Email is a Misguided Effort

I heard a commercial with the booming and illustrious voice of Rush Limbaugh. After I recovered from banging my head against my desk, I reflected on what was said in the commercial.

Rush pointed to the popular free email providers (Yahoo, Google, and others) to remind you that they scan your email. To remind you that they sell your email address, and other information about you, to the highest bidder. To remind you that the use of these free email addresses may increase your risk of spam mail. In contrast, purchasing an email address from provides you with private and secure email, and your information will never be sold.

I was intrigued.

I found that Rush was not the only conservative advertising this servic. Fox, CBS, and many others also endorsed it, though for slightly different political reasons; they primarily portrayed it as an email alternative “for conservatives”. They said that, unlike these free services, email would not have you unknowingly contributing to “the liberals”. These are hard-and-fast definitions, people.

Michael Reagan, founder of and son of, you guessed it, Ronald Reagan, has this to say about his service:

[…] every time you use your email from companies like Google, AOL, Yahoo, Hotmail, Apple and others, you are helping the liberals. These companies are, and will continue to be, huge supporters financially and with technology of those that are hurting our country.

Because apparently liberals are the only ones that are interested in using technology to advance our country. And apparently “the liberals” are the only people benefiting from these huge corporations. Obviously, they would never help “the conservatives”. Regardless, this is a relatively empty claim as its never actually substantiated.


Politics aside, allow me to explain to you from a technical perspective why the commercials endorsing and even the information on is largely misleading.

First, let’s address the script Rush was fed in his advertisement. It is well known and accepted that free email providers, along with many paying internet providers as well, will harvest and sell your information to advertising companies. It’s well known because these companies clearly state this in their Privacy Policies. The claim is that the Reagan email service, which costs you $40 per year, does not do this. However, if you read through the Privacy Policy for, it is true that says they will not collect your information, but they do allow their affiliates to collect your information.

We may also use one or more advertising network providers to help present advertisements or other content on this website. These advertising network providers use cookies, web beacons, or other technologies to serve you advertisements or content tailored to interests you have shown by browsing on this and other websites you have visited. Advertising network providers collect non-personally identifiable information such as your browser type, your operating system, web pages visited, time of visits, content viewed, ads viewed, and other click stream data.

The key phrases here are that their “advertising network providers” have the right to collect information about “content viewed”. I don’t know about you, but the content I primarily view while logged onto my email is … email.

The use of cookies, web beacons, or similar technologies by these advertising network providers is subject to their own privacy policies, not our privacy policy for this website or its Service. uses the affiliate for their ads (why they show ads on a service they charge for is beyond me). Ironically, if you look through the list of partners of Network Advertising, four companies may quickly jump out at you: Microsoft (Hotmail), AOL, Yahoo, and Google. Just to name a few. Which means much of the same ad revenue that these companies may generate from your use of their free email services may still be generated for them through your use of

This last point is key to highlighting the disconnect between the claim of the email service and the reality of the internet’s interconnectivity. This disconnect has also recently been highlighted with the controversial SOPA and PIPA bills passing through Congress. You have politicians proposing bills, or in this case making a buck using the influence of politics, on technical subjects in which they have little to no understanding.

If privacy is what you seek, you cannot use the internet, and you certainly cannot use email (unless it is isolated to an internal network). Even if a given email was secure and private while on the servers, any incoming and outgoing messages will go through a server at some point somewhere in the world that is likely owned, operated, or affiliated with one of the internet or server giants, including Google. Coincidentally, even if you had a email address and sent an email to yourself, the email would still go through one of these external servers before returning to you.


Next claim. is email for conservatives, right? So supposedly using will support a conservative agenda rather than a liberal agenda. Perhaps directly, and on the very surface, but indirectly (and about half an inch below the surface down to bedrock) no. As I said before, you can’t take something as intertwined and complex as the internet and expect to take the biggest internet giants out of it. Ironically, on the same site that Michael Reagan is falsely boasting that his service will get you away from those Big Brother liberal companies, he provides instructions for how to configure his email service to work on your mobile device. You know, the one made by Blackberry, Apple, or Motorola (owned by Google) running the Android OS (also owned by Google).

Let’s give Reagan the benefit of the doubt. Let’s assume he’s not trying to insinuate it’s Big Business we should distrust. Maybe he’s suggesting Google, Yahoo, and the like sell your information to the government, and that’s where the privacy risk comes in. This is half true … although they don’t sell it. And, again, won’t get you away from this. Even when using, as soon as the email leaves the servers, the United States government will have the opportunity to seize and view the email. They probably won’t, unless you’re a terrorist suspect, but they always have the right, no matter your provider, thanks to the Patriot Act. Heck, even on the servers the government has the right to seize it under this act.


There’s a phrase that somebody said once goes something like:

Is it really free if it costs you your privacy?

That’s up to you to decide, really. But if you believe internet companies are the only ones tracking personal information about your daily habits … well, let’s just say you should stop shopping at Target. Or Wal-Mart. Or Best Buy. Or really any major chain in America. Personally, I don’t think a corporation tracking your habits to better serve you with ads related to your interests is an invasion of your privacy.

The cost of Reagan’s supposedly private and secure email service is $40 per year. This service is rented from a man who has no technical expertise and is not a server administrator. His Terms of Service clearly and painfully guarantee you nothing in terms of support, up-time, warranty, or back-up. And if you’re expecting new features in the future … well, don’t hold your breath.

On the other hand, companies like Google and Yahoo have incentive to provide you with new features. They have incentive to guarantee you up-time, because every second their servers are down is ad revenue lost for them. They have dedicated support teams to ensure their servers are always running at peak health, and they have redundantly connected servers and farms, just in case.

Reagan’s servers go down? I’m sure they’ll get it back up eventually. But, you know, you’ve already paid them your $40, so they don’t lose money by the second when the service is down. And it is owned by a politician … so don’t expect a quick turnaround.


Using VirtualBox to Host a VPS

Oracle’s VM VirtualBox is a virtualization program that allows you to run another operating system from within your native operating system. Though it is most commonly used to run fully functional operating systems such as Linux or OS X from within Windows 7 (or vice versa), it can also be used to host a Virtual Private Server (VPS).

This post does nothing to compare benchmarks between more efficient (and recommended) VPS environments such as VMware or Linux-VServer, and I would not recommend using VirtualBox as a VPS in a production environment. However, it is useful in many situations, and I’ll let you be the judge of when this should or should not be done. It is certainly acceptable for personal and developmental purposes. And hosting a VPS through something like VirtualBox that is extremely simply to setup and use allows you to easily experiment with configurations and operating systems, or even jump between multiple VPSs on the same computer.

This tutorial assumes you have a rudimentary knowledge of server software and operating systems. I’m going to be explaining virtualization to you, not the details of the server installation and configuration.


Setting Up VirtualBox

First, some definitions. When I refer to the host operating system, that is the primary operating system that your computer boots into. When I refer to the guest operating system, that is the virtualized system that is run from within VirtualBox. There will also be references to IP address and ports on the host and guest. They follow the same theme. Now that we’ve got that of the way …

You can pick up VirtualBox for free from their website here. Download and run the installer for your host operating system. Congratulations. VirtualBox is now ready to run. Unfortunately, it doesn’t have a guest operating system installed or configured yet, so it doesn’t do much for you. But before we actually install one of those, let’s create a virtual environment for it and configure some VirtualBox settings.

In VirtualBox, click New to create an environment where we install a guest operating system. I’m assuming you’re a civilized human being and installing a Linux server operating system, so select Linux, then select the version of operating system you’re using. If the exact version isn’t in the VirtualBox list, select the parent Linux distribution (for instance, for CentOS you’d select Fedora).

Ideally, you should grant at least half of your host system’s memory to the guest operating system. You should dedicate at least 8GB to the guests hard drive space. Luckily, since this is a virtual environment, you can select to dynamically allocate this space, so the virtual hard drive will only consume space on your host’s hard drive as it is needed. Finish up the wizard, and the guest environment will be created.

Now, to make that guest environment accessible to our host computer. Right-click on the newly created environment and select “Settings”. Click on “Network” in the list on the left, and click on “Adapter 2”. Enable this adapter and, from “Attached to:” select “Bridged Adapter”. This will cause the guest environment to resolve DHCP IP information directly from the host operating system, which means we can now forward some host ports directly to the guest operating system.

Go back to the “Adapter 1” tab, make sure this adapter is “Attached to: NAT”, and click “Advanced”. Click on “Port Forwarding” and add a new TCP forward. Let’s call it “SSH”. Specify 22 for the host and guest ports. This will forward the host machines port 22 to the guest machines port 22—they don’t have to be the same, they just have to match other configurations on the host and guest side of things. It’s also worth adding an “HTTP” forward for port 80 as well as any other the forwards for ports controlling any other services you’d like accessible from the guest environment.


Server Operating System

If you haven’t already, now’s the time to choose what operating system you’re going to use for your guest environment. I recommend Ubuntu Server if you’re used to Ubuntu or Debian environments, and CentOS is another wildly popular one, though it’s not my cup of tea. Whatever operating system you choose, download the ISO for it’s installation and open up VirtualBox again.

Right-click on your guest environment and select “Settings”. From the list on the left select “Storage”, and point your virtual disc drive to the ISO you just downloaded. Once this is done, you can simply start the guest environment and it will boot with that disc “in the drive”, so you can install that operating system in the guest environment.

If you’re installing Ubuntu Server, selecting OpenSSH during the install process as well as LAMP and any other services you’d like available will make things much easier for you. However, as I said above, this tutorial assumes you have a rudimentary knowledge of server operating systems, so I’m not going to go into the details of installing those services. But to prove that our port forwards worked, you should at least install OpenSSH (during installation or as soon as you boot into the environment), and if you are able to SSH to your host computer on port 22 and access the guest environment, then everything worked the way it should have.


Launching Server When Computer is Booted

It may be useful to launch this virtual server when the computer boots. To do this, create a BAT file with the following command:

VBoxManage startvm “VM Name” –type headless

Place a shortcut to this BAT file in the Startup folder of a (or all) user accounts and you’re good to go. The server will launch and run in the background, allowing you to SSH into the server to control it from a terminal.

For maintenance purposes, you may also want to create a second BAT file for stopping the server (since it’s running in the background with no visible window). To do so, create a BAT file with the following command:

VBoxManage controlvm “VM Name” poweroff


Access from External IP

Login to your router and go the Port Forwarding section. Add a new port 22 forward, and forward that port to the IP address of the host. Do the same for port 80 and any other ports you added during the configuration above. Now, by typing in the external IP address of your network, you can SSH into the guest operating system through port 22, and you can utilize other services available to other ports.

There’s a lot more than can be done from here (using DNS to propagate to your external IP address, mail servers, etc.), but this tutorial has gotten you to the point where you can use tutorials for non-virtualized environments tutorials to accomplish those goals now. Good luck with your endeavors!


Secure PHP Login

When perusing the internet for discussions on PHP sessions and cookies in regards to credential validation and user logins, I’ve never been satisfied with the approaches I find. Many of the tutorials are just plain lousy or incomplete. And the others seem to imply that you should only use sessions or cookies and never mix-and-match, a confusion that would probably trip up many PHP novices. So I’ve decided to post a tutorial explaining the complete PHP login format I use for my sites and web applications. Before we start, I should let you know that you can grab all the source in this tutorial from GitHub.

How it Works

The way to create secure pages using PHP is a simple enough concept: determine the pages that can only be visited by logged in users and put a piece of code at the top of them to redirect logged out users to a login page. If a user visits the login page and is already logged in, they should be redirected to the main page.

So, how do you determine if a user has been logged in? You have PHP to see if there’s a fingerprint that pairs the server to the client’s computer. To do this, PHP provides access to two mechanisms: sessions and cookies. Once a user has logged in with a valid username and password, you fingerprint either the server (session) or the client’s computer (cookie). Once the fingerprint is in place, each secured page just needs to check to see if it exists. If it does, show the page to the user; if not, kick the user back to the login page.

It’s that simple.

Comparing Sessions and Cookies

Before you can really proceed, you need to understand the primary differences between sessions and cookies in PHP (and, well, anywhere). Let’s break them down for comparison:


  • Stored on client’s computer
  • Slower, since they have to be sent to the server from the client’s computer
  • Limited on size and how many can be stored on the client’s computer
  • Can be used across multiple servers
  • Can have a lengthy lifespan
  • Can be viewed and modified by client and can therefore be a security risk, depending on the content
  • Not available until page reloads, since cookies will be sent to the server on page load


  • Stored on server
  • Faster, since they are already on the server
  • Less bandwidth transfer since, rather than sending all data from client to server, the session only sends the session ID to be stored in a cookie on the client’s computer
  • Size of a session is dependent on the PHP memory limit set in php.ini, but my guess is that limit is significantly higher on your server than the 4k generally allotted to cookies
  • Cannot be used across multiple servers
  • Lifespan is very short; always destroyed when browser has been closed
  • Can only be accessed through the server, so much more secure than cookies
  • Available immediately in code without a page reload

From the above, you should be able to deduce that if you are working with sensitive data (passwords, credit card data, etc.), a session should be used. If you simply want to carry non-sensitive data between pages (the contents of a shopping cart), a cookie may be used.

Now that we understand the differences between sessions and cookies functionally speaking, what are they? Basically, as far as the code is concerned, they’re just arrays. The cookie array can be accessed using $_COOKIE[‘project-name’][‘val-name’], and the session array is conditionally accessible by referencing $_SESSION[‘project-name’][‘val-name’]. The session array is only accessible if you have started a session by calling session_start().

To store a value into a cookie, we use the provided function setcookie(‘project-name[val-name]’, $myData, time () + $keepAlive). Now let’s break this down: val-name will be the string used to reference this cookie as shown in the paragraph above. Whatever is in $myData is the string that will be stored in the cookie, and the cookie will stay alive until $keepAlive seconds from the current time have passed.

To store a value into a session is much easier. After a session has started, you simply execute $_SESSION[‘project-name’][‘val-name’] = $myData. The values will be accessible as shown above so long as the session exists—that is to say, so long as the browser has not been closed and session_destory() has not been called.

With this understanding of sessions and cookies now, you should be able to see that a session will be useful in allowing a user to login to a secured page, but that it will not allow a user to close the browser and return to that page still logged in. We’re just about to dive into the code that will allow for both of those things, but first let’s look at a common oversight.

The Shared Server Conundrum

This is a sneaky issue, because you likely won’t know that it exists until your security has been compromised, so I’ll let you in on the secret now.

PHP session variables are stored in /tmp by default, and this is true for any user on a server. Since the HTTP server software has access to read and write from this folder, and all users of a shared server execute from that same user, there is never a complete guarantee that your sessions are completely safe when you’re in a shared server environment. It is also possible for session collisions to occur because of this, for instance, if you and another user on a shared server are using the same session string. For this reason, it’s a good idea to regularly regenerate the session ID, and it’s also smart to use session strings that are related to the application you’re working with.

Another issue with shared server sessions in PHP is their timeout time. Though you may set a session timeout to be five hours, if another user on the shared server sets the timeout to be something else, say two hours, all of your sessions will also timeout in two hours, since PHP does not disambiguate between users within the /tmp folder.

I don’t know of a remedy for the timeout issue, though you may be able to contact your server admin to ask if there is a user-based php.ini file that could be configured to store your sessions somewhere other than /tmp. There are also ways to store your sessions in a database, which would get rid of both of these potential issues.

Regardless, neither of these issues are extreme vulnerabilities, but they should be something you’re aware of. If your application simply cannot share its sessions with other users, or your session data needs to be tightly maintained and secured, your best bet is to go with a dedicated server.

User Database

Before we can make a secured page that only certain users have access to, we need an access list of those users and their credentials, right? The way we achieve that goal is with a database. In our code example below, we’re using a MySQL database, so you’ll need to perform the following steps using MySQL:

  • Create a database named project_name
  • Create a table within project_name named Users
  • Users should have (at least) three columns: UserID int(11), Username char(25), and Password char(60)
    • The UserID column needs to be unique and auto-incrementing, starting at one (1)—the code below checks for a UserID equal to zero, which means that the user was not in the database
    • Ideally, the UserID column should be the primary index for the table
  • Users should have (at least) one row added: plain text Username, and hashed Password

Once a MySQL database setup like this, you’re ready to write the PHP code.

If you are a PHP beginner, please look into database sanitization. Anytime you are going to be accepting input from a web form and passing that input into a database (for example, in the case of accepting user credentials and logging that user into the website), you need to sanitize the inputs to prevent potential attacks on your website. In the source code below, database inputs are sanitized through the use PHP’s PDO library.

The Code

The snippets of PHP code below are robust enough to be deployed with a large-scale web application. If all you require is a simple authentication page and don’t much plan on using the session variables throughout your user’s stay, this code can easily be trimmed down to fit those needs as well. So, let’s walk through the code, shall we?


If you are making a large-scale web application a database helpers class can help streamline repetitive database calls. If you are making a more simple login interface, you can move the functionality within this class to functions.php.

If your application eventually has a settings.php file, it’d make more sense to move the defined database constants out there.

<!--?<span class="hiddenSpellError" pre="" data-mce-bogus="1"-->php

define ('DB_HOST', 'localhost');
define ('DB_NAME', 'project_name');
define ('DB_USERNAME', 'sql-username');
define ('DB_PASSWORD', 'sql-password');

class DatabaseHelpers
   function blowfishCrypt($password, $length)
      $chars = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
      $salt = sprintf ('$2a$%02d$', $length);
      for ($i=0; $i < 22; $i++)
         $salt .= $chars[rand (0,63)];

      return crypt ($password, $salt);

   public function getDatabaseConnection()
      $dbh = new PDO('mysql:host=' . DB_HOST . ';dbname=' . DB_NAME, DB_USERNAME, DB_PASSWORD);

      $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

      return $dbh;



The UserData class should be an almost identical interface to the MySQL Users table. Almost identical. You should not have the Password field, as PHP will handle checking that value and beyond that the user’s password, hashed or not, should never need to be displayed.

This class is unused by this tutorial, but it is a template that can be used to easily retrieve information from a database table. When you’re ready to move on beyond the login page, you can easily use PDO to fill class variables from corresponding variables in a database table with a call like $stmt->setFetchMode(PDO::FETCH_CLASS, ‘UserData’), and then calling $stmt->fetch(PDO::FETCH_CLASS) to fill the class variables.


class UserData
   public $UserID;
   public $Username;



The Users class is used to retrieve, assess, and modify data stored in the UserData class. For our purposes, we only need a checkCredentials() function to validate the given username and password against MySQL database elements.


require_once ('class-databasehelpers.php');
require_once ('class-userdata.php');

class Users
   public function checkCredentials($username, $password)
      // A UserID of 0 from the database indicates that the username/password pair
      // could not be found in the database
      $userID = 0;
      $digest = '';

         $dbh = DatabaseHelpers::getDatabaseConnection();

         // Build a prepared statement that looks for a row containing the given
         // username/password pair
         $stmt = $dbh->prepare('SELECT UserID, Password FROM Users WHERE ' .
                               'Username=:username ' .
                               'LIMIT 1');

         $stmt->bindParam(':username', $username, PDO::PARAM_STR);

         $success = $stmt->execute();

         // If results were returned from executing the MySQL command, we
         // have found the user
         if ($success)
            // Ensure provided password matches stored hash
            $userData = $stmt->fetch();
            $digest = $userData['Password'];
            if (crypt ($password, $digest) == $digest)
               $userID = $userData['UserID'];

         $dbh = null;
      catch (PDOException $e)
         $userID = 0;
         $digest = '';

      return array ($userID, $username, $digest);



This class acts as an enum of pages on your site.


// To get around the fact that PHP won't allow you to declare
// a const with an expression, define our constants outside
// the Page class, then use these variables within the class
define ('LOGIN', 'Login');
define ('INDEX', 'Index');

class Page
   const LOGIN = LOGIN;
   const INDEX = INDEX;



Here’s where it gets fun. As you create more pages that should only be accessible to validated users, make sure you add them as an OR to the return of isSecuredPage().

The checkLoggedIn() function is our primary work house. This function checks to see if the current page requires validation. If the page requires validation and the user is not logged in, they are redirected to login.php. If a user has been logged in and visits the login page, they are redirected to the main page. If the user has been logged in, this function allows them to access secured pages. The checkLoggedIn() function is also responsible for completing both the login and logout process, and on successful login it sets the proper session and cookie variables.

Take note of how the secondDigest cookie parameter is being used. We need to store authentication information in the cookie so we can securely implement the “Remember me” functionality, but if all we store are credentials, the cookie could still be stolen and used. To prevent against this, we also store physical characteristics of the connection, in this case IP address and HTTP User Agent information. That data should be hashed as well so a hijacker can’t just spoof it when they steal the cookie. Now, if a hijacker takes our cookie to their own computer, the cookie will pass user authentication but fail the second digest, and the hijacker will be prompted to login again.

You would be wise to modify what exactly is in the second digest. If a standard were used, hashing it would pointless, even with the salt. Additional salt beyond the Blowfish cypher would be good, adding additional information, reordering the information before it’s hashed, etc. For increased security, you could also store the second digest on the server in the Users table, comparing the cookie’s value with that value (which would need to be updated after each successful login).


require_once ('class-databasehelpers.php');
require_once ('class-users.php');
require_once ('functions.php');
require_once ('pages.php');

function isSecuredPage($page)
   // Return true if the given page should only be accessible to validation users
   return $page == Page::INDEX;

function checkLoggedIn($page)
   $loginDiv = '';
   $action = '';
   if (isset($_POST['action']))
      $action = stripslashes ($_POST['action']);

   session_start ();

   // Check if we're already logged in, and check session information against cookies
   // credentials to protect against session hijacking
   if (isset ($_COOKIE['project-name']['userID']) &&
             $_COOKIE['project-name']['secondDigest']) ==
       $_COOKIE['project-name']['secondDigest'] &&
       (!isset ($_COOKIE['project-name']['username']) ||
        (isset ($_COOKIE['project-name']['username']) &&
      // Regenerate the ID to prevent session fixation
      session_regenerate_id ();

      // Restore the session variables, if they don't exist
      if (!isset ($_SESSION['project-name']['userID']))
         $_SESSION['project-name']['userID'] = $_COOKIE['project-name']['userID'];

      // Only redirect us if we're not already on a secured page and are not
      // receiving a logout request
      if (!isSecuredPage ($page) &&
          $action != 'logout')
         header ('Location: ./');

      // If we're not already the login page, redirect us to the login page
      if ($page != Page::LOGIN)
         header ('Location: login.php');


   // If we're not already logged in, check if we're trying to login or logout
   if ($page == Page::LOGIN && $action != '')
      switch ($action)
         case 'login':
            $userData = Users::checkCredentials (stripslashes ($_POST['login-username']),
                                                 stripslashes ($_POST['password']));
            if ($userData[0] != 0)
               $_SESSION['project-name']['userID'] = $userData[0];
               $_SESSION['project-name']['ip'] = $_SERVER['REMOTE_ADDR'];
               $_SESSION['project-name']['userAgent'] = $_SERVER['HTTP_USER_AGENT'];
               if (isset ($_POST['remember']))
                  // We set a cookie if the user wants to remain logged in after the
                  // browser is closed
                  // This will leave the user logged in for 168 hours, or one week
                  setcookie('project-name[userID]', $userData[0], time () + (3600 * 168));
                  $userData[1], time () + (3600 * 168));
                  setcookie('project-name[digest]', $userData[2], time () + (3600 * 168));
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));
                  setcookie('project-name[userID]', $userData[0], false);
                  setcookie('project-name[username]', '', false);
                  setcookie('project-name[digest]', '', false);
                  DatabaseHelpers::blowfishCrypt($_SERVER['REMOTE_ADDR'] .
                                                 $_SERVER['HTTP_USER_AGENT'], 10), time () + (3600 * 168));

               header ('Location: ./');

               $loginDiv = '
<div id="login-box" class="error">The username or password ' .</div>
                           'you entered is incorrect.</div>';
         // Destroy the session if we received a logout or don't know the action received
         case 'logout':
            // Destroy all session and cookie variables
            $_SESSION = array ();
            setcookie('project-name[userID]', '', time () - (3600 * 168));
            setcookie('project-name[username]', '', time () - (3600 * 168));
            setcookie('project-name[digest]', '', time () - (3600 * 168));
            setcookie('project-name[secondDigest]', '', time () - (3600 * 168));

            // Destory the session
            session_destroy ();

            $loginDiv = '
<div id="login-box" class="info">Thank you. Come again!</div>


   return $loginDiv;



This is the base for a login form on the login page. Notice that now we’re modifying front-centric PHP files, the only reference you see to heavy lifting is a simple call to our checkLoggedIn() function. The form handles POSTing to this page to log the user in and redirect them to index.php.

The $loginDiv that we receive from checkLoggedIn() allows us to display informative statuses to the user, for instance, if they try to login with the wrong password.


require_once ('functions.php');

// Check to see if we're already logged in or if we have a special status div to report
$loginDiv = checkLoggedIn (Page::LOGIN);


      <h2>Sign in</h2>
      <form name="login" method="post" action="login.php">
         <input type="hidden" name="action" value="login" />
         <label for="login-username">Username:</label><br />
         <input id="login-username" name="login-username" type="text" /><br />
         <label for="password">Password:</label><br />
         <input name="password" type="password" /><br />
         <input id="remember" name="remember" type="checkbox" />
         <label for="remember">Remember me</label><br />
         <!--?php echo $<span class="hiddenSpellError" pre="echo " data-mce-bogus="1"-->loginDiv ?>
         <input type="submit" value="Login" />


Last, but certainly not least, our secured pages. All the work we’ve done above to ensure a robust application allows us to make one simple call from a secured page: checkLoggedIn(). Everything we’ve done above handles the rest. Add this call to any page you want to be secured and you’re good to go!

One thing to note is the logout button, which simple POSTs a logout action to login.php.


require_once ('functions.php');

checkLoggedIn (Page::INDEX);


      <form name="logout" method="post" action="login.php">
         <input type="hidden" name="action" value="logout" />
         <input type="submit" value="Logout" />

The Common Exit Issue

Take special note that as soon as it has been determined that checkLoggedIn() in functions.php succeeded or failed (i.e. following a header call to redirect), exit has been called. This is crucial if your secured page makes ready use of your session or cookie variables, because it tells PHP to cease construction of the page immediately. It is a common mistake to not call exit after a header redirect, which is not necessarily insecure, but it is poor practice. If you fail to call exit immediately, the remainder of the page will still be evaluated by PHP (though the variables may not have been initialized), and error reports may occur. Not data will be displayed to the user, but you neglecting to call exit may fill up your PHP error logs.

The Payoff

You now have login page, secured content areas, cookie storage for returning users, and working sessions throughout your pages. What’s cool about this from this point forward is that you can easily apply this new knowledge of cookies and sessions outside of the credentials realm.

You now have live sessions on your pages, so you can store additional values in the $_SESSION variable to carry them between pages. You’ve seen how cookies work, so you can curse your clients with crumbles of your website for the next time they return (don’t be evil).

If you have any further questions regarding the login process, sessions, or cookies, or if you just found this tutorial useful, let me know in a comment.

Investment vs. Loan Payoff

A few weeks back, I was contemplating various ways Jess and I could possibly payoff school debt sooner rather than later.  I had a spreadsheet detailing my current Loan Payment Plan, but I was more than willing to knock months off the bottom of that plan, if at all possible.  So I mulled over several schemes for paying them off sooner: embezzlement, bank robbery, pirated movie sales.  The usual.  But none of these options gave me complete confidence that they were bullet proof.

And then another, slightly more ethical thought crept into my mind: what if I pulled money from my own investments and used that to pay off school loans?  After all, my investments were earning less interest on a monthly basis than the loans were accruing interest.  Surely it made sense then to use the money from investments to payoff the loans.

Additionally, though I would be lowering the balance of the investments for the short term, I would more quickly be able to put larger monthly contributions toward them, as I would no longer be putting those monthly payments to my student loans.  This seemed intuitive.  And, after Googling the idea, I found that this isn’t all that uncommon of a practice, and many of the articles encouraged this practice.  The other half of the articles suggested that it’s not possible to take money from a mutual fund (like a 401k or an IRA) before you’re 59 and 1/2, but this isn’t true.  I know.  I called several brokerages.


The Realization


Upon further research, and with an Excel spreadsheet that was the brain child of my brother, I have found these assumptions to be untrue.  It seems common sense—and it seems reason would suggest that pulling low interest investments out and putting the money toward high interest loans would save you money in the long run, but the long-term ramifications of this were actually quite startling.

The attached spreadsheet, I believe, will speak for itself.  But the understand you at least need to have going into it is knowing why the these posts suggesting pulling from a mutual fund is a good idea; they’re missing the concept of exponential growth.

In the short-term, you believe that pulling a few thousand out of mutual funds now won’t matter, because you’ll quickly pay that few thousand back, with interest.  But you’re missing how fast mutual funds start to grow exponentially each subsequent year, and the more you pull out, the more difficult (or even impossible) it will be for you to catch up with payments over the long-term.


The Big Idea

Download the spreadsheet, plug your numbers in, and see if pulling from your investments is a good idea for you (there are a few circumstances where, if you’re disciplined, you can pay yourself back soon enough).  But I would suggest against this.

But here’s the Big Idea, and the real heart of the issue.  Withdrawing money from your investments, whether you can ultimately pay the amount back in full, or whether you’ll save money by paying off your loans sooner, gives you a dangerous mindset toward long-term investing.  It puts the thought into the back of your mind that, if absolutely necessary, your mutual funds may be liquid cash.  And they’re not.  They shouldn’t be.  You will need those funds for you in thirty years when inflation is catching up with your finances, when your kids start looking at college, and when you’re thinking about retirement.




Paying Off Your Loans



Everybody has debt.  And, I assume, we all want to pay it off.  But how quickly should we pay it off?  Did you know that on a $100,000 home mortgage at 12.0% interest, increasing your monthly payment by only $100 (from $1,100 to $1,200) will save you nearly $50,000 of interest paid over the course of the loan?  Now do I have your attention?

Here’s another scenario.  You’ve cancelled your credit card with a remaining balance of $3,499 (you know, from the new Mac Pro you bought).  Your credit card has an interest rate of 15% and requires a minimum monthly payment of $40.  In some moment of madness, you decide that making the minimum monthly payments will be a good idea.  If you die in sixty years, you will not have come close to paying off that small balance.  In fact, when you die, the new balance on that card will be $2,441,399.88, and you will have paid over $2.4 million in interest.  Of course, the credit card company would never divulge this information to you.

In both of these situations, you only have one loan.  What if you’re a recent college graduate (like my wife and I) and you have several smaller loans and would like to find the fastest, most cost-effective way to pay them off?  For that, I present you with an Excel spreadsheet I created.  You may even be surprised to find that you will spend less on interest just by paying off your loans in a different order.

I’ve tried to make the spreadsheet as simple as possible, with buttons and drop-downs to help you add/edit/sort your own loans.  Once your loans have been added and the details specified, the spreadsheet will automatically populate a payment plan for you.  It will tell you the projected date when all of your loans will be paid off, how much you will have paid in interest, and how large the loans will have gotten with accrued interest.  For fun, sort your loans by different criteria (there are drop-downs for sorting at the top of the spreadsheet) and change your monthly payment.  You’ll be surprised how much things like that will ultimately affect your payment plan, and it’ll be good knowledge for you to better understand your own loans.

If you don’t have any loans currently but are about to start college (or are considering getting five separate credit cards), I still strongly recommend opening this spreadsheet and putting in bogus loan values for your speculative debt.  The misinformation or simply lack of understanding among my peers when it came to financial responsibility (and future debt) was immense in college.  Sure, college loans generally have a better interest rate than credit card or auto loans.  And, sure, you could pay your $80,000 loans off over the next thirty years … but do you know that, when all is said and done, on that $80,000 loan, including interest, you may end up paying something upwards of $150-$200,000?

I could continue with example after example of loan payments and the penalties incurred if you don’t pay attention to your interest rates and monthly payments, but my main point is that you need to stay on top of your loans, and the best way to do that is to make a plan for them.  That’s where I hope my spreadsheet can help you; it has helped me come up with a simple way to quickly pay off Jess’ and my school loans in only a couple of years.  Not only that, but after putting my own loans into this spreadsheet and sorting them in different ways, I found that paying them off in a different order than I originally perceived to be the best would save me about $350.  That may seem like nominal savings to you now, but my wife and I (comparatively) don’t have that much school debt−so imagine how much would be saved if we did, or in the future when we have a home mortgage and maybe a car payment or two.  When that time comes, knowing this information will save us thousands or tens-of-thousands (see my first example).

Let me know if you have any issues with the spreadsheet or if you have any ideas that might make it better−I’m always open to ideas!  And happy savings :).


For your convenience, especially if you are a soon-to-be or current college student that may be unfamiliar with much of loan lingo, I’ve provided some guidance that will help you better understand loans and the spreadsheet.

  • Status:  A word or two describing the state of the loan (ex. “Open”, “Enrolled”, “In School”, “Closed”).
  • Loan Name: A unique name to help you identify the loan.  This is a required field, and it must be unique from all other loan names.
  • Account Number:  The account number given by the lender for this loan.
  • Lender: Every loan has a lending institution that granted you the loan.  For your reference, put the name of that institution here (ex. “The Department of Education”, “Capitol One”, “Collins Community Credit Union”).
  • Type: The type of loan this is, either generically (ex. “School Loan”, “Credit Card”) or specifically (“Stafford”, “Direct”, “Perkins”).
  • Interest Subsidy:  Subsidization is a type of assistance you may get from the lender or another financial institution (or the government) to help you with the loan or its interest.  For example, if your loan payments or interest are deferred for six months, your loan is “subsidized”.  If your loan does not have any sort of assistance with it, it is “unsubsidized”.  An unsubsidized loan begins accruing immediately.  This is a required field.
  • Interest Rate:  The percentage rate at which your loan gains interest annually.  This is a required field.
  • Minimum Payment: Most loans require a minimum monthly payment. The payment plan will deduct minimum payments each month so your payment plan is accurately generated. This is a required field—just input $0 if your loan does not require a minimum payment.
  • Due Date:  The date on which payments are expected to begin for this loan.  In the same of a subsidized loan, this should be the date your interest will start accruing.  This field is required.
  • Initial Balance: The initial amount that the loan was worth.  This field is required.
  • Current Balance: The current amount that the loan is worth.  This will be the same as the initial balance if you haven’t already started paying toward this loan.  This field is required.


Download Sample Loan Payment Plan Spreadsheet
For an example of how the spreadsheet will look when it’s filled in with loan values, download the sample spreadsheet above.

Download Ready-to-Use Loan Payment Plan Spreadsheet
For a ready-to-use spreadsheet that you can more easily enter your own loan information into, download the template spreadsheet above.


Ernie’s Adventure

What … Is This?

If you’re like my brother and me, you love old-timey computer games almost more than the latest and greatest shoot-em-up.  For as long as I can remember, my brother and I have loved playing classic puzzle games like King’s Quest, Commander Keen (yah, I realize that’s not really a puzzle game), and, later, games like the Myst games.

As such, after years of my brother and I writing our own useful programs, Andrew had a brilliant idea.  “Hey, why don’t we write an old-school adventure game with lousy DOS graphics?  You know, in the fashion of King’s Quest and the like?”

This was an idea through most of 2008, began development in 2009, and became what it is now sometime in 2010.  Obviously, we could have put effort into making these graphics cutting edge … but that would kind of defeat the purpose.  We intentionally made this game for nostalgic purposes.

The music is pure genius, I must say.  Any likenesses you may here throughout the game to other old-timey games you’ve played is purely coincidental.  Don’t sue us.


Alright, I Follow.  So Who’s Ernie?

Ernie was my dog.  I don’t say “was” because he’s dead or anything terrible like that−I say “was” because he now belongs to my brother.  I now have a new dog named Dante, and he and Ernie get along great.  But I digress.

When Andrew started developing The-Yet-To-Be-Named-Old-School-Game, he needed something to fashion it after, and he wanted it to be something he and I had in common, since we had the same affinity for such games.  Ernie must have been trotting by at the time, because he decided to make him the main character.  And thus development began.


Uh, I Didn’t Play Old-Timey Games.  What Do I Do?

Use the arrow keys to move the Ernie character around.  When you walk up to an object you’d like to do something with, type the action.  Then press enter.  Yes, type.  For instance, if you walk up to a shiny object on the ground, try typing the command “get key” and pressing enter.  Don’t know if it’s a keep?  Try the “look” command to see what’s around you.  Be specific.  If you see a person, type “look person”.

The key to these old game typing commands is verb noun.  So to talk (verb) to aperson (noun), you’d type “talk person”.  Don’t know the name of the person?  Type “look” and maybe the description will tell you the name of the person in the screen.

Type “inventory” to see a list of the items in your … you guessed it … inventory!

Oh, and as I said before, this was intentionally made as a DOS-style game.  That means your mouse won’t work at all.  If you’d like to access those menus at the top, press Alt and use the arrow keys to navigate.


The Nerd-Speech in This Post is Minimal.  Anything to Add?

Yah.  The game can also be run on Mac, if you’re interested, but the build isn’t as stable, and, frankly, I didn’t feel like dealing with getting it to that state.  Deal with it.  If you’dreally like to see the game run on Mac, you’re more than welcome to brave the build yourself.  You can find it on Andrew’s Google Code repository here.  Don’t say I didn’t warn use.  Seriously.  Not a pretty build.  And even if you do get it to build, I’ve only gotten it to run a few times, and it does crash from time to time.

And speaking of crashing, it may crash a bit on Windows Vista.  I don’t think we got all of the Vista bugs worked out because, well … it’s Vista.  Not worth our time.  But it worked consistently on Windows XP and Windows 7.  Anyway, you know, we offer this game with absolutely no guarantee or warranty.  And it should work just fine for you.  I promise.



If you’re a fan of the classics, or you just really like stalking the work I do, or you just want to take my old dog on a walking-tour of my parent’s house, it’s certainly worth a play through!

And, since a lot of the commands and scenarios on this game are very Laird-specific, I’ll leave comments and such enabled on this page so people can post and help each other out if absolutely necessary.



The End of an Era for NASA

STS-135: The Final (Shuttle) Launch

This morning marked the beginning of the end of an era.  I say the beginning of the end because the era does not conclusively close until next week, when the Space Shuttle Atlantis returns safely the Earth.

The beginning of the end happened at 11:29 A.M. EST as Atlantis’ rocket engines propelled the 4.5 million pound vehicle off the pad and, in eight and a half minutes, out of the Earth’s atmosphere, into space, and up to a speed of 17,320 mph.  (For the astute reader, you’ll note that this means it must be travelling at over 4.81 miles per second as it left the Earth’s atmosphere.)


Ominous weather taunted the launch of this shuttle all week, but all systems were a go this morning, and aside from a slight hold at T-minus 31 seconds (due to the GOX Vent Hood not registering with one of the sensors as fully retracted), Atlantis left the pad and disappeared into the heavy blanket of clouds above in less than forty seconds.

What you may not realize is that, at the time of the launch, according to NASA’s own protocol, the shuttle technically had the red light.  Yesterday, storms were furious around Cape Canaveral, and lightning even struck the ground twice just around the launch pad.  Luckily, there was no significant damage done to the pad or the surrounding area.  The weather, however, persisted.

NASA’s launch safety protocol dictates that precipitation cannot occur within twenty miles of the launch pad during a launch.  This morning, after all launch systems reported back “go”, the weather crew came back without a go.  It wasn’t a no-go, per se.  They just hadn’t reached a verdict yet.  This was at the T-minus 9 minute hold; it was definitely raining within the twenty mile radius.

Ultimately, Mike Leinbach, the Shuttle Launch Director, who gave the launch a go under the assumption that the weather would continue to move away from the launch pad before launch.  This was not a dangerous maneuver, as if weather hadn’t gone as predicted, the launch could have been scrubbed down to the thirty second mark.

The weather was so variable in fact, that Mike Moses, Launch Integration Manager, said in the post-launch press report that the decision to fill the External Fuel Tank (ET) this morning, a six hour process that costs $500,000 to undo, was settled over a game of darts. But the calls were made.  The delays, insignificant.  And after over 1,000 onboard systems were a “go”, STS-135, the final shuttle of its kind, launched safely from Pad 39A this morning.  But this is only the end of one era.  The end of the space shuttle era.  It seems Americans and the media have focused so intently on the ending of this era that they’re acting as though NASA is closing its doors for good.

Nearly one million people were present to watch Atlantis liftoff from the Kennedy Space Center this morning.  That doesn’t include the tens of millions of viewers watching the stream live from all around America and the world.  Certainly this was a momentous occasion—the conclusion of the near $200 billion dollar space shuttle program’s 30-year reign—but NASA has plans to return to space.  They just need a new vehicle to do it in.

The aged space shuttles weren’t originally built to optimal safety standards (you can thank the government for NASA budget cuts on that one), so they’re being retired.  Though the shuttles could continue to fly safely, NASA has brighter plans for the future.  My hope is that the one million people at Cape Canaveral chanting, “U-S-A … U-S-A” and “GO, GO, GO!”, as well as the cubicle-confined fans (like myself) shouting “Get ‘outta here!” from their desk chairs mourn only the conclusion of the shuttle generation, but not the death of NASA.


Eye on the Prize

The Space Shuttle Atlantis was hauling its crew and cargo to the International Space Station, a $100 billion dollar structure in a low-Earth orbit (about 220 miles out).  The Space Shuttle itself was designed primarily for this purpose even—a low-Earth orbit. But what about deep space exploration?  That’s exactly what NASA said.  Orion, the vehicle being built for the future of space travel, is being designed with manned deep exploration in mind.  It’s slated for a completion date of 2016, and it is expected to launch that same year assuming NASA gets a contractor to build a rocket for it and assuming that rocket is also completed by 2016. The Orion space capsule follows the primitive design of the Apollo spacecraft, but with much more of a vision.  Obviously, we’ve advanced quite a ways technologically since the Saturn V rockets boosted the Apollo capsule into space.  The aim for Orion is that she’ll have the reliability and safety the old Apollo spacecraft with the ingenuity and technology of the future.  She’s being built with the purpose of landing a man (or woman) on the surface of Mars.


But … Why Space?  It’s a Money Hog!

A money hog?  Because the space shuttle cost us nearly $2 billion each?  For the $450 million dollar price tag per mission?  Because the shuttle burns more than two million pounds of solid propellant in the two minutes after takeoff?  Because a satellite can cost upwards of $300 million to launch?

Sure, NASA is expensive.  We get it.  But can you name me a way to advance society that doesn’t cost a pretty penny?  You can debate it all you like, and you can argue that the budget for NASA is too large, or that the tax break NASA gets (that’s coming from your pocket) is too much, but the fact remains: NASA paved the way for your current way of life, and space exploration, especially through NASA, will mold the lives of our future generations.

Unfortunately, the advantage of space exploration is currently evading our current administration.  Yet in an economy continually teetering just above and below a 10% unemployment rate, I’d say the jobs created by subcontracted construction of rockets, satellites, space vehicles, space equipment, and research and development projects are nigh invaluable.

Lockheed Martin, the primary contractor for the Orion project, has published posters that boast, “Orion is being built near me!”  And, as a means of spreading out the love (and keeping the primary decision to scrap the project out of the hands of the government), they’ve spread the research, development, and construction work for Orion out over twenty-six separate contractors all over the country.  Not only are they stimulating jobs in the economy, but they’re also inspiring families and the job market alike with the excitement of being involved (directly or indirectly) in the future of the space age.


Don’t Care.  I Still Don’t Need NASA

Perhaps you’re still not convinced.  Maybe you still think you you don’t need NASA, and that NASA has done nothing to personally effect your life and loved ones.  Then I’ll leave you with these thoughts:  well over 1,700 technologies, many of which you use daily, were brought to you from the multi-billion dollar space program and NASA …

… The fibrous material in your tire tread.  Your home’s insulation.  Velcro.  Image processing (which gave you all the technology from a steady cam to image enhancement to HD movies to a personal video and still camera the size of your palm).  Prosthetics.  The GPS in your phone … not to mention the satellite that your phone, television, and possibly even your internet connection talk to … not to mention these satellites are now used to predict weather patterns, tornados, hurricanes, and more.  Health and safety equipment from ventricular devices to help your heart pump blood to more lightweight material that firefighters can wear when entering a burning building.  Cordless tools …

… and much, much more.


Thanks, NASA, for all the work you’ve done not just for our country, but for the entire world.  For inspiring my brother and I to investigate computers, technology, and spacecraft.  For the sense of camaraderie you gave Americans with each other, the rest of the world, and the universe this morning.  For the life changing technology you’ve given us.  Keep shedding more light on the infinite galaxies out there left to explore.

How Well Do You Know Jess and Alex?

Well, the wedding quiz results are in!  First off, we’d like to offer our congratulations to Jacob Waid and Sarah Anderson for earning the highest score of anyone who took the quiz (including family): 106%! There prize has yet to be determined, but when we do think of it, we’ll give it to them over a home-cooked meal at The Laird Apartment on a weekend of their choosing.

Second of all, we feel obligated to congratulate anyone who got over 100%, even if they didn’t technically win, so our congratulations also go out to David and Sarah Benson who received 103% on the quiz.  While you don’t win anything, we’re still pretty impressed that you did so well and happy that you’re obviously reading our blogs.  Also, thanks for the teapot.  That thing is awesome.

If you’d like to know your individual score, comment on this post or shoot one of us an email and we’ll look it up for you.  However, upon grading this quiz we did realize that we apparently made it way more difficult than we had originally anticipated.  But, hey, if the four people above could get over 100%, it obviously wasn’t impossible.

Confused as to what we’re talking about?  Well, during the reception of our wedding we had a quiz we gave our guests: How Well Do You Know Jess and Alex? We also gave this quiz to the guests at our Iowa reception.  Before we get into the more interesting averages and statistics on how well those who took it did, we’ll post the quiz below for those of you who didn’t get the chance to take it.


How Well Do You Know Jess and Alex?

The Friendship

1.) Where did Alex and Jess first meet?
A.) Getting Started Weekend at Cedarville
B.) An Arbor Day Tribute
C.) East Iowa Bible Camp
D.) A Finnish All-Saints Day party

2.) When Alex and Jess were just friends, how regularly was Jess asked if they were dating yet?
A.) Never
B.) Once or twice
C.) Once a week
D.) Daily

3.) What was the occasion on which Alex went to Jess’ house and met her family?
A.) The 4th of July
B.) Jess’ Birthday
C.) The Pumpkin Show
D.) Jess’ mother’s birthday

4.) What did Alex do during Alex and Jess’ first encounter that caused Jess to believe he was not mentally stable?
A.) He jumped off a high roof into a pile of leaves
B.) He ate a cotton ball
C.) He smashed a pop can on his head
D.) He explained why a proof of NP-completeness is theoretically impossible

5.) What was unusual about the circumstances in which Alex professed his (soon to be) love to Jess?
A.) He was seeing another girl
B.) She was seeing another guy
C.) She had already turned him down twice
D.) He knew she refused to date homeschoolers

6.) What was Jess’ first reaction when Alex told her that he “may not be altogether convinced that [he] couldn’t potentially be completely opposed to the idea of sort of maybe possibly dating [her] at some point in the future”?
A.) She burst out into tears
B.) She kissed him
C.) She expressed mutual feelings of interest
D.) She laughed at his joke


The Dating

7.) What did Alex give Jess over Easter that finally caused her to realize her feelings for him?
A.) A promise ring
B.) A plate of pizza rolls
C.) A necklace
D.) A letter

8.) What is the anniversary of Alex and Jess’ first date?
A.) April 30, 2010
B.) October 31, 2010
C.) November 2, 2010
D.) They can’t remember

9.) What restaurant did Alex and Jess go to on their first date?
A.) Chipotle
B.) Chinese Restaurant
C.) Texas Roadhouse
D.) William’s Eatery

10.) What kind of flowers did Alex buy for Jess on their first date?
A.) Daisies
B.) Roses
C.) Lilies
D.) Tulips

11.) Aside from his undying love, what else did Alex use to bribe Jess when he  asked her to be his girlfriend?
A.) A stuffed dog
B.) A promise ring
C.) A bag of her favorite coffee
D.) A Symphony bar


The Engagement

12.) When Alex asked Jess’ father for permission to marry her, where did they go to talk?
A.) Beans n’ Cream in Cedarville
B.) Chipotle in Springfield
C.) The Underdog Café in Yellow Springs
D.) New China restaurant in Xenia

13.) Where did Alex propose to Jess?
A.) On an ancient burial ground
B.) At a Yellow Jackets game
C.) In a hot air balloon
D.) At the top of a tree

14.) Aside from an engagement ring, what else did Jess receive from Alex when he proposed?
A.) A bouquet of roses
B.) A stuffed dog
C.) A poem he had written
D.) A matching pair of earrings

15.) After Alex’s proposal to Jess, they headed back to Alex’s house.  What did Jess think was waiting there?
A.) A wrapped gift
B.) A birthday party
C.) A pile of dirty dishes
D.) Nothing special

16.) Regarding the question above, what was actually waiting at Alex’s house?
A.) A candlelit dinner
B.) A wrapped gift
C.) An old friend
D.) An engagement party

17.) Who helped Alex distract Jess for the afternoon before he proposed?
A.) Emilie Lynch
B.) Joey and Jenna Woestman
C.) Kylee Husak
D.) Kara Rathburn

18.) Who assisted Alex in planning the surprise engagement party?
A.) Emilie Lynch
B.) Joey and Jenna Woestman
C.) Kylee Husak
D.) Kara Rathburn

19.) Where did Alex and Jess have their engagement pictures taken?
A.) John Bryan State Park
B.) Cedarville Park
C.) Indian Mounds
D.) Ellis Park


The Random

20.) When was Alex and Jess’ first kiss?
A.) Sometime before they were dating
B.) On their first date
C.) When Alex proposed
D.) Today, obviously

21.) What is the name of Alex and Jess’ vehicle?
A.) Josué
B.) The J2K
C.) Jaclyn
D.) Jeeves

22.) What is the name of Alex and Jess’ soon-to-be puppy?
A.) Ernie
B.) Henry
C.) Tyke
D.) Maxwell

23.) What is Alex and Jess’ favorite thing to do together?
A.) Going on walks
B.) Coffee dates
C.) Romantic dinners
D.) Staring into each other’s eyes

24.) Whose wedding anniversary will Alex and Jess now share?
A.) Stephen and Ashley Willcox
B.) Joey and Jenna Woestman
C.) Andrew and Laura Laird
D.) Dennis and Vicki Rathburn

25.) What state will Alex and Jess be moving to after they return from their honeymoon?
A.) Iowa
B.) Indiana
C.) Maine
D.) Staying in Ohio

26.) Where have Alex and Jess both worked?
A.) Cedarville University
B.) Rockwell Collins
C.) East Iowa Bible Camp
D.) The Savings Bank

27.) What is Alex and Jess’ mutually favorite restaurant?
A.) Chipotle
B.) Red Lobster
C.) Olive Garden
D.) Texas Roadhouse

28.) Over the course of their relationship, what video game did Alex get Jess addicted to?
A.) Mass Effect
B.) Portal
C.) Commander Keen
D.) F.E.A.R.

29.) What new skill has Alex started teaching Jess since they became engaged?
A.) Cooking
B.) Computer programming
C.) How to do a hand stand
D.) How to touch her tongue to her nose

30.) What is the name of Alex and Jess’ first dance song today?
A.) Mae – Sometimes I Can’t Make it Alone
B.) Mae – Ready and Waiting to Fall
C.) Mae – The Sun and the Moon
D.) Mae – The Everglow


Bonus Fill-in-the-Blank Questions:

31.) In Jess’ bridal outfit, what is “Something Old”?

32.) In Jess’ bridal outfit, what is “Something New”?

33.) In Jess’ bridal outfit, what is “Something Borrowed”?

34.) In Jess’ bridal outfit, what is “Something Blue”?

35.) Where did Alex purchase the ring that Jess is wearing?



And the results are in!  We’ll post the answers to the questions … eventually.  But for now, let’s just get the quiz results out there!

Ohio Results

Highest score: 106.67%
Lowest score: 26.67%
Average score: 60%
Standard deviation: 16.97%

I suppose we could curve it to make those numbers look a little better.  Plus, that’s a pretty large standard deviation … everybody add 10% to your score so we look like better teachers!

Iowa Results

Highest score: 103.33%
Lowest score: 0%
Average score: 36.67%
Standard deviation: 24.84%

The highest score at the Iowa reception goes to Kara Rathburn, who tied the second-highest score at the Ohio reception.  She doesn’t win a prize since she’s our sister.  However, congratulations anyway!

The lowest score goes to the other side of the family:  Jenna Woestman.  Who signed her name at the top and subsequently didn’t answer a  single question.  Come on, Jenna.  We expect you to apply yourself a little more!  It’s also worth noting that Jenna’s husband, Joey, got an impressive 73.33% … and of the questions he answered, he didn’t get a single one wrong!  Unfortunatly, Jenna must have been rubbing off on him, because he left several blank, and that’s why his score was so low.

What we can really glean from these results is that the Ohioans read our blog much more diligently than the Iowans.  Believe it or not, the answer to every question (save two, I believe) can be found in the Once Upon a Cotton Ball series!  The average score was a lot lower, and the standard deviation was way higher … Iowans, you can add 10% to all of your scores as well.  Unfortunately, that doesn’t make it look too much better, comparatively.  We still love you!  And, hey, we live here.  So you have all the time in the world to get to know us and learn the right answers!



Thanks to everyone that participated, came to our wedding, sent us cards, gifts, money, and your love.  Thanks for being a part of our new life together, and thanks for making our wedding, reception, Iowa reception, and moving process such a wonderful occasion!  We love you all.

North American P-51 Mustang

One-hundred-seventeen days.  Almost four months.  What could you build in one-hundred-seventeen days?  Perhaps I should rephrase that: what could you build in one-hundred-seventeen days on a government contract? Certainly not an entire aircraft, from the ground up, from scratch-paper to rolling it out of the hanger?

But it has been done.  The North American P-51 Mustang was ordered just one-hundred-seventeen days before the first prototype was rolled out.  That’s an incredible achievement right there.  Before the aircraft even got off the ground, putting all of its air superiority aside, the entire plane was designed and put together in less than four months.  It was flying less than two months after that.


Why was the P-51 ordered you might ask? In the early 1940’s as World War II was ramping up, North American Aviation (NAA) realized we had no fighters that met the Royal Air Force’s (RAF) strict requirements, and we were in desperate need of an aircraft that could protect daytime bombing formations deep into Germany.  So in March of 1940, 320 new P-51 aircraft were commissioned by NAA.

It wasn’t until 1943 that enough P-51s were available to start doing some good.  Pilots found that the aircraft was an excellent long range escort fighter.  Finally, it was possible for the RAF to carry out their bombing missions at night, and the United States Army Air Force (USAAF) to carry out their bombing missions in the day time with P-51 escort.

As the war wrapped up, jet powered aircraft started to develop.  While many of the earlier aircraft in the Allied fleet couldn’t compete against the faster jet aircraft, the P-51 could.  This allowed the P-51 to be picked as the top piston powered aircraft during the end of the war.

The USAAF consolidated much of its P-51 fleet after the end of the war.  A few upgrades were made to the plane through the 1950’s and the fighter lasted much longer than other piston powered fighter planes.  While much of the world was looking to jet powered fighters, the P-51 continued to have a role even into the 1960’s.  Finally, the last two military P-51s flew in 1968 as chase planes for a military helicopter.  The last P-51 that was downed in military combat flew in 1965.

The P-51 played a vital role in winning Wold War II.


By May of 1945 the top three P-51 groups had shot down 4,950 aircraft; this amounted to half of the USAAF total kills in the entire European theater.  Keep in mind that was only the top three groups, and if you break that down by day, it amounts to over 6.75 kills per day.

The two top scoring aerial combat groups (which exclusively flew P-51s) had 1,229 kills just between the two of them.  During the European campaign, the RAF and USAAF used the P-51 in 123,873 sorties.


Machine guns were the dogfighting weapon in World War II.  The P-51 had four 0.30 inch M1919 Browning machine guns and two 0.50 inch M2 Browning machine guns in its wings.  Two more 0.50 inch M2 Browning machine guns were mounted under the engine of the aircraft and were synchronized to fire between the propeller as it rotated.  This technology was developed in WWI and was known as gun synchronization gear.

The P-51 was capable of carrying ten 5 inch long rockets that were mounted under the wings similar to today’s missiles.  It could also carry 2,000 pounds of bombs under the wings in place of the rockets.  On long range missions the later models could replace the weapons with external fuel tanks to extend their range by 300 miles.


The P-51 Mustang was a top of the line machine for its time.  Powered by the Merlin V-1650 engine, the first models boasted a top speed of 437 mph, which could keep up with the earliest jet powered aircraft.  The final model, the P-51H, could hit 490 mph.  The P-51 would cruise at around 275 mph and at about 41,900 feet.  Its range was over 1000 miles.  When the P-51D was introduced an additional 300 miles were gained with drop tanks on the wings.

How much did a P-51 cost?  In 1945 the government paid $50,985 for each aircraft.  Converting that to 2011 dollars it would cost around $628,000 to buy a P-51.  After the war, the government sold many of their P-51s for civilian use, some for as little as $1,500.

A total of 16,766 P-51 Mustangs were built.  Many of them were sold to other Allied countries.  It was thought of as the top long range escort fighter of its time.  Many still fly today in homage of the original lead fighter of the USAAF.


Sadly, it’s not likely that you’ll be out drinking lemonade on your porch one day and see a formation of P-51s flying over anymore.  You will mostly likely have to go to a museum or an airshow to see one.

There has been a trend over the past few years to do “heritage” flights at airshows with a WWII era plane flying along side one of today’s modern fighters.  Many times the P-51 is chosen for this task.  If you’ve been to a recent airshow and seen one of these “heritage” flights, then it’s possible you’ve seen a P-51.

It’s even harder to see a P-51 in the movies.  There was only one movie made that centers around the P-51 and that was a 1957 film called Battle Hymn.  There are a handful of other movies that you catch glimpses of P-51s: Empire of the Sun, Saving Private Ryan, Memphis Belle, and The Tuskegee Airmen all have a few scenes with P-51s flying.

If you get a chance, head over to an airshow and catch a glimpse of the one of the finest WWII era fighters built.  It will be a trip worth taking.

If you don’t get a chance, buy your own P-51 Mustang model or remote control plane from Amazon! Just follow the links below:

Andrew Laird (usually referred to as “The Brother”) is the sibling of Alex Laird. He shares the same love for airplanes as Alex does and is the guest author of this post.

McDonnel Douglas F/A-18 Hornet

The Fighter/Attack series is one most people are familiar with, and probably the most well-know set of aircraft the Unites States Navy and Air Force produce.  Unfortunately, the understood distinctions between each aircraft are not that well known.  Most commonly, all fighter aircraft are referred to as an F-16.  If you don’t believe me, just look up a few YouTube videos; you’ll be able to see variances in the details of the aircraft, but most of the videos are  will call the aircraft an F-16 … it’s sad, really.

But I digress.

Let’s talk about the second most awesome plane in the Fighter/Attack series (the most awesome being the Lockheed Martin F-22 Raptor, but this aircraft, unfortunately, will not be at the Quad City Air Show): the F/A-18.  And, just to make things interesting, let’s Tarantino this post and get to the interesting stuff first!


Where You’ve Seen It

If you recall, the Fat Albert of the Blue Angels was a C-130.  Well, the most recent bread of Blue Angels themselves happen to fly F/A-18 Hornets.  That’s where this post comes in as relating to the Quad City Air Show—not only will their be ground displays of a standard F/A-18, but the Blue Angels will put on a show flying their F/A-18s as well.

The media?  F/A-18s have made appearances in the following popular Hollywood movies: Godzilla (I’d say the scene is obvious enough), The Rock as they attack Alcatraz, Independence Day (the aircraft that Will Smith is shown flying), Clear and Present Danger where an F/A-18 is shown dropping a laser-guided bomb on a vehicle, Tears of the Sun in the final battle, and the F/A-18 Super Hornet, a two-seat variant of the F/A-18 Hornet stars, in Behind Enemy Lines.

Think you saw the F/A-18 in Transformers?  You’d be right!  The Transformers Decepticon, Starscream, morphs into an F-22 Raptor, and flying through the city (when Starscream smashes them down) are also F-22s.  However, the fighters shown lifting off the carrier part-way through the movie are Hornets, and I actually know the pilot who was flying the F/A-18 shown taking off from the carrier!

Ever seen that video of a fighter jet flying and safely landing after losing a wing?  That’s an F/A-18.  The Hornet was the first aircraft of its kind to have the unique ability to be able to safely fly with up to 80% of a wing removed, thanks to some amazing thrust-control software developed by … you guessed it, Rockwell Collins.  I’m not 100% certain, but I believe that functionality has also been implemented in the F-22 Raptor.

Finally, the F/A-18 is one of the most common fighter jets you see at an airshow, next to the F-16 Fighting Falcon and the F-15 Eagle, so it’s likely that if you’ve been to an air show or two, you’ve probably seen the Hornet or a variation thereof.



The F/A-18 is powered by two massive power plants mounted on its rear.  The power plants are each F404-GE-402 afterburning engines, capable of thrusting over 18,000 pounds.The weight of the F/A-18 at takeoff is 22,000 pounds.  The thrust-to-weight ratio is nearly 1-to-1, which lends to the aircraft’s amazing maneuverability.

The fighter can hold over 11,000 pounds of fuel in its internal tank and nearly 7,000 pounds in its external fuel tank.  On takeoff, the aircraft will be loaded with different amounts of fuel depending on its roll during flight.  For instance, if it is performing an attack mission, the external fuel tank will not be filled.  However, if is performing a longer-range attack mission, the external fuel tank will be filled, and the plane may weigh up to 52,000 pounds on takeoff.

The Hornet is 56 feet in length, only 15 feet in height, and has a wingspan of 40 feet—again, its very close length-to-width ratio lends to amazing maneuverability during combat.  When loaded with fuel and missiles, the fighter can fly just over 1,000 miles non-stop.

It’s hard to talk about a fighter jet without touching its speeds.  You ready for this?  The F/A-18 has a top speed of mach 1.8—that’s 1,370 mph.  That’s less than two hours to fly coast-to-coast in the United States at its widest point (excluding Alaska, of course).


On the Carrier

And while we’re on the subject of dimensions and speed, we should probably talk about the planes use on aircraft carriers, since it was designed with that storage in mind.  Certain later F/A-18 models (E and F) have collapsible wings for better storage on an aircraft carrier, but the standard models (A-D) do not.  This isn’t a huge issue, however, since their wingspan is only 40 feet.  Carriers range in size, but depending on the mixture of aircraft its holding and whether they have collapsible wings or not, a carrier can usually hold anywhere from 85 to 140 fighter planes.

Fighter jets, though extremely powerful, do not have enough thrust to get their aircraft up to liftoff speed before the end of the very short carrier runway, usually around 300 yards or less.  By comparison, United States air regulations require commercial landing strips to be a minimum of 4,033 yards.  So you can see that the fighters are working with a lot less runway here.  So how do they get up to speed?  Four continuous catapults.

A plane cannot lift off the ground until the proper amount of air is moving over the wings to generate lift.  The amount of air needed to generate lift depends on the weight and dimensions of the aircraft, but the catapults on an aircraft carrier, which are entirely steam driven, help lung fighters up to their necessary speed (about 170 mph) before the end of the runway.  It takes that catapults only two seconds to do this.  Usually, they planes don’t quite make it to their necessary speed, which is why you’ll see the heavier fighter jets dip toward the sea just after takeoff of an aircraft carrier.  But don’t worry.  There’s still 240 feet between the flight deck and the thrashing sea, which is plenty of room for the plane to gather the necessary airspeed to gain altitude.

Of course, all of this is just for takeoff.  How does a plane land on such a short runway?  Oh, and you know how a flight deck may be up to 300 yards long for takeoff?  Landing planes come in at a different angle, and they usually only have about 166 yards.  When they lower their landing gear, they also lower a tail hook.  The tail hook is just what it sounds like—a hook that protrudes down from the fighter jet and grabs the arresting wires that are stretched across the carrier’s landing deck.  These wires are pulled tight and screech the aircraft to a halt on the flight deck.

But what if the pilot misses the wires?  Landing on an aircraft carrier is one of the most difficult things a fighter pilot may ever do, so there’s a good chance he may miss the wires.  This means he has to immediately takeoff, fly a loop, and try landing again.  This also means that fighters land on an aircraft carrier at a very high rate of speed compared to a normal runway.  Which also means that as soon as the pilot hits the flight deck, rather than pulling his engines back or slamming on the breaks, he throws the engines to full throttle.  Why?  Because the moment he is signaled that he missed the arresting wires, he needs to be above his 180 mph to take off the other end of the carrier again.  When an aircraft misses the arrest wire, it is known as a “bolter”.  The landing deck of an aircraft carrier is slanting upward at a 14 degree angle from the rest of the aircraft so it can assist bolters in quickly getting back up to a safe altitude after missing the arresting wires.



Unfortunately, the F/A-18 has no weapon systems … I’m just kidding.  But seriously.  The Hornet comes equipped with a nose-mounted 20 mm M61 Vulcan gatling gun that houses nearly 600 rounds.

The F/A-18 can hold up to nine missiles: two on the wingtips, four under the wing, and three under the external fuel tank.  If you see an equipped F/A-18, it may be carrying Hydra 70 or Zuni rockets, or it may be equipped with AIM-9, AIM-132, IRIS-T, or AIM-120, AIM-7 or AIM-120 air-to-air missiles.  There are also five types of air-to-surface heat-seeking missiles that the Hornet may be carrying, or a few AGM-84 Harpoon anti-ship missile.

You think that’s all?  Of course not.  The Hornet can also be used as a bomber.  The F/A-18 can carry up to eight different types of bombs, including Paveway laser-guided bombs, cluster bombs, JDAM precision-guided bombs, B61/Mk57 nuclear bombs, and more.


History and Cost

Boy, after starting with all the cool stuff, the history of the aircraft seems kinda bland, doesn’t it?  If you answered “yes” to that, I question why you’re even reading blogs about airplanes … after all, without aircraft history, we wouldn’t be making bigger, better, faster, and more agile aircraft every decade.

McDonnell Douglas developed the F/A-18 Hornet after gaining the contract from the United States Navy’s Naval Fighter-Attack Experimental program.  The goal of this program was simple:  create an agile aircraft that could replace the Skyhawk, Corsair II, and Phantom II, performing better in every respect than its fighter-series predecessors.  Both the Navy and the Air Force needed a short-takeoff aircraft that was versatile enough to be used on a land-based air base or stored on and launched from an aircraft carrier.

The Navy proposed a design for the aircraft that illustrated a single-man aircraft that could be easily used for bombing and could then defend itself from attacks while it returned to Home Base.  The F/A-18 certainly meets that goal with its superior dog-fighting capabilities, and it proved this ability in Operation Desert Storm, when one aircraft would dog-fight its way to its target, bomb the area, and return to base without a scratch.

The F/A-18 was first tested in 1978 and entered the service in 1983.  The F/A-18 Super Hornet, a two-seater variant of the Hornet developed by Boeing, was introduced in the early 1990s after the Navy retired the F-14 Tomcat, A-6 Intruder, and EA-6 Prowler all at once … without first considering an alternative (oops).

A single F/A-18 Hornet costs just under $40 million.  The F/A-18 Super Hornet costs nearly $60 million.  The fleet size of the F/A-18 family is nearly 3,000 aircraft.

Finally, let’s talk about the cockpit of the aircraft.  Like previous military aircraft I’ve covered, the radio communications and control panel were developed by none other than Rockwell Collins (though, again, we never get credit for this on any of the Wikipedia pages).  Last, but certainly not least, in the late 1990s, Rockwell Collins developed a technology that would automatically adjust engine thrusts in the case of a serious malfunction of aircraft damage.  Originally, the functionality was intended to provide a safe landing for a fighter aircraft if it lost up to 60% of its wing, but the final program allows the F/A-18 to lose up to 80% of one wing and land safely!  Now that’s impressive for an aircraft that may weigh up to 51,000 pounds when filled.

Oh, and here’s a fun fact: though you may think of the F/A-18 as a “heavy” aircraft due to its many pounds by comparison to, say, you’re car, it’s actually classified as a light-weight fighter.  In fact, when the Navy bid the program in the first place, a light-weight fighter was one of their requirements.

Think the F/A-18 Hornet is one of McDonnel Douglas’ finest creations? Buy your own model or remote control version by following the Amazon links below:

Or, if you’re really ambitious, save up a bit for an even bigger scale model: