Beware the Wiley Hacker: a Cautionary Tale

Not an approved method of securing your network...

A while back, we wrote about rebuilding a crashed Raspberry Pi system.  In the course of reinstalling the system (on a new chip–the old SD card that contains the operating system had “worn out”), we had made a fatal slip.  This system happens to be our gateway system, i.e., connected directly to the Internet to provide us access to our files and some web services while out of the office.  Unfortunately, this also provides the opportunity for the world-wide hacker community to try to break in.

Normally, we have safeguards in place, like restricting which network ports are open to the outside and which machines and accounts are allowed login access.  However, in our haste to get the new system up and running as quickly as possible, we connected the device to the Internet to download upgrades before the configuration was complete, meaning the system was exposed without full protection for several hours to several days.

One hour’s worth of break-in attempts by hackers. Note that attempts to access system accounts (root, pi) are denied because we don’t allow external logins for these accounts.  The accounts that are allowed are restricted to public-key authentication (basically, a 1700-character random password).  Attempts on this one-hour snapshot come from four different sources: Porto, Portugal; Shanghai and Baoding in China; and Tokyo, Japan (possibly hacked machine, as the name is spoofed).
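A log like the one in the screenshot can be summarized by source and by targeted account. The following is an added example, not code from the original post: the log lines are constructed in the classic sshd syslog format, the host name, accounts and addresses are made up, and each sshd process ID is assumed to stand for one connection.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# Host name, PIDs and accounts are made up; addresses are RFC 5737 examples.
SAMPLE_LOG = """\
Jul 22 14:01:12 gateway sshd[2101]: User root from 198.51.100.7 not allowed because not listed in AllowUsers
Jul 22 14:01:14 gateway sshd[2101]: Failed password for invalid user root from 198.51.100.7 port 40022 ssh2
Jul 22 14:01:17 gateway sshd[2101]: Failed password for invalid user root from 198.51.100.7 port 40022 ssh2
Jul 22 14:03:40 gateway sshd[2107]: User pi from 198.51.100.7 not allowed because not listed in AllowUsers
Jul 22 14:09:02 gateway sshd[2113]: Invalid user admin from 203.0.113.5
Jul 22 14:09:05 gateway sshd[2113]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 22 14:20:31 gateway sshd[2120]: Accepted publickey for alice from 192.0.2.10 port 50312 ssh2: RSA SHA256:constructed
Jul 22 14:31:45 gateway sshd[2131]: Invalid user test user from 203.0.113.5
Jul 22 14:40:00 gateway CRON[2140]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Syslog prefix: timestamp, host, then the sshd tag with its process ID.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssshd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")

# The user name is text supplied by the remote side and may contain spaces,
# so it is matched greedily and the address is taken from the end of the line.
EVENTS = [
    ("denied", re.compile(
        r"^User (?P<user>.*) from (?P<ip>\S+) not allowed because (?P<why>.*)$")),
    ("invalid", re.compile(
        r"^Invalid user (?P<user>.*) from (?P<ip>\S+)(?: port \d+)?$")),
    ("failed", re.compile(
        r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>.*)"
        r" from (?P<ip>\S+) port \d+ ssh2(?::.*)?$")),
    ("accepted", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>.*)"
        r" from (?P<ip>\S+) port \d+ ssh2(?::.*)?$")),
]


def parse_line(line):
    """Return a dict describing one sshd authentication event, or None."""
    outer = LINE.match(line.rstrip("\n"))
    if not outer:
        return None
    for kind, pattern in EVENTS:
        m = pattern.match(outer.group("msg"))
        if m:
            event = m.groupdict()
            event.update(kind=kind, pid=int(outer.group("pid")))
            return event
    return None


def summarize(lines, allowed_users):
    """Return (per-source report, alerts for logins that break the policy)."""
    rejected = defaultdict(set)  # ip -> sshd PIDs, one per connection
    targeted = defaultdict(set)  # ip -> account names that were tried
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "accepted":
            # Policy from the post: only listed accounts, only public keys.
            if ev["user"] not in allowed_users or ev["method"] != "publickey":
                alerts.append((ev["user"], ev["ip"], ev["method"]))
            continue
        rejected[ev["ip"]].add(ev["pid"])
        targeted[ev["ip"]].add(ev["user"])
    report = {ip: {"connections": len(pids), "accounts": sorted(targeted[ip])}
              for ip, pids in rejected.items()}
    return report, alerts


if __name__ == "__main__":
    report, alerts = summarize(SAMPLE_LOG.splitlines(), {"alice"})
    for ip, info in sorted(report.items()):
        print(ip, info["connections"], "connections,", info["accounts"])
    print("policy alerts:", alerts)
```

Counting process IDs rather than lines keeps one connection that logs several rejections from being counted several times.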

Now, our security logs record, on a normal day, hundreds of break-in attempts (see screenshot above).  We aren’t the Democratic National Committee or Sony, just a small one-man semi-retired consulting business.  But, the hackers use automation: they don’t just seek out high-value targets, they scan the entire Internet, looking for any machine that isn’t fully protected.  If they can’t steal data or personal information, they will use your machine to hack other machines.  If you use Microsoft Windows, you are undoubtedly familiar with all sorts of malware, as there are many tens of thousands of viruses, trojan horses, adware, ransomware, and other malevolent software that invades, corrupts, and otherwise takes over or cripples your machine.  Unix systems are less susceptible to these common attacks, but, if an account can be compromised, or a bug in the login process exploited, eventually a persistent attacker can gain system privileges and install a ‘rootkit,’ a software package that replaces the common monitoring and logging software, redirecting calls through the rootkit, which hides its existence and activities from the reporting tools, even the directory listing utilities.

Once an attacker takes over a Unix or Linux machine, there is no limit to the damage they can do on the Internet, as Unix/Linux is the basis of most of the servers on the Internet, and can become a SPAM server, web-spoofer, or hacker-bot itself.  (Microsoft Windows Server has the rest, nearly half, and they are even easier to break into.)  I began to suspect this might have happened when normal system functions failed to terminate or run correctly.  We have a lot of custom software built on this machine, which runs on a scheduler.  The machine got slower and slower, and it was apparent that the jobs run by the scheduler were never exiting, filling up the process table with jobs that weren’t doing anything, except taking up space, which is always at a premium.  Clearing out all the jobs, restarting the machine, and starting the processes manually worked–until about 2:00pm.  Very suspicious: a rootkit, once installed, can repair or re-install itself even if the administrator restores many of the co-opted command files by normal upgrades or by a conscious attempt to recover from the intrusion.

The main problem seemed to be with /bin/sh, the system shell, which is actually /bin/dash, a shared object.  Cron, the scheduler, uses dash to run the jobs, where the normal user login shell uses /bin/bash, a non-linkable executable shell with similar functionality.  A rootkit is generally constructed as a filter, wrapped around the co-opted commands, so it would be easier to link to the *real* /bin/dash in an undetectable manner from the filter program than it would to wrap /bin/bash.  In this case,  assuming an intrusion was the cause, something went wrong, rendering dash non-functional.  Perhaps the intrusion was not compiled for the ARM  processor used by Pi, though most of a rootkit would be scripted to be portable among different CPU architectures and Unix/Linux versions.

An analogy to the problem would be like finding out who let the horses out: it is easy to identify wolf or horse-thief tracks outside the barn when the door is barred, but, if you left it open and the horses have bolted, it is more difficult to find out what happened–the traces are covered. I did install some intrusion-detection software, but running it after the tracks are covered over is usually a futile effort.  However, there were enough questionable traces to warrant taking corrective action.  Besides, even if the problem had been caused by some inadvertent misconfiguration on my part (unlikely, considering the fact that the machine could be made to run for several hours before the problem reasserted itself), the solution was clear:  reinstall everything.

The first step is to back up the data, including configurations.  Now, this is not just an ordinary computer:  Raspbian, the Debian-based operating system distribution designed for the Raspberry Pi computer, comes with a simple desktop intended to introduce new users to Linux.  But, this machine doesn’t use the desktop and is not even connected to a monitor most of the time: it is an internet gateway, web server, and custom webcam driver, so has a lot of “extras,” both loaded from software repositories and written especially for this installation.  Backups are important, since much of the software only exists on this machine.  And, since we only have one camera, fail-over isn’t possible without physically moving the camera from one machine to another, not a trivial exercise, as the connection is on the motherboard rather than an external connector.

Now comes the glitch: Since the introduction of the Raspbian operating system, it has been based on Debian 7; but, since Debian 8 was recently released, a new version of Raspbian is also available.  So, the machine was rebuilt with Raspbian “Jessie”, replacing Raspbian “Wheezy” (the releases named after Toy Story characters rather than just the numbers–as with Apple OS/X, Debian releases tend to have names in addition to release numbers).  Installation on Raspberry Pi is not like other computers.  Since there is no external boot device, the operating system “live” image is loaded onto the SD card that serves as the boot device and operating system storage.  Initial configuration is best done without a network connection, since the startup password is preset and well-known.

So, avoiding that mistake (booting on a network with the default passwords, the single most preventable source of hacker intrusions), we booted with the network cable disconnected and a monitor and keyboard attached, changed the password and expanded the system to fill the SD card, set up the other user accounts, then shut down the system, removed the SD card, and mounted it on the backup server to finish transferring vital data, like the security keys and system security configurations.  In larger systems with a permanent internal boot drive, such “hacker-proof” installation is done on an isolated network, but, since the boot drive on a Pi is removable, it is easy enough to edit the configuration files on another system.

So, with the system fairly well hardened by securing the system accounts and user accounts, it was rebooted attached to the network and the system upgrades and extra software packages (like the web server) installed.  So far, so good.  But, since we upgraded the operating system, the server packages were also upgraded, most notably moving from the webserver, Apache, version 2.2 to version 2.4.  Apache has been the predominant web server software on the Internet for 20 years, so it is in a constant state of upgrade, for security and feature enhancements.  Between version 2.2 and 2.4, many changes to the structure of the configuration files  were made, so that not only did the site configuration need to be restored manually, but there was a fairly steep learning curve to identify the proper sequence and methodology by which to apply the changes.

Then, of course, there were the additional Python modules that needed to be installed to support the custom software, which involved downloading and compiling the latest versions of those, since Python 2 also upgraded from version 2.7.3 to 2.7.9 (we haven’t yet ported the applications to Python 3, which moved from version 3.2.3 to 3.4.2 between Debian 7 and Debian 8).  Finally, there were other tweaks, like comparing system configuration files to update group memberships for access to the camera hardware, loading the camera drivers, and setting file ownership and permissions for data and program files.

We could have saved most of this by sticking with Raspbian Wheezy, but eventually, support for older systems goes away, and the newer systems are usually more robust and faster: open source software evolves rapidly, with new minor releases every six months and new major releases every two years for most distributions, and an average life span of five years for maintenance of major releases and a year for minor releases.  As we said before, Linux is free, if your time is worth nothing.  The price of keeping current is constant maintenance.  Patch releases occur as they are available, with maintenance upgrades almost daily.

Finally, after a week of tweaking and fiddling, the webcam service is back up and running.  And, the security logs show break-in attempts every few minutes, from multiple sites all over the world (one from Portugal recently, others from unassigned addresses–ones with assigned addresses undoubtedly come from computers that have been compromised and used as hacking robots, as hackers don’t want to be traced back to their own computers, ever).

So, the moral of this post is:  don’t ever expose a stock, unmodified computer system directly on the Internet (which is difficult to do, when all upgrades, new software, etc., is available only through download from the Internet–which should be accomplished only from behind a proven firewall).  But, you can set passwords and change system accounts before joining a network.  And, if your computer is hacked, take it to a professional, and don’t grumble about the cost or time it takes to restore it.  Pay for malware scanning software and keep your subscription up to date, as well as scheduling upgrades on a regular basis.  And, if you are a professional, don’t take shortcuts (i.e., install and configure off-net or behind a firewall), keep good backups, install intrusion-detection software early, and check for security upgrades daily.  Change the default passwords immediately, and create a new, weirdly named administrative user, and deny external logins for all administrative users.  Use two-factor authentication and public-key encryption on all authorized user accounts.  They are out there, and they are coming for your computer, even if you don’t have data worth stealing: they can use your computer to spread SPAM or steal data from someone else.
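The login restrictions recommended above can be checked on the SD card while it is still mounted on another machine, before the Pi ever joins the network. The following is an added example, not code from the original post: it audits the text of an OpenSSH sshd_config, whose keywords (PermitRootLogin, PasswordAuthentication, AllowUsers and so on) are not named in the post, and both sample files and the account names in them are constructed. It treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as one setting and does not evaluate Match blocks or negated patterns.

```python
import re
from fnmatch import fnmatchcase

# Constructed sshd_config fragments; account names are made up.
WEAK = """\
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
# Appended later during hardening. sshd ignores it, because the first
# value given for a keyword is the one that takes effect.
PasswordAuthentication no
"""

HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob@192.0.2.*
"""

# These keywords append to a list instead of following first-value-wins.
ACCUMULATING = {"allowusers", "denyusers", "allowgroups", "denygroups"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Map lower-cased keyword -> argument list for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or one '='.
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        key = ALIASES.get(key, key)
        if key == "match":
            settings["match"] = args
            break  # conditional sections are not evaluated here
        if key in ACCUMULATING:
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)  # first occurrence wins
    return settings


def audit(text, admin_accounts=("root", "pi")):
    """Return a list of findings; an empty list means the policy holds."""
    s = effective_settings(text)
    findings = []

    def value(key):
        return s.get(key, ["<unset>"])[0].lower()

    if value("permitrootlogin") != "no":
        findings.append("PermitRootLogin is %s, expected no"
                        % value("permitrootlogin"))
    if value("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is %s, expected no"
                        % value("passwordauthentication"))
    # Keyboard-interactive logins can still prompt for a password via PAM.
    if value("kbdinteractiveauthentication") != "no":
        findings.append("keyboard-interactive authentication is %s, expected no"
                        % value("kbdinteractiveauthentication"))
    allow = s.get("allowusers")
    if not allow:
        findings.append("AllowUsers is unset: every account may attempt a login")
    else:
        for pattern in allow:
            user = pattern.split("@", 1)[0]  # entries may be user@host
            if any(fnmatchcase(acct, user) for acct in admin_accounts):
                findings.append("AllowUsers entry %s admits an administrative"
                                " account" % pattern)
    if "match" in s:
        findings.append("Match block present: review its overrides by hand")
    return findings


if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "ok")
```

In the WEAK sample the later `PasswordAuthentication no` has no effect, which is the failure the first-value-wins handling is there to catch.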

Warm Showers 2016, Part 1

Despite our absence on our own shortened “Beyond 70” tour mid-March through mid-May, 2016 brought a steady stream of Warm Showers guests. We had to turn down a few while we participated in the NorthWest Tandem Rally in Klamath Falls, Oregon over the July 4th week, and plan to take a short break at the end of July to get in some more cycling and camping before heading east at the end of August for an early September tour of Door County, Wisconsin. This entry covers the 39 guests we have had through 22 July (including Toph, the dog).

Cara came through in early March, headed south. With El Nino, the bicycle touring season in the Pacific Northwest is nearly year-around.
Carina and Mat, from the U.K., arrived in mid-May, traveling from south to north on the Pacific Coast.
Nico, from Iowa, traveling down the Pacific Coast at a more leisurely pace than most. As of this writing, he was in Los Angeles.
Mark and Seth also traveled down the Pacific Coast.
Simon, from Switzerland, was a “drop-in,” guided to our house from downtown by our neighbor after finding there were no campgrounds nearby. He was already a Warm Showers member, but hadn’t made firm plans for daily distance, counting on finding campgrounds near the end of the day. Simon was touring south on the Pacific Coast route.
Justin was riding north to British Columbia and points east, to the Great Divide Mountain Bike Route, having cycled from his home in mid-Texas to California and up the Sierra Crest route.
Betty and Robert, AirBnB hosts and new Warm Showers members from Vancouver, BC, were touring to San Francisco.
Lisa, headed north from Portland to tour the Canadian Rockies, crossing paths with Tony and his dog Toph, below.

During the busy part of the summer, we often get multiple requests for the same night. Sometimes the travelers are headed the same direction and may meet on the road, but sometimes they are headed in opposite directions, as were Lisa and Tony. Tony had rescheduled because of the medical emergency with Toph. We have plenty of room, with three guest rooms, large open porch, and large format leather furniture in the living room, having hosted seven once.

Tony, from southern California, was traveling the Pacific Coast route with his small dog, Toph. Our cat insists that dogs camp outside, so Tony and Toph pitched their tent on the porch.
Toph cut her feet on shells on a beach a few days before and the cuts got infected, so she got the dreaded cone the day before she and Tony arrived.
Brian and Heather, finishing a loop around the Olympic Peninsula.

Shelton is a nexus for several popular routes: The most used is the Pacific Coast Route, with riders choosing the ACA route between Bremerton and Elma, or riding down U.S. 101 from either Port Townsend or Port Angeles. Some choose to take a short cut to Centralia via Olympia (or around Olympia on Delphi Road, skirting the Capitol Forest), and some head west from Elma for a more direct route via U.S. 101 and the 6800-meter-long Megler-Astoria Bridge across the Columbia River. Some extend to the Washington coast at Westport. The Olympic Peninsula Loop is also popular, but most riders continue south along the coast from Aberdeen, so bypass us entirely. Some riders starting or ending in Seattle also choose to follow the route of the Seattle-To-Portland ride, east of Puget Sound, and also bypass Shelton. This year, we’ve gotten riders who have ridden the Sierra Crest Trail through California and Oregon and continue on the Pacific Coast Route to Vancouver. We also have gotten, from time to time, Trans-Am riders who head up the coast from Newport, Oregon to Seattle to fly home.

And, there are some riders who are in the middle of a Grand Tour, either from Alaska or the Yukon Territory to South America or a loop tour of the U.S., via the Southern Tier, Pacific Coast or Sierra Crest, and Northern Tier. And, of course, riders to and from Portland, Oregon, the undisputed bicycle capital of the West Coast. Not everyone stops in Shelton: we see a lot of riders throughout the day, passing through, and some who stop at motels, the other Warm Showers host on the north side of town, or Couch Surfing hosts.

Glenn and Bobbie had ridden across the Southern Tier from Florida to California and up the Sierra Crest Route, headed for the San Juan islands.

Another night with two groups: Veteran tourists Glenn and Bobbie, finishing their tour at Anacortes, while Jason and Amy, below, first-time tourists, were just starting a cross-country tour. Conversation is interesting when comparing notes. From our own experience touring the Canadian Rockies 28 years ago, much of the fun is meeting and sharing stories with other tourists on the road.

Jason and Amy were headed north from Portland to Anacortes to join friends on the Northern Tier route to the East Coast.
Ana, a graduate student at UBC in Vancouver, BC, was taking a summer break from her studies to ride the northern half of the Pacific Coast route.
Mark finished the Trans-Am route from Virginia to Oregon and intended to take a break from cycling to hike in Colorado before heading back east on the Northern Tier route. He stayed a couple of days to recover from a bout of food poisoning, a risk when food stops are sometimes limited to convenience stores.

After Mark headed north toward Seattle, we clamped our Bike Friday tandem on top of the car and headed down the Oregon Coast, following the route of many of our guests. We spent the night at an AirB&B near Seal Rock, a nice couple who recommended a gastropub nearby and fed us a nice breakfast. We then drove to Eugene to augment our Bike Friday accessories and ride the wonderful trails, staying at an AirB&B downtown across from a brewery and pub. After another stop in Rogue River to visit relatives, we spent several days at Klamath Falls, along with 650 other tandem riders, for the 30th Anniversary Northwest Tandem Rally. Then, we headed north, following the Sierra Crest Route to Bend, then over the Cascades to camp at the beautiful Silver Falls State Park, hiking to several of the breathtaking waterfalls.

Judy with Julia, Christina, and Dana, friends from Ottawa, Canada cycling from Vancouver to San Francisco.

While camping in Oregon, we got several Warm Showers requests, which we regretfully had to decline. But we would be home in time to receive Christina and her friends. Knowing we were arriving from our own trip at about the same time, they graciously offered to bring and cook dinner. What a fun evening, and it gave us time to unpack before they arrived.

Hugh (right) and Liam, a father-son team cycling the Pacific Coast route from their home in North Vancouver, BC.
Chris, from southern California, cycling back home from Vancouver, BC. Chris’ arrival got delayed a day to ship his front rack and panniers home to lighten the load on the hills ahead, on his first self-supported tour.
Jamine, Taylor, Mia, and Nicole, housemates from Portland on a tour to Bellingham.
Jacy and Tom, on the last day of their tour from New York to Virginia to Oregon to Seattle.
Ryan, from Philadelphia, on tour on the Pacific Coast, starting from Vancouver.

Jacy, Tom, and Ryan arrived about the same time, from different directions, and at different ends of their tours. It was interesting to see the contrast between seasoned tourists about to finish a long tour and someone just starting out. Many of our travelers start in Vancouver or Seattle, on their first long tour, and are just finding their limits, so they arrive in that period of doubt about the feasibility of continuing on, whether the destination is 200, 2,000 or 20,000 kilometers away. This year, the 40th anniversary of the Trans-Am tour and founding of the Adventure Cycling Association, has seen more riders finishing that tour with a final week-long dash from Newport, Oregon to Seattle, as well as riders following the warm weather north on the relatively new Sierra Crest route.

Ludo, Pierre, and Phillip, friends from Montreal, cycling from the Pacific Coast. They intended to start in Seattle, but had to switch plans to start in Vancouver, so rescheduled to arrive three days later than planned.

Seasoned tourists Pierre and Ludo, knowing how hard it is to fill up hungry cyclists, supplemented our pizza and salad offering with a pound of spaghetti, with pesto sauce, and also broke out packets of oatmeal in the morning to supplement our bagel/cold cereal/fruit buffet.

Genie and Lydia, a mother-daughter team on the last day of their tour. Lydia started her tour in Paraguay 19 months ago, and Genie joined her in Los Angeles for the trip north, riding the Sierra Crest to Yosemite, and the Pacific Coast the rest of the way, ending in Seattle.

Genie and Lydia had arranged to meet Brad, a cycle tourist they met in the Sierras, who lives in Puyallup, for dinner, so invited us along as well. A fun evening, at a local BBQ restaurant we hadn’t been to before, being vegetarian. However, we found lots of good items on the menu with meat optional.

As has been our custom, we publish two lists of Warm Showers guests, divided at mid-summer or before and after our own tour, typically in late summer. This year, we changed tour plans in mid-tour, breaking up what was to be a four-month expedition into a series of short tours and weekend cycle/camping outings. We’re probably going to be unavailable most of the rest of the summer now, with our own travel schedules, but will, no doubt, take in tourists when we are home for more than a few days.

And Now, a Word From Our Sponsor…

The new, $9 CHIP computer, which comes complete with WiFi and installed Linux OS (mouse, keyboard, power supply, and monitor not included, of course): running “headless” as just another network appliance, along with the five nearly as small Raspberry Pi computers and numerous virtual machines.

The last few months, our articles have focused on our bicycle adventures, notably, the preparation for, launch of, and, ultimately, termination of our planned four-month expedition from Florida up the east coast.  We arrived home just less than two months after departing, and just in time to perform some much-needed maintenance on the Chaos Central computer network.

As the title of this blog indicates, we have, for the last 25 years or so, depended on Unix, Solaris, and Linux for both our livelihood and, of course, to operate our in-house network.  The majority of our systems run GNU/Linux, in various distributions: Ubuntu and Mint Linux on desktops and laptops, CentOS on the server and virtual machines, and Raspbian on the collection of Raspberry Pi micro-machines (and the above CHIP nano-computer) that are rapidly becoming the backbone of the home network.

GNU/Linux is very stable: we have, in the past, run systems for up to two years without a reboot–and then only because we suffered a major power outage.  But, with a collection of systems, something is bound to go wrong.  First, less than a month after we left on our trip, a power surge that made it through the power conditioner/battery on the server took out the virtual machine that renders the timelapse videos from our driveway surveillance system.  We actually didn’t notice this until I went to review the current day’s timelapse progress and found the video was an hour out of date.  Ah, this was because I had programmed a failover plan into the system: the videos were now being rendered by the Raspberry Pi cluster in the basement, much, much more slowly on a 32-bit ARM single-core processor with 512 MB RAM than on the Intel Xeon quad-core processor with 8GB RAM in the virtual machine host.

The server rebooted without incident when we got home: it actually didn’t reboot when the power hit came, but had an error that locked up the processor, an unusual condition.  Had we not been headed for home at the time we discovered it, we could have instructed our house-sitter in how to cycle power and bring up the system.

Then, a couple of weeks after we returned, the surveillance system, which is also the remote login gateway, simply stopped, which would have been a show-stopper had we not been at home.  We happened to have a spare Raspberry Pi, one that had seen duty as a print server and scanner server before we got a new WiFi-enabled printer/scanner.  It took a couple of hours to add the necessary software packages to run the camera and web server and configure the machine to perform all of the necessary duties of the old one, including limiting access to specific machines and login accounts, and we were back in business–for a while.  A few days later, the external disk drive that we use to store the camera output had an unrecoverable error.  The files affected could not be erased due to the error, but renaming the folder and creating a new one kept the system running until we could get a new disk and copy the rest of the files onto it.  The old disk had been re-purposed from use as a portable backup for travel, and is about six years old, so it’s time to replace it, anyway.

After taking care of the disk issues, I revisited the Raspberry Pi failure: it turned out that the SD card that the Pi uses as the internal system drive had simply expired of  natural causes.  SD flash memory chips have a finite lifetime, and can be rewritten only so many times before becoming useless.  The culprit here was the surveillance system software (which I wrote, so I only have myself to blame)–even though the camera photos, taken every 10 seconds, are written to the external hard drive, my program copied the latest one to the system disk, in the web space.  Every 10 seconds, 8 to 18 hours a day, for a year and a half. That’s about 2 million writes, all in the same location, in addition to logging system activity.   So, a simple fix to preserve the new system: put the web file on the external drive.

The discovery of the worn-out SD card meant that the old Raspberry Pi was still OK, it just needed a new system drive.  About this time, I replaced my 3-year-old Android phone with an iPhone.  I had installed an SD card in the old phone for photos, so I removed that, backed up the files, reformatted it, and built a new Raspbian “Jessie” operating system on it (the rest run the older “Wheezy” version), and booted up the once-dead Pi.  Yeah!

This uses up nearly the last of the 8GB cards around the house, though I still have a 2GB card in an old Kodak camera that I use to document our Warm Showers bicycle visits.  We have a few 16GB cards yet:  the smallest cards on the general market (Costco, Best Buy, etc) are 32GB.  I have one 64GB card, installed in a GoPro camera, which required installing an additional set of packages to handle the exFAT (no, not skinny: it’s an acronym for EXtended File Allocation Table) file system when copying files to Linux systems.  New purchases tend to be the micro-SD footprint, since most new devices, plus phones and POV cameras, take those, and the older devices use adapters that are supplied (for now) in the package.  Speed is important for high-resolution cameras and video devices.  But, when cost is a factor, we still look for the lowest capacity and speed, as older devices have a size limit, and won’t operate with the new cards.  In the age of mass-production, the devices themselves become obsolete while still functional because the supply of suitable storage media dries up.

So it goes–it has been said that Linux is free, but only if your time is worth nothing.  It takes a lot of time to build a custom system, but the flexibility is enormous.  Each machine takes on a personality of its own, as it develops different capabilities, selecting from among the many different distributions available and the thousands of software packages downloadable for free in addition to the basic system.  Plus, the machines acquire a collection of custom scripts over time, that don’t exist anywhere else.  As a software and web developer, having instant and free access to database engines, web servers, and many different programming systems is priceless.

When I need to run several different software systems or distributions, I can use virtual machines, running all versions at the same time, on the same physical machine.  And, there are choices, with no buyer’s remorse penalties with free software. I’ve tried three different non-linear video editors, and stick with an older version of one (the new version isn’t compatible with the old project files…).  The stock desktop systems come with web browsers and office productivity software, and several different graphical desktop systems, which can be chosen at login time.

The latest addition to our Linux/Unix obsession is the CHIP computer, by Next Thing, which I pre-ordered for $8 back in January and which arrived direct from the factory (in China) a couple of days ago.  The CHIP is a bit smaller than the Rpi, with no HDMI (TV output), only one USB port, but a built-in 4GB flash drive, WiFi, and Bluetooth, which are all not included in the Rpi.  The CHIP is low-power, has a battery connector (3.7v rechargeable battery not included), and can be programmed via the micro-USB power cable if connected to a laptop.  This device is more suitable to mobile (read: robotic) applications, as it, like the Pi, also includes a number of digital/analog input/output circuits.  And, being a full-featured Linux computer, it is more versatile than the Arduino micro-controller popular for hobby embedded applications.   Unlike tablets and phones, which are powerful miniature computers in their own right, and microcontroller-based devices like thermostats and security systems, these small experimenter’s devices are completely programmable and physically extensible, becoming whatever tool your imagination can envision.

So it goes: in our 21st-century cottage (built in the early 20th), computing devices are as ubiquitous as light bulbs, with Windows becoming as irrelevant and obsolete as incandescent lights.  But, “some assembly required” becomes “a lot of assembly, some compiling, and a bit of fabrication essential.”  And, you may have to write your own documentation, operations manual, and maintenance plan, as well as some software.

Expedition 2016: Afterword and Video Record

Even though we had planned to be on tour well into the summer, it was good to be home in the Puget Sound in mid-spring.  Our trip north on the East Coast had been accelerated by the switch to automobile speeds, rolling the seasonal clock back to tree buds.  At the same time, Facebook’s Memories algorithm enticed us with photos of our yard in springs past, in full bloom.

We missed the apple blossoms, dogwood, and the giant Rhody that gets full sun early, but most of the rest of the yard was just starting to bloom.  The cat quickly adjusted to having her “regular” people at home, once more demanding a fire on chilly mornings and a warm lap until the room got cozy.  And, we, too, settled into a routine that didn’t involve packing up and moving on, attending our fiber guild meetings and resuming our yoga practice, neglected while on our own, but easier to arrive at the Senior Center at the appointed time, mat in hand.

As usual, video documentation of our trip was sketchy and random, an afterthought rather than a deliberate production.  The footage we hastily published while “on the road” got a post-tour review, with minor edits uploaded, and the “rest of the tour” documented with slide shows of still photos shot on walking tours of the old cities and historical sites, from the back of the tandem, and out the windscreen of the car.

Meanwhile, at home, we reassembled the bicycle, encountering some adjustment difficulties that were best resolved by partial disassembly and a more careful reassembly.  After five years, I have finally realized that the adjustments that affect the timing chain tension also affect the shift cable tension, and that a lot of futile adjustment of the shifters can be avoided by rechecking the fit of the frame tubes.  And, finally, I got the new rack system installed on the car, ready for a summer of trail riding and distant events.  One of the first things we did on arrival home was to sign up for the 30th anniversary NorthWest Tandem Rally, being held this year in Klamath Falls, Oregon in early July.  We’ve ridden the roads around Klamath Falls before, in 2007, and are looking forward to socializing with the 900-1000 other tandem riders that show up for the event.  We last attended (and for the first time) in 2012 at Salem, Oregon, with little training before the rally, so we hope to keep up with the slower groups this year.

The Bicycle

Our route via the bicycle took us from Orlando to Folkston, Georgia, then from Savannah, Georgia to Walterboro, South Carolina, for a total riding distance of 597 km (370 miles). We rented a U-Haul truck to bypass bad weather and dangerous roads between Folkston and Savannah, about 170 km (110 miles).

Week 1 took us from Orlando to St. Augustine.

Expedition 2016 – Week 1 from Larye Parkins on Vimeo.

We spent a day with a walking tour of St. Augustine…

Expedition 2016 – St. Augustine from Larye Parkins on Vimeo.

Week 2 took us to Folkston, Georgia, where we trucked to Savannah  in the rain for a trolley and walking tour of the city.

We didn’t have a firm plan for Georgia, making the route up as we went along, using the ACA route and GA Bike Route 95 as guides, driven by road construction and weather.

The Florida segment of this week’s route was the most pleasant of the trip, with actual off-road bike trails and a bike lane.

Expedition 2016 – Week 2 from Larye Parkins on Vimeo.

We stayed in Garden City just outside Savannah, which happened to be the rail, truck, and port area, and were glad to have shuttle service to the historic district from our hotel, since the 4-lane road outside was bumper-to-bumper and curb-to-curb with large, fast trucks. Choosing routes that minimized (but did not eliminate) truck traffic, we crossed into South Carolina through Alligator Alley and picked a route parallel to Interstate 95 for access to motels, but access to food was a problem. Weather and bad roads meant stopping at every town along the freeway. With our experience with urban roadways near Savannah and the prospect of long, arduous stages ahead through the rest of South Carolina, we decided to abandon our plan to cycle the entire East Coast, renting a car in Walterboro for the rest of the journey.

Savannah to Walterboro, SC.

South Carolina didn’t offer much in the way of scenery: Judy took lots of swamp pictures, and pictures of modest homes in poor communities, festooned with Trump signs. But, although the Deep South is deep crimson in their political leanings, we found drivers courteous for the most part: even though we had to “take the lane” on shoulder-less roads, overtaking traffic waited patiently behind us until it was safe to pass, unlike most of Florida, where we seemed to be invisible to motorists, who seemed to always be late and in a hurry. However, it may have had something to do with us mounting a small American flag on our trailer in Savannah, something suggested to us by one of our hosts in Florida. The reasoning was that, while “Bubba” (our stereotypical name for aggressive drivers of large pickup trucks) may hate bicyclists, as a Patriot, he won’t run over the Stars and Stripes, even if he wears the Stars and Bars on his truck.  We actually didn’t see any of this type in the South at all.

Expedition 2016 – Week 3 from Larye Parkins on Vimeo.

The Automobile

The flexibility of the automobile allowed us to use our time to explore Charleston in depth, with a ferry to Ft. Sumter, a horse carriage tour of the University district, and a walking tour of the historic Market and Battery districts.

Expedition 2016 – Charleston from Larye Parkins on Vimeo.

Our gasoline-powered tour took us quickly through the rest of South Carolina and into North Carolina, where we elected to drive the bridges across Roanoke Island instead of the ferries up the Outer Banks as we had planned. We did make a brief excursion to Hatteras Island before spending the afternoon at the Wright Brothers Memorial at Kill Devil Hill, where they tested their gliders before making the historic powered flights in December 1903,  on level ground at the base of the hill.

Expedition 2016: North Carolina from Larye Parkins on Vimeo.

Entering Virginia, we missed the James River Bridge somehow, and a coffee stop in a construction zone got us on the wrong road in Norfolk, so we wandered through back streets before finding our way back to the Interstate, through the Hampton Roads Bridge-Tunnel, and on to Williamsburg and Jamestown, visiting both the recreated 1908 Settlement and museum, run by the state, and the Jamestowne historical site, a national archeological site. The next day, we were back on the I-95 for a quick trip up the Potomac to Mount Vernon, where we spent the day touring George Washington’s estate.

Expedition 2016 – Virginia from Larye Parkins on Vimeo.

We elected to bypass Washington, DC this trip–the traffic on the Beltway was overwhelming even on a Sunday afternoon, so we pressed on north into Maryland, where we took time to ship our bicycle and camping gear home before crossing into Pennsylvania for a tour of the Gettysburg civil war battlefield and cemetery. A leisurely drive through the Amish and Mennonite country dumped us into the expressway rat race of suburban Philadelphia, arriving at Valley Forge too late in the day to tour the Visitor’s Center or the only historical building of interest, Washington’s headquarters. However, driving through the park brought us back out into the countryside for a relatively quiet drive to Allentown, with lots of pictures of stately old homes and well-preserved 19th-century city architecture in towns along the way.

Expedition 2016 – Pennsylvania from Larye Parkins on Vimeo.

After a tour through the Delaware Water Gap, and a hike to a waterfall, we finally headed west, a portion of the trip well-documented with photos in earlier posts.  We’ve decided that our elder years will be best spent exploring bike trails: our days of jousting with trucks on narrow roads on long-distance treks should be well behind us.  And, we can pick the distances we’re comfortable riding, with a minimum of baggage on the bike.

Expedition 2016, Week 5 — Bucket List and Family Time: Mentor, OH to Madison, WI

Fokker D-VII, one of my favorite WWI aircraft designs, at the Air Force Museum

We left the Cleveland area early, in the rush hour to Akron and Columbus, and on to Dayton to close the loop on our Wright Brothers pilgrimage.  We arrived at the Air Force Museum just before 1100, and spent the next six hours wandering through 108 years of military aviation history, ending with a drive downtown to stand in front of the Wright Cycle Company, where it all began with two bicycle mechanics obsessed with a quest for flight.

After such a long day, we were glad to have reserved a room nearby. We enjoyed an evening out with vegetarian “bar food” appetizers at a nearby pub.  The next morning, we headed west in an all-day rainstorm, plowing a tunnel through the mist through Indiana and Illinois to cross the Mississippi and arrive in Iowa for the night, fighting a fierce northeasterly wind to get to our room, which no doubt had helped the gas mileage on our long day’s drive.

Sunday morning, it was still raining, but less.   We headed west to Iowa City for morning coffee, a convoluted search because of massive downtown road construction and closures, but worth it to find a huge coffee shop in this University town.  By the time we reached Waterloo, the iPhone we’ve been using for navigation got indecisive about routing, so we ended up driving west on US 20 to I-35 and north to I-90, a bit farther, but easy to follow.

We thought about a hot sit-down lunch, but the restaurants at Clear Lake-Mason City and in Albert Lea, Minnesota were backed up with locals as well as tourists on a spring Sunday mid-day, so we grabbed our usual yogurt and hummus in the convenience store section of a travel stop and moved on, later stopping at a supermarket for eat-in-the-room cold supper supplies.  Traveling in the south and midwest is difficult for a vegetarian: we find ourselves improvising a lot, eating cold out of grocery stores and coffee shops, with the occasional veggie burger patty and all-day breakfast eggs ala carte (no bacon in my milkshake, please).  Judy is still in the “road kill vegetarian” mode, not one to turn down a meal just because it was prepared with chicken broth or spiced with bacon bits, and she does order seafood within sight of salt water.


The sun came out as we arrived in my birthplace, Jackson, MN, where we had a lunch appointment the next day with the family elder, my one remaining aunt.  We spent the morning in the local coffee shop, one of the few espresso places in this part of the world (we found two more in Algona, Iowa, the next day).  Our lunch turned into a whole afternoon of reminiscing, mostly among the three nurses.  Aunt Jo was an Army nurse in WWII at various military hospitals and POW camps around the country, and had a long career in Jackson hospitals. Cousin Cathy recently retired from 39 years of nursing, and Judy was active in nursing for 35 years before opening her fiber arts and quilting business in 2001.

After our visit, we traveled a short way “down the road” into northern Iowa, staying overnight at Emmetsburg, a town about which I had heard a lot, growing up, but had never visited.  A caffeine recharge in the aforementioned coffee shop in Algona sustained us into Mason City, better known as “River City” in “The Music Man,” as it was the home of composer and playwright Meredith Willson.  Mason City is also the site of the only remaining hotel designed by Frank Lloyd Wright.  The hotel and attached bank building were the basis for the design of the famous Imperial Hotel in Tokyo, Japan, which has since been destroyed.  The town is also home to many street sculptures, most around the Central Park and the city library.

Our destination in Iowa was our daughter’s house.  She had recently moved to “Brick City,” Clermont, home town of Iowa’s first governor, William Larrabee. Clermont is a picturesque collection of historic brick buildings straddling the Turkey River in a pretty valley at the edge of the rugged Driftless region of bluffs and canyons radiating outward from the Mississippi River between Minnesota, Iowa, and Wisconsin, a region in stark contrast to the deep layer of glacial drift in the surrounding area.  This spring brought a half-dozen kids to the small goat herd on their 7-acre hobby farm at the edge of town, so we spent some time in the barn with the nippy little critters and the rest of the herd.  She is a jewelry artist: we got to see her latest creations before they went off to a gallery for a weekend show.  A good visit, all too short to take in the area, but we’ll be back.


The final stage in our expedition took us the short way down through the bluffs to cross the Mississippi for breakfast and coffee in Prairie du Chien  and on to our son’s home near Madison, Wisconsin, looking forward to seeing the grandchildren this weekend before our flight home on Monday.  As it turned out, it was a typical weekend for our family: our son was on call for his job on the organ transplant team, was called out to travel to Illinois soon after we arrived and again (to California) during lunch the next day, so we were left to pick up our grandson after school for the weekend.  Reminded me of the bad old days in the 1970s and 1980s when I would rush off to the airport after dinner or in the middle of the day to parts unknown and return days or weeks later, having worked long days or around the clock on ships or secure shore facilities with no outside communications.

But, we had a nice visit through Mothers Day, and had most of Monday to prepare for our evening flight home, having put 5600 km on the rental car since stopping our bicycle adventure in South Carolina after 600 km.  So it goes.  We are headed home, looking forward to a summer of shorter bicycle adventures and road trips.
