I am definitely an old school gamer. My son plays games like Modern Warfare 2 and Left 4 Dead 2. But I started when games required thought and not just lightning-fast reflexes. And one of the very first computer games I remember was Colossal Cave. I first played it on an IBM S/370 that ran MVS and TSO (i.e., Time Sharing Option). But some of my most favorite memories of the game were when I played it on the Heathkit H89 PC that I soldered together with my own hands.
And there was one part of the game that always fascinated me: the maze of passages. Actually, there were two such mazes: one had twisty passages that were all alike and the other had twisty passages that were all different. And in these tunnels, you could either become lost forever or find the pirate’s treasure.
So what does this game have to do with anything? It’s simple: the use of tunnels can lead to frustration or it can lead to treasure. For today, I’m going to talk about tunnels that can be used for treasure.
Most of us know about one form of tunneling or another. Many people use (or know about) SSL tunnels and/or IPSec tunnels. These kinds of tunnels are commonly used by many folks who must use VPN technologies to access resources that are secured behind corporate firewalls. Most people have no real idea of what is going on “behind the scenes” when they use their corporate VPN’s. But the basic premise is simple: one kind of data that is commonly blocked can be “wrapped” within another kind of data that can be allowed to pass. Think of this as the knife in the birthday cake. The guards won’t allow the knife to be given to a prisoner. But the guards can be fooled if the real payload is hidden from sight.
Of course, this analogy is simplistic – and somewhat deceptive. Tunnels are not used just to hide nefarious objects from the prying eyes of the world. They are more commonly used to control the kinds of data that passes the sentry points in a system. Think of it this way: if the cargo hole in a ship is shaped like a square, then valid cargo must also be shaped to accommodate the size and shape of the square entryway.
For those who have a little more knowledge, there are other forms of tunnels that are commonplace. For example, SSH tunnels are de rigeur for most system administrators. SSH tunnels can be associated with commercial tools (like VanDyke’s Secure Shell or BitVise’s Tunnelier). But they can also be used with open and freely available tools (like sshd and PuTTY). I use SSH tunnels for so many things. SSH is used to secure my router. It is also used to securely access my home systems from any location on the Internet.
But amongst those who work with security for a living, there are many other forms of tunneling – some widespread, others obscure. For years, TOR (The Onion Router) has been used as a means of anonymous (and encrypted) browsing. And TOR has often been used with local proxies that ease the burden of tunnel configuration and workload separation. But recently, the use of TOR and local proxies has gotten a whole lot simpler. You can now downlod a single package that will install and configure a browser, a proxy and TOR onto a portable platform (i.e., a USB key). In this kind of configuration, you can insert a USB device into almost any system connected to almost any public hotspot. Once the browser is launched, you can commence anonymous and secure browsing of the Internet.
And these tools can now be combined with all sorts of other tunneling tools. For example, you could tunnel TOR traffic within SSH and then forward it across a DNS tunnel. This would allow you to bypass most content filters established on the networks to which you might be connected.
Is this cool technology? Most definitely it is. Can this technology be used for good things? Of course it can. Consider an evangelist within a repressive country. Such a person can connect and communicate with others within his country or with those who are outside his country.
But can this technology also be used for nefarious purposes? In candor, it certainly could be used for illegitimate purposes. But I think of these kinds of technologies in the same way that I think of freedom of speech. We must allow gross and unseemly speech if we want to have any freedom of speech. Otherwise, our speech (however comely and delightful it might be) could be considered objectionable – and hence, controllable.
So what should we do about the maze of twisty passages? In my narrow view, I must come down on the side of allowing such technologies. They can be used for good or “twisted” into unacceptable uses. Of course, the same thing is true about guns. They can similarly be used for unsavory purposes. But the protection of our liberties will lie in our ability to use tools that allow us to secure and protect individual liberties – even when this means that the state will have a more difficult time dealing with the criminals.
-Roo
Month: July 2010
Calibre, With Coverflow?
Over the past year, I have slowly (but inexorably) become more and more excited by e-books. I think the real turning point came when my wife gave me a Kindle for Christmas (and my mother-in-law gave me a generous gift certificate at Amazon). This post won’t be about e-books, e-book formats or even portable readers, per se. Instead, I want to focus on a PC-based management tool: Calibre.
The Calibre team bill their product as a complete e-book manager. But it is far more than that. For me, it is the Swiss Army knife for digital books. I started using this tool when I needed to convert some books from one format into another. Specifically, I wanted to convert a bunch of Mobipocket books (obtained from the Internet) into EPUB format. While I like Mobi, I am beginning to think that EPUB will drive the market a little faster (due to Apple’s adoption of EPUB). [Note: For a complete comparison of digital book formats, take a look at the Wikipedia entry here.] So I’ve used Calibre for certain specific needs. But that may be about to change.
I discovered a curious new feature of Calibre when I loaded the latest version (v0.7.7). Specifically, Calibre provides a visual browser experience that is decidedly familiar: it looks just like CoverFlow. [Note: This feature actually appeared in Calibre with v0.5.1] Of course, this kind of browsing paradigm is not just limited to iTunes. It has shown up in other music products – most notably, it can be found in the Songbird player.
But is this a copyright or DMCA infringement? I have no idea. [Note: There is an excellent discussion on this subject here.] But it is a welcome addition to my toolbox for digital books. Does it provide a feature that I really need? Not really. But it is so cool to see it. And it may very well herald an increasing need for metadata management tools.
I look forward to even more metadata editors for my e-book collection. And I really welcome a universally adopted e-book stadard. For music, the MP3 ID3 tag system was the least common denominator. So who will step up and create the cool product that will necessitate the standardization of metadata for e-books? Some people are betting that it will be Apple. But I think that it just may be Kovid Goyal (the author of Calibre).
So here is my final question: which e-book vendors is Monsieur Goyal currently talking to? For my money, I would love to see someone incorporate Monsieur Goyal’s designs into a more broadly accepted reader. For me, I wouldn’t be surprised if the new Kindle for PC incorporates these kinds of features.
-Roo
Password Managers – Bleh or Yay?
How many of you remember the scene from WarGames when Matthew Broderick slides the desk drawer open to reveal a list of passwords? Yeah, that movie is twenty-seven years old now. But the message is still apt: don’t store passwords where people can find them.
And after twenty-seven years of computer development, we have single signon systems, strong passwords, multi-factor tokens, and all sorts of cryptographic wizardry. But despite all of this, we have competing rules for password strength, differing password expiration durations, and even more different types of accounts that demand different strengths of security. For example, most people are very concerned about password strength for their financial transactions. But these same people are probably less concerned about the password for their PetCo account.
The result of all these new rules and password differences is the same: people either store their passwords somewhere, or they use the same password root with variations in prefixes/suffixes, or they periodically must go through the password change/challenge dance.
Amidst this reality, there are a plethora of solutions. But two such solutions have captured my attention: Roboform and LastPass.
Roboform is an excellent tool that will store passwords in an encrypted, local password store. It seamlessly integrates with most browsers – especially Firefox. It is actively developed. And most importantly, it is secure by design. Specifically, passwords are stored in a private place under YOUR control. Of course, this means that if you access online accounts, you will need to have access to your password store. This usually means storing passwords on a portable USB key. For these and other reasons, Roboform has a large and devoted following.
But there is a new gunslinger in town. Over the past few months, LastPass has garnered a large and growing user base. It has a very attractive UI. But more importantly, it is flexible and very powerful. Like Roboform, it has the ability to store and exploit multiple identities. And it is tightly integrated with every browser – including Chrome. Indeed, the Chrome plugin is one of the best features of LastPass.
But unlike Roboform, the LastPass team has chosen a different path for its success. LastPass exploits cloud-based technologies for customer password storage. This is excellent if you will be mobile and you can’t carry your identity in a mobile fashion. Of course, this means that your critical password store is publicly available. So if you want to use LastPass, you need to understand how they store your passwords and how they control access to your passwords.
What is Roo’s recommendation: I have switched over to LastPass. And I use a very complex and totally unique password for this store. Do I trust the team at LastPass to protect my password store? I must grudgingly say that I trust them – for now. Do I know these people personally? No, I do not. But I do trust them enough by virtue of the people and organizations that have publicly endorsed their technology.
That said, I am reminded of something that President Ronald Reagan once said: trust – but verify. So I am now keeping a mindfl eye on the continuing performance of the LastPass team (including its financial supporters).
-Roo