or unwanted SMS messages, but you don't see people calling those things a feature; rather the opposite. In fact, there's an entire ecosystem around blocking unwanted messages, calls, or texts from other people. Platforms like Twitter and Facebook give me the opportunity to not get messages from people I'm not connected to. Just ask any woman what happens when she opens her Twitter DMs to the world. That's currently what's at play here.

Just this morning I got another message from someone who I don't follow (but who follows me). This is just a matter of time before this gets abused for spam, harassment, or malware. The simple solution here would be to give the user the opportunity to say 'I don't want to be messaged by people I'm not following or added to teams by them'. Another alternative would be similar to how Twitter protects those with "protected tweets": If you want to follow someone who protects their tweets, it sends an approval request to the user. So on Keybase I can either say "I can choose who follows me and anyone I approve may message me or add me to a team" or "Anyone can follow me, but you can't message me or add me to a team unless I follow you back". Of course you could always leave the user the option of "Anyone can hit me up any time" as well. However, that shouldn't be the default (and currently only) option.

I've not looked into the Keybase API just yet, but I'd be willing to bet I could exploit at least part of this programmatically.
  • On November 16th, Max responded to the initial chat after a posting I made on Twitter about disclosing the issue: 


  • On November 20th a Keybase user provided me a screenshot of an unsolicited conversation from someone effectively panhandling for crypto currency: 


Issue Remediation

As discussed in my email, the fix to this is pretty straight forward. Give the users some options:
  • No one can message me or add me to a team
  • Only people I follow can message me or add me to a team
  • Anyone can message me or add me to a team
Guidance for Keybase Users

The crux of this issue is that the Keybase user currently lacks controls to alter or block this behavior. However, I would like to provide some guidance on how to identify this behavior:
  • If you are receiving unsolicited 1:1 chat messages you cannot leave the chat, you can only mute the notifications. However, if you click on the user’s profile you do have the option to block the user
  • If you have been joined to a team or group message without your consent you can leave the team by selecting the “gear” icon and choosing “Leave Team”. From there you can view the profile of the user who added you and block them there
    • Note: If you leave a team, members of that team can add you right back to the team. There is no mechanism to stop this. If you block the person who added you to the team, they obviously can't add you back, but others in the team can. 
  • Finally, and probably the best corrective action you can take, would be to mail Chris Coyne (chris@keybase.io) and ask him to provide Keybase users with controls that allow them to change how users interact with each other. Alternately you can hit up Chris and Max on Twitter. Barring that, you could always take advantage of this control gap and contact Chris or Max directly on Keybase or add them to a team to discuss this matter. Good user experience (UX) design for an online collaboration and messaging platform puts control of who contacts you and how they can contact you into the hands of the end user
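
The three options from Issue Remediation, written as a recipient-side authorization check that also closes the re-add gap noted in the guidance list above. This is an added example, not Keybase's code or anything from the original post; the `Account` fields, the function names, the deny-by-default setting and the account names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Set, Tuple


class ContactPolicy(Enum):
    """The three user-selectable options proposed in the post."""
    NO_ONE = "no one can message me or add me to a team"
    FOLLOWED_ONLY = "only people I follow can message me or add me to a team"
    ANYONE = "anyone can message me or add me to a team"


@dataclass
class Account:
    name: str
    # Assumption: deny by default, as the author's first email to Keybase suggests.
    policy: ContactPolicy = ContactPolicy.NO_ONE
    following: Set[str] = field(default_factory=set)   # accounts this user follows
    blocked: Set[str] = field(default_factory=set)     # accounts this user blocked
    left_teams: Set[str] = field(default_factory=set)  # teams this user chose to leave


def may_message(sender: str, recipient: Account) -> Tuple[bool, str]:
    """Decide a 1:1 message. Only the recipient's own state is consulted:
    who follows the recipient (something they cannot control) is irrelevant."""
    if sender in recipient.blocked:
        return False, "sender is blocked"
    if recipient.policy is ContactPolicy.ANYONE:
        return True, "recipient accepts contact from anyone"
    if recipient.policy is ContactPolicy.FOLLOWED_ONLY:
        if sender in recipient.following:
            return True, "recipient follows sender"
        return False, "recipient does not follow sender"
    return False, "recipient accepts no unsolicited contact"


def may_add_to_team(adder: str, recipient: Account, team: str) -> Tuple[bool, str]:
    """Decide a team addition. Leaving a team is a standing refusal, so no
    member (blocked or not) can put the recipient straight back in."""
    if team in recipient.left_teams:
        return False, "recipient left this team"
    return may_message(adder, recipient)


def leave_team(recipient: Account, team: str) -> None:
    recipient.left_teams.add(team)


def run_scenarios() -> dict:
    """Constructed accounts: 'stranger' follows alice; alice follows only 'bob'."""
    alice = Account("alice", following={"bob"})
    out = {}

    # Default policy: an unknown follower cannot add alice to a team.
    out["default_stranger_add"] = may_add_to_team("stranger", alice, "coins")[0]

    alice.policy = ContactPolicy.FOLLOWED_ONLY
    out["followed_only_stranger_msg"] = may_message("stranger", alice)[0]
    out["followed_only_friend_add"] = may_add_to_team("bob", alice, "coins")[0]

    # alice leaves the team and blocks the stranger; another member she
    # follows tries to re-add her to the same team, then to a different one.
    leave_team(alice, "coins")
    alice.blocked.add("stranger")
    out["readd_by_followed_member"] = may_add_to_team("bob", alice, "coins")[0]
    out["friend_other_team"] = may_add_to_team("bob", alice, "hiking")[0]

    # Even the most open setting still honours the block list.
    alice.policy = ContactPolicy.ANYONE
    out["anyone_blocked_sender"] = may_message("stranger", alice)[0]
    out["anyone_unknown_sender"] = may_message("carol", alice)[0]
    return out


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY'}")
```
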
Conclusion

I’m disappointed in Keybase’s response to this issue, given the nature of their platform. Keybase bills itself as a place to collaborate for friends, families, communities, schools, etc. Unfortunately, this issue opens those users up to online harassment, spam, and potential compromise. In short, until sufficient controls are put into place to protect its users, Keybase is not a safe place despite the fact that everything is encrypted. I can only hope that this disclosure pushes Keybase to implement strong controls to the end user that will allow them to control who they interact with and how they interact with them. 

Acknowledgements 

I would like to thank several people who contributed to this work: 

Christopher Hultin, Nate Campbell, Robert Hoffmann, Lucky225, and Marc Rogers

Updates

Since going live with this blog post there's been a number of new developments. The biggest being a blog post from Keybase themselves on December 4th, 2019:

While ultimately this is the right course of action to take, myself and others are disappointed that they still don't seem to be getting the crux of the issue. This is more than just spam, this is about harassment and user privacy. For example:
On December 3rd, 2019 Keybase and the Chaos of Crypto talks about this as well
On December 5th, 2019 The Register published a story about this issue
On December 6th, 2019 ArsTechnica published a story about this issue
On December 6th, 2019 Slashdot also discussed this issue
On December 12th, 2019 The Register issued a follow up story about this issue

Thursday, July 25, 2013

All good things..

After DEF CON 21 I will be retiring from my position as Director of Security. I will be handing the Directorship over to Marc Rogers. Richard Fleason, Pappy, and Pescador will continue to head up the leadership team as well.

So, the big question folks have been asking is 'why'. Well, there's a lot of reasons, but the biggest one is that I've been going to DEFCON for 21 years and I've been staff for 20 of them. Each year the conference requires more and more of my time, but as I get older I have less and less of it to give. This isn't fair to Jeff and it's certainly not fair to my team.

Also, I think it's a good time for a change in leadership on the team. As DEFCON moves into the 'post-DC20' era I think it's a great time to bring in a fresh perspective and reorganize the team a bit to make us more effective.

Finally, I've been doing DEFCON my entire adult life and don't have any idea of what life is like without it. I schedule my world around DEFCON and planning for the conference. I've quit jobs over DEFCON. Eve and I scheduled our wedding around it. DEFCON makes up a huge chunk of my life. People understand that a lot of work goes into making the conference happen, but I don't think they truly realize how much work it is and how much time it consumes.

I do want to say that I am proud of what I have been able to help create. I am also deeply honored that my team has allowed me to lead them into the fray year after year. These people are my family, my goon brothers and sisters, and nothing will ever change that.

So what now? What's next? That's the most awesome part about this...I don't know, but I can do anything I want. I may get back into research and start presenting *at* the convention. I miss hacking firmware and embedded systems and would love to have time for it again. I may go get involved with one of the contests if something catches my eye. Or, I may just go walk the earth, like Caine in the Kung Fu. What happens next is all up to me and I like the sound of that.

Monday, March 26, 2012

Toorcamp Site Review

March 17-18 2012 I had the opportunity to join the ToorCamp staff out at the location for this year's ToorCamp event.

Overall, I'm really excited about the opportunities that Black Lodge Research is going to have at this year's event. Here's a review of the location and the facilities:

The event site is the Hobuck Beach Resort in Neah Bay, WA. The resort is owned by natives of the Makah Nation and is on tribal land. It should also be called out that the resort is actually on the west coast of Washington and not in Neah Bay proper (this can actually result in two different types of weather). The event site is really large and features a couple of distinct areas, so be prepared to do some walking. The Quiet Area is half a mile from the main gate and probably a quarter mile away from the main event area. That said, walking on the beach is nice, it's a gentle walk, and we could all stand the exercise.


Main Speaking and Camping Area

This is where it's all going down. There are a number of cabins that line the northern side of the area that are available for rent. I got the distinct impression that the ToorCamp folks want these to be rented out by Groups/Vendors/Hackerspaces so that they can host workshops and other sub-events. Somewhere in the open area will be the main speaking tents as well as the general camping area. Parties will be allowed to go late into the night over there.

Quiet Area

The quiet area is slightly more reserved. There's roughly a dozen single-bedroom cabins (more on these later) over in that area along with plenty of camping space. The cabins will also be rented out to different groups so they can host their private (or public) events in them. This is actually where I want to see BLR get a cabin. The difference with this area is that there won't be any late night parties or noise. If you were at the last ToorCamp you know that the only place you could get some quiet was if you camped up by the security tent at the front gate. This year they will provide a space for those of us that only want to Rock and Roll part of the night and party for a certain part of the day.

The Beach


The beach is nice. In fact, the beach is really really nice.


However one very important thing to note is how far the tide comes in. When the tide is out you have nearly 100 yards from the start of the beach to the water. However when the tide is fully in, it can come up all the way to the dunes. This is something to take into account when placing your tent or if you are thinking about passing out drunk on the beach.

The Cabins

The cabins are small. They aren't much different from the insides of a single-wide trailer or a good sized RV. The cabins do feature electricity and hot water. Even though the cabins feature running, potable water, I still intend on bringing bottled water for drinking so I can use the on-site water for showering and washing up dishes.



Upon entry through the locking sliding glass doors you come into the living room. The living room is small but as we found out you can put a dozen or so people in there if you are good with playing chair Tetris.



Next in from the living room is the kitchen/bathroom area. Unlike an RV or trailer, the bathroom is actually fairly large. The bathroom features a regular toilet, a sink, plenty of storage space, and a good sized shower. The kitchen is just basically a kitchenette. There is a two burner range in the counter top, a microwave, a coffee maker, and a hotel sized fridge. There is no oven or dishwasher. In the kitchen cabinets I found an assortment of pots, pans, dishes, cups, and utensils. For ToorCamp I would highly suggest bringing your own cookware, plates, and utensils to make sure you have everything covered for what you want to make.

I would also suggest bringing an electric griddle/waffle maker, or a portable gas grill to use outside. I intend on bringing both a proper BBQ and an electric smoker. I also plan on bringing my own cookware and utensils so I don't have to worry about messing Hobuck's up. Also, plan on bringing a large cooler as the fridge, as previously stated, is about as large as you'd find in some hotels. You could probably store a 12 pack, a couple of 2L bottles, and some cold cuts in there. It's not super tiny, but it's certainly not large.

Finally, we have the bedroom. It's a simple queen bed affair with hotel provided bedding. Not much to look at, but does the job.



That concludes the site review portion of my post. However I also wanted to discuss some of the environment and logistics around this location.

Getting There

First off, getting to the location takes a while. It took me roughly 4.5 hours each way. There's several different ways to get to the area and some are better than others.

Option one is to drive from Seattle to Highway 101 and go up the interior of the peninsula to Highway 113 and then onto Highway 112 into Neah Bay. I'd only go this route if you are coming to Toorcamp from Olympia or points south thereof. The amount of backtracking from Seattle down to even the Tacoma Narrows Bridge is going to add a ton of travel time. This might be useful if you are coming from Seattle and bringing a large trailer or something that would cost a ton to take on the ferry.

Option two is to take the ferry from either the Seattle ferry terminal or from the Edmonds terminal (this is what I did) over to the peninsula, catch up with Hwy 101, then Hwy 113, then Hwy 112. This is probably the fastest route to take. It's actually longer to go 101, 113, 112 than to go 101 to 112 all the way, but you'll get there faster. To see why, read on.

Option three is to take Hwy 101 to Hwy 112's start in Port Angeles and just drive 112 all the way to Neah Bay. This is the route I took on my drive in (but not my drive out). This route is very scenic. This route is also full of twists and turns along with the beautiful coastline. If you're on a bike or in a performance vehicle, this route will not let you down. However I should call out that if you see any turn signs with speed restrictions of 25mph or lower, heed them. There are ample opportunities on this route to lay your bike down or to drive your fancy sports car off a cliff. Due to having to slow down and carefully navigate the terrain, this route, while shorter on paper, took me longer than planned.

Option four is for the adventurers with time on their hands. You can come up (or down) I-5 and hook up with Hwy 8 in Olympia then take that route up the western coast of the state to Neah Bay. The route is gorgeous but will take you a significant amount of time. Alternately, but in the same vein as this, you could come up Hwy 101 from the bottom of the western part of the state to the top. This would be the route I would take if I was coming up from Astoria, OR.

Neah Bay, WA

The town of Neah Bay, WA is a beautiful little place nestled up in the northernmost pocket of the continental US. You can look out across the water and see the vast cornfields of Canada, where kilted yaksmen roam the plains in search of herring. Neah Bay is also a tiny little town in the middle of nowhere, so expect gas to be very expensive.

As with many small towns (particularly on tribal land) expect the speed limit to be enforced to the letter. Unemployment is high in these villages and getting out-of-towners to empty their wallets into the city coffers is a prime directive. If the speed limit says 25mph, do it, as I can almost guarantee that there's a cop not more than 200 yards from you at all times.

Services in Neah Bay are limited as well. This is partially because they're a little town out in the middle of nowhere and partially because the natives tend to have a real DIY streak in them. You don't buy fish, you catch it. You don't buy firewood, you cut down a tree and chop it up. If you're a city person, then get ready to be in for a shock. There's a mini mart in town, a tribal casino, a gas station, a small grocery store, as well as a restaurant called the Warmhouse. I should also call out that there are no fast food restaurants in town. The closest you're going to get is a corndog from the mini mart.

I would highly suggest bringing your provisions in with you, or at the very least do your final shopping in Port Angeles prior to making the final trek into Neah Bay. If you're one of those types that goes camping but looks for any and every reason to hop in the car and 'go into town', you might not find what you are looking for. Also, since the camp is not even directly on top of Neah Bay (it's a several mile drive from the camp to the town), I would expect the tribal police to just be camped out along that road looking to issue tickets. So make your provision list, check it twice, pack your stuff, check it again, and once you hit the gates of Toorcamp prepare to remain there for the duration.

The final thing to remember is that this entire event is on tribal land. The Makah are really cool people. Be polite and respectful of them. Hell, I learned a few tricks about chopping wood in a 5 minute conversation that I hadn't figured out in a lifetime of chopping wood. We also got to see the proper way to butcher octopus. So be respectful of the Makah, clean up after yourselves, pack out your trash, don't fuck with the locals, and observe their rules.

Wednesday, December 7, 2011

Kindle Fire - Follow Up

I've had my Kindle Fire for a few weeks now, so I figured it was time for an update.

First off, I rooted my device. I know I had said previously that I would do a full write-up about rooting it if I decided to go that route, but I figured 'why?' as there are numerous sites already describing the ridiculously easy method for rooting your device. Be aware, however, that once you root your device it's not all sunshine and candy. For the moment, if you root your device, video from Amazon Prime will cease to work. Since I pull video from Netflix and local streaming sources on my LAN this did not affect me horribly, but if you live and die by Amazon Prime's free video on demand you may want to consider this. That said, there's no reason you can't 'unroot' your device after getting things on there that you wanted. For me the lacking applications were things like Dropbox and Astro File Explorer (yes, ES File Explorer is out there but I prefer Astro). Once you unroot your device, Amazon Prime will work again. This, of course, just means developer/hacker folks need to figure out how/what it's checking for and come up with a workaround.

Second, it looks like some of my predictions about this device have come true at least for me. The current #1 issue I have with this device is the lack of external volume controls. I knew it would be a problem, I just didn't realize how much of a problem it would be. Most applications don't give you the opportunity to control volume from within them. This leaves you with having to bounce back to the system pull-down and do it there, which can frequently result in you not being able to resume your application or causing your application to become unstable. All of this could have been solved by two plastic buttons on the side of the device.

Also, as predicted, the power button is a huge issue. I hit the power button pretty constantly while handling the device.

Lack of external storage is also a recurring problem as well. First off, some things can't be downloaded to the device such as streaming Amazon Prime movies, Netflix, etc. So when I'm sitting around some place looking to be entertained, I better hope that there's [good] WiFi nearby. First time I take this on an airplane it's going to get old really quick. That said, if I want to load it up with media to amuse me, I'm going to hit that 6gb limit of useable storage really quick. Obviously I knew going into this that the Fire had fixed storage and no connectivity options other than WiFi, I just didn't realize how quickly I'd hit the upper limits of my storage.

In the 'new issues' pile is the UI itself. I had mentioned in my previous post about how clunky it felt and that feeling has only grown. I press icons and nothing happens. The UI seems to only do what I tell it 90% of the time with no explanation for the other 10%. Applications seem particularly unstable on the Fire as well. I'm not talking about the 3rd party applications that I installed from sources outside of the Amazon App Store, I get that those might not run as advertised. I'm talking about the apps I get from the Amazon App Store crashing and burning on a regular basis.

Final UI issue that I have grown to absolutely loathe is the recent items scroller. First off, there's no way to exclude items from appearing there so it's not just recently opened applications, it's recently installed applications and web pages I've visited. The result is a large, unsorted, pile of junk that I have to hunt through to 'quickly' access it. I find it easier to ignore it completely and just pull apps from the app menu, books from the book menu, etc. The other issue with the recent items is that it's too sensitive to even the slightest touch. One thing I have noticed about the Fire is that if you want an icon to execute you have to make sure you are touching it in exactly the right place and in exactly the right way. The recent items scroller is so sensitive that you will spend time trying to get that icon you want to execute into the one and only position from where you can execute it while alternating between scrolling too far or not far enough. I feel like I'm trying to balance something on the head of a pin before I can open it. Luckily the solution here (for me anyways) dropped into my lap this morning: You can now get CyanogenMod7 running on your Kindle Fire.

In the good news column, I no longer hate the screen size. I still think Amazon would do well to offer a larger version, and if they do I would be inclined to buy it, but in the meantime I have grown used to the display. The battery life on the device is pretty nice as well. I've so far only had to charge it about once a week. The other interesting note is that despite my gripes about it, I do find myself using it daily. If I had to do it again, I'd probably go with a Nook Color though.

Friday, November 18, 2011

Kindle Fire - First Impressions

I had been reluctant to get into the tablet market for some time. To me tablets seemed like a solution to a problem I didn't have. Every time I wanted to get one I would stop and ask myself "Why? What exactly is this going to do for me that isn't already done by my laptop or netbook?" and every time I would come up without an answer.

Several months ago I decided I wanted to get some variety of e-reader. The physical weight of the books I carry around for reference is not insignificant so I would love to ditch it all for a magical device that could hold hundreds of pounds of books while weighing only a pound. "Finally!", I thought "I have a problem that might be solved by a tablet." The Kindle was my first choice in terms of readability, however with a lot of technical manuals there are tons of diagrams and pictures and the e-paper display of the Kindle just didn't do it justice. I then looked at the iPad but was turned off by both the price and the display. The iPad display is overall really nice but for some reason it just didn't jive with me when it came to reading. When the Kindle Fire was announced I decided it would be the device that I was going to try. First, you can't beat that 199 dollar price point and the specs of the gear were more than adequate. Second, Amazon has a certain reputation to live up to in terms of producing e-readers so I figured they would be a good bet. This logic in hand, I pre-ordered my Kindle Fire and got to waiting.

November 17th arrived and as UPS had foretold, so did my Kindle Fire. I took it out of its rather unique packaging, plugged it into the wall, and was surprised when it fired up on its own after I plugged it in. Initially I was impressed.

This device is well built and feels solid in my hands. One issue I had noticed with some of the cheaper tablets is that regardless of build quality, I felt like I was going to snap them in half if I didn't exercise extreme caution.

The screen is very sharp. I was impressed with the screen resolution as well as the fact that the colors are crisp and not over-saturated. I haven't been able to see how it holds up under outdoor usage and sunlight as I live in the northwest and we won't be seeing that angry fireball in the sky till sometime next May.

Setup was a snap. I powered the device on, it associated with my wireless network, and then it registered itself with my information unprompted. That last part spooked me a bit as I still need to dig into it to understand how they did that.

Finally my device was up and operational, let's get some apps on this thing and give it a try! At this moment, disappointment began to set in. I wouldn't say that I am unhappy with my purchase, but I have not been terribly 'wowed' by it since I started using it. Here's my current take on it:

1. It's too small. The display is awesome, but this device really needs to be 10" and not the current 7". Yes I can zoom in and look around, but to really be valuable as an e-reader (that is, first and foremost, what I bought it for). With any luck they will release a Kindle Fire + or something that has a larger screen.

2. Power button is on the bottom. It's funny, when I first saw a generation 1 Kindle the first thing that I noticed about it was that the buttons to turn the pages weren't intuitively placed and that frequently the very act of holding it caused you to change pages. Well, it looks like Amazon did it again with their first generation Kindle Fire. The power button is on the bottom of the device alongside the micro-USB and headphone jack. So far I have managed to hit the button repeatedly with my hand by holding the Kindle or by resting the base of the Kindle against my chest while using it. This is going to get old quick.

3. No external volume control. This is going to be a problem with this device, especially given that the one thing the Kindle Fire is really awesome at is video playback. As I fired up Angry Birds last night I was made very aware of the fact that the game has no volume control. Since the game had no volume control and there was no physical volume control my only option was to turn the system volume down...which is not even remotely easy, especially while the application is running. I am going to have to figure out a solution to this before I end up disturbing people at work, at the gym, or god forbid waking my wife up.

4. The OS is not responsive, despite the specs. One thing I've noticed about Android based devices is that time and again, vendors take a perfectly functional bit of hardware and make it run poorly by trying to put some custom UI over the underlying OS. HTC has done this with its Sense UI, Motorola has done this with Motoblur, and Amazon has done this with their UI. Based on hardware specifications this device should be screaming fast for Android. That said, I found that hitting buttons (such as the return/back button) frequently yields slow responses if any at all. On numerous occasions I kept hitting the back button to have the device do nothing, then suddenly on press #10 it takes me back. This is supposed to be cutting edge technology, but it runs a bit like Windows Mobile 6.1.

5. No 3g and/or external storage. I obviously knew that the Kindle Fire lacked 3g connectivity and external storage before I bought the device. Amazon was up front about this lack of functionality and that decision was panned by critics almost immediately. Now that I have the device in my hands, I wish it did have one or both. Honestly, I'd be happy with a micro-SD card slot.

6. This may or may not be a problem of scale, but I found last night that numerous parts of the Amazon store didn't work. I would try to download an application from the Amazon AppStore and nothing would happen. I would try again, but still nothing. Final try it worked. This cycle would happen over and over again for every application I tried to pull down. In another instance the Kindle wouldn't pull down graphics/icons for items in the AppStore. As of right now the icon for my Accuweather application is the Amazon 'Image Not Found' image. Someone was quick to point out that this may be the result of Amazon getting hit with a ton of traffic as people unbox their Kindles and begin loading them up with applications. So, I will withhold my judgement of this for a few days till things settle down. I really hope it's a scaling issue that Amazon can fix quickly.

7. No 24hr clock. Yes this seems trivial, but I live by the 24hr clock and not being able to select my date and time preferences is annoying.

So what does the Kindle Fire do well? Media. The Netflix application is pretty slick and the video quality is great. Shame that due to some of Netflix's recent business decisions they probably won't be around this time next year. The streaming content from Amazon Prime and my Amazon Cloud Player work great though. It's very likely that I will continue my Amazon Prime membership after my trial month is up.

So what are my plans going forward? Well, it looks like busting root on the Kindle Fire is fairly trivial, so I will probably be rooting my device in the near future. Hopefully Amazon approaches the idea of rooted devices with openness as opposed to the Apple approach of 'fixing' them with every update. Once rooted I'd like to get the Google Market up and running on the device so I can have access to a much wider range of applications. I'll document the rooting of this device when I get around to it.