DNS Rebinding Attacks: “Lions, and tigers, and bears – oh my!”

July 10, 2018August 22, 2018 Lorin Olsen

What’s a new day without a new attack vector being published? Yesterday, Google, Roku, and Sonos all announced that they will be updating their home devices in order to address DNS rebinding attacks.

So what is a DNS rebinding attack? According to BleepingComputer.com,

The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains. DNS rebinding attacks are usually used to compromise devices and use them as relay points inside an internal network. A typical DNS rebinding attack usually goes through the following stages:

1) Attacker sets up a custom DNS server for a malicious domain.

2) Attacker fools victim into accessing a link for this malicious domain (this can be done via phishing, IM spam, XSS, or by hiding a link to the malicious domain on a malicious site or inside ads delivered on legitimate sites).

3) The user’s browser makes a query for that domain’s DNS settings.

4) The malicious DNS server responds, and the browser caches an address like XX.XX.XX.XX.

5) Because the attacker has configured the DNS TTL setting inside the initial response to be one second, after one second, the user’s browser makes another DNS request for the same domain, as the previous entry has expired and it needs a new IP address for the malicious domain.

6) The attacker’s malicious DNS setting responds with a malicious IP address, such as YY.YY.YY.YY, usually for a domain inside the device’s private network.

7) Attacker repeatedly uses the malicious DNS server to access more and more of these IPs on the private network for various purposes (data collection, initiating malicious actions, etc.).

In short, an attacker can hijack your DNS queries and provide invalid (and malicious) responses.

So what should you do in response?

Actually, that is a tough question. This truly affects home users. It is not nearly as big a threat for enterprise administrators. Yes, every enterprise should mitigate this vulnerability through appropriate maintenance. And yes, if you place products/services within your customers’ home, then this is a current issue for you. But even if you are not involved today, it is important to note that as more devices in the home are becoming Internet-aware, this problem will become larger.

As a customer, update your client software as soon as updates are made available by the vendors. This is a default answer for most things. But in this case, it applies as well. Fundamentally, the issue is with the client software. So the client software is where the fix must be applied. Google, Roku, and Sonos have already committed to bringing forward appropriate fixes.
Press other product vendors to provide updates to their software. This includes: Amazon, Netgear, TP-Link, Phillips, Ikea (Tradfri), Blink, GE, and many others. As a professional, this is probably not your call to resolve. After all, do you really want to get involved in the dealings between a customer and another premise-device provider? Usually, I’d recommend keeping your nose out of other people’s business. But in this case, this is a matter of domestic hygiene. Your products and services will never work optimally if the entire home ecosystem is “polluted”. Of course, the biggest reason to be involved is to provide more mass in order to affect the “gravitational” effect upon these vendors. As an advocate for your customers, encourage your peers to “do the right thing”.
As a homeowner, I would recommend running your own DNS, if you can. Maintain its currency to ensure that its software does not become the next attack vector. Unfortunately, this step won’t resolve the current problem. But it will resolve many other problems – especially problems imposed by lax ISP maintenance procedures. If you can’t run your own DNS, then use a logical (or physical) “proxy” for your DNS queries. This will resolve many of these issues. For example, your SmartThings hub can deal with the internet-based DNS services for your devices. But whatever technical steps you may take, please be a counselor and advocate for your customers. At the same time, maybe it’s time for your company to provide a DNS appliance solution. Maybe this isn’t just “table stakes” for the OEM router providers and the ISP’s. Maybe your company can economically provide a cool product that bundles DNS, ad blocking, and proxy services.
If you use your own DNS, then use DNSSEC. This won’t be the short-term solution. Indeed, most IoT clients won’t have the processing power to provide authentication and encryption to a secure DNS infrastructure. But if you can bake this into your products, then do so – soon. Please, and thank you.

In the final analysis, this problem is an “edge” problem. So all solutions must occur at the edge. But if you are a service provider, then you have an obligation to your customers to act as a trusted advisor. Help them to be successful and they will help you to be successful.

https://www.bleepingcomputer.com/news/security/google-roku-sonos-to-fix-dns-rebinding-attack-vector/

Get Ranked to Become More Secure

July 10, 2018August 22, 2018 Lorin Olsen

I’ve been in the business world for a few years. And in the past two decades, the forced ranking of employees has been used by most HR departments. These ranking systems have generated both great advantages and equally great disadvantage. But the motivation for implementing such competitive systems is quite clear: as humans, most of us are driven to compete. So it is theorized that this imperative can be channeled to “inspire” maximum performance while on the job.

We want to be the “best” in whatever we do. This includes having the best house (or car), maintaining the best yard, encouraging the best students (or student/athletes), or being the “best” member of a great team. These kinds of systems inspire us to be the best that we can be. Such reward-based systems are nothing new in technology either. For a generation, game designers have built reward systems into their products. It is no longer just about beating the “big bad”. It is also about wearing the best armor or having the coolest spaceship. And social media systems have often devolved into follower counting or “influence” ratings.

So how can such comparison and esteem systems result in a stronger security posture?

The folks at LastPass (which is owned by LogMeIn) have been using a “security challenge” program to motivate people to be more secure than they have ever been. While such a system does not work for everyone, it has always worked for me. As a result of this system, I remained dissatisfied with being in the top ten percent of LastPass users. The test inspired me to work hard in order to join the top one percent of users. And this week, it inspired me to implement any and all recommended areas of improvement.

I’m not certain whether the aforementioned example speaks to the power of motivation systems or to a fundamental facet of my personal psyche. But for the sake of this article, I’ll assume the former while considering the latter at some point in the future. After cleaning up (and locking down) all of my credentials, I decided to turn my focus towards household vulnerabilities. And my tool of choice to evaluate vulnerabilities is Nessus (http://www.tenable.com).

I’ll probably write a follow-up article about my findings – and my subsequent actions. In the meantime, I will tell you that the very first thing which I started to do after seeing the most recent results was to triage the important vulnerabilities. I looked at the items that Tenable noted as most important. I then researched and worked towards remediation of all of the highlighted vulnerabilities. Bottom line: I was motivated to be better than my nearest neighbors. This “better than the Jones’s” compulsion is driven by my fundamental view that to be a survivor, one cannot be the slowest antelope in the herd. Consequently, I am using an incentive-based system (and some fear-based motivation) to further strengthen my security posture.

In the final analysis, I am convinced that harnessing ego rewards and highlighting real risks (i.e., letting people know of the possible punishments for not addressing vulnerabilities) are a winning strategy – if you have a company with employees like myself.

http://smallbusiness.chron.com/employee-motivation-reward-systems-15978.html

Trading Privacy for a Little Convenience

July 10, 2018August 22, 2018 Lorin Olsen

Benjamin Franklin once wrote, “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.” The quote (and its source) is often disputed (see https://www.npr.org/2015/03/02/390245038/ben-franklins-famous-liberty-safety-quote-lost-its-context-in-21st-century). But it is clear that modern privacy advocates see this quote as a proof text for the shortsightedness of exchanging your privacy for your security. Indeed, I too have used this quote as a rallying cry. But in candor, my use of this quote is more of an “appeal to authority” rhetorical argument rather than a reasoned defense of unfettered freedom.

But how should we respond to HART (the Homeland Advanced Recognition Technology project)? DHS is building a massive repository of identity information. This is, ostensibly, for ensuring our security. From the Electronic Freedom Foundation (at https://www.eff.org/deeplinks/2018/06/hart-homeland-securitys-massive-new-database-will-include-face-recognition-dna-and),

DHS’s plans for future data collection and use should make us all very worried. For example, despite pushback from EFF, Georgetown, ACLU, and others, DHS believes it’s legally authorized to collect and retain face data from millions of U.S. citizens traveling internationally. However, as Georgetown’s Center on Privacy and Technology notes, Congress has never authorized face scans of American citizens.

Despite this, DHS plans to roll out its face recognition program to every international flight in the country within the next four years. DHS has stated “the only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling.”

On its face, this is repulsive. And for most Americans, this kind of assault on our freedom and our right to privacy is unthinkable. But the federal government apparently hoped that this effort would gain little public attention.

But while we chafe over such obvious governmental incursions, why do we embrace the same incursions when they come from a private company? Most Apple users applauded the availability of facial recognition as part of the new Face ID feature. And I daresay that Android users would welcome the very same technology, if they knew that it already existed on their phones.

So what’s the problem with a company doing this?

There is little problem if you trust the company and if you read your grant of license. I daresay that miwe do trust companies and we don’t read license agreements. Of course, it should be the other way around. If we read the grant of license, then we would realize that most companies will use whatever they can leverage to increase profits for their owners/shareholders. And if we give away our rights (as well as personally identifiable information), then we are worse than those who gave away freedom for security. We’re doing it to save a few seconds of login time.

I Remember When…

October 10, 2011August 22, 2018 Lorin Olsen

…remote control was either difficult or expensive.
You could choose the Microsoft approach. You could use the RDP solution from any client. But if you wanted to actually connect to a desktop, that system needed to be running a “professional” version of the OS. That meant that you could have remote control from Microsoft if you paid them first.
But if you refused to pay the Microsoft tax, you could always pay Citirix for the right to use their remote control tool. Yes, it worked well. And it didn’t require a special version of the operating system. Instead, you just paid a license to Citrix and you could help whoever you wanted to help. But licensing was horribly complex. You had to have a license for a certain number of supported desktops or every desktop had to have a license of its own. So if you wanted to get help, you had to set stuff up BEFORE you had a problem.
Fortunately, you could always roll your own solution. You could install a VNC client and server on the systems that you wanted to access remotely. And if you wanted real security, you could always use an SSH client and server to make sure that your connection was encrypted. It was so easy to do that… OK, it wasn’t that easy to do. If you had an uber-geek for a spouse (or any teenage child could substitute), then you could brute force your way through the maze of complexity.
So the choice was simple: build a terribly complex solution or pay for someone else to do it for you. Now you have another option: Chrome Remote Desktop.
Google is building the Chrome OS. And they need to have a way to provide for remote desktop administration. It has to be secure and it has to be simple to use. So how do you do both? You build a tool on top of other infrastructure that already exists.

You need a rendering engine that can run anywhere. So build it on your browser.
You need a transport mechanism that is easily secured and can pass through almost any firewall. So build it on secure HTTP (https/443).
You need an extensible platform that can encode almost anything into an XML stream. So use jabber (i.e., xmpp) as the transport and stream platform.
Finally, you need a well known means of connecting users to each other. So use GTalk as the central nexus for interconnecting people.

In the end, what you have is a secure infrastructure that can easily be implemented via Google accounts and extensions to the Chrome browser.
I’m still a little leery of anything that is so simple and easy to use. But I think that this one may be a real winner.

Which One Will I Choose?

May 30, 2011August 22, 2018 Lorin Olsen

Over the past several weeks, I’ve spent time and money on assessing a variety of streaming audio solutions. My assessment has considered many factors. But chief among those factors was the mobile experience. When I was at home, I used iTunes. It’s not that iTunes is necessarily the best. Indeed, I’ve used dozens of tools at home. As a general rule, I have always favored things that also provide for metadata management (e.g., MediaMonkey). But iTunes has always been the “gold standard” for both “look and feel” as well as for application compatibility. Everyone is “compatible” with iTunes because it IS the de facto market leader.
But that market may be shifting – at least for me. Over the past few weeks, I’ve assessed two different audio streaming tools: Amazon Cloud Player and Google Music. Both have their pros and cons. Google has much more storage available that is (currently) free of charge. Amazon has a pre-exisiting (and built-in) retail channel that allows for easy (and impulsive) music purchasing. Both have good web clients. And both have good Android clients.
But both suffer from one key problem: I can’t capture and record my listening data on Last.fm. Yes, I can scrobble data from the web client (if I use third-party scripts to do the job). But neither product has any native capability to scrobble from an Android device. There are music players that do scrobble from Android. If you use the Android Music player, you can use tools like ScrobbleDroid. And if you are a fan of Winamp, you can scrobble through the Last.fm Android app. But neither of these players can stream audio from my library. So I was stuck in a quandary. Should I store music on my phone and utilize a player that scrobbles? Or should I use a cloud-based music player and forego the ability to scrobble my music?
The only solution was to either code up my own solution – or use something that already does both. Since I still have another wedding in five weeks,I chose the latter approach. Based upon some searches in Google and Twitter, I decided that I would try out the Audiogalaxy product. Based upon its marketing, the product provides streaming audio (from your home and through their servers) and the product scrobbles via the Last.fm Android app. So I began yet another quest in search of a mythical chalice.
Audiogalaxy is relatively simple to install. The site provides the step-by-step instructions that will get you going. But the basic process is as follows:

Create a free account on the Audiogalaxy site.
Download and install the Audiogalaxy “helper” application.
Point the “helper” application at your music files.
Wait for the helper application to collect metadata and send it to the Audiogalaxy service.
Install the Android app on your phone.
Start listening to your music.

The process is relatively straightforward. And I had no technical issues with the setup. I can now listen to my music library from my phone. And as I listen, my listening habits are recorded at Last.fm.

Unfortunately, Audiogalaxy has the same privacy issues that are present in Amazon’s service and also present in Google’s service: all of your music is streamed through a third-party service. So the architecture of all of these products is an architecture of control, not anonymity.
As I’ve said before, this doesn’t pose a problem for me at this time. After all, my music is positively pedestrian. But what would happen if my musical tastes were more scandalous? Or what would happen if the government decided that rock music was not to be tolerated at all? Then where would I be? I would need to rethink my listening habits. Of course, if something that draconian ever happened, then I would rethink my need to scrobble at all! And for those kinds of over-the-top situations, I might need to assemble a BOB (bug out bag)! 😉
After this exercise, I now have a streaming solution that I can utilize. And I think I know what to look for when it comes to government snooping into my private life. And there is one more option that has to be noted: Apple has not put its offering on the table yet. Maybe that offering will be announced this week. If so, I suspect that my options will grow even broader.
Finally, I really ought to point you to a vey fine comparison of all of these options. David Ruddock (and the folks at AndroidPolice) put together a great comparison of music apps on the Android platform. Check it out for a comprehensive view of all of the Android options.
-Roo

Google Music Is A Real Beta

May 28, 2011August 22, 2018 Lorin Olsen

I have spent a great deal of time this week working with the new Google Music Beta. And I am finally at a point where I can speak with a degree of confidence. What do I think of the new Google service? I think it is a real beta. It has some very rough edges. But it is chock full of promise. It has some unique and innovative features. And there are some things that are simply undone or they are incomplete.
The Good
There are a lot of outstanding features in the Google offering.

The current Google offering provides for storage of up to 20,000 songs. This is outstanding. If this model is carried forward, Google Music will destroy the competition by starving the market. My song base alone is over 12GB. So if I stay with Amazon, I will need to pay for a 20GB allotment. That will mean ~$20 per year. That’s not much. But when it’s compared to a free product, I will always take free – unless free doesn’t meet my minimum feature requirements. [Note: Google may get themselves into some trouble with such a generous storage limit. The government might choose to bring a case against Google for anti-competitive practices. I don’t think that I’d agree with such a claim. But I can see where Amazon and Apple might support someone else bringing such a claim to the federal courts.]
The service itself is stable and the music streams reliably. While I have had some challenges with streaming to my phone, most of my experience has been outstanding.
The user interface on the phone is beautiful. It is a joy to work with the mobile tool. While the “look and feel” of the Amazon tool is eminently functional, it is positively clunky. Google has obviously spent some time making the mobile experience very appealing.

The Bad
Despite all the good features, there are some serious shortcomings in the initial offering.

The tool that loads music onto the service is positively anemic. As noted in my previous post, loading music is an all-or-nothing proposition. To load individual songs (or new sub-folders in a nested hierarchy), you have to reconfigure the music loading tool to point to specific folders. Then you have to find the option in Settings that allows you to manually load music. Then you have to push the Start Now button. Google really needs to spend some time working on this process. You can “stretch” the tool to do your bidding. But ease of use in music loading is a definite weakness.
The view options are really limited. Yes, you can navigate around in the web client. But it is not a beautiful and robust client: it is a functional client. That said, the Android client is beautiful. And it has some of the view options that I like. But it would be nice to have similar options between dissimilar clients. Whether for good or ill, the Amazon client has a common appearance across every platform – including the Apple platform.
There is no music store interface. When I went through the process of loading files, I noted that some of the songs (that I had on my hard drive) came from questionable sources. In my case, I had gotten a copy of “Riders on the Storm” (by the Doors) from the web. I had used the song for a video that I had made for my son a few years ago. But I had never gotten around to buying a copy of the song. So I used Amazon’s service to buy the “Best of…” album from The Doors. Having an integrated service (from any vendor) would be most welcome. I have found that since using the Amazon client, I’ve probably purchased a half dozen albums that I would have otherwise not purchased. This is especially true of impulse purchases. Having an electronic wallet and an “always on” connection has allowed me to experience impulse buying in a whole new light.
There are no tag searching or tag editing options at all. For some folks, ID3 tags are vitally important. And there is no attention to this subject at all.
There is no support for scrobbling music to Last.fm. Yes, there are ways of scrobbling when using the web client. Dan Slaughter has put together some excellent scripts that work with both Google Music and Amazon Cloud Drive. You can find information about these tools here. But it must be noted that there is no support currently available for the mobile (i.e., Android) client.

The Ugly
Finally, there are some ugly issues that really need to be resolved before this product can become a traditional Google beta (i.e., a complete product).
It took me almost a week to get the product to work on my phone. The product would install successfully. And I could see all of the local music, but I couldn’t see anything that was on my cloud drive. At first, I thought that this was a problem with my custom ROM. I use Liberty 2.0. And some apps have trouble with some of the things that jrummy does with the ROM. But that was not the case.
I was about ready to give up on it when I had an unforeseen (and problematic) product upgrade for LauncherPro. My entire LauncherPro config was wiped out and needed to be rebuilt. Once I solved that problem, I went back to the Google Music service. And what to my wondering eyes did appear, but my music collection (but no tiny reindeer). I have to assume that the cleanup of LauncherPro solved my issues – though I have no way of proving it. Either way, the Google Music product now works superbly – though I wish I really knew what caused the trouble in the first place.
But to me, the most troubling aspect of this service (as well as the Amazon service) is the issue of privacy. It is one thing to believe in the safety and security of your own home. But when you store your media on an external service that is not within your home, do you have any degree of privacy? Perhaps you do. Then again, perhaps you don’t.
Part of me is very troubled that I have my musical tastes (and my reading tastes) exposed to any corporation. But it would be even more troubling if that same corporation made my content tastes accessible to the government. Do I have anything to fear currently? No, I really don’t. I try to ensure that all of my content is licensed. And I am pretty darned pedestrian in my reading and musical tastes. In fact, most people call me a prude. But I don’t want the government to know what I think. It’s none of their business. Finally, I broadcast (via blog, tweet and scrobble) all of my media-related activities. So am I concerned that anyone will use this information against me? No, I’m not. At least, I’m not concerned currently.
But what happens if corporations (or the government) change and become more insidious? Or what happens when they try to use my data for their own selfish marketing needs? For me, this possibility is real. And it gives me reason to pause. I don’t want to see the firemen break down my front door and seize my copy of the Bible (or the sonnets of Shakespeare, or the music of The Doors).
Bottom Line
I am impressed with the Google service. I really like their Android client. I hope that they will create a common client interface across all platforms (including Apple’s iOS). And I really hope that they take time and care in developing their EULA. There are some real challenges that must be solved. Nevertheless, the “all you can drink” service is far more compelling than a “pay per gigabyte” service.
But for now, I’m leaning towards the Amazon platform. It is a little more polished and a lot more ubiquitous. Moreover, the Amazon case for privacy is a little more comforting (given Google’s historic willingness to work with the repressive Chinese government). Finally, Amazon’s integration with a working retail channel is far more compelling. But if Google can overcome some (or all) of these hurdles, they do have a chance to win my business.
-Roo

Clouds: Just Water and Particulates

May 8, 2011August 22, 2018 Lorin Olsen

What is cloud computing? There are so many definitions. I won’t trivialize the subject by recounting a litany of terms. But I’ve been in computing for over thirty years. And “the cloud” looks a lot like data center computing in the mainframe era or data center computing in the client-server era.
I find it curious that cloud computing emphasizes “the cloud” rather than the client. We used to draw diagrams with a cloud that represented the network and the services that weren’t under our control. We controlled the things at the edge. We were the client. And then we connected clients to “the cloud” that linked one set of users with other users (or servers). So the cloud was something that we didn’t dare describe. It was fluffy and “out there” for someone else to deal with. We trusted someone else to ensure its maintenance, availability and security.
Microsoft tells us to take our computing “to the cloud.” Their slick ads are fascinating – especially when you consider that they are just repackaging Windows Live. They want us to trust their services to fulfill our needs. That means Passport. That means storage. That means chat and mail. And that means trust. We should trust them to do what we need to have done.
Amazon has launched its “cloud” services in the form of the Amazon Cloud Drive. I’ve written about this one before. And I really like it. And Amazon has a killer retail purchasing and fulfillment infrastructure. To Amazon, a “cloud service” is anything that they control. Hmmm. That sounds a lot like Microsoft’s definition. Of course, we trust Amazon – because they aren’t someone “nefarious” (like Microsoft). And when we use Amazon’s cloud services, we buy things from Amazon. In my case, I’ve recently bought all sorts of music from Amazon. I don’t even want to tell my wife how many dollars that I’ve spent.
And Google has always had cloud-based services. They include web mail, web chat, web images, web apps, and even web printing. I like a lot of Google’s services – especially since I use a Google Android-based phone. And like Amazon, Google can claim some followers just because they aren’t Microsoft. The claim is simple: “we know you can’t trust Microsoft – so trust us instead.”
[Note: The silly claim that we should eschew Microsoft reminds me so much of the “anyone but IBM” crowd that emerged during the PC era. Or was that the “anyone but Sun” crowd that emerged during the early client-server era. Or is that the “anyone but Google” crowd that is starting to gain steam these days.]
With that background, let’s charge to the premise: there are good and bad aspects to “cloud computing.” Like real clouds, good things come from the sky. Rain comes from the sky. Rain is needed for life and health. But there are also bad things that come from the cloud. All you have to do is see a lightning storm or read the recent reports from the South: storms can kill.
Cloud computing shares this zen view of things. The cloud offers great advantages. You can “outsource” lots of mundane tasks to someone else. They can do the heavy lifting. Microsoft can do the legacy PC work. Amazon can do the retail purchasing and fulfillment work. Google can do the search and data mining services. And Rackspace can meet your hosting needs. [Note: You can also buy all sorts of services from service providers like WordPress. For example, I just bought a premium theme from them.]
But along with the needed “rain” that comes with the cloud, there are some fierce downsides with cloud computing. If you trust someone who makes mistakes (uh, like everyone does), then bad things can happen. For example, you could have your gaming data compromised when PSN is compromised. Thankfully, I don’t have a PS3. And I’m not on the PSN network. But I do use LastPass. So who is the bigger fool? Is it my future son-in-law who lost things via PSN or is it me?
My bottom-line is simple. If you trust someone else, you are risking the violation of that trust. That violation can be intentional or unintentional. Do not consider anything as safe. From my vantage point, everyone can fail. Indeed, the only way to ensure the safety of your valuables is to store them where moths and rust cannot attack them. The only secure investment of trust is an investment in our Savior. Here’s my tired, old motto: In God we trust. All others pay cash.
But between now and the hereafter, I have to make daily trust decisions. My current trust decisions are as follows:

I trust Bank of America with my cash flow.
I trust Fidelity with my investment portfolio.
I trust Amazon for purchasing and delivery.
I trust Google for authentication, search and generalized web-services (like mail, voice and remote services).
I trust the government for defense services (both locally and internationally).
I trust local governments for traffic services.
I trust my wife for almost all meta-services. I also trust her as my most intimate financial adviser/partner. And while I can cook, I really do trust her to give me a better standard of living. [Note: I trust Bailey for cookies.]

In summary, the cloud is nothing new. It is simply the investment of trust in an external provider. In the past, we trusted everything to a small number of providers. Today, that circle of trust is much wider. So we have to be more savvy as we manage an ever-widening trust ecosystem. Be prepared to switch providers quickly. Be prepared to do periodic reviews of anyone who provides you with trusted services. And please remember that the only person who you can truly trust is the one who created you and the one who died for you.
Finally, let’s talk analogies and symbolism. God created you and He died for you. Easter was the ultimate reminder of that simple fact. But the example you should remember today is your Mom. She carried you and she nurtured you. And she would surely die for you. On this Mother’s day, remember to thank your Mom for being the foundation of your trust ecosystem.
-Roo

Amazon Cloud Drive Musings

April 2, 2011August 22, 2018 Lorin Olsen

After uploading all of my Amazon MP3 purchases to my Amazon Cloud Drive, I used almost all of the 5GB that Amazon provided. I felt a little cheated because I made these purchases through Amazon. Amazon is even making you offers of additional storage for new MP3 purchases. Since I can see the record of all of these “legacy” transactions on my Amazon account, why couldn’t Amazon honor these purchases?
And then it struck me: Amazon is killing many birds with a single stone.

If you purchase and leave your music on Amazon, then Amazon saves a lot of money. They can keep a single copy of the song in their storage farm. And then they just point your Cloud Drive pointer to this original content. If you have a really popular album, then they save multiple instances of storage. And these savings apply to transmission costs as well. Why download 100 or 1,00 or 10,000 copies of a song to thousands of customers? Cut out the storage costs and cut out the download costs. [Note: The transmission costs do occur on the back-end whenever you listen to the music. In fact, each time you listen to the music, you and Amazon are incurring that download.]
Amazon can layer any number of services back into this offering. They can include cover art, and all sorts of other metadata. And they can add things over time.
Amazon is storing the content – so they control it. This may not sound like much. But I suspect that this is a big deal to their content partners. For content that Amazon vends and stores, there is no real issue. But if a customer uploads content and it turns out that the content is obviously unlicensed, then Amazon has rights regarding content embargoes, content filtering and even content elimination. In fact, I wouldn’t be surprised if Amazon does content analysis on behalf of their content partners.

And none of these benefits accrue for older purchased content that would need to be reloaded back to Amazon.
But Amazon is risking very little by not addressing legacy purchases. They have a much bigger issue that they must address head-on: customer perception. Amazon is risking a lot based upon their belief that customers won’t mind having their content stored for them. I’m not certain if this is a good bet or not.
People get positively possessive about things that they have purchased. They want to use it in all sorts of ways. For example, I like to include song snippets in videos that I’ve bult for the kids and their sports teams. I would be upset if I had paid for content and couldn’t use it. In fact, I would consider that a violation of fair use. Not having access to this content in any way that I want (and at any time that I want) may result in some very dissatisfied customers.
For my part, I am still unsure about having “rights” to something without having anything substantial. Thus far, I only have two movies purchased via Amazon Video on Demand. [Note: I’ve also completed my first Amazon MP3 purchase that is stored exclusively on Amazon’s servers.] Yet I have dozens of digital movies on my media server. And I have hundreds of DVD and Blu-Ray discs in a cabinet. And I have thousands of digital music files on my media server. I could certainly buy more “rights” to other content that is stored off-site. But it just doesn’t seem the same to me. Proximity equals control and control equals confidence.
As I think about it, I like the Amazon Kindle model a little bit better. I do have the rights to books I’ve ordered. And I can view them anywhere – as long as I download them first. [Note: I do wonder why Amazon isn’t streaming book content as well as music content as it is less bandwidth intensive.] Either way, I feel very connected to the Kindle content – wherever it is. I think that this is because I have something to touch – i.e., the Kindle itself.
But I’m sure that Amazon customer studies have been through all of this. I am sure that they have recent data that suggests that younger customers are more comfortable with less concrete content. It’s just old farts like me that want to have something that is a little more tangible.
In a few years, all of this will be moot. Content will be stored in the cloud. And you won’t have direct and personal access to it – except via a technology broker (like Amazon). And that situation has the little “Lost in Space” robot (that is inside my head) screaming “Danger, Will Robinson.”
I am also reminded of the Doctor Who episode entitled “The Long Game.” In this episode, people have to pay for “access” to important information. The more you pay, the more “access” you receive. Surely this is not the future of computing. I certainly hope not.
-Roo

The Egyptian Crisis Proves the Need for Anonymity

January 29, 2011August 22, 2018 Lorin Olsen

I had a very interesting conversation at work yesterday. Someone I work with asked me about the “cool tools” that I really believe in. After thinking long and hard about the question, I told him that I believe in freedom of speech and I believe in anonymity as a bulwark to ensure both the freedom of speech and the freedom of thought. He nodded his head at the blandishment. Then I told him about TOR (the onion router). After a few minutes, he asked for a URL. So I gladly pointed him to http://www.torproject.org.
Most of the time, I am greeted with crickets when I talk about TOR. In fact, most people recite the old rubric that if you have done nothing wrong, then you should have nothing to hide. While I often agree with this sentiment, I always cringe when I hear it. Why? Because Americans have a fundamental right to think and speak whatever is in our hearts and minds. But in some places, the definitions of right and wrong are horribly twisted. During times of great crisis, freedoms are routinely challenged. And that is exactly what is happening in Egypt today.
I am not informed enough to know whether President Hosni Mubarak is or is not a tyrant. He is unelected. And he has been the unelected leader since the death of Anwar Sadat (over thirty years ago). And he has suppressed speech – especially the speech of the extreme minorities (like the Muslim Brotherhood). Do I want a stable regime that is peaceful towards Israel to be replaced by some unknown group that may be hostile to peace? Absolutely not. But I can’t read the future. So I won’t comment on what I would like to see. Again, I am not familiar enough to pick “right” and “wrong” in a complex multinational struggle.
But I do know this: when freedom is challenged, geeks turn to technology. And there are geeks in Egypt that are turning toward TOR. When President Mubarak shut down cell phones, messages came from alternate sources. And when folk feared that their browsing and their postings would be monitored, they turned to the tools of anonymity.
TOR usage has skyrocketed. There are now four times as many people using TOR to ensure their anonymity. And the number of relays supporting these users has also skyrocketed (see below).
This spike in relays is across the globe. And geeks everywhere are bombarding Twitter and they are deluging Facebook. And folks are starting to march in America. I am so glad to see that people are engaged and active. I am not certain what outcome I want to see. But I do want to see freedom of speech and freedom of thought flourish in times of turmoil. So count me in.
-Roo

Why Root Your Android Phone?

December 21, 2010August 22, 2018 Lorin Olsen

Over the last three months, I have repeatedly told myself that I would not root my Droid 2. I made this choice because I wanted to use the same kind of phone that the average customer would use. After ninety days, I am completely satisfied that the “average customer” can have a warm, inviting, robust and feature-complete experience on an Android phone. And after ninety days, I can also confirm another simple fact: I am not an average customer.
For those who have followed my blog for a while, you will remember that I used custom firmware on a variety of Windows mobile phones. And you will remember that I have run custom firmware on my broadband router for over seven years. So many of you have probably taken bets on when I would break down and deploy custom firmware on my Android phone.
Well, I hate to disappoint you. But I have not yet loaded a custom ROM onto my Droid 2 – at least, not yet. But I have rooted my phone. And I did not take this action lightly. Before I was willing to forever say goodbye to the safe shores of carrier-based support, I needed to have some concrete reasons for the change. So here are my reasons:

I need to backup my phone. This includes my customer data, my applications and the system itself. And my carrier does not provide a means to do this. So if I want to back up key files on my system, I need to have escalated privileges.
I need to control the firewall that is on my phone. I want to say which apps can use which ports. And I want to say which external hosts I will allow threw my defenses. To do this with the builtin firewall (i.e., iptables), I need to have escalated privileges.
I need to be able to proxy access for a selected set of applications. Unfortunately, most Android apps do not use proxy settings. In the future, I am sure that most good apps will have this feature. But for now, few have this feature. So I need a way to “impose” a proxy on apps that I choose. In short, I need a transparent proxy. Since I use Privoxy and Orbot, I need to have escalated privileges.
I really want to block ads from a number of applications. I do think that ads are a good way to generate revenue for small software companies. But if I have paid for an app, I don’t want the adware. Indeed, I consider some ad services to be real crapware. So I want to blacklist some ad servers. To do this, I need to update my local hosts file. By pointing some of these ad servers to my local loopback, I can negate the nastiness of many of these advertisers. To do this, I need to have escalated privileges.
I really want to control the tunneling tools that I use to connect to my home systems. I use ssh to tunnel VNC/RDP traffic into my house. And I need to have full control of these tunnels. You can use some of these tools in user mode. But kernel mode tools are much better for some of these core services. To do this, I need to have escalated privileges.

Should you root your phone? That one is up to you. I will take no responsibility for supporting you. And there is no warranty, either explicit or implicit, when you decide to take control of your phone.
But if you are willing to accept the responsibility to support yourself, there are thousands of people who would be willing to help – including myself. There are hundreds of sites that can help you on this journey. But one of the best places is the xda-developers forum.
If you decide to take your first step into a brave new world, good luck on the journey – and I can’t wait to see you on the other side.
-Roo