February 7, 2010 · Musings, Writing · Comments Off

A recent Slashdot poll asked readers what should be in a 101 course that everyone had to pass, with a wide variety of acceptable options. Like most of these polls, both the question and the options are set up poorly — no context, an option that doesn’t work (“other, listed below” implies an AJAX-y box which one can fill in), vague options (“basic math & science”), etc.

Being a writer, I gravitated toward the “grammar/communication” option. I do admit that I first moved my mouse pointer to “computers,” but like several posters indicated in the poll comments, we already have an overabundance of Computers 101 courses that tend to be nothing more than glorified Microsoft Office training sessions.

There’s nothing wrong with IM/text-speak — it’s acceptable to tell someone “k np” or ask “how r u” because of the short, real-time nature of instant messaging and texting. It’s a different story when a professional level of writing is required, even if it’s an “informal” memo going around the office. In written communication, you want your reader to focus on the message, not spend time deciphering your paragraphs.

Many times it’s because we’re in such a hurry to hit the send or print button. We’re always working on something that was due yesterday, or needs to go out ASAP because the server is going down in 30 minutes. The art of patience is, well, a lost art.

Write once, edit twice. Find a colleague to review your draft — preferably someone who doesn’t know the backstory, someone who will read it the way your audience will. It might delay dissemination for 15 minutes, a few hours, maybe a day, but it’s worth the trouble.

Personally, I think a book like Eats, Shoots & Leaves by Lynn Truss should be required reading. (I know there are shelves of books like this, but Truss’s is one that I’m familiar with and actually have on my shelf.) I’d rather force that on someone than a copy of Strunk & White, which can get into some really mundane, archaic, and occasionally misleading grammar usage. Some of my college-level writing courses used Diane Acker’s A Writer’s Reference, which is a more middle-of-the-road text.

So the next time you’re writing something, take a few minutes to re-edit it twice — even if you’re confident it’s finished — and have someone else take a look at it. And don’t forget some light reading, as suggested above.

January 18, 2010 · Musings, Writing · Comments Off

As a writer, proper terminology in both fiction and nonfiction is key — the wrong word can ruin even the best idea. In marketing, the same principle holds. So one would think that using the adjective “unbreakable” to describe a product is not just irresponsible but outright dangerous. Describing a product in such absolute terms is akin to a dare or posing the question “Will it blend?”

This year’s Consumer Electronics Show (CES) featured a mobile phone from Sonim designed to take extreme abuse, much like Panasonic’s Toughbook laptop series. The product is designed to the company’s “Rugged Performance Standards,” one of which includes an unconditional guarantee, which states that if the phone breaks or malfunctions within the warranty period, it will be replaced the same day, no questions asked.

In Sonim’s defense, the marketing materials don’t directly call the phone unbreakable; a Google search of the website proves this. Here are the three results explained:

As a brief aside, we’ll examine the word “unbreakable” with the reference of record, the Oxford English Dictionary. The word “unbreakable” first refers back to the prefix “un,” which in the form “un-” + adjective + “-able” is generally accepted as negation starting in the 14th century. Widespread use of “unbreakable” as referenced by the OED began in the mid-19th century, which followed the use of “breakable,” or “capable of being broken, frangible,” starting around the 17th century. “Unbreakable” clearly means something not capable of being broken or frangible.

So now we’ve come to the apex of this story. It appears that “unbreakable” can be entirely attributed to the company’s CEO, in theory leaving the company clear of any controversy. So when a BBC reporter at CES smashed the phone against a fish tank after the CEO said “It is basically unbreakable, and if you find a way to break it, we’re going to give you a free phone,” those words became the joke of CES.

CEOs be warned – do not speak about your product in absolute terms unless you are absolutely sure your product meets all of your claims. And don’t use the adjective “unbreakable,” because somewhere, somehow, someone will find a way to break your product.

January 2, 2010 · Musings · Comments Off

I have nothing against dedicated fans wanting to make films deriving from a movie or video game. In some cases, the original work gets a PR boost, and it’s hard to argue with free advertising that attracts more fans. However, when the IP holder hasn’t set a clear precedent for fan-created works, that’s when the problem starts.

Fan films, as derivative works, usually make use of trademarked names and characters. For instance, a quick hop over to Nintendo of America’s page for the most recent Legend of Zelda™ game, Spirit Tracks, shows that Nintendo makes a trademark claim for not only the name The Legend of Zelda, but also for the name and character Link™. So a fan film like The Hero of Time would likely make use of Nintendo’s IP, namely characters covered under trademark.

Some companies are known to be lax in their enforcement of trademarks; for instance, IP holders of the Star Wars and Star Trek franchises, as pointed out in the Slashdot story, tend to permit not-for-profit fan films. But this is not the norm, and most IP holders tend to guard their trademarks closely, so that they can maintain full control over their image.

Why would a company not want their fans to cook up some free derivative works?

  1. Quality: It’s unlikely that fans would pour enough money into a fan film to reach the standards of quality that the IP holder would be satisfied with. The chance of a film with a $1,000 budget looking like a $20m Hollywood-style production is almost nil.
  2. Content: The IP holder might object to the content for various reasons. Nintendo could easily make the argument that a fan film could be “too” adult, e.g. due to violence. The storyline and plot might conflict with the actual games or movies and blur the line between what’s the “true” story and the “fan” story. (This is a particular issue with fan fiction.)
  3. Bad PR: If a fan film ticks off the fan base, the original work could suffer. If someone mentions The Legend of Zelda and the first thing that comes to mind is “that crappy fan film,” that doesn’t do the original work any favours.

It’s hard to feel bad for the group that put together The Hero of Time. They clearly went along without an explicit blessing from Nintendo and spent years (and an unknown amount of money) producing a film and showing it in theaters.

Fans make the argument that the film’s creators did nothing illegal. It is illegal in that the registrant can, under the Trademark Act of 1946, seek civil action against any person infringing a trademark. They make the argument that the film is free advertising. Free advertising != good advertising. They also argue that the film was “not for profit” and should be protected. 15 U.S.C. Sec 1114 does not exempt these so-called “not for profit” projects, as merely distribution can be grounds for infringement. (The same principle holds for the use of P2P to distribute movies, music, etc.)

Since Nintendo only uses the standard trademark symbol and not the registered (®) trademark symbol, it’s reasonable to assume that the marks are not registered. If this is in fact the case, the producers of the fan film could’ve fought the claim, but I doubt they would’ve had the funds and the counsel to do so, not to mention the negative press they would’ve received.

This is the problem with fan films. Fans dive into projects like these without respect (unintended) for the creators of the works they know and love. It’s unfortunate for those who spend a considerable amount of time and money, but content holders do have the right to protect their work, which sometimes means protecting it from fan films.

December 31, 2009 · Uncategorized · Comments Off

As the proprietor of a once-prominent Final Fantasy XI website, The Vana’diel Lobby, I wonder whether this will be the last Christmas that most players will spend in Vana’diel. Square Enix has opened a beta test application period for what will undoubtedly be the heir apparent, Final Fantasy XIV, and with a 2010 launch, it is inevitable that players will make the switch. So how much time does Vana’diel have left?

Square Enix has released a FFXI expansion collection labeled for 2010, and is selling it at a discounted price on Steam into the first part of January. The game is up to four full expansions plus three add-on content packs, after an initial Japanese release in mid-2002 and an initial North American release in late-2003. (Recent press releases by Square Enix indicate that FFXI still has a solid user base of approximately 500,000 players and 2 million active characters.) The last expansion pack, Wings of the Goddess, was published in 2007, and the three add-on packs were released in 2009. According to trade reports, some of the big-name developers who worked on FFXI have moved to FFXIV, suggesting that Vana’diel won’t get another makeover as Square Enix focuses its resources on development of the new MMO.

While it’s clear FFXIV isn’t a sequel to FFXI — much like the single-player Final Fantasy titles are not successive sequels — and the two games appear to have separate “lobby” environments (PlayOnline for FFXI, a “Square Enix ID” is used for FFXIV beta signup), how many players are really willing to cough up two sets of subscription fees a month to play both games? I can’t comment on the effect of Everquest II’s release on Everquest (original) since Sony has not released subscriber or character counts, but it’s fair to say that most players probably subscribe to one or the other, but not both.

So as the holidays draw to a close, those in Vana’diel will celebrate the holidays — the large Christmas tree in Bastok, the music in Jeuno, Moogles in hats — and hope for a year of new adventures before the sun starts to set.

December 12, 2009 · Musings, Technology · Comments Off

AT&T’s president and CEO of Mobility and Consumer Markets, Ralph de la Vega, has called out the smartphone crowd in recent comments to the press and investment analysts. In the days of more primitive phones, “mobile” versions of websites were necessary; small screens, small amounts of available memory, and poor image quality all brought forth trimmed-down sites and the .mobi TLD. Then came the iPhone.

Suddenly, carrying a smartphone was considered cool. Crackberries were no longer just for the business traveler, and Google felt threatened just enough to wade into the smartphone market by developing a phone OS. Today we have the Blackberry Storm, the Motorola Droid, HTC, and others as viable (and in certain features, better) alternatives to the Apple iPhone. With their big, vibrant screens came real web browsers and “apps” which could pull data from the Internet. While it’s hard to believe that AT&T didn’t think the iPhone would be a hit and end up in the hands of quite a few subscribers, the other carriers never had an excuse once AT&T woke the sleeping giant known as iPhone.

After the initial success of the iPhone, the carriers knew full well what they were dealing with. The widespread availability of broadband Internet services to the home in the U.S. (cable, DSL, FTTP) caused an explosion in overall bandwidth use, because the average customer took advantage of the higher throughput rates. Those of us who remember the days of 56.6k or even 28.8k modems know how hard it was to listen to streaming audio, much less watch streaming video. (My sympathies for those who are still stuck with dial-up, out of the range of the CO for DSL.) Now that we have 10Mb, 20Mb, even 50Mb pipes coming to our homes, we don’t think twice about watching a Youtube clip or downloading the latest warez…er, buying the latest game on Steam.

de la Vega’s argument is simple: three percent of smartphone users make up 40% of total data usage on AT&T’s wireless network, and their usage is impacting other customers on the same cell tower. According to a Computerworld report, “We have to get to those customers and get them to recognize they have to change their patterns,” de la Vega said at a UBS analyst conference this past Wednesday, “or there are things we will do to change those patterns.” The Godfather-like tone was clarified by other statements indicating some sort of tiered or pay-per-unit pricing. He was quoted by Computerworld, saying “there’s got to be some sort of pricing scheme that addresses the [heavy] users.”

The New York Times quotes an “independent wireless analyst,” Chetan Sharma, as saying that data usage should be treated like voice usage. “You use more minutes, you pay more,” he said to the Times. And AT&T’s de la Vega said that “The first thing we need to do is educate customers about what represents a megabyte of data[...].”

Therein lies the problem: Sharma has fallen into the trap called non sequitur, and de la Vega wants customers to tally something that a human can’t estimate. The carriers don’t get it, and neither does this one analyst. (It’s hard to say whether the wireless analyst community as a whole gets it, as the Times only quoted Sharma, and Computerworld didn’t interview an analyst.)

First, to address the non sequitur: You use more minutes, therefore you pay more, so you use more data, therefore you pay more. In the U.S., most ISPs do not enforce a hard cap, i.e. a bandwidth limit for each billing period, instead warning high-usage customers and occasionally threatening disconnection or moving them to a more expensive “class” of service (either a faster tier or “business-class” tier). Customers generally pay based on max throughput, with a bigger pipe costing more, and for all intents and purposes the connection has unlimited bandwidth. This is neither what the carriers currently do (charging for a certain amount of bandwidth per month, or for “unlimited” service, without really offering tiers of throughput) nor is it what AT&T is proposing with tiered bandwidth pricing.

Second, de la Vega thinks this is an education problem. Teach a customer what a megabyte is, and they’ll consume less of them. Without pulling out the calculator, tell me how many megabytes the following are:

And how do you provide a real-world definition of a megabyte? A megabyte might get you 7 seconds of a standard-def TV show episode, or it might get you the full front page of Slashdot, or it might only give you the photos on the front page of CNN.com. And a picture at 1 MB could easily turn into 20 MB if the smaller version was compressed from a RAW format; conversely, it could be squished into 100KB if turned into a low-quality GIF.

Urging smartphone users to browse less is a bad PR strategy. Think about it: a customer has shelled out $150-$200 for a contract-tied phone, plus a “required” data plan usually costing $30 a month, and now you’re telling them to not use the phone’s features all the time? The natural Internet response is to create an online petition and vote with your feet. Sadly, because of the state of wireless networks in the U.S., hopping to a different carrier may not be viable (e.g. no coverage) and even the threat of a government investigation into text-message pricing hasn’t kept the major carriers from steadily increasing the rates over the past few years.

I call this looming AT&T policy a bad PR strategy because it’s unlikely that implementation will cause a mass exodus to the other carriers. Many customers are perpetually in contract for the subsidized phones, while others won’t budge because of a particular phone (e.g. the iPhone) or coverage areas or employers (work phones only serviced by one carrier, or employees get a special discount with a single carrier).

Captive audiences make a great business strategy. Only time will tell whether this is the future of wireless data plans, or if the carriers realize that metered data with a meter that no one can estimate or predict might draw the ire of legislators and government regulators.

(As a sidenote, if bandwidth caps are implemented, does that mean we get to run Adblock on our smartphones?)

November 15, 2009 · Musings, Technology · Comments Off

A number of tech news outlets reported a Federal Trade Commission memo filed this past Thursday in an ongoing case in U.S. District Court (Southern District of New York) against a firm called BlueHippo. The FTC, which had successfully reached a settlement with the firm in April 2008, alleges that the terms of the agreement have been violated, and attorneys for the FTC are not amused — they are seeking restitution for customers, as well as a ban to prevent the company from offering financing with goods or services, selling consumer electronics, and regulating its refund practices.

BlueHippo touts itself as a consumer electronics seller, offering weekly payment plans and financing options without a credit check. For products which offer the payment plan and finance option, the customer agrees to pay an initial fee plus 52 weekly payments, and after 6 to 13 weeks’ worth of payments, BlueHippo will ship the product, as if it had been traditionally financed. In fact, they even offer to report your payment history to the trio of credit reporting agencies if you want the good karma on your report. Their FAQ states that they are not a rent-to-own or leasing company.

Before getting into the current legal tussle in U.S. District Court, let’s consider a few things:

  • At a minimum, you’re putting up an initial fee plus 6-13 weeks’ worth of payments before they order your computer. This alone is playing with fire — unlike Kmart, you don’t get to hand over the physical product at the store, and you have no way of verifying that they physically have your product as you make the payments.
  • The people at BlueHippo don’t know what the $*&# layaway means. (Clue: get a dictionary.) Consider the following sources:
    • Oxford English Dictionary: the word “lay-away” has a vague definition in the 1997 update, nothing more. Unusual, so we take a quick trip to Wikipedia to see if there might be a geographical (i.e. U.S./U.K.) difference in spelling.
    • Wikipedia: now we find a more specific definition, but it’s Wiki…so not using it as a valid source. However, it does point out that there is a different term for some countries, including Great Britain. Time to head back to the trusty OED with “lay-by”…
    • Oxford English Dictionary revisited: the word “lay-by,” according to definition 2b, specifically states that the customer pays an initial deposit and then pays the full price over time, while the seller holds the product until it is fully paid off. This is not what BlueHippo is doing — it is letting customers have their computer with less than 25% of the product paid off, not to mention they don’t hold the computer while the layaway payments are being made. They do state that they are financing the balance of the purchase price, but that means the customer would never make 52 “layaway” payments, only 6 to 13.
  • They expect users to use their Social Security number and mother’s maiden name as their username and password on their online account system. In fact, they let you retrieve “forgotten” login information given certain combinations of the following:
    • SSN (!)
    • Home phone number
    • House number
    • ZIP Code
    • Bank account number (!)
    • Password (!)
  • Their computer prices are only slightly higher than the manufacturers’ MSRPs. For instance, take the HP Mini 5101, which is sold in two configurations at $399 and $425. The BlueHippo price is $466.76 — it’s unclear which model is being sold, since they don’t provide specific model numbers — which is a 10% to 15% markup on MSRP. Using the cheaper model, HP would finance the same laptop over 24 months with a $1 buy-out option for $19/mo. or $456 total. Since BlueHippo is offering a shorter term, one would expect the BlueHippo price to be lower.

So now on to the legal fight between the FTC and BlueHippo. The firm had previously been sanctioned for not shipping products when promised and not disclosing that installment payments were non-refundable. To ensure that they were in compliance with the settlement, the court ordered BlueHippo to provide a compliance report and various other documents; the court found them in contempt and forced BlueHippo in April 2009 to cough up $12,500 in sanctions (five days) before it filed the compliance report, and $20,000 in sanctions (four days) in May 2009 before providing responsive information to FTC requests. An information request in May 2009 remains unanswered, despite the Court ordering BlueHippo to produce responsive information.

These FTC requests provide insight into why the commission has been so aggressive in pursuing legal action. In the memo filed on Thursday, the FTC discovered that customers “pay an activation fee (generally $99) and then make weekly payments of approximately $35 or bi-weekly payments of approximately $70 for a year.”  You don’t even need to do fuzzy math to realize that those numbers add up to a very expensive computer. (It’s $1919, given the previous numbers).

Of over 36,000 computer orders that the FTC examined through responsive documents, only one was financed. However, the FTC doesn’t even consider that single computer shipment to be accurate — according to the memo, “The shipment of this computer was most likely in error [...]. The consumer [...] only paid $185.32 towards a computer with a total sale price of $2,515.00 and never entered into a financing agreement.” BlueHippo finally shipped computers once the company was found in contempt, ordering most of the computers during the three-month reporting period over the course of just seven days, or over 3,300 computers. Thrown bone, meet FTC and court.

Then there’s the matter of the firm’s return policy. Consider the following policy:

  • Cash refunds within 7 days, store credit after 7 days. Cancellations permitted until order is shipped. Second part is pretty standard; first part is restrictive (usually see 14-30 days on refunds) but not outrageously so.
  • Store credit cannot be used on shipping, handling, and taxes. Anyone who has used a gift card knows this is not standard. This is not disclosed on the website.
  • Costs not covered by store credit must be paid in advance via money order. Yes, they really don’t care that you’re buying a $14 gaming controller and have $300 in credit — you’re paying the shipping, handling, and taxes out of your own pocket, plus the money order fee, and they won’t ship until they receive your payment. Again, not disclosed on the website.
  • Only one order paid with store credit will be accepted at a time; order must be delivered to customer before a new order can be placed. [There's just nothing to be said for this.] Not disclosed on the website.

Like the computer orders, the majority of customers who have store credit didn’t agree to pay the extra fees to use their store credit, and the majority of those who did order with store credit never had their orders fulfilled.

In addition, the FTC alleges that BlueHippo was not permitted to represent itself as a financing company or extend credit on the basis of preauthorized bank account transfers. The company apparently logged revenue of at least $15.1 million on unfulfilled orders, a truly shocking amount. It looks like BlueHippo has hit the end of the road, especially after thumbing its nose at the court multiple times, but then again, consider how long it took for SCO Linux (ding dong, la de da de da) to finally bite the dust.

Computers have become relatively inexpensive in the past year or two, especially due to the success of the so-called “netbook” market segment. (I don’t consider most of the computers in this group to be netbooks, but clearly the retailers disagree. It’s an argument left for another post.) It’s not uncommon to find a laptop in the netbook category for $300, and desktops can still be found in the sales circulars for $400 and $500. You’d be better off saving ahead of time than playing around with layaway and financing if you just need a cheap computer for the Internet, e-mail, and a few documents here and there. It isn’t worth risking your money with firms like this out there, and there are better ways to fix your credit, if that’s the goal.

October 31, 2009 · Uncategorized · Comments Off

Slashdot carried a story earlier this week about the popular television/movie streaming site Hulu blocking access to visitors coming from the Witopia VPN service, which has multiple endpoints in the U.S. as well as in the U.K. and Hong Kong. Also picked up by Australian site PC Authority, the block is notable because it appears to be the first against a pay-for-use SSL VPN; both stories cite multiple blocks against free SSL VPNs in the past, including Hotspot Shield.

Several technical aspects of the Internet have some sort of regionalization to them. Domain names can sometimes indicate what country the site originates from or is intended for — the main BBC website (bbc.co.uk) originates from the United Kingdom, while Microsoft’s Canadian site (microsoft.ca) uses a different domain name from their U.S. site (microsoft.com). IP blocks can indicate a geographical area — Comcast, for instance, has specific IP blocks for its northern Virginia or Philadelphia markets. In general, though, the Internet is as unbounded and geographically invisible as the underlying infrastructure. If all of the trans-Atlantic links were simultaneously severed, a user in New York could still get to the website of the French Prime Minister (presumably hosted in France) because the traffic would be re-routed through an alternate route, a clever resiliency mechanism which the user would never notice except for a noticeably slower connection.

Region blocks defy the very concept of the Internet — a communications medium meant to eliminate distance and borders, and facilitate the sharing of information. From a technical perspective, they are resource-intensive to implement on even the most basic level, and impossible to enforce accurately. If an IP block gets reallocated and effectively “moves” from one country to another, it could throw off a so-called whitelist or blacklist of allowed or not-allowed IP addresses. Or, as is the above case, the source is hiding his or her true IP by using a VPN or proxy, in which case blocking the VPN or proxy may block legitimate users.

Region blocking, then, is a futile arms race with users. And it is notable that those playing the arms race are media owners — Hulu, BBC (iPlayer), ESPN/Disney (ESPN360.com), among others — trying desperately to maintain control of their content. Television producers have gradually lost sleep over the years, first from the VCR, then from DVD recorders, TV tuner cards for computers, DVRs, etc., and now the widespread availability of broadband Internet and the popularity of Bittorrent mean that people don’t even need a television to watch the latest episode of Lost or House. Considering that the broadcast networks have a single revenue stream (advertising) for their on-air programming and the cable networks have two (advertising and subscribers, generally a cut from the cable/satellite operators), it’s not hard to believe that network executives are scared as crap that torrents of TV episodes are killing their revenue streams. (Yes, they can make money on syndication and DVD sales, but those don’t kick in until after the episode first airs, if not much later.)

So what we have here is a classic case of old school versus new school. As has been shown many times over the past decade and a half, advertising as a primary model for free stuff on the Internet is a very dangerous model to rely on. Ad rates are so vastly different between television and the Internet that there’s no comparison. People want to watch their favourite shows when they want, not on Mondays at 9pm because the network says so, and if you miss it and don’t have a DVR, sucks to be you. Fifteen minutes of commercials are quickly going the way of the dodo, not just due to DVRs and re-edited episodes passed around via Bittorrent, but because the networks realize that Internet users watching on Hulu simply won’t tolerate it.

To be fair, the networks — who generally own licensing and broadcast rights for shows — have a legitimate reason for the geographic limitations. Take, for example, the BBC sci-fi drama Torchwood, which is aired natively in and licensed out of the U.K. The BBC’s sister network in the U.S., the for-profit and non-government-affiliated BBC America, traditionally gets first broadcast rights for Torchwood, though it is not allowed to preempt U.K. viewers. Now imagine that BBC makes a deal with Hulu to offer Torchwood online. Wouldn’t you feel screwed over too? Licensing restrictions can even cause problems for DVD releases, too — for instance, I’ve had the Natalie MacMaster: Live in Cape Breton DVD in my Netflix queue for longer than I can remember, likely a year or more. Why is it still unavailable? The content owner can’t find or refuses to sign an agreement with a distributor in the United States, so no one has rights to the DVD in the U.S. Since intellectual property laws vary from country to country, content owners face a complex route to licensing content in various regions.

Ultimately, content owners and legislators must accept that media globalization arrived some time ago, and laws and industry practices simply don’t work in this age of technology. Region blocking is a type of security, and as any practitioner of information security knows, it is impossible to provide 100% protection — you will either miss some of the outsiders or block some of your insiders, but never achieve the perfect balance. Blocking pay-for-use SSL VPNs is, in my opinion, the nuclear option — now that Hulu et al. are messing with users paying hard-earned money to watch what many of them can’t, I assure you that those users will force them to play whack-a-mole (and we all know how well that game works with technology) or turn to Bittorrent and alternative means that deprive Hulu’s advertisers of eyeballs.

October 15, 2009 · Technology · Comments Off

Washington Post computer columnist Brian Krebs posted an October 12 article (picked up by Slashdot the following day) urging small and medium-sized businesses to protect their bank accounts by accessing online banking through a Linux live CD instead of a Windows workstation, due to the abundance of sophisticated malware targeting the Windows operating system. He points out that a live CD eliminates the Windows malware issue, plus it wipes the system RAM clean when shut down. Some commenters correctly pointed out that virtually all Linux OSes only mount modern (i.e. NTFS-formatted) Windows hard drives and partitions in read-only mode, so malicious software and hacking attempts can’t “flow” down to the Windows OS.

I applaud Krebs’ push to educate users about information security. But he may also lead those same users to a dangerous (and wrong) conclusion — that Linux live CDs are an end-all solution to online banking.

The major flaw in this is the MITM attack, and the blame can be placed on PEBKAC. Got it?

Home users may only have one computer hooked up to residential DSL/cable/FTTP, in which case a “man-in-the-middle” (MITM) attack isn’t possible with a live CD: there’s nothing that can be placed in the middle, unless you make the case for one of the ISP’s DNS servers getting hijacked or someone in your subnet spewing spoofed DNS or ARP packets (both are unlikely). Even if the Windows system were hijacked, it’s not active while the live CD is running. However, business users (who certainly have multiple workstations) and some home users are at risk; if any computer in the subnet (workstation or server-class) has been compromised and is an active MITM, you’re toast.

MITM is simple — listen to the network, intercept every communication, and force all of the traffic to go through a single point where it can be monitored, analyzed, and even modified. A primitive example: assume a network has two workstations and a cable/DSL router. The workstations go through the router to get to the Internet, and the workstations use the router as their DNS server, which in turn uses the ISP’s DNS server. A user types in bankofamerica.com — the workstation asks for the address of the router (the way out to the Internet) and then asks the router for the address of bankofamerica.com. Ordinarily, the router asks the ISP’s DNS server and returns an answer, e.g. 1.2.3.4. If the second workstation were compromised and conducting an active MITM attack, that workstation would be flooding the internal network with data stating that it is the router, a tactic known as masquerading. When the first workstation asks for the router’s address, the second workstation pre-empts the real response, and the first workstation then asks the second for the address of bankofamerica.com. Instead of answering 1.2.3.4, it answers 20.30.40.50, the address of a Russian hacker. Not only is the second workstation redirecting bankofamerica.com, it is getting all of the first workstation’s traffic and can even modify it. Notice that there is no discussion of operating systems or live CDs — that’s because MITM bypasses these issues.

All it takes is a single compromised computer inside the network (specifically, the subnet) for this sense of security to be torn apart. To make matters worse, it isn’t limited by operating system or purpose. This is where PEBKAC — human error — comes in. Computers get compromised because we intentionally do something risky (download …stuff… on Kazaa while connected directly to the cable modem on Windows XP SP1) or unintentionally circumvent good security practices (place a workstation into a router/firewall’s DMZ before verifying that the workstation’s firewall is configured correctly and turned on) and give the bad guys an easy way in.
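Seen from the defender’s side, the masquerade above leaves two traces on the wire: a second MAC address claiming the router’s IP, and a DNS answer for the bank that doesn’t match what the ISP’s resolver would return. The following is an added example (not code from the post) that runs those two checks over constructed ARP and DNS observations; the addresses, MACs and the “known-good” baselines are all made up to match the post’s scenario.

```python
"""Spot the gateway masquerade from the post on constructed observations.
Hypothetical example code; addresses and MACs are made up."""
from collections import defaultdict

# Constructed sample of what a passive listener on the subnet would see.
# ARP events: (sender_ip, sender_mac). DNS events: (queried_name, answer_ip).
ARP_EVENTS = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # the real cable/DSL router
    ("192.168.1.10", "00:11:22:33:44:10"),  # workstation 1 (the live-CD user)
    ("192.168.1.1", "00:11:22:33:44:20"),   # workstation 2 claiming to be the router
    ("192.168.1.1", "00:11:22:33:44:20"),   # ...and again (the "flooding")
]
DNS_EVENTS = [
    ("bankofamerica.com", "20.30.40.50"),   # the bogus answer from the post
]

# Baselines a defender records ahead of time, while the network is known-good.
KNOWN_GATEWAY = {"ip": "192.168.1.1", "mac": "00:11:22:33:44:01"}
EXPECTED_DNS = {"bankofamerica.com": {"1.2.3.4"}}   # constructed, per the post


def find_arp_masquerade(events, gateway=KNOWN_GATEWAY):
    """Return {mac: count} for every MAC other than the real router's that
    advertised itself as the gateway IP."""
    claimants = defaultdict(int)
    for ip, mac in events:
        if ip == gateway["ip"]:
            claimants[mac] += 1
    return {mac: n for mac, n in claimants.items() if mac != gateway["mac"]}


def find_dns_mismatch(events, expected=EXPECTED_DNS):
    """Return (name, answer) pairs whose answer is outside the expected set."""
    return [(q, a) for q, a in events if q in expected and a not in expected[q]]


def assess(arp_events, dns_events):
    """Combine both checks into log lines a monitoring script could emit."""
    findings = []
    for mac, n in find_arp_masquerade(arp_events).items():
        findings.append(f"ARP: {mac} claimed gateway {KNOWN_GATEWAY['ip']} {n}x")
    for q, a in find_dns_mismatch(dns_events):
        findings.append(f"DNS: {q} answered {a}, expected {sorted(EXPECTED_DNS[q])}")
    return findings


if __name__ == "__main__":
    for line in assess(ARP_EVENTS, DNS_EVENTS):
        print(line)
```

On a quiet network the ARP check alone is usually enough: the gateway IP should only ever be advertised by one MAC, and a second claimant is exactly the “I am the router” flood the post describes.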

There are no end-all solutions in information security. There will always be some level of risk that must be accepted, and in general, a higher level of mitigation yields more complications and annoyances, leading to a higher chance that someone tries to bend the rules. Just remember: if you can access your data, someone (or something) has to be able to equally access it at the other end to do anything useful with it.

October 12, 2009 · Musings, Technology · Comments Off

Quite a few T-Mobile subscribers are steaming after a recent meltdown of the infrastructure supporting the Sidekick mobile phone, culminating in a dire warning: keep your device powered at all times and do not restart it, or lose all of your data. Apparently Microsoft/Danger, the phone’s developer and data service maintainer, screwed up translating the Mayan calendar, because The End as We Know It isn’t for a few more years.

It’s a classic datacenter horror story — a hardware and/or software failure corrupts data, but by the time it’s noticed, it’s too late; recent backups are toast. Or, to make matters worse, the backups are overwritten so often that there isn’t a backup to restore from. Oh wait, your idea of backups was ten racks of matching RAID-10 SANs to match the ten racks where the production data is stored? Silly rabbit, RAID is for redundancy!

The news coverage keeps calling the Sidekick infrastructure “cloud computing,” that “Web 2.0” term that’s all about “software as a service” and “thin clients.” One of the cool features of cloud computing is the ability to run applications on the server side — instead of a mail client, word processor, or Photoshop installed on your computer, just hop onto any computer with a browser (though you may need a plugin like Flash here or there) and log on to mail.google.com, officelive.com, or photoshop.com. The application, the data, the processing are all handled “in the cloud,” i.e. through some Internet-facing infrastructure that you only know as the domain name. To you, the user, it doesn’t matter whether they have hundreds of homogeneous servers and you’re sitting on (for example) mail1420.google.com versus mail3293.google.com, or if they have separate clusters of application and data servers with clearly-defined tasks; you’re asking for the service, nothing more.

Say it with me: Sidekick is not cloud computing. Never has been, never will. You aren’t free to access it from any Internet-enabled device, which goes against the whole concept of cloud computing being more flexible for the user. So stop calling it a failure of cloud computing.

Where does the blame fall, then? Certainly on Microsoft/Danger, but for a shoddy backup system. As cited in an earlier example, the data corruption would have forced the customer to accept a week-old backup — not acceptable, but at least they could offer a backup. It’s not clear what happened, and Microsoft engineers have told T-Mobile there is an “optimistic” chance of recovery for their users’ data according to The New York Times, but if your first response to a data corruption problem is “I think all of our backups are screwed,” then as the meme goes: Backups, ur doin it wrong. And stop blaming it on the cloud; it wasn’t the one who kicked your kitten and flipped bits on the fiber channel switch.

(By the way, T-Mobile is showing the Sidekick as temporarily out of stock. How surprising.)

August 24, 2009 · Uncategorized · Comments Off

CBS Sunday Morning re-ran a story a few weeks ago on Eric Markow and Thom Norris, two artists working out of nearby Falls Church, VA. Their craft? Woven glass. Some of their pieces featured in the story simply defy all reason.
