colophon technical

Achievement unlocked: Padlock

The COVID19 lockdown here in Singapore gave me some time to dig into an issue that has been bugging me about for a while. Since before browsers started indicating sites which don’t use HTTPS it’s been in my to-do list. I looked into it when I first moved the site to AWS but didn’t get it done. So the other day I sat down and figured it out. Wasn’t that hard. I originally thought I would put the SSL on a Elastic Load Balancer on AWS but given that you have to pay for the ELB and this site hardly justifies any infra based on visits… I decided not to worry about the fact that my first try didn’t work and I kept digging into ways to enable HTTPS on the site. In the end I found [] which is dedicated to helping sites move to HTTPS.

I stumbled again trying to follow their simple instructions because their automated tool, certbot [] from the Electronic Frontier Foundation, didn’t know what to do on a Amazon Linux 2 box. It told me I would need to install all the dependencies and such myself and directed me to documentation which was a dead link… (see here: [], nice 404). So… back to Google, or actually DuckDuckGo [] in my case. And after a few permutations of terms I found this tutorial on AWS: Configure SSL on Amazon Linux 2 []. And that worked like a charm.

But still, no padlock…

Screenshot of Chrome address bar showing with "Not Secure" indicator.
HTTPS but no padlock

Lucky Let’s Encrypt directs you to SSL labs‘ [] SSL Server Test page where you can check on your site. A few minutes later the problems were listed on the report page. A couple of hard failures where I was loading things from other sites over HTTP, font libraries from Google. and a bunch of soft failures related to old images what were linked with HTTP not HTTPS. A quick edit of the site header page fixed the Google font libraries link and a quick search and replace on old posts, using the Search Regex plugin (which I installed long ago to fix some other things) and viola! Achievement unlocked, site locked:

Screenshot of Chrome address bar showing with secure indicator icon - a locked padlock.
Shiny new padlock
quotes technical

Why Public Cloud

The fact is that cloud service providers (CSPs) at any kind of scale have more network engineers, security engineers, compliance experts, and operational personnel than most companies that run their own data centers. 

John Purrier quoted in The Roles Cloud and DevOps Should play in Your Digital Transformation [] on The Enterprisers Project

This will be the single biggest driver in moving to the cloud in the future. Even large enterprises have proved how bad they are at security —looking at you Sony! The big cloud players will be the ones who can bring these services at the most capable, most professional and most cost effective level to all companies from startups to mega multinationals. Why should every company have its own IT Security team?

ranting technical

Low Friction User Identification on Shared Devices

Long ago I worked on advertising when mobile advertising was not a solved problem and startups still had a play. Early on that work branched out to other possible advertising channels for CSPs. I spent much time studying and discussing the complications around advertising on “Shared Device”. The attraction of mobile advertising from the CSP point of view was the ability to know the consumer. Since there is a tight correlation between a user and a mobile phone, i.e. you don’t tend to share a mobile between two people, the profile a handset usage and other attributes is, or was and I assume still is, highly valuable as it enables better targeting of ads. The big discussions about shared devices came when started to extend the ad models to pay TV CSPs. Can an individual user be identified to better target ads and to avoid showing inappropriate ads to users? At the time the general answer was no. The primary reason being that outside the US TVs are a shared resource in most households (in the US the trend was more towards a one-to-one relationship due to the higher number of TVs per household). On a shared device a lowest common denominator needs to be taken when selecting ads. I’m massively oversimplifying here, and I assume the big brains at the successful advertising companies have a better solution here but let’s take an extreme example to illustrate the point.

Imagine a CSP build a profile for an end-customer based on their viewing habits via the CSP’s pay TV service. This particular profile shows that the end-customer consumes programing targeted at “kids and families” on a regular basis — cartoons — the consumer also consumes more adult, male oriented content — mixed martial arts — (not to be sexist here but teenage and twenty-something guys are the main audience right?). There is no good way on this information alone to know if the household includes kids and adults or just adults who like “kids cartoons” — see brony []. Assume for a second the TV is owned by a single male who does in fact enjoy watching “kids” cartoons. The advertisers for kids products are most likely wasting any advertising spend on this user.

Targeting and personalization is hard, and it harder on shared devices. It’s all about confidence and heuristics and blah blah blah… It’s much more complex than my example but anyway, I told you that story to tell you this one so stay with me.

I have an Apple TV and I recently downloaded the Vevo [] app. Vevo is an app version of MTV from the 80’s — it actually shows music videos. The cool feature that led me down the roundabout train of thought, is that you don’t need to log in on the Apple TV. Instead you just open the Vevo app on your mobile on the same network and presto! You’re in. It does not matter if the mobile is mine or my wife’s, just that the app is on the device and turned on (in focus). This means that, theoretically as I have not seen it in practice in my limited use, my wife’s profile can be different from mine and attached to her personal device and not the shared Apple TV. This could be a good way to link a shared device with an identified end-user. Bake this method of login into a CSPs set-top box and your can offer better personalization of content and a lower friction path to protecting user information.

For example, Netflix allows multiple user profiles, include kids specific profiles which block inappropriate content but users just have to select an icon to use the other profile so kids could select the parents account and watch all the zombie apocalypse they want. Now Netflix could, and maybe the do, add a PIN or password to secure the non-kids accounts but entering PINs and/or passwords via remote controls is limiting and downright annoying on the Apple TV remote with is lack of buttons. Linking the Netflix app on the parent’s mobile allows Netflix to rely on the user authentication mechanism on the device, such as PIN or Apple’s TouchID.

Anyway. It’s a half-formed idea and I see many things to confirm, clarify and comment on as I type this but it struck me as a cool feature I had not seen before that could have potential. And now it’s past my bedtime.


A silver lining

Building on our previous rant on data caps killing The Cloud []; I do think there is an opportunity for service providers in The Cloud, but it’s not really about them offering anything new or exciting in terms of technology. It’s about utility. The thing that the service providers have that over-the-top (OTT) players, like Apple, Google and Microsoft, don’t have is how close they are to the consumer. For my data to get to Apple or Google or Microsoft it has to traverse the service providers network and then some backbone providers network before ending up in some Microsoft, Google or Apple data center half way around the world. On the other hand The Cloud operated by my service provider is just down the road (in internet terms). This is where the opportunity lies.

If I was a service provider I’d put together a cloud service that was designed around using that advantage. Rather than trying to be the be-all-end-all provider of the content itself — a nasty low margin business (which has sidetracked me before [] — I’d be the best cloud for the consumers. Since I’m close and own the network, transmission quality is within my control for streaming media. So I’d sell the customer a cloud service that allowed unlimited upload, download and streaming of any data they want; I don’t care where it came from. My cloud cost you a flat rate and you can do what you want with that data over my network. At the same time there is still a cap on your out-of-network data traffic, so using someone else’s cloud could cost you, and if you want to stream a lot of data it could cost you a lot. One more thing that is needed to make this work, at least for me, is a guarantee that I can take my media back out as easily as I can put it in, so there is not data lock-in only the typical commercial lock-in of a contract.

This is the cloud service I want – open (in terms of where I buy the content does not matter; unlimited upload/download and streaming, high speed and good quality. I would pay for that.


Social Graphing for fun and profit

The whole ‘iSpy’ issue (iPhone’s logging your location — see here []) reminded me about the data. What good is the data?

According to Gizmodo;

Security expert, Kevin Mitnick says he’s “Quite shocked and disturbed” by the revelation, noting that the logged data could be of great interest to a variety of entities—prying spouses, private investigators, and, he reckons, the government. He speculates that the existence of the log itself “could have been at the request of the government,” as such data “can’t be used for advertisements. It seems to me more to be a governmental request.”

Sam Biddle in Your iPhone is Secretly Tracking Everywhere You’ve Been [] on Gizmodo

The story has been defused somewhat since a few people have suggested that the logging of location data is a bug [].

But… let’s say it’s not a bug. Lets say it’s invitational. Let’s go further and say that there are similar files showing who you called and who you messaged. All of this can be correlated with the timestamps so we can see who you called, when you called them and where you were. Now Apple has the same data that your phone service provider has about you (well, they have billing address too if you’re not pre-paid. The again Apple most likely has a credit card on file for iTunes or the App Store so they know where you live too…)

Why would someone want all this data? I said it was most likely for advertising before. But Mitnick says that can’t be what it’s for. I disagree. First of all because location is one of the basic data points for traditional ad selling; Age, Sex and Location or ASL is the triumvirate of advertising. It’s the minimum info you need to attract advertisers. So if Apple could get your Age and Sex — maybe from your credit card data — and combine that with your location (I know that your credit card gives them an address but they can make a more detailed determination of where you actually frequent from the log data than just your home address. For example; if you live in Brooklyn but are actually in Manhattan from 8AM to 8PM every day then maybe your a better target for Starbucks in Manhattan than Einstein Brothers Bagels in Brighten Beach.)

The second and more compelling reason I think the data could be good for advertising is related to Social Graphs. A Social Graph is basically a digital representation of you, the people you know, the people they know and so on. Facebook, and all social networks are Social Graphs. And the reason Facebook launched Places is because it can add location to the graph. And every additional data point added to the graph allows it to profile users better and sell more targeted advertisements. The better the targeting the more it can charge for ads.

Facebook’s Social Graph is founded on the friends that each user has. Then Facebook adds additional layers of data on top of this; everything your ‘Like’, every place you check in to, etc. etc. All of this is used to provide a richer set of profiling data to improve the targeting of ads. But all of it is based on who you say your ‘friends’ are. This is the Explicit Social Graph.

There is another type of Social Graph however, the Implicit Social Graph. This would be a Graph built up not by who you say your ‘friends’ are but by who you actually interact with. This Graph would be developed not by asking you but by observing you, and while hiring a PI to follow everyone around would be expensive there are more passive ways of getting this data. Your phone service provider knows who you call and message and who calls and messages you, as well as were you where any time your phone is turned on. This data could be used to create an Implicit Social Graph showing who you actually interact with in the real work better than who you ‘friend’ online. This Implicit Social Graph could be augmented by other data in the same way that Facebook augments their Social Graph and for the same purpose, better profiling; better advertising.

So maybe Apple is not using the location data and it’s all just a bug. But I think they will want it if they can get it, and they want those call logs and messaging logs. Once they build their Implicit Social Graph for you they will augment it with purchase data from iTunes and maybe Safari Browser history and any other data point they can get no matter who trivial it seems. All to sell more ads.

One final note; To get this data Apple would have to jump through some hoops; collecting it on the handset and sending it back to them from time to time. And I don’t doubt that they or some one else will do it at some point. Your phone service provider has the data already, it’s a byproduct of providing your mobile phone service. They don’t seem to be doing anything with it. I’ve seen several project discussed over the past few years about how to use it, how to create these Explicit Social Graphs and sell advertising, but I am not aware of any that have come to fruition yet. I think it’s only a matter of time till someone like Apple beats the phone companies to the prize. As usual the culture of phone companies will get in the way and they will let another revenue stream slip past them because they just can’t do it. They’re too risk averse, to cheap and to old-fashion. Silicon Valley is going to have their lunch and the ISPization of the phone companies will be one step closer.


The stalker in your pocket part two

Stalker in our pockets

What’s the difference between the image on the left and the image on the right?

The image on the left is the recently posted map [] of the data that is being stored in your iPhone (and your computer that your iPhone syncs with). That data amounts to all the locations you have taken your phone since you upgraded it to iOS 4.

The image on the right is basically the same type of data — though it’s presented as an animation so you only see one spot in the image above. That data is from the your phone company — and it does not matter what phone you have, just having a phone on the network is enough for the operator to collect the data, and in many places they are required by law to keep this data for some period of time. (The map on the right also shows all the calls and messages to and from the phone; in this case stripped of the details but be assured the raw data that your phone company has does show who you are calling, I wonder if Apple is creating a log of this data on your iPhone too? I bet they are.) I ranted about this map a while back [].

There seems to be a lot of concern about the fact that your iPhone is logging this type of data. The FCC want’s to know why. Congress wants to know why. (See here []). But there does not seem to be anywhere near as much concern about the fact the your phone company has the same data, more detailed data in fact. There should be. In fact, if privacy is your concern, or fear of Big Brother, you should be much more concerned about what your phone company knows than what Apple might know.

The big difference to me between the two is that the historical data that Apple is collecting is on the device and backed up to your computer. While the data that is collected by your phone service provider is on their servers and therefore subject to Lawful Intercept. According to Wikipedia Lawful Intercept [] is:

obtaining communications network data pursuant to lawful authority for the purpose of analysis or evidence.

That means that all that data; including locations, calls made, calls received, messages sent and received, as well as who those calls and messages where to or from, is available to law enforcement if needed. This is generally a good thing; if it helps to catch murderers or sexual predators or other criminal types. But it’s not hard to image it being used for less savory purposes like tracking dissidents or in more authoritarian places tracking political opponents or protesters. This is the kind of data that warrantless wiretapping was collecting, and it’s done by just making a request to your phone service provider —if the provider or the government is good enough they could collect this data in real time. Meaning we are all carrying around Big Brother approved “bugs” in our pockets.

It’s also worth noting that the data collected by your phone company is required for it to provide the service you are paying for. There has been speculation about what Apple wants this data for; I imagine it will come down to advertising or something, some way to make more money off of iPhone owners; in the end Apple is a company interested in making money. In this case consumers will quickly forget the issue while privacy advocates piss into the wind about for much longer.


The cloud is useless

What good is the cloud? I don’t get it. This article on PC Mag [] talks about how all the new cloud services will change our concept of content ownership but I think it’s bullshit. I don’t disagree with anything in the article but I think it’s all a dream, a crack dream, until one issue is solved. One issue which is outside the scope of the cloud service providers: bandwidth!

At the same time as we are seeing all these new cloud services providing us storage and access to our purchased content 24/7 streaming to any device, anywhere, any time, we are also seeing the death of unlimited bandwidth. Even for home access. How am I supposed to stream my content all over the place if I don’t have any bandwidth?

Take this scenario from the PC Mag article:

The parent whose child wants to watch “Dora the Explorer: Big Sister Dora” over and over and over again doesn’t have to own the DVD or even the digital file. Cloud-based ownership and access means that their child can see Dora play big sister at home, on the iPad, in the car, and on mommy’s smartphone. They own the movie or, more likely, have an all-you-can eat subscription service, so each viewing costs nothing except the price of Internet access.

The emphasis is mine, because it’s the part that kills the whole scenario.

I might be a strange consumer by today’s measure — I’ve digitized all my content. I’ve got more then 1200 CDs that I digitized before I started buying digital music; 200+ DVDs that I have digitized and 7 years worth of digital photos and video that alone amount to more then 12 gigs worth of keepers. All in all I have more than a terabyte of digital content. All happily sitting on my 8TB NAS server mirrored and stripped high up on the shelf in the back room.

To get streaming access to all this content today I can jump through a bunch of hoops and make it work. But… I would max out my mobile data plan every month — 12GB — due to my daughter streaming Dora, and Toy Story 3 and Kai-Lan and whatever new, or old, show it was this week (actually currently it’s My Neighbor Totoro), to the iPad while we are driving or shopping or wherever. So for now she is restricted to the content that is actually on the device, and I fill up the devices quickly. I can’t even put all the Pixar movies on the iPad and have the family photos on there, 64GB is just not enough.

While I may be the exception today this will be normal one day when every piece of content we ever buy is stored on the cloud, ready for on-demand download or streaming to any device over any network. But until the bandwidth issue is solved it will be any network accept the mobile one and only till the service provider throttles me or cuts me off for exceeding my bandwidth cap for the month. Bottom line; the scenario from the PC Mag article is pointless without unlimited bandwidth. Memory is cheap — bandwidth is the new memory.


The stalker in your pocket

Sometimes it’s easy to wonder what all the privacy advocates are screaming and yelling about all the time. While I agree with much of what they say, I find it hard to explain why privacy is important to Joe-not-a-geek. Enter the power of visualization:

Tell-All Telephone

This is from an interactive feature at Zeit Online []. Very cool. They took data collected by a mobile operator about a specific person and linked it with data taken from his public internet sites (such as twitter) to create scary — very cool, but scary — timeline of his activities. Now what’s missing is who he called and messaged, that data was not released but you can bet the mobile operator has it.

Now imagine this, in real-time, for every one on every mobile operator running on a big screen in a secret room somewhere. The technology exists. Imagine the CIA tracking ‘suspected terrorists’. Imagine being on that list. Imagine Bin Ali’s, Mubarak’s or Gaddafi’s secret police using this to anticipate protests and sending in the thugs before the protest even begins.


Why cloud backup for your mobile will not be provided by your operator

This article [] and several others making the rounds in the past few days point to Microsoft re-branding the cloud backup service it included with its’ short lived Kin line of mobiles. The cloud backup – Kin Studio – was the coolest feature of the Kin phones, maybe not the most sexy but the most useful. Now it looks like Microsoft may add it to Windows Phone 7 handsets – if they combine it with the Windows Live service, providing 25GB of free cloud storage connected to the users Hotmail/Windows Live and Office Live accounts then they may have a compelling offer.

Of course Microsoft is not the only mover, Apple has long had its’ MobileMe service which has significant overlap. To date this product has only attracted hardcore Apple fan-boys, but for over a year now there has been a rumor that Apple will drop the subscription fee and include as a free service for all iOS devices (more recently there has been a rumor that Apple will drop the subscription fee to $20 a year, I think maybe it will be free for 1 year with your iOS device and then $20 a year unless you buy a new iOS device). Link this to the rumored iTunes media cloud service that will run out of the billion dollar datacenter Apple has built in North Carolina. Again this could be a very useful service providing automated backup and streaming of all of your media (movies, photos, music, contacts, messages) from the cloud.

Google wouldn’t have to move very far to offer the same sort of service with Android.

In my time in the telco industry I’ve seen several projects at mobile operators around the world try to provide this type of data backup service. Unfortunately I’m not aware of any that actually succeeded. They died for many reasons —customers not willing to pay for the service, limited features, crippled features, lack of marketing, lack of handset support…

All in all I think the data-backup-as-a-service boat has already set sail and the telcos will be left behind due to their own dithering on how to make money on the offering. The same thing that happened to them with Location Based Services —they could not figure out how to make money on it so they never launched it, the phone makers opened the on-device location services (initially mandated for emergency number calling) to application developers and they figured out how to make money from it. So the telcos are left with LBS systems that cost them money but generate no revenue and don’t provide any value even in generating ‘customer stickiness’. And

All in all I think the data-backup-as-a-service boat has already set sail and the telcos will be left behind due to their own dithering on how to make money on the offering. The same thing that happened to them with Location Based Services —they could not figure out how to make money on it so they never launched it, the phone makers opened the on-device location services (initially mandated for emergency number calling) to application developers and they figured out how to make money from it. So the telcos are left with LBS systems that cost them money but generate no revenue and don’t provide any value even in generating ‘customer stickiness’. And

All in all I think the data-backup-as-a-service boat has already set sail and the telcos will be left behind due to their own dithering on how to make money on the offering. The same thing that happened to them with Location Based Services —they could not figure out how to make money on it so they never launched it, the phone makers opened the on-device location services (initially mandated for emergency number calling) to application developers and they figured out how to make money from it. So the telcos are left with LBS systems that cost them money but generate no revenue and don’t provide any value even in generating ‘customer stickiness’. And if you need a computer network that connects smaller networks, it’s imperative that you learn what is WAN.

C’est la vie. Real consumer service innovation in the mobile market continues to move away from the telcos and towards the internet. It’s one more step on the road to mobile dumb pipe networks.


iPhone OS 4.0 UI Enhancement Request

I would like to make a request to Apple for a new UI enhancement to be released in the upcoming iPhone OS 4.0 update.

See, here’s the thing. I use WiFi and Bluetooth all the time. But turning WiFi on and off and switching networks (I do this often as Singapore has municipal WiFi and shitty though it is, I use it until I’m somewhere with a better network, like home or the office, then I need to switch), or changing Bluetooth devices is not convenient. For example to change the WiFi network I am attached to I have to 1. Go to the home screen, 2. Open “Settings”, 3. Select WiFi 4. Choose a new network. This is too many steps for something that I use multiple times a day.

Now, one way to fix this would be to add two more hardware switches like there is for audio on. You could switch WiFi and Bluetooth on and off and flipping it on would bring up the selection box. OK. But Apple has a thing about buttons. So maybe not.

On the other hand… The iPad has a “tap and hold” gesture, that has shown up in the latest OS SDK for the iPhone/iPad. I’d like to use this as an easy way to get to the pertinent WiFi and or Bluetooth settings. First we need to make a small change in the title bar; today if WiFi or Bluetooth are turned off you don’t see their icons:

iPhone title bar with no WiFi or Bluetooth Icons

I propose to change this. I’d like to see the WiFi and Bluetooth icons always on the title bar:

iPhone Title Bar with WiFi & Bluetooth off Icons

This necessitates a new icon: WiFi off. I based this one on the Mac title bar’s WiFi off icon. I’m sure the UI guys at Apple can make it beautiful.

Now that we have icons let’s use them! Let’s look at WiFi. Using the “tap and hold” gesture I just tap and hold on the WiFi icon would bring up a dialog allowing us to turn on WiFi:

iPhone WiFi dialog suggestion, WiFi Off

Then I can turn on WiFi and see a list of available networks:

iPhone WiFi dialog suggestion, WiFi On

That seems much faster and easier to me.

I’d do something similar with Bluetooth, but I’m too lazy to mock it up.