Showing posts with label Process. Show all posts

Wednesday, July 28, 2021

PAYEE! at the Disco



Note: This post is a part of a series detailing my family's fight with dementia and elder abuse.


Navigating the patchwork of pensions and benefits systems available to my grandfather is a challenge, but it’s necessary to help him live comfortably now that he’s safe. If a relation or friend of yours needs help managing their finances, you may be able to help them with most financial transactions through a Power of Attorney, but the US Social Security Administration does not recognize such documents.  Instead, SSA has a separate process for helping someone administer their benefits by being named as a representative payee. It is fairly straightforward for something that feels like it was designed in 1940, but it can take time and be hard to navigate.  Your experience may be more or less complicated depending on the nature of your relationship and who the payee is, but the process to get started should be the same.

When someone you care for needs help with their benefits, you need to be named by SSA as their representative payee.  You can become a payee for a partner, spouse, child, parent, or close friend, and the only power you have is to help this person administer their Social Security Benefits. This means the money is sent to you, but you are merely an administrator for it. You spend it on behalf of the recipient, and it must be used for their care and upkeep. Everyone with a Social Security Number can pick a designated representative payee by logging on to their Social Security Account at ssa.gov and naming them. This might ease the process should something go wrong that prevents you from administrating your own benefits, but the person you name will still have to go through the verification steps that follow.

The payee appointment process starts with an interview (in-person or over the phone, depending on the current pandemic threat level) with the SSA itself.  Your local office should be able to help you directly. At the appointment, they ask you questions about your eligibility, relationship with the beneficiary, and try to tease out if you are taking advantage of the person you want to represent.  Be honest, and if it comes out during the interview that you may not be the best person to take care of them, you and the SSA rep will know. The SSA rep will ask for documentation (sent via fax or mail, blech) of why this person needs a payee due to their disability or incapacitation.  Afterwards, the rep may solicit more documentation from doctors or care facility staff about your relationship with the person receiving benefits.  They will ensure this person is being taken care of now, and that you, as the payee, are working with skilled providers in the patient’s best interest.  The collection/submittal period for this documentation has a strict deadline of 30 days.  You will need to start all over again with another interview if something goes awry.  In my case, the payee appointment coincided with the beginning of the pandemic. Doctors were slow to respond, and the first attempt expired with no decision, so stay on top of it!  If you have any doubts, reach out to the SSA rep that interviewed you.

After a nerve-wracking 30 days, you should receive paperwork in the mail from the SSA that you have been appointed as a representative payee.  It should also explain how much the benefits are, how they will be paid, and where they will be sent. The booklet that comes with this details your responsibilities, so read it, memorize it, and prepare to follow its guidance. It is also possible that you will receive a letter after appointment but before the payment has been sorted out.  It may say something panic-inducing like, "We have chosen you to be NNN's representative payee. However, we cannot pay you benefits at this time." After calling around and finding some threads after the fact, this letter is nothing to panic about.  It is automatically generated by the system, and it indicates that you, personally, are not receiving benefits, even if your payee will be.  This thread helped a lot to assuage my fears. The benefit information pertaining to the person for which you are responsible will be in the letter about your appointment as a payee.

If you are the payee for a relative or friend (not a spouse, child, or institutional relation), the next step is to create a separate bank account for the payee.  This will make managing the flow of money as easy as possible without mingling your funds with theirs. It also gives you an account for direct deposit so you don’t need to handle paper checks.  Talk to your bank or credit union. Most will understand what you mean when you say you want to open up a "payee account", and the guidebook on payees includes specific language for titling the account.  Talk with your banker to ensure you have chosen an account type with no fees. Having direct deposit means you can usually get one for free, so shop around, and don’t be afraid to take your business elsewhere if the big banks want to charge you a monthly fee. I was able to set up an account and direct deposit the same day. You will need to call the SSA National Line at (800)772-1213 once you have the routing and account numbers. Once this is set up, another letter with a panic-inducing first sentence may arrive.  It may say, "We cannot pay you NNN's regular monthly benefit at this time..." followed by the fact that they are instead sending them to a financial institution.  This is just to warn you that you will no longer be getting paper checks. At this point, the benefits should be flowing securely and with minimal overhead for you.

Your main paperwork duty is the annual Representative Payee Report detailing that funds were spent in the interests of the person receiving the benefits.  Start keeping receipts in a central place, write expenses down in a log book, make copies, and familiarize yourself with the forms ahead of time.  You don't want to panic at the last minute and have to assemble documentation from scraps or jeopardize your appointment as payee. While I haven't had to do the yearly accounting just yet, I have had to do similar steps for trustee paperwork. I'll be sure to update this once I have gone through the process.

Having the payee designation allows me a lot more peace of mind when interacting with SSA on my grandfather's behalf. It's parallel to a Power of Attorney process, and its procedures are a little arcane. I hope this brought you some clarity when doing it for your own loved ones.

Wednesday, March 24, 2021

Preparing Legally and Medically for Dementia

 Note: This post is a part of a series detailing my family's fight with dementia and elder abuse.

Patterned marble floor at a bank

Most people know about Do Not Resuscitate orders and similar preparations for care should the worst happen, but they may not include in their plans a long goodbye.  As a part of estate and healthcare planning, it is important to prepare for end-of-life scenarios that include dementia.  This includes consultation with a lawyer and those that will have power after you become incapacitated so the path during a crisis is clear.  It also includes keeping family involved in your health planning and interactions.  Options and decisions should also be publicized to your broader family and cleared with the people you plan to rely on for care to reduce their stress and yours.  This preparation is an act of love for your family just as much as it helps you protect yourself.

My grandfather appeared to have done everything right.  He had an estate lawyer with whom he set up a trust; we knew he had a DNR as he would often talk about not wanting to linger should he become a "vegetable"; he had a talk with my father, brother, and me about how we would all split his assets after he was gone.  This preparation assisted him and us when my grandmother passed, and he was able to collect her death benefits and notify pension organizations in fairly short order.  But there was a donut hole in his preparation, and none of us saw it until after he started showing signs of dementia. Alongside a provision that covered his passing, the trust included a separate line about incapacity that kicked in once he was declared as such by two doctors.  All of the provisions for taking over his trust were triggered by this provision.  His appointed successors, my brother and I, could only take over and have the power to manage his assets in his stead if he was so far gone as to be considered incapacitated.  And this line, one that seemed straightforward at first glance, turned out to be an incredibly high bar in the middle of a crisis.

Understandably, doctors are loath to declare someone as incapacitated based on the word of panicked relatives alone. My grandfather was gregarious, if forgetful, and he seemed collected at times of low stress like after a hospital stay.  Through a steady five-year decline, he appeared lucid enough to sow doubt that anything was actually wrong at all!  His dementia made him unable to make and keep regular doctor appointments, so it was impossible to obtain the opinion of a primary care physician capable of a longitudinal assessment of his mental state.

This gradual breakdown of personal interaction also extended to family relationships.  His personal choices to bring in strangers to the house had also alienated his family from his day-to-day health.   He became combative when we tried to intervene in his healthcare or suggest he was being adversely impacted by the people living with him.  He would argue that he was well enough to live independently and that he would rather die than go to a home.  Truthfully, his moments of lucidity caused me to wonder if he was fine, he didn't see anything wrong with the people taking advantage of him, and that maybe I had misjudged his character my entire life. I even had the heartbreaking thought that maybe he was just an asshole in disguise this entire time.  This all brought out one of the most pernicious symptoms of dementia: it can make victims actively antagonistic to caretakers like doctors and family.

Without two statements of incapacity, we could not administer any part of grandfather's estate even if it was obvious to us that he was no longer capable of doing so.  Banks turned us away even while they acknowledged my grandfather was being shadowed by his abusers in and out of the branch.  Without the trust paperwork in order, the bankers could barely acknowledge that he was a customer. Repeated hospitalizations for failing to take his medications properly were met with stonewalling by recovery centers when we set about trying to obtain a psychiatric evaluation.  The doctors had only seen him for a few weeks, and most were used to judging physical, and not mental, fitness.

To counter this wall of professionalism, we built strong ties to his in-home care nurses that began to visit once or twice a week after a particularly egregious health scare.  Luckily, the attending physician at the home health company was also doing rounds at a facility connected with the hospital my grandfather would go to in an emergency.  This created a chain of custody for his medical history that eventually led to him being declared incapacitated.  After that piece fell into place, the planning of the trust finally worked to his benefit.  And my brother and I were able to manage his healthcare, his finances, and his safety with the full force of the law backing us up.

Preparing early to allow affirmative control of an estate by trustees rather than aging relatives can save time and heartache for both.  Those given control can dispute fraudulent transactions, process evictions for abusive house guests, or deal with police while enjoying the legal backing of the estate's property rights if situations escalate.  Setting up your aging relative to retire as CEO and become Chairperson of the Family allows a family Board of Directors to take on the burden of management, but it also invests capable individuals with the power to react with their full faculties.

If I have advice, it is to protect your assets within a trust or similar legal framework, but make the bar for taking control in the case of your partial mental incapacity be lower than the one for your total incapacity. My grandfather chose to protect his assets with a trust having multiple co-trustees once either he or my grandmother passed. The trust held all assets and property, and appointing multiple co-trustees meant everyone with a stake in my surviving grandfather’s health and well-being had a say. My brother and I, even while living in different states, had to stay informed and consent to any material changes in assets or income. The same attorney that helped draw up the trust also helped with DNR and Medical Power of Attorney documents that were vital in ensuring my grandfather received care even as he stopped being able to advocate for himself. The one part of the trust that made it difficult for us in the case of dementia was the requirement for an assessment of capacity before co-trustees would assume control. The fact that we could not act on his behalf in terms of his property or financial health meant he lost almost $100,000 through theft, fraud, and property damage.  I am still unsure if estate law has been able to provide a middle ground in this area. Please talk with your estate planner, especially if you have a history of dementia in your family, to find out what your options are in the current legal system for your jurisdiction. Being prepared for dementia can be just as important as prepping for incapacitation from a stroke or an accident.

In the end, everything you do with and for your family will ease the burden of dementia on them.  Talk to an estate planning professional about your options, as a family, to prepare for long-term illnesses that may cause diminished capacity.  Keep in regular contact with your loved one's doctors or assist your loved ones in obtaining such care.  Discuss options before symptoms start to appear instead of after the difficulties mount.  The interaction of legal and medical preparations will protect both your loved one and you should they decline.

Saturday, March 20, 2021

Reducing Oregon Tax Liability for Washington Residents that Work From Home

NOTE: 

I am not a CPA, tax specialist, tax attorney, or other skilled professional in the tax space.  I'm just a schmuck with personal experience with the system.  If there is any doubt as to the applicability of my experience to your situation, consult a tax specialist near you.  Throwing a few hundred at them, just in case, could save you thousands in the long-run in audits, refund delays, and headaches.

Friday, May 22, 2020

Pholos - Magos Biologis



This Tech-Priest Dominus from 2017 is the first 40K miniature I had done in over 5 years.  My last army were the Heirs of Vulcan, Mega Man-style Space Marines that I never got around to finishing before I sold the lot during spring cleaning.  The new Adeptus Mechanicus minis as well as the hype around 8th Edition finally got me to pull the trigger on more models.

The thing that really hooked me was the change in resources available to hobbyists during my hiatus.  The explosion of high production-quality painting tutorials on YouTube, led by none other than Duncan Rhodes on Warhammer TV, is what really got me excited to paint.  I assembled miniatures for Blue Table Painting around 2005 which included conversions fed by their huge bitz wall.  But as much as I loved creating a new model, I didn't have the talent for my painting to keep up with my building.  This mini became the gateway to my current hobby enjoyment.  In addition to finding a Bob Rossian Joy of Painting, I have slowed down the rate of purchase, and I have also worked to level up my painting with each mini.  Check out other projects tagged Warhammer 40K for the latest.


The colors reflect the theme of the army.  Verdant green on ripped robes with gold sleeves.  This ragtag assemblage hates the weakness of flesh, and they despise the plants they're turning into war material for the Imperium.  The bottles of unguents keeping them alive are just as sickly green as their robes.

I pushed my skills in terms of layering.  At this point, I was doing no wet blending or even palette mixing.  Following painting tutorials, I applied a base, wash, base again on raised areas, and layers.  The techniques were basic, but seeing the miniature go from grey to painted was transformative.  I settled into a routine of finishing a single color through to highlights with this miniature.  Rather than base-coating everything (and reaching a featureless mini some people call "the ugly stage"), it felt good to practice basic techniques then iterate on the next color.  Before finishing the model, I went back over my novice areas and applied what I had learned.  This one miniature taught me so much about the process of painting.  If you also have a fear of painting, maybe try painting a squad leader before picking up a squad?

The base is a small circular medallion from a craft bin.  The cork and basing material help give it height in the display case without building a whole diorama.  The base is painted with drybrushing.  I finished it with stain after sanding away any stray brown base paint.  The bushes and grass are from model railroad supplies.

First Coat

Almost Done

Around and Around

Wednesday, May 20, 2020

Yarn Pet Mod - Platform for One Pound Cakes



My roommate has been picking up knitting and expanding their crochet skills during the pandemic Stay at Home orders.  As a part of their stimulus, they bought a Yarn Pet from Nancy's Knit Knacks.  They have also acquired a yarn ball winder that claimed to be able to do one pound skeins.  The curlicue tensions the yarn as it unwinds from the outside of the cake.  The platforms that came with it were thin circle platforms affixed to a smooth metal spindle with stops and set screws (you can see the spindle and stops above).  The platform holds the cake above the base at the appropriate height for the curlicue.  Small cakes?  Set it high.  Big cake?  How low can you go!

When they actually tried to use the Yarn Pet with the largest cakes (Caron One Pound FTW!), the little platform circles that came with the pet allowed the cake to slump and sag.  The cake would also rub against the curlicue and made it hard to pull.  They were worried about the yarn slipping below the edge and tangling under the cake.

To fix this, I used a board as wide as I could get and made it a circle:
  1. Found a home depot pine board in my scrap bin that was 5 3/4" wide.  Solid wood is preferable to plywood which can get splintery and snag the yarn.  Avoid knots if at all possible.
  2. Cut length to match width.
  3. Find the center by marking two lines from corner to corner.
  4. From center, use a protractor to mark 22.5 degree increments to the edge.
  5. Drill a hole in the center mark.  To fit the Yarn Pet spindle, I needed a bit with a width of 7/32".
  6. Using a table saw with miter gauge set to 45 degrees or a miter box, cut your square into an octagon.
  7. Test your new platform on the spindle.  My square was about a quarter inch too wide at the widest point, but it had plenty of play between a flat side and the curlicue.  I knew trimming it again would allow it to spin freely.
  8. I trimmed my octagon into a hexadecagon by setting my gauge to 22.5 degrees.  (Towards the end of the piece, the side touching your miter gauge will be incredibly small.  Keep a firm grip, and beware of kickback!)
  9. Sand the tarnation out of every surface with 150 up to 220 grit.  You can see in the picture above that I rounded every edge and corner.  I chose not to finish the wood, but I can always go back and do this between knitting projects.

Things learned:
  • I thought the thickness of the platform might be an issue, but it turned out to be perfect for giant cakes. The added thickness prevents the platform from wiggling on the spindle.  You can plane down your board to match the included platform circles, but then I might be worried about their integrity.  As is, the yarn comes off cleanly with the center-line of the cake coming just above the curlicue.  So smooth...
  • When putting the largest cakes on the pet, use the rubber stoppers for spindle-wound skeins to keep the cake centered on the spindle.  This will prevent wobbling due to a loosening center as it is pulled from side to side.
  • If you have a circle of the appropriate width and thickness already, all you need to do is find the center and drill it.  Couldn't be simpler.

Sunday, May 5, 2019

Splined Miter Jig and the Resulting Picture Frames

Here are a few pictures from back in 2016 showing a picture frame which was the first thing I made using my brand new jig: a miter sled I built from scratch for my Jet table saw.
The frame is Indian Rosewood. It has a very strong grain and is slightly oily. It was easy to book match, and each corner has a key from some yard cypress. The contrast between the two woods wasn't enough to make them stand out, but it gave the frame lots of strength. The finish is paste wax and nothing else. Very lustrous.
The glue up was really awkward due to the thickness of the piece. I bought strap clamps for next time. I'm not a fan of the simple geometry either. I need to take the time to make a few more shaping passes before cutting the miters. The frame itself kind of consumes the photo placed therein because there is such a deep well between the inside edge and the glass. It is very chunky as a result.
The hardware and glass were bought or salvaged from cheaper frames. I didn't measure right for the glass and had to shave a mm off one side to make it work. Gulp.

Sunday, March 24, 2019

The Aviary: Huckleberry

The Aviary, Pg 404

One of the cocktails hailing from The Office, a speakeasy basement bar underneath The Aviary, this seemed simple to assemble with only one bit of complicated machinery: a sous vide.  Also, the presentation alone was intoxicating: a frothy head atop a mauve concoction? Sign me up!


I was able to obtain a chinois at a Goodwill.  The strainer and pestle separate juice from pulp and seeds.  However, the main ingredient is a clove tincture (fancy word for Everclear infused with clove). This required a sous vide as written.  As long as I've heard about them, I have never pulled the trigger on this low temperature wonder-machine (I don't have an instant pot either).  I figured it was time to lay that to rest.

There are plenty of DIY sous vide videos on the internet.  I settled on one that recommended a rice cooker combined with an industrial 110V AC temperature controller instead of a brewer's setup.  The most important part of this setup is the type of heated pot you use.  I couldn't use my crock pot, for example, because it had a digital control.  Every time the power cut off and then back on, it would not return to heating the pot.  My manual-switch rice cooker worked like a charm, however.  Then, for $20 in parts from the hardware store and $20 for the temperature controller on Amazon, I had a safe contraption through which to control my rice cooker and keep a pot of water within 2 degrees of a specific temperature for any length of time (perhaps "safe" is relative; use wire nuts and an electrical box when playing with mains, kids; the picture below shows iteration one with no cover).


The clove tincture was dead simple but extremely smelly.  $1 in bulk cloves and some Everclear got me a half dropper full of the cloviest drops that ever passed your nose. A word of warning: toasting the cloves is a horrendously smokey business.  Do this with a hood on full blast or outside.  We had to open all the windows and run for coffee.  I already had a vacuum sealer so I dumped the toasted cloves into a bag, poured on the alcohol, and dunked it into the rice cooker for an hour.  I decanted the result into an amber bottle with dropper and savored the aroma (which wasn't hard; it was everywhere).


The rest of the recipe was fairly simple.  Huckleberries don't come into season until August, so we went with blackberries from Mexico.  The syrup came together easy with a few gradually finer strainings.  6oz made 166g of juice.  Amaro Averna from Total Wine, Bombay Gin on sale, and Angostura bitters I already had on hand completed the boozy bits.  A quick trip through a shaker came out with a pink foamy pour that gradually separated into mauve and foam.  The bitters and pepper hit our nose, and the herbal hit of the drink completes it.  It's just sweet enough with off-season blackberries to be pleasant without being overpowering.  As we drank, we noticed the colors change and aromas deepen.  Very fun and dynamic drink.



A second round (can't waste syrup, after all) made with vodka toned down the herbal nature.  This will probably be the version I make for myself unless the guests are already gin drinkers.  Too close to 'too much' pine.  A friend suggested ditching the clove and replacing it by painting the glass with Chartreuse.  Either way, this seems to be a reliable cocktail to just have on hand.  Freezing berry syrup during their season in 2oz portions and the huge amount of clove tincture I have left over means it will be quick to assemble with a fun story to tell while we shake it up.

Friday, July 27, 2018

Testing Encryption - 3 years of Dan Boneh's Online Cryptography Course

Three years ago in July, I completed Dan Boneh's online cryptography course with distinction through Coursera's Cryptography 1.  Since then, I've had the opportunity to use and test cryptographic systems at work and for hobbies.  Here are a few lessons learned when testing encryption.

I have found my fair share of bugs in the crypto we chose to use at work.  I've gotten into a routine when testing encryption used for message authentication:
  • Test the same plaintext multiple times.  Does it need to be different each time?  How much of the MAC is different each time?  It might help to explore the data your hashing function spits out as it can tell you how your hash function does what it does.
  • Replay it.  How can a user abuse identical MAC'd data if they replay it at a later date?  For a different user?  Can you add items to the plaintext that will allow you to validate not only the data but the source or timeframe as well?
  • Ensure your hashes are detecting changes. Is your MAC rejected if you change the data at various places within the message?
  • Rotate the key. Do you need a hash to survive a key change?  Usually you can just regenerate the data and re-MAC it, so figure out if you really need to use MACs over long lifetimes.  They're easy to compute.
  • Generate a bunch at once.  Is performance an issue with the service?  Most hashes are built for speed, but is yours?
For each of these failure modes, I'm looking mostly for hints of weakness.  I'm expecting pseudo-random noise, but how does my brain distinguish that from almost random noise?
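The checklist above can be turned into a small repeatable harness. This is an added example, not code from the original post; it assumes HMAC-SHA256 from Python's standard library, and the token layout, field names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag


def make_token(key: bytes, user: str, issued_at: int, payload: bytes) -> bytes:
    """Return body || tag; the body binds user and issue time to the payload."""
    u = user.encode()
    # Length-prefix the user field so two different (user, payload) pairs
    # can never serialise to the same bytes.
    body = struct.pack(">H", len(u)) + u + struct.pack(">Q", issued_at) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_token(key: bytes, token: bytes, expected_user: str,
                 now: int, max_age: int):
    """Return the payload if the token is authentic, for this user, and fresh."""
    if len(token) < TAG_LEN + 10:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    (ulen,) = struct.unpack(">H", body[:2])
    if len(body) < 2 + ulen + 8:
        return None
    (issued_at,) = struct.unpack(">Q", body[2 + ulen:10 + ulen])
    if body[2:2 + ulen] != expected_user.encode():
        return None  # replayed for a different user
    if not 0 <= now - issued_at <= max_age:
        return None  # replayed outside the validity window
    return body[10 + ulen:]


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def run_checks() -> dict:
    key = secrets.token_bytes(32)
    t0 = 1_700_000_000                      # constructed issue time
    payload = b"amount=25;to=bob"           # constructed sample message
    token = make_token(key, "alice", t0, payload)
    results = {}

    # Same plaintext twice: HMAC is deterministic, so identical input gives an
    # identical tag. Freshness has to come from the data that is MAC'd.
    results["deterministic"] = token == make_token(key, "alice", t0, payload)
    results["accepted"] = verify_token(key, token, "alice", t0 + 30, 300) == payload

    # One changed payload bit should change about half of the 256 tag bits.
    other = make_token(key, "alice", t0, b"amount=35;to=bob")
    results["tag_bits_changed"] = bits_changed(token[-TAG_LEN:], other[-TAG_LEN:])

    # Change detection: flip every single bit of the token, body and tag alike.
    undetected = 0
    for i in range(len(token)):
        for bit in range(8):
            mutated = bytearray(token)
            mutated[i] ^= 1 << bit
            if verify_token(key, bytes(mutated), "alice", t0 + 30, 300) is not None:
                undetected += 1
    results["undetected_flips"] = undetected

    # Replay for another user, replay after expiry, and use after key rotation.
    results["replay_other_user"] = verify_token(key, token, "mallory", t0 + 30, 300) is not None
    results["replay_after_expiry"] = verify_token(key, token, "alice", t0 + 301, 300) is not None
    new_key = secrets.token_bytes(32)
    results["survives_rotation"] = verify_token(new_key, token, "alice", t0 + 30, 300) is not None
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name:22} {value}")
```
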

There are many times when you need to generate a unique but random value but don't have the space to use a GUID.  To evaluate if a solution will be "unique enough", check out the Birthday problem Wikipedia page, and this table of probabilities in particular.  Find out how many possible values exist (9 numeric digits = 10^9 ~= 2^30).  Compare on the table with that value as the hash space size versus the number of times you'll be setting this value.  This will tell you if the algorithm you want to use is sufficient.  If you are making long-term IDs that can only be created once, you obviously want the probability of collision to be extremely low.  If you can recover from a collision by creating a new transaction fairly readily, you might not need as much assurance.  I've used this to help drive a decision to increase unique token size from 13 to 40 characters, guide switching from SQL auto-numbers to random digits to hide transaction volumes, and ensure internal transaction IDs are unique enough to guide troubleshooting and reporting.
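The table lookup described above can also be computed directly. This is an added example, not code from the original post; it uses the standard birthday approximation, assumes IDs are drawn uniformly, and the 36-character alphabet used for the 13 and 40 character tokens is an assumption, since the post does not say which alphabet was used.

```python
import math
import random


def collision_probability(space: int, draws: int) -> float:
    """Approximate P(at least one repeat) among `draws` uniform random values
    taken from `space` possibilities: 1 - exp(-n(n-1) / 2N)."""
    if draws > space:
        return 1.0  # pigeonhole: a repeat is certain
    # expm1 keeps precision when the probability is tiny.
    return -math.expm1(-draws * (draws - 1) / (2 * space))


def draws_for_probability(space: int, p: float) -> int:
    """Roughly how many values can be issued before P(collision) reaches p."""
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


def simulate(space: int, draws: int, trials: int, seed: int) -> float:
    """Empirical collision rate, to sanity-check the formula on a small space.
    Seeded `random` is used only so the check is reproducible; real IDs should
    come from a CSPRNG such as the `secrets` module."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = {rng.randrange(space) for _ in range(draws)}
        if len(seen) < draws:
            hits += 1
    return hits / trials


def report() -> list:
    """(label, number of IDs issued, collision probability) rows."""
    nine_digits = 10 ** 9   # the post's example: 9 numeric digits ~= 2^30
    tok13 = 36 ** 13        # assumption: 13 characters from [0-9a-z]
    tok40 = 36 ** 40        # assumption: 40 characters from [0-9a-z]
    rows = []
    for label, space in (("9 digits", nine_digits),
                         ("13 chars", tok13),
                         ("40 chars", tok40)):
        for issued in (10 ** 3, 10 ** 5, 10 ** 9):
            rows.append((label, issued, collision_probability(space, issued)))
    return rows


if __name__ == "__main__":
    for label, issued, p in report():
        print(f"{label:9} issued={issued:<13,} P(collision)={p:.3e}")
    print("9-digit IDs reach 50% collision odds after about",
          draws_for_probability(10 ** 9, 0.5), "values")
```

The approximation only holds for uniformly random values; a biased generator or a truncated timestamp collides sooner than these numbers suggest.
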

Time and again, the past three years have taught me that cryptography must be easy for it to be used widely.  I've stayed with Signal for text messaging because it just works.  I can invite friends and not be embarrassed at its user interface.  It doesn't tick all the boxes (anonymity is an issue being a centralized solution), but it has enough features to be useful and few shortcomings.  This is the key to widespread adoption of encryption for securing communications.  Since Snowden revealed the extent of the NSA's data collection capability, sites everywhere have switched on HTTPS through Let's Encrypt. Learning more about each implementation of SSH and TLS in the course was both informative and daunting. I was anxious to get HTTPS enabled without rehosting the site on my own.  Early 2018, Blogger added the ability to do just that through Let's Encrypt.  It requires zero configuration once I toggle it on.  I can't sing its praises enough.  The content of this blog isn't exactly revolutionary, but this little move toward a private and authentic web helps us all.

Dan Boneh's Cryptography course continues to inform my testing.  The core lesson still applies: "Never roll your own cryptography."  And the second is how fragile these constructs are.  Randomness is only random enough given the time constraints.  Secure is only secure enough for this defined application.  Every proof in the course is only as good as our understanding of the math, and every implementation is vulnerable at the hardware, software, and user layers.  In spite of this, it continues to work because we test it and prove it hasn't broken yet.  I'm looking forward to another three years of picking it apart.

Tuesday, June 12, 2018

Quotes from Dan Kaminsky's Keynote at DEF CON China


Above is Dan Kaminsky's keynote at the inaugural DEF CON China.  It was nominally about Spectre and Meltdown, and I thought it was immediately applicable to testing at all levels.  Here are some moments that jumped out at me:

On Context:

"There's a problem where we talk about hacking in terms of only software...What does hacking look like when it has nothing to do with software." 1:55

"But let's keep digging." Throughout, but especially 5:40

"Actual physics encourages 60 frames per second. I did not expect to find anything close to this when I started digging into the number 60...This might be correct, this might not be. And that is a part of hacking too." 6:10

"Stay intellectually honest as go through these deep dives. Understand really you are operating from ignorance. That's actually your strong point. You don't know why the thing is doing what it is doing...Have some humility as you explore, but also explore." 7:40

"We really really do not like having microprocessor flaws...and so we make sure where the right bits come in, the right bits come out. Time has not been part of the equation...Security [re: Spectre/Meltdown] has been made to depend on an undefined element. Context matters." 15:00

"Are two computers doing the same thing?...There is not a right answer to that. There is no one context. A huge amount of what we do in hacking...is we play contexts of one another." 17:50

[Re: Spectre and Meltdown] "These attackers changed time which in this context is not defined to exist...Fast and slow...means nothing to the chip but it means everything to the users, to the administrators, to the security models..." 21:00

"Look for things people think don't matter. Look for the flawed assumptions...between how people think the system works and how it actually does." 35:00

"People think bug finding is purely a technical task. It is not because you are playing with people's assumptions...Understand the source and you'll find the destination." 37:05

"Our hardest problems in Security require alignment between how we build systems, and how we verify them. And our best solutions in technology require understanding the past, how we got here." 59:50

On Faulty Assumptions:

"[Example of clocks running slow because power was not 60Hz] You could get cheap, and just use whatever is coming out of the wall, and assume it will never change. Just because you can doesn't mean you should...We'll just get it from the upstream." 4:15

"[Re: Spectre and Meltdown] We turned a stability boundary into a security boundary and hoped it would work. Spoiler alert: it did not work." 18:40

"We hope the design of our interesting architectures mean when we switch from one context to another, nothing is left over...[but] if you want two security domains, get two computers. You can do that. Computers are small now. [Extensive geeking out about tiny computers]" 23:10

"[RIM] made a really compelling argument that the iPhone was totally impossible, and their argument was incredibly compelling until the moment that Steve Jobs dropped an iPhone on the table..." 25:50

"If you don't care if your work affects the [other people working on the system], you're going to crash." 37:30

"What happens when you define your constraints incorrectly?... Vulnerabilities. ...At best, you get the wrong answer. Most commonly, you get undefined behavior which in the presence of hacking becomes redefinable behavior." 41:35

"It's important to realize that we are loosening the assumption that the developer knows what the system is supposed to do...Everyone who touches the computer is a little bit ignorant." 45:20

On Heuristics

"When you say the same thing, but you say it in a different time, sometimes you're not saying the same thing." 9:10

"Hackers are actually pretty well-behaved. When hackers crash code...it does really controlled things...changing smaller things from the computer's perspective that are bigger things from a human's perspective." 20:25

"Bugs aren't random because their sources aren't random." 35:25

"Hackers aren't modeling code...hackers are modeling the developers and thinking, 'What did [they] screw up?' [I would ask a team to] tell me how you think your system works...I would listen to what they didn't talk about. That was always where my first bugs came from." 35:45

On Bug Advocacy

"In twenty years...I have never seen stupid moralization fix anything...We're engineers. Sometimes things are going to fail." 10:30

"We have patched everything in case there's a security boundary. That doesn't actually mean there's a security boundary." 28:10

"Build your boundaries to what the actual security model is...Security that doesn't care about the rest of IT, is security that grows increasingly irrelevant." 33:20

"We're not, as hackers, able to break things. We're able to redefine them so they can't be broken in the first place." 59:25

On Automation

"The theorem provers didn't fail when they showed no leakage of information between contexts because the right bits went to the right places. They just weren't being asked to prove these particular elements." 18:25

"All of our tools are incomplete. All of our tools are blind." 46:20

"Having kind of a fakey root environment seems weird, but it's kind of what we're doing with VMs, it's what we're doing with containers." 53:20

On Testing in the SDLC

"We do have cultural elements that block the integration of forward and reverse [engineering], and the primary thing we seem to do wrong is that we have aggressively separated development and testing, and it's biting us." 38:20

"[Re Penetration Testing]: Testing is the important part of that phrase. We are a specific branch of testers that gets on cooler stages...Testing shouldn't be split off, but it kinda has been." 38:50

Ctd. "Testing shouldn't be split off, but it kinda has to have been because people, when they write code, tend to see that code for what it's supposed to be. And as a tester, you're trying to see it for what it really is. These are two different things." 39:05

"[D]evelopers, who already have a problem psychologically of only seeing what their code is supposed to do, are also isolated from all the software that would tell them [otherwise]. Anything that's too testy goes to the test people." 39:30

"[Re: PyAnnotate by @Dropbox] 'This is the thing you don't do. Only the developer is allowed to touch the code.' That is an unnecessary constraint." 43:25

"If I'm using an open source platform, why can't I see the source every time something crashes? ...show me the source code that's crashing...It's lovely." 47:20

"We should not be separating Development and Testing... Computers are capable of magic, and we're just trying to make them our magic..." 59:35

Misc

"Branch Prediction: because we didn't have the words Machine Learning yet. Prediction and learning, of course they're linked. Kind of obvious in retrospect." 27:55

"Usually when you give people who are just learning computing root access, the first thing they do is totally destroy their computer." 53:40 #DontHaveKids

"You can have a talent bar for users (N.B.: sliding scale of computer capability) or you can make it really easy to fix stuff." 55:10 #HelpDesk

"[Re: Ransomware] Why is it possible to have all our data deleted all at once? Who is this a feature for?!... We have too many people able to break stuff." 58:25

Saturday, June 2, 2018

Fixing Ford AC Head Controller Vacuum Problem

The AC on my land yacht (2009 Mercury Grand Marquis) has been on the fritz for a while. Last winter, it gradually stopped switching from max AC/recirculate (a necessity in Vegas), then got stuck on norm AC until it rested on Defrost/Floor. I was able to fix it with some basic troubleshooting, YouTube sleuthing, and two bucks in o-rings.

This shaky yet informative video by Ian Smith helped me diagnose it as a problem with vacuum only. The AC itself was fine. It blows cool air all day long. It just did so at the windshield. It couldn't be the blend-door actuator.

The same video showed me how to diagnose the vacuum problems. The black hose providing vacuum from the engine seemed fine: I was getting 20 inches of vacuum with the car turned on when I hooked up a bleed pump with a gauge (mine came from Harbor Freight, shown in the video). To test the actuators, all I had to do was hook a 'jumper' pipe from black to the other pipes. Each one seemed to hold air, and the actuators sprang to life once again. For the first time in a year, I had cold air blowing from the vents. The problem couldn't be in the lines. I pulled the controller head for a closer look.

The head itself is a bunch of electronics, a control panel, and one removable plate with four solenoids. The vacuum hoses come into this through a manifold, and the head controls trigger the solenoids to route vacuum from the black hose to the others. This triggers different actuators under the dash. Something was amiss in the manifold.

I returned to YouTube looking for rebuild instructions. I found this extremely helpful video from a Chicago mechanic. The solenoids contain an o-ring that dries out, wears out, and loses the ability to hold vacuum. I obtained close to the recommended o-rings from Lowes (#36, 5/16 OD, 3/16 ID, 1/16 thickness) as I was not willing to wait for Amazon. A little Oatey silicone lubricant made the tight squeeze work a little better. I found I had to seat the solenoid heads at least once before total reassembly. It was too difficult to do so at the end and fight with the other small parts at the same time. 45 minutes later, I had full control of my AC restored.

I can't believe it was this simple to fix the controller. I think I was intimidated by the AC (having spent $1500 last year to have the dealer redo the whole system from seals to refrigerant). I didn't want to break anything. A few targeted troubleshooting steps helped assuage any fears of irreparable harm, and now I have a comfortable cabin once again.

Tuesday, April 3, 2018

Urns

My father passed late last year, and I made three nondescript urns as keepsakes for family and friends. It was the first time I made a box of any respectability since 2000.  I hadn't originally planned to make them when he passed, but making them helped me process things in a difficult time.

I was the responsible party for my father's estate as his wife does not speak English very well. As such, it fell to me to arrange the funeral, notify friends, and start to organize his affairs. I kept it together. The arrangements were made, the bills were covered, and all in a few days. I kept it together, that is, until I tried to return to work. I got ready. I even got in my car to go. But I could not. Instead, I went into the shop and executed a simple design for holding a portion of his ashes.

The material is Indian Rosewood (the same that I used for the magnetic bottle openers). The strong grain made mitered corners a natural choice. I even had enough contiguous grain to try to book-end most sides. I didn't have a keyed or splined miter jig (which could have strengthened the corners), but I figured the lid and bottom would provide a good brace against failure.

Dimensioning the lumber wasn't very difficult; it was the geometry of the corners that caused me real trouble. I left the sides thick to give each box some heft. I eyeballed the lid thickness and shaved down some beautiful figured grain to just the right height (maybe I overshot it a little and had to clean it up later). When I got to cutting the miters, I found that I didn't have any accurate way to match them up. The miter saw was definitely not accurate from cut to cut. I lost a lot of material on the table saw trying to get a canted blade to just the right angle. I finally settled on using my miter sled. I had to cut the sides down a bit to make sure I could make the entire cut in one pass. By the end of this therapeutic day, I had three roughly identical boxes ready for glue-up.

The second half took a few more months to pull off. Uncertainty about the accuracy of the cuts led me to put the project on hold. Should I delay and try to true them with a shooting board? My girlfriend gave me the most wonderful advice once: when you find yourself rushing a project, put it down and come back later. The parts to three urns marinated on the bench and in my mind for a few months.

A test fit in March didn't seem too bad. The time off convinced me to persevere and get them together. I discovered too late that I mixed up the orientation of the edges. My careful bookends were a jumble on two of the three boxes. However, the imperfect corners and dimensional problems worked to hide the errors amongst each other. Sanding trued up protruding tear-out and splinters without obvious rounded-off corners. Finally, dark stain and some paste wax finished the work of hiding imperfect joints in dark recesses and shiny polished surfaces.

I finished the bottom with plywood. If I had to pick a spot where I'm uncertain about my choices, it's here. Glue is strong, but how will the baltic birch bottom hold up over time? I'm thinking of throwing in some brads there just in case. The bottom served as a canvas whereon I could memorialize my father. I was able to burn the message "Invictus Maneo", the Armstrong Clan (and our ancestral) family motto. Loosely translated, it means, "I remain unconquered."

This entire project was an object lesson in how I'm still learning some of the most basic techniques in woodworking. I need a way to clean up miters that start on the saw. A shooting board or similar has been recommended. Fine adjustments on my existing miter sled might also work. Though it didn't seem too bad once finished, the tearout for certain cuts makes me think I have a dull blade. I'll have to investigate, tune, and try again.

I think I've worked through a phobia of complex geometry. Something my father always talked about is how to hide your mistakes in woodworking. Bookends, miters, and a fitted lid left precious room for that, but I found a few tricks along the way such as meticulous test fitting, blue tape as clamps for difficult pieces, and patience above all. Regardless, I'm looking forward to the next boxes I build. I hope those have a markedly different emotional footprint.

OFBC 2.0

For Toxic BBQ 13 (DEFCON 25), we returned to the OFBC to see if we could improve the design and add some needed table decorations.


The first step was to simplify the PCB creation. I created a new layout in Fritzing that reduced whitespace. It also moved off-board components like batteries and the LED modules to use JST connectors for easy installation and swapping.  OSH Park did a great job with the PCBs. I was able to directly convert the Fritzing designs to printable format. Each board was less than 2 bucks by the time we finished. Never again will I make my own PCBs by hand. 


Sparkfun supplied most of the same components for about 15 bucks per light. Here is an updated BoM for this case:

Next, we redesigned the case. Instead of a three piece design requiring glue to assemble, the two pieces would be a base and a lid with a logo. Everything could be screwed into designed posts and covered with the lid. It was a snap. Production was easier with Shapeways. However, this led to longer lead times that prevented us from delivering to the barbecue. The prototyping went well and matched the designs, but the mass printings were so delayed that they didn't arrive in time for the barbecue even with expedited shipping. The resin product looked much better than the filament-printed 1.0 model. The cost at 20 bucks or so each was not prohibitive, but it certainly wasn't mass-market ready.




Design Pics

Updated Lid Design for Toxic BBQ 2018

Friday, March 30, 2018

Inquisitor Eisenhorn

Recently finished painting the Inquisitor Eisenhorn 30th Anniversary figure. As he was one of my father's favorite characters from Dan Abnett's 40k works, he will lead the reliquary squad to guard his urn in my display case!  Most of the techniques are standard, but I learned two things.

The first is that faces are really difficult without the right colors. I couldn't get the blending right with the washes and pots I had. The end result was muddy and pale. I touched it up after some research, and he looks better as a result. The hooded eyes ensure that the genetic anomaly called Private Dickard Syndrome doesn't affect Eisenhorn too. A little grey dry brushing on his chin gave him the 5 o'clock shadow and a little depth to match his hair.

The second bit of learning was around highlighting armor. Because he has so little, I didn't get sick of it and give up. The teal shoulder pads were a dream. They are a very simple highlight that allowed me to build up a rich color. The sharp white highlight was carefully applied, and it makes it look shiny without having to apply a lustrous enamel. I like it so much that the rest of the reliquary squad will have this color on their Tempestus breastplates.

Overall, I like one shot characters like this to learn new techniques. And this figure has enough detail to try many more. I particularly enjoyed the base with its cracked emblem and shiny brass.

Monday, October 26, 2015

Testing uTest: or How I Learned to Stop Worrying and Love the Gig Economy

I’m a member of an online community of testers called uTest (the practitioner-facing side of Applause). The company hosts a social network for testers and offers short-term gigs to its users (the cliched Uber for testers). I was called on this weekend for my first gig: testing a payment method in taxis. It was pleasant, if stressful, and it made me think of ways a company could take advantage of it to expand the perspective on their products.

After the initial invite to the test cycle, I communicated with a project manager via Skype to ensure I was able to carry out the test scenarios.  I brought to the table a specific model of phone and a verified ability to pull debug logs from it (thanks Verizon for turning off the op codes on my S4; I resorted to adb logcat).  They provided technical assistance and reimbursement for the transactions, but the primary incentive was a reward for test cases completed.

Throughout, I felt like a skilled secret shopper rather than a functional tester.  I was asked more about the non-software components of the launch than the app or phone functionality.  I reported on the advertisement of the feature, the education of the employees, and the capability of the equipment that supports the feature. In spite of expectations from the participating companies that the advertisement would match hardware would match training, this happened 0% of the time, and no employee had been informed why their equipment had been updated.  I wasn’t the only tester in this project on the ground, and the other testers saw related issues, and none had all their ducks in a row.  In all, the information they were most excited about was the boots-on-the-ground report I provided.  It was fascinating to see a live product launch from that perspective, and doubly so considering my history in this product space.

The final bulk of time spent on this gig was an experience report.  Complete with detailed feedback, photos of the equipment, and other evidence, this is where I was able to comment on the process as a whole.  From a testing perspective, I was able to provide detailed UI/UX feedback, evaluate the consistency of the process, and help them understand how much of their plans actually came off during the launch period.  There was some repetition in these reports.  One was a document with pictures, the other was a survey that linked to the doc and a third was a JIRA-in-spreadsheets for tracking testers.  These reports were all submitted to the project manager for feedback, and I received an up/down "accepted" in less than 24 hours.  While there is definitely room for improvement on the platform that would reduce tester overhead, it wasn't enough of a burden to avoid gigs.

Participation in this project taught me that coordination is hard, education of low-skill workers is even harder, and successful coordinated nation-wide launches like this are next to impossible.  This mirrored my experience with other companies.  There are always bits and pieces of projects that do not make their way down the chain to the workers that are face-to-face with customers, so having a boots-on-the-ground perspective is vital.

Overall, a company can leverage uTest services to add layers of testing to their launch activities over and above internal testing.  Specific and targeted verification is where they are the strongest.  They can provide feedback as to whether an uneducated but motivated customer can make it through the new process right now.  Specific errors and third-party verification can be farmed out for feedback through such a relationship: things the company wants to do but can’t do efficiently given a small staff or tight timelines.  This can provide a company with an enhanced view of the product and help challenge their assumptions before their customers do.

Note: edited to be a little more coy about who I was testing for and what I was testing.

Tuesday, September 1, 2015

Failing Faster, Succeeding...Soon?

I listened to a good podcast about having and executing on ideas.  Here was the gist of it:


  1. Have an Idea: Gather info directly from customers.  Implement now or Punt for later
  2. Once implemented, get a Minimum Viable Product to a Website, county fair, etc.  Fulfillment can be slow at first.  Persevere and refine or Punt
  3. Once it is selling, enter a Customer Validation Loop and handle their concerns first.  New ideas?  Start at top.  
  4. Once major customer concerns are addressed, enter a Product Design Loop: Change design or manufacturing as needed.

The core of the idea is to fail faster in the hopes that you succeed sooner.  Your backlog of unvalidated ideas is there to experiment on and validate.  Then you Implement, Persevere, Resolve and Redesign or Punt and wait until you've churned through your good ideas.


Another formulation of this is the 2-2-2-2-2 method.  When you are trying to determine if an idea is feasible, first spend 2 minutes getting it down on paper.  If it still captures your interest, spend 2 hours fleshing it out.  As it grows, time box your commitment to the project.  See it through or bin it.  By the time you're spending 2 weeks or months on an idea, it should be clear whether it can bear fruit or not.  I cannot find an online version of this idea.  If you can place it, let me know in the comments.

While this applies to product development, it can also apply to hobbies, chores and other activities.  Have an idea for homemade Christmas presents?  Try it out on a small batch before you become consumed with a monster of a project with no practical timeline for delivery. Have a request from a friend to help you with a project?  Spend a few minutes talking logistics.  If you get down to a trip to the hardware store, make sure you can finish that phase with results in an afternoon.  Re-evaluate before committing to future efforts: is the benefit still worth your collective time?


Monday, August 17, 2015

Magnetic Bottle Openers

In the tradition of doing something snazzy for the DEF CON Toxic BBQ, I created a bottle opener that would both mount magnetically as well as catch bottle caps with the same force. 

Amazon had a selection of sturdy bottle openers by Starr X, and a particularly helpful blog post by K & J Magnetics helped me pick out the featured magnet.  I'm relying on the interesting grain of the Indian Rosewood to give the piece character as I didn't have the tools to do a fancy profile, and my router bits are incredibly lacking, so I just went with dog-eared corners and a chamfered edge.  The burning visible on the below pre-finishing shot (accompanied by my favorite Wasatch brew) was due to the bit I used.


The magnet was epoxied in place after I cleared out a spot for it.  In order to prevent the opener from sliding on slick surfaces, I added slightly inset tiny rubber feet.  This also set the opener off from the fridge by just enough that you can get your fingers behind it to pry it off with ease. Lots of sanding from 100 to 600 grit made a great smooth base for some stain and spar urethane.  After three days of curing time, I plopped it on the post at the Toxic BBQ and had a pile of at least 50 caps by the time the night was through.  A great first run!

Wednesday, February 11, 2015

Bike Rentals, An Adventure

The local subreddit received a post requesting one of us rent a bike to a visitor while their significant other was at a conference.  This spawned an interesting adventure, and I learned a ton.

The post provided me with a list of expectations, and we quickly moved to Private Messages to hash out the details.  The end result was $20 per day for a bike, helmet and tools needed to keep you going.

I quickly found out I wasn't as prepared to rent as I had presumed.  For the bike, I had a $150 Wal-Mart special with a good amount of wear, baskets on the pedals, and some upgrades like a headlight.  The back tire on the bike was completely shot, so any money from this venture was going to go right back into it.  I didn't have patches, a portable pump, and my bike tool was nowhere to be found.  A trip to JT's and I was set.

The renter was staying at the Green Valley Ranch, a local hotel/resort, and their bell desk was endlessly accommodating.  I dropped it off with a note for the person staying in the hotel.  I communicated the tag ID to the renter, and I was off.  I even did it on the way to work, so it was relatively painless.

Until I got the phone call.

As a software tester, you would think I would learn to test my own stuff before I deploy.  Unfortunately, I forgot this portion and ended up handing over a bike with a disabled chain.  I got the phone call in the morning after the renter's arrival, and I was frantic and embarrassed.  I rushed over on an early lunch, fixed the mangled chain, gave it a spin around the parking lot, and kicked the tires for good measure.  Again, the bell staff was extremely accommodating, and it was stowed securely in time for lunch.  The rest of the experience was relatively painless.  I picked it up after the renter had flown.  I paid the bell desk a tip on pick-up.  All the kit was there and intact.

Could I streamline and improve this service?  Here are some ideas:

  • The sign-up process could be accomplished online.  
  • Several waivers should be added to make sure the lawyers don't come calling after our first injury.  
  • Accident insurance and similar services could be added on as well.  Neither renter nor owner wants to be caught unawares.  
  • A service level could also be established: will work on delivery (oops), service calls available within X hours, deposits or charges for repairs, and so forth.  
  • Instructions for the bell desk, advertisements, and similar services could also be bolted on.  Making it easy for the staff engenders trust and is good advertising.
  • The kit was mostly good, but delivery could have been more glamorous (kit bag attached to bike instead of in a plastic grocery sack).  
  • I would make people bring their own helmets or have them available for purchase.  Helmets are very hard to gauge if they have gone bad.  Why risk the lawsuit if an injury does occur?

So, was it worth it?  That is a definite no.  Could I make it worthwhile?  Maybe.

The cost to take the bike, if everything went smoothly, would be gas and time for delivery.  Spread over enough hotels, this could be accomplished relatively easily once the service hit critical mass.  The repair was a huge hit to profitability (driving there and back on lunch), but careful testing and integration with deliveries/pickups would also make it something that could be priced in with some research.  Theft could be mitigated by insurance, but it would need to be managed carefully and included in the cost.  Finally, payment was through PayPal which took a sizable cut.  Cash might be better, but since the ideal rental involves never meeting your customer, it is impractical.  Credit would slice the charges in half.

An attractive alternative is to offer rental services to the hotels/resorts themselves and only deal with them.  It would be a simple way to attract business, and they could take advantage of existing infrastructure for payments, renting, waivers, etc.  With enough coverage, it might just make a profit.

Monday, December 8, 2014

Clark County, Nevada Elder Abuse Resources

I was concerned for the safety of a family member who is older not long after their spouse passed away.  Below are some things I learned about Elder Abuse, the resources available to help those in need (individuals or family), and things to do when investigating elder abuse.

Before going nuclear on someone new in your relative's life, first do the single most important thing: talk to your older relative.  Often, misunderstandings or matters of privacy can be sorted out without resorting to law enforcement, state assistance or subterfuge.  The matter of trust between you and your relative is the single most important factor in maintaining their long-term health and well-being.  If you lose their trust, you lose almost all ability to help them.

Local Police Resources

Police seem to only be able to make 'welfare checks' for elderly people that outsiders suspect are being abused. They can only visit the premises when the person is home. The Las Vegas Metropolitan Police Department Operator and Dispatch informed me that there are dedicated Elder Abuse detectives. Unfortunately, they only operate M-F, 7-4. As the crisis was after this time, we couldn't get a welfare check immediately. The numbers for these departments are below:
  • Metro Operator: 702-455-8697
  • Metro Dispatch: 702-828-3307
  • Elder Abuse Detectives: 702-828-3111 (Hours are 7-4, no voice mail)

State Resources

Though I have not taken advantage of these resources, there may have been help available through the Aging and Disabilities Services connected through the county. Comparable services may exist locally in your neighborhood.  Perhaps there are some interventions that would be helpful going forward?

Social Engineering

When trying to find out more about people that have entered a loved one's life unexpectedly, unexpected phone calls from unknown people are a great source of more information.  Generally, act as if the person is at home but not available.  The person on the other end of the line may divulge information that gives you clues about the intruder.  Effective phrases are below:
  • "Yeah, he's here but he's busy.  He asks what you need."
  • "Hold on, let me get her...She's here but can't pick up right now."
  • "Who is this again?  I didn't get that down last time."
  • "His phone is dead.  What number can he reach you at?"
  • "What was it again that you're meeting for?"

While the person is out, check the circumstances of the house, but try not to disturb things too much.  Look for signs of drug abuse or behavior you know your relative would frown upon, such as smoking and drinking in the house. If you know their location, ensure firearms are secure, and check the status of belongings, heirlooms and money caches.  Document and narrate your search by video.

If you must get the police involved, minimize the impact on your relative.  See if they will come around when you try to have a person escorted off the property.  Ensure your relative is not involved in any illegal activity before involving the police, and, most importantly, get the consent of your relative before escalating.  You must maintain their trust, and asymmetric reactions to otherwise benign or defusable situations can ruin that bond and expose a vulnerable relative to harm from both the intruder and the police.

Monday, September 29, 2014

Test Early, Test Often

Of late, I have been enamored of testing techniques that come earlier and earlier in the development cycle. It can be called static analysis, design auditing, prospective testing, shift-left or the like, but the research is in: testing before you get something bears fruit in most organizations.  Here I present a few examples from my own experience.

At the start of a sprint, we leave Sprint Planning with the requirements.  The next interaction with developers is when we review their Developer Design Overview document that spells out the development approach and helps QA scope their testing effort.  This developer had chosen to put an error message into a file usually reserved for configuration.  QA saw the DDO and raised concerns immediately.  Why was a message being added to this file when they were usually reserved for the language DB?  With this one question, before QA saw the code, we changed the trajectory of development.  The fix was in before we got our first build, and the story closed with the Sprint instead of carrying over with the do-over.

An even earlier example came when we looked to implement secure communications between two servers.  While I couldn't code my own implementation, I was able to provide recommendations at design-time by staying educated and confirming my understanding with developers who had dealt with crypto.  By starting early, we were on surer footing when troubleshooting and confirming the implementation was sound.

As the examples above illustrate, QA often saves time for developers by defending standards and consistent implementation early in the cycle, but that is not the only savings that comes from shifting left.  Often, test environment issues can also be aided by an early understanding of requirements.  In one case, a story had carried over from a previous sprint which meant we were already behind.  The roadblock was a production issue pulling the developer away from the story.  Instead of sitting on our laurels, QA worked with the configuration manager to make sure our test environments were ship shape before the code was completed.  When the developer's changes passed build verification, we were off and running almost instantly.  Not only did our preparation help us get to the work of testing faster, but it also helped us close more stories as environments were made ready before they could become an obstacle. Not only was I able to test early, but it led to me testing more and in greater depth.

Most modern test engineers have their own war stories from early testing.  For every story where requirements changed and early notes became meaningless, there are ten stories where early questions lead to greater clarity, fewer bugs, and more time for digging in.  I consider projects that foster this early access for QA to be among the most fruitful and least volatile.