Recently in Privacy and security Category
My solar panels haven't quite passed inspection yet (next week?...fingers crossed), but they're producing and the data collection module for the PVPowered inverter is sending data out to the mvpvpowered.com web site.
I want to be able to push the data to my own site though (along with the weather station data). And in theory PVPowered will let me. The PVM1010 module's page states:
Communications options: Standard open protocols that work on TCP/IP such as UDP and MODBUS can be supplied for system users on request.
I've sent in a request and need to email another because I'm not sure the first request went in correctly.
In the meantime I thought I'd have a look at what the module does. First most obvious step was to point a web browser at the IP my router handed out when I plugged in the module. Nothing. Okay...port scan...nothing! Locked down. So next step was Wireshark to watch for packets out of the module. And...after a few minutes I catch the once per fifteen minute squirt of data out to dcgateway.pvpowered.com. Amazingly it's an SSL encrypted session!
While this doesn't mean the embedded device is secure, and in theory it shouldn't much matter if it is just collecting data off the inverter's serial port and it can't actually send signals and harm the inverter, it does show that somebody at PV Powered put some proper engineering thought behind this module.
I'm impressed!
Though now I'm really counting on them to hook me up with a way to get at the data from the module.
I find it really humorous that as soon as the iPhone 3G is unshackled ATT starts sending out regular emails and SMS's with tips for travelling internationally with an iPhone. The email says "Tips to minimize international data charges when travelling outside the U.S." What more tip does one need than to unlock the phone and use a country-local mobile provider?
Last I knew Verizon was still a fan of a tiered internet. On the other hand they're now saying at least when it comes to blocking copyrighted materials they won't tier things.
Their VP of PR specifically has said, "We generally are reluctant to get into the business of examining content that flows across our networks and taking some action as a result of that content."
I'm not sure how they can say that and at the same time be for a tiered internet. Unless they envision that as discriminating against traffic by source and destination only and not content? But some of the other quotes in the NYT article make it seem like Verizon may be moving more towards accepting that they're in the business of selling pipes and the more and fatter pipes customers want because of a thriving internet means more business for them.
Arguably from the Department of You Can Fund A Study To Prove Whatever You Want, but there is now a study claiming that fair use not only adds economic value, but actually adds more to the economy than copyright!
Maybe someday there will be acceptance of the reasoned arguments that holding IP too tightly hurts us, especially in the digital age.
If the press release were dated a day earlier I'd have been sure it was a joke. But it appears the anti-market EMI corporation may be the first major to start getting with the digital future. It might still be cheaper to just buy the physical media though...depends on whether they do $9.99 albums DRM free too.
And it is a bit odd that they'd have the DRM versions at all. Is $0.30/track enough to discourage somebody who wants to pirate music? No. Are people wanting to save a few cents a track seen as implicitly pirate-prone? Must be. The majors sure relate to their customers in strange ways.
I was surprised to stumble on this today. The actual write-up is a good read...thoughtful and written in a way I'd expect a large portion of Apple's critics (eg: esp. the techno-illiterate politicians) as well as their customers to be able to fully understand. And Jobs squarely plants the problem in the court of the big labels (for those who didn't already clearly get the bloc power they hypocritically wield)!
This is exactly the type of message that you'd expect to deflect the European political pressure on Apple around its DRM. And exactly the thing to increase pressure on the majors to catch up with reality. Or the thing to increase political pressure in a more appropriate place (eg: how about these ideas for a start) towards helping the majors get a clue.
Maybe I was on the leading edge in witnessing EMI's attack on OLGA (over a decade ago already?!), but I think the rest of Apple's billion downloaders are starting to get the situation and are beginning to see the anti-market, anti-competitive, anti-creative state of copyright this DRM facade masks.
I can't wait to watch how this plays out! It made the tail end of Marketplace today and I'd expect it prominently in the press tomorrow.
Slashdot's got two good links on the DRM front today.
First, Yahoo's actually taking a stand against DRM "protected" music! This is a great quote:
"As you know, we've been publicly trying to convince record labels that they should be selling MP3s for a while now. Our position is simple: DRM doesn't add any value for the artist, label (who are selling DRM-free music every day -- the Compact Disc), or consumer, the only people it adds value to are the technology companies who are interested in locking consumers to a particular technology platform. We've also been saying that DRM has a cost. It's very expensive for companies like Yahoo! to implement. We'd much rather have our engineers building better personalization, recommendations, playlisting applications, community apps, etc, instead of complex provisioning systems which at the end of the day allow you to burn a CD and take the DRM back off, anyway!"
The second article on /. gives a deeper dive into just that. An analysis of DRM and how it has been circumvented.
Wired has an interview with some people from the party. Cool to see them continuing to generate press.
I saw this on BoingBoing following up on their reference the other day to this story. Is Houston Police Chief Harold Hurtt planning to run for president or something? He seems to be working on outpacing President Bush at trouncing civil liberties.
This is one choice quote: "I know a lot of people are concerned about big brother, but my response to that is if you aren't doing anything wrong why worry about it."
The best part is there's now a bounty up for any video of Chief Hurtt breaking a law!
This should be fun to watch unfold...
As if this wasn't bad enough looking a month ago...now it's just sounding like total science fiction is coming out of Congress. And from my own Senator now!
Granted Boing Boing's got a sci-fi writer posting, but the EFF's info isn't exactly heart warming by comparison either.
Time to start making phone calls.
Boing Boing's picked up an excellent example of why we may have more to fear in corporations than in government. Corporations have a huge interest in tracking their customers and aren't necessarily going to care as much about the possible harmful effects that such data can trigger. Sure the government apparently can do anything it wants, but what can an angry mob of citizen aggregators do?
Apparently the Blu-ray consortium is having trouble with their Advanced Access Content System. Wonder how much this has to do with Sony and their recent DRM problems? It's amazing how so much time and money can be put into something that will ultimately not work.
In the flurry of legislative action yesterday was a hidden gem from the House for the content industry in the form of HR-4569. Not too surprisingly with a huge amount of last minute legislation yesterday Thomas is way behind today so it's hard to get much detail beyond the above mirrored text of the legislation and the public outcry and the MPAA chair calling it "very important piece of legislation."
I had to write my Representative the Honorable David Wu a note in response.
Not exactly in the area I'd been worrying about but nevertheless even big, smart Google makes mistakes. Looks like this XSS vulnerability was closed earlier this month and only publicised today and the message makes it sound like Google's security team is good. But still...makes me wonder what other interesting things are happening below the radar with all this scripting.
Thinking about including Google's JavaScript in my webpages last month (1 and 2) has had me thinking more on how complex interactions happen with software and security implications. The Sony mess with DRM is a good example of complex interactions, but this has largely been interactions on a single machine, possibly with a remote attacker. XSS, email, IM and the like bring in a bit of a network aspect. But it seems like we're getting into a new realm where it's harder to quantify risk or actively manage it as code moves onto other people's servers.
That Google was able to "fix" by changing code on Google servers a major security flaw in Microsoft's Internet Explorer that their Google Desktop software exposed is fascinating. Fixing desktop code in a third party's software by putting changes on your server that your user doesn't actually have to download. That's complexity and means problems.
It's been interesting to watch how this story has progressed into the mainstream press and the reactions, from BoingBoing's commentary in the expected pretty pissed off blow by blow fashion to the newswire articles in the print paper that finds its way to my doorstep each day.
Today Bruce Schneier's weighed in with a nice analysis.
Sure Sony's backpedaling right now, but this whole issue starts to set a scary precedent for how the industry will operate in the future. As Schneier points out these big companies will just come to the plate better prepared next time and with the proper collusion they'll succeed at screwing us consumers. Their lawyers are probably already working on legislation to work through their representatives to make this easier.
I've been subscribed to AWAD for many years and noticed today that they have their own bit of JavaScript for inclusion in your web site.
This and the Google one yesterday got me thinking that I'd never even looked at plugins for MovableType. There's a huge list.
One of these days I'll have to play with adding some stuff to my blog. I still owe Jenn a Gallery though and should update mine to the new major release. And I should update our MovableType installs for that matter. Guess I'm slacking on the sysadmin front.
Sure I added a blog entry with a snippet of code recently and was blindly thinking it did something smart and dynamic and then realised that it was just a boring bit of html code. I obviously wasn't really thinking.
But Google Analytics got me thinking a little more. They ask you to include a little script of theirs on your web site. In return you get some magic info about your site.
All well and good except what does that bit of javascript do? I haven't looked at it very closely, but close enough to tell it's not the most clearly written code in the world. What if it has a bug? Or what if one is later introduced?
This brings up an interesting twist of a possibility...a commercialisation of the cross-site scripting class of security holes. How long until somebody comes up with some sort of commercial spyware XSS? Maybe there are already things like this lurking in our web applications.
Marcus Ranum (smart guy and security expert) has an interesting new essay on common fallacies in security. This is a good, thought-provoking article.
Periodically something pops up in the press about the TSA and their work to secure the US. Unfortunately it doesn't seem like there's much concern for civil liberties or oversight into how and what they do. I'd be curious to find out what dirt they have on me. A few years ago it seemed like I was always the one getting pulled aside for an extra search when flying, but it hasn't happened as much lately.
I've been reading about blog spam but hadn't experienced it until this weekend. Jenn started getting a tonne of bogus trackbacks linking to pron and other crap on her blog. She's been deleting them but has turned off commenting for now to avoid that admin work.
There's a balance between anonymity/privacy and protecting against idiocy to be struck, but this makes me wish there was an established/universal credential system for users. I remember honestly thinking way back when that PGP's web of trust was smart. Personal encryption never really took off and is still viewed by the unwashed masses as something mostly for criminals. In the meantime servers got certificates and ssl out of business necessity.
So half the equation's well established.
On the user auth side it seems like most work is going towards systems geared towards gathering marketing information for big corporations (ie: Microsoft Passport like services), because business is only likely to push a system they view as providing a return on investment. The Liberty Alliance isn't good entirely either. The EFF and other watchdogs seem very quiet on the subject these days. Probably since Sept. 11 it's dangerous to talk about systems ensuring privacy and anonymity.
