Categories
colophon technical

Achievement unlocked: Padlock

The COVID19 lockdown here in Singapore gave me some time to dig into an issue that has been bugging me about Confusion.cc for a while. Since before browsers started indicating sites which don’t use HTTPS it’s been in my to-do list. I looked into it when I first moved the site to AWS but didn’t get it done. So the other day I sat down and figured it out. Wasn’t that hard. I originally thought I would put the SSL on a Elastic Load Balancer on AWS but given that you have to pay for the ELB and this site hardly justifies any infra based on visits… I decided not to worry about the fact that my first try didn’t work and I kept digging into ways to enable HTTPS on the site. In the end I found letsencrypt.org [letsencrypt.org] which is dedicated to helping sites move to HTTPS.

I stumbled again trying to follow their simple instructions because their automated tool, certbot [eff.org] from the Electronic Frontier Foundation, didn’t know what to do on a Amazon Linux 2 box. It told me I would need to install all the dependencies and such myself and directed me to documentation which was a dead link… (see here: letsencrypt.readthedocs.io [readthedocs.io], nice 404). So… back to Google, or actually DuckDuckGo [duckduckgo.com] in my case. And after a few permutations of terms I found this tutorial on AWS: Configure SSL on Amazon Linux 2 [amazon.com]. And that worked like a charm.

But still, no padlock…

Screenshot of Chrome address bar showing Confusion.cc with "Not Secure" indicator.
HTTPS but no padlock

Lucky Let’s Encrypt directs you to SSL labs‘ [ssllabs.com] SSL Server Test page where you can check on your site. A few minutes later the problems were listed on the report page. A couple of hard failures where I was loading things from other sites over HTTP, font libraries from Google. and a bunch of soft failures related to old images what were linked with HTTP not HTTPS. A quick edit of the site header page fixed the Google font libraries link and a quick search and replace on old posts, using the Search Regex plugin (which I installed long ago to fix some other things) and viola! Achievement unlocked, site locked:

Screenshot of Chrome address bar showing Confusion.cc with secure indicator icon - a locked padlock.
Shiny new padlock
Categories
quotes technical

Why Public Cloud

The fact is that cloud service providers (CSPs) at any kind of scale have more network engineers, security engineers, compliance experts, and operational personnel than most companies that run their own data centers. 

John Purrier quoted in The Roles Cloud and DevOps Should play in Your Digital Transformation [enterprisersproject.com] on The Enterprisers Project

This will be the single biggest driver in moving to the cloud in the future. Even large enterprises have proved how bad they are at security —looking at you Sony! The big cloud players will be the ones who can bring these services at the most capable, most professional and most cost effective level to all companies from startups to mega multinationals. Why should every company have its own IT Security team?

Categories
ranting technical

Low Friction User Identification on Shared Devices

Long ago I worked on advertising when mobile advertising was not a solved problem and startups still had a play. Early on that work branched out to other possible advertising channels for CSPs. I spent much time studying and discussing the complications around advertising on “Shared Device”. The attraction of mobile advertising from the CSP point of view was the ability to know the consumer. Since there is a tight correlation between a user and a mobile phone, i.e. you don’t tend to share a mobile between two people, the profile a handset usage and other attributes is, or was and I assume still is, highly valuable as it enables better targeting of ads. The big discussions about shared devices came when started to extend the ad models to pay TV CSPs. Can an individual user be identified to better target ads and to avoid showing inappropriate ads to users? At the time the general answer was no. The primary reason being that outside the US TVs are a shared resource in most households (in the US the trend was more towards a one-to-one relationship due to the higher number of TVs per household). On a shared device a lowest common denominator needs to be taken when selecting ads. I’m massively oversimplifying here, and I assume the big brains at the successful advertising companies have a better solution here but let’s take an extreme example to illustrate the point.

Imagine a CSP build a profile for an end-customer based on their viewing habits via the CSP’s pay TV service. This particular profile shows that the end-customer consumes programing targeted at “kids and families” on a regular basis — cartoons — the consumer also consumes more adult, male oriented content — mixed martial arts — (not to be sexist here but teenage and twenty-something guys are the main audience right?). There is no good way on this information alone to know if the household includes kids and adults or just adults who like “kids cartoons” — see brony [wikipedia.org]. Assume for a second the TV is owned by a single male who does in fact enjoy watching “kids” cartoons. The advertisers for kids products are most likely wasting any advertising spend on this user.

Targeting and personalization is hard, and it harder on shared devices. It’s all about confidence and heuristics and blah blah blah… It’s much more complex than my example but anyway, I told you that story to tell you this one so stay with me.

I have an Apple TV and I recently downloaded the Vevo [vevo.com] app. Vevo is an app version of MTV from the 80’s — it actually shows music videos. The cool feature that led me down the roundabout train of thought, is that you don’t need to log in on the Apple TV. Instead you just open the Vevo app on your mobile on the same network and presto! You’re in. It does not matter if the mobile is mine or my wife’s, just that the app is on the device and turned on (in focus). This means that, theoretically as I have not seen it in practice in my limited use, my wife’s profile can be different from mine and attached to her personal device and not the shared Apple TV. This could be a good way to link a shared device with an identified end-user. Bake this method of login into a CSPs set-top box and your can offer better personalization of content and a lower friction path to protecting user information.

For example, Netflix allows multiple user profiles, include kids specific profiles which block inappropriate content but users just have to select an icon to use the other profile so kids could select the parents account and watch all the zombie apocalypse they want. Now Netflix could, and maybe the do, add a PIN or password to secure the non-kids accounts but entering PINs and/or passwords via remote controls is limiting and downright annoying on the Apple TV remote with is lack of buttons. Linking the Netflix app on the parent’s mobile allows Netflix to rely on the user authentication mechanism on the device, such as PIN or Apple’s TouchID.

Anyway. It’s a half-formed idea and I see many things to confirm, clarify and comment on as I type this but it struck me as a cool feature I had not seen before that could have potential. And now it’s past my bedtime.

Categories
technical

A silver lining

Building on our previous rant on data caps killing The Cloud [confusion.cc]; I do think there is an opportunity for service providers in The Cloud, but it’s not really about them offering anything new or exciting in terms of technology. It’s about utility. The thing that the service providers have that over-the-top (OTT) players, like Apple, Google and Microsoft, don’t have is how close they are to the consumer. For my data to get to Apple or Google or Microsoft it has to traverse the service providers network and then some backbone providers network before ending up in some Microsoft, Google or Apple data center half way around the world. On the other hand The Cloud operated by my service provider is just down the road (in internet terms). This is where the opportunity lies.

If I was a service provider I’d put together a cloud service that was designed around using that advantage. Rather than trying to be the be-all-end-all provider of the content itself — a nasty low margin business (which has sidetracked me before [confusion.cc] — I’d be the best cloud for the consumers. Since I’m close and own the network, transmission quality is within my control for streaming media. So I’d sell the customer a cloud service that allowed unlimited upload, download and streaming of any data they want; I don’t care where it came from. My cloud cost you a flat rate and you can do what you want with that data over my network. At the same time there is still a cap on your out-of-network data traffic, so using someone else’s cloud could cost you, and if you want to stream a lot of data it could cost you a lot. One more thing that is needed to make this work, at least for me, is a guarantee that I can take my media back out as easily as I can put it in, so there is not data lock-in only the typical commercial lock-in of a contract.

This is the cloud service I want – open (in terms of where I buy the content does not matter; unlimited upload/download and streaming, high speed and good quality. I would pay for that.

Categories
technical

Social Graphing for fun and profit

The whole ‘iSpy’ issue (iPhone’s logging your location — see here [confusion.cc]) reminded me about the data. What good is the data?

According to Gizmodo;

Security expert, Kevin Mitnick says he’s “Quite shocked and disturbed” by the revelation, noting that the logged data could be of great interest to a variety of entities—prying spouses, private investigators, and, he reckons, the government. He speculates that the existence of the log itself “could have been at the request of the government,” as such data “can’t be used for advertisements. It seems to me more to be a governmental request.”

Sam Biddle in Your iPhone is Secretly Tracking Everywhere You’ve Been [gizmodo.com] on Gizmodo

The story has been defused somewhat since a few people have suggested that the logging of location data is a bug [gizmodo.com].

But… let’s say it’s not a bug. Lets say it’s invitational. Let’s go further and say that there are similar files showing who you called and who you messaged. All of this can be correlated with the timestamps so we can see who you called, when you called them and where you were. Now Apple has the same data that your phone service provider has about you (well, they have billing address too if you’re not pre-paid. The again Apple most likely has a credit card on file for iTunes or the App Store so they know where you live too…)

Why would someone want all this data? I said it was most likely for advertising before. But Mitnick says that can’t be what it’s for. I disagree. First of all because location is one of the basic data points for traditional ad selling; Age, Sex and Location or ASL is the triumvirate of advertising. It’s the minimum info you need to attract advertisers. So if Apple could get your Age and Sex — maybe from your credit card data — and combine that with your location (I know that your credit card gives them an address but they can make a more detailed determination of where you actually frequent from the log data than just your home address. For example; if you live in Brooklyn but are actually in Manhattan from 8AM to 8PM every day then maybe your a better target for Starbucks in Manhattan than Einstein Brothers Bagels in Brighten Beach.)

The second and more compelling reason I think the data could be good for advertising is related to Social Graphs. A Social Graph is basically a digital representation of you, the people you know, the people they know and so on. Facebook, and all social networks are Social Graphs. And the reason Facebook launched Places is because it can add location to the graph. And every additional data point added to the graph allows it to profile users better and sell more targeted advertisements. The better the targeting the more it can charge for ads.

Facebook’s Social Graph is founded on the friends that each user has. Then Facebook adds additional layers of data on top of this; everything your ‘Like’, every place you check in to, etc. etc. All of this is used to provide a richer set of profiling data to improve the targeting of ads. But all of it is based on who you say your ‘friends’ are. This is the Explicit Social Graph.

There is another type of Social Graph however, the Implicit Social Graph. This would be a Graph built up not by who you say your ‘friends’ are but by who you actually interact with. This Graph would be developed not by asking you but by observing you, and while hiring a PI to follow everyone around would be expensive there are more passive ways of getting this data. Your phone service provider knows who you call and message and who calls and messages you, as well as were you where any time your phone is turned on. This data could be used to create an Implicit Social Graph showing who you actually interact with in the real work better than who you ‘friend’ online. This Implicit Social Graph could be augmented by other data in the same way that Facebook augments their Social Graph and for the same purpose, better profiling; better advertising.

So maybe Apple is not using the location data and it’s all just a bug. But I think they will want it if they can get it, and they want those call logs and messaging logs. Once they build their Implicit Social Graph for you they will augment it with purchase data from iTunes and maybe Safari Browser history and any other data point they can get no matter who trivial it seems. All to sell more ads.

One final note; To get this data Apple would have to jump through some hoops; collecting it on the handset and sending it back to them from time to time. And I don’t doubt that they or some one else will do it at some point. Your phone service provider has the data already, it’s a byproduct of providing your mobile phone service. They don’t seem to be doing anything with it. I’ve seen several project discussed over the past few years about how to use it, how to create these Explicit Social Graphs and sell advertising, but I am not aware of any that have come to fruition yet. I think it’s only a matter of time till someone like Apple beats the phone companies to the prize. As usual the culture of phone companies will get in the way and they will let another revenue stream slip past them because they just can’t do it. They’re too risk averse, to cheap and to old-fashion. Silicon Valley is going to have their lunch and the ISPization of the phone companies will be one step closer.