Archive for April, 2011

April 29, 2011

Hubris

As more and more details come out about this week’s security breakdown at Sony, one thing is becoming clear: even if you think you’re safe, add a couple more security layers. Because you are not safe.

According to the New York Times, the hackers made off with a database that included customer names, addresses, usernames, passwords and as many as 2.2 million credit card numbers. Reuters is running a story that covers the number of class action lawsuits being filed on account of the breach. The price Sony could eventually pay out in time, legal fees and lawyer costs is on the clock.

Why? 

VentureBeat tracked down George Hotz, aka “GeoHot”, who recently settled a lawsuit with the company over hacking into the PlayStation 3’s hardware. While Sony may consider him public enemy number one, Hotz replies that he had nothing to do with the attack. Considering that he recently settled with Sony rather than go through years of legal wrangling (plus the fact that Hotz’s main gig is hardware hacking, not database cracking), that would tend to exclude him from the lineup. But his reaction sums up what is going on nicely:

“The fault lies with the executives who declared a war on hackers, laughed at the idea of people penetrating the fortress that once was Sony, whined incessantly about piracy, and kept hiring more lawyers when they really needed to hire good security experts. Alienating the hacker community is not a good idea.”

And therein lies the point. Companies feel it is easier to hire another lawyer rather than to fix the problem. That the threat of lawsuits is a deterrent to hackers. It isn’t. You have a database with the names of customers and their credit card numbers. Threatening legal action with a room full of empty suits doesn’t matter, especially when the chance of catching the bad guys is slim.

As Hotz points out, engaging the hacker community may be the best option.  Hackers are, for the most part, highly intelligent and creative people who are usually more than happy to point out the failures of your system. Make it a once a year game – give the money you would pay an overpriced lawyer to write nasty letters to the first person who can crack your system and show you where to fix it.  Admit you don’t have all the answers. 

After this fiasco, it might even be seen as a huge cost savings.

April 28, 2011

Can’t Drive 55? Blame TomTom

People love to drive fast. The police love writing speeding tickets to people who do. Fact of life in the driving age. So upon hearing this morning’s story I had to chuckle. You see, the fine folks who make the GPS units known as TomTom have been selling their data to the Dutch police. The Dutch police have been using the data, primarily the speed of driving data, to set up speed traps throughout Holland. When people found out about this, they were not amused. And TomTom publicly apologized for the sale.

Now before we go any further, according to TomTom, the information is totally anonymous. The speed data is used by TomTom to help people avoid bottlenecks, accidents and school zones. And in a world of rapidly shifting revenue streams, as more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data to government sources.

The traffic data helps police and government planners know where the usual bottlenecks and safety problems are so they can plan accordingly.  But the side effect is that data also lets you see the areas where people speed.  The police are unable to see just who was speeding, only that there is speeding occurring in certain places on a consistent basis.  When you know that, you know where to set up your speed trap.

The main concern here is about privacy.  Even though TomTom has said the data is completely anonymous, in the world of data, it rarely is.  It’s not hard to fathom a scenario in which data supplied by TomTom could be used to figure out sensitive information about its users, such as where they live and work.  All it takes is someone dedicated enough to do so.  That is why people are upset. 

Of course, drivers in the US have had the site speedtrap.org to let them know where the usual speed traps are.  The site has been up for years and provides you with exactly where the police regularly set up their speed traps.   No GPS unit required for that one.  Just good, old fashioned information sharing on the message boards.  The thing the internet was originally set up to facilitate. 

April 26, 2011

I Will Not Be Ignored, Steve…

Q: Steve,

Could you please explain the necessity of the passive location-tracking tool embedded in my iPhone? It’s kind of unnerving knowing that my exact location is being recorded at all times. Maybe you could shed some light on this for me before I switch to a Droid. They don’t track me.

A: Oh yes they do. We don’t track anyone. The info circulating around is false.

The hue and cry that has circulated around the fact that the iPhone is indeed recording your approximate location has increased in the last few days, and during this time, Apple has kept relatively quiet. So someone decided to ask Steve directly. And as always, Steve’s brief answer raises more questions than it answers.

Of course there has been the blowback that Android does it too. Yes, Android has been shown to also gather location information, but the database is limited to a much smaller list of entries and is regularly wiped by the system. But to use Steve’s own logic, Google is not tracking you either. 

So, no one is doing anything with that unencrypted-by-default database on my phone showing basically where I’ve been.

So, why is it there?

Of course all of this could easily be bypassed with some simple common sense. Over the last ten to fifteen years, our privacy has morphed due to all the wonderful little gadgets out there that allow us to be the attention whores we have become. Some of us, however, still cling to the notion that what I do, where I go and what I think is no one’s business but my own. And there is a large number of us that really do not like the idea that people, companies, and governments are just getting bits and pieces of our lives without our immediate knowledge. So I propose to all companies out there a simple solution. You want to know how I am living my life? You want to know everything about me, even the bits you really didn’t want to know?

Pay me.

Money soothes a lot of psychic wounds. You offer enough cash and people will allow you to set up cameras in their bathroom. Call it “The Magic Christian” effect. After all, Steve, you are making money off knowing more about me; all I am suggesting is a real time partnership. You pimp me out to as many companies as you want, and I will live my life like a Kardashian. You want to know more, pay me more. I know, why buy the cow when you’re getting the milk for free, but times are changing, Steve. The more people come to dislike the fact that this is being done without their knowledge, the more my little scenario will make good business sense. Why face a revolt, especially in times like these?

April 22, 2011

A Perfect Storm?

The outage at Amazon over the last two days now has been more than disconcerting. Many businesses have been sorely affected, and unfortunately at the time of this writing still are. The social news site Reddit has now been under “emergency read only” mode for over twenty four hours. Quora was hit hard yesterday, but seems to be slowly coming back. All Things Digital has a list of companies that were hit, and opened up comments so that readers could add others they missed. The list is impressive.

But unfortunately, the big question is still unanswered. What is going on? Amazon has been tweeting and posting as to the fixes and status, but no one has answered the basic question. In fact, reading the messages coming from Amazon, it felt as if the public is hearing “Don’t Panic”, while all hell is breaking loose behind the closed door. As people have pointed out, it sounds more like damage control than a full-blown explanation to their customers of the real problem. And for companies who are using AWS, the lack of a real explanation of what was going on severely hampered their own disaster recovery efforts. Roman Stanek, CEO of GoodData, blogged:

My ops people were ready at 1:00 am PT to start our own disaster recovery, but status updates completely failed to indicate the severity of the situation. We relied on AWS to fix the problem. Had we had more information, we would have made a different choice.

The guest commentary in Geek Wire by Keith Smith, CEO of BigDoor, a Seattle startup that builds game mechanics into online publishers’ Web sites, was precise about this. BigDoor relies on Amazon Web Services for their business. And Keith’s comments echo the thoughts of every manager of every company hit by this outage.

There are a lot of really obvious and relatively easy things that any startup can do to avoid an all-out reliance on any single cloud provider, but those things take additional time and money – two of the most important things that every startup is constrained by.

We absolutely love AWS because of the pace of innovation and scale that it has allowed us to accomplish. But after today’s episode is over, we will have a big decision to make.

We can spend cycles designing and building technical belts and suspenders that will help us avoid a massive failure like this in the future, or we can continue to rely on a single huge partner and also continue our break-neck pace of iteration and product development.

I can’t tell you today which option we will choose. But I’m sure it will be the question on the mind of many startups across the country.

Amazon’s lack of transparency is reminiscent of BP’s mishandling of the Gulf oil spill. One reason why people were angered then was because officials within the company were not forthcoming about what was going on. Companies using IaaS rely on technical communications written by technicians, not lawyers. The idea of the internet is about transparency. This is what happens when it isn’t.

April 20, 2011

Why Apple Is Your Psycho Ex

Ah yes, the Ex who had to know everywhere you were going. Some of us have had the displeasure of dealing with someone who feels as if they have to track our every move. But I bet you didn’t think that it was Apple. You see, in the Guardian today there was a really great story about how Apple keeps tabs on where you are and when you were there in a secret file on your iPhone (and iPad) that hooks up with a file on your computer when you sync your files.

How bad is this? Let us start with what is tracked by going to radar.oreilly.com where they first broke the news: 

All iPhones appear to log your location to a file called "consolidated.db." This contains latitude-longitude coordinates along with a timestamp. The coordinates aren’t always exact, but they are pretty detailed. There can be tens of thousands of data points in this file, and it appears the collection started with iOS 4, so there’s typically around a year’s worth of information at this point. Our best guess is that the location is determined by cell-tower triangulation, and the timing of the recording is erratic, with a widely varying frequency of updates that may be triggered by traveling between cells or activity on the phone itself.

Up to a year’s worth of unencrypted information. Yes, unencrypted. Which means that basically anyone could get in and see. That is not good from a privacy standpoint. Now, the cell phone companies already have this information available to people in the law enforcement sector, but in order to get it, they need a court order to do so. If the information is on your phone, well, what’s to stop a techno-savvy officer from “accidentally” seeing what should not be seen?

Of course, the first rabid argument is that Google tried it first. Oh, yes, the great Googly-Moogly tried the “Latitude” system, which allowed people to enable their mobile to give out details of their location to trusted contacts and ran afoul of privacy mavens for that as well. But here’s the slight but most important difference: Google allowed you to opt into the service. If you wanted to let the world know where you were in your private reality show, you could. With Apple, there is no choice. You are being tracked, whether you like it or not. And so far, Apple ain’t talkin’. No word as to why this was created or if this can be disabled. So there are various theories as to the whys and wherefores, which come back down to marketing and advertising.

But in case you want to get mad about this, you may well be out of luck, as you forgot that ever present 15,200-word terms and conditions agreement for Apple’s iTunes program, used to synchronize with iPhones, iPods and iPads. In it is an 86-word paragraph about "location-based services".

“Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.”

In other words, you might want to consider alternatives in handsets if you want to keep your life private. 

April 19, 2011

T-Mobile Bobsleds Into Facebook

If you’re T-Mobile, you can either sit and wait for the US Government to OK the sale between you and AT&T or you can actually do something big.  T-Mobile opted for Big.  As in Facebook’s 500 million users big.  And Skype may have taken the mortal hit because of it. 

You see, today, T-Mobile announced their new Facebook application, Bobsled. Teamed with developer Vivox, Bobsled is a web-based voice chat app that runs in Facebook. That’s right, this lets you start voice chats with your Facebook friends from within Facebook’s chat window. All you need is a mike and speakers. You can leave a voice message for your friends and family when they are not available. You do not need to have Bobsled in order to receive a voice message. Did I mention this was free? And since approximately 88 percent of Facebook users have said that voice chat is something they want, that’s a lot of users.

How does it work?  The app is natively integrated into Facebook’s chat system. When you pull up a Facebook chat window, you can see a phone icon. If you click on that, you can call your friend. It’s instantaneous. I’ve been playing with it this afternoon.  The call quality is OK. 

So what does this mean for Skype? A previously announced partnership between Facebook and Skype has left many people expecting the two would be taking care of intra-Facebook calls, which makes the announcement by T-Mobile all the more interesting.  Apparently, someone wasn’t moving fast enough.  A possible 500 million plus users, and you know that T-Mobile is going to expand into video chat, the ability to place VoIP calls to mobile and landline U.S. numbers, and apps on all devices.  T-Mobile appears to be getting aggressive and fast.  This does not bode well for Skype. 

But besides the business of business, this is a nice to have. 

April 17, 2011

The More You Know (And Shooting Star)

Time for the weekend wrap up. And to start, let’s look at the law, shall we? First the firm Righthaven appears to be in some hot water. You see, Righthaven, that wonderful law firm that sues first and asks questions later, is a little perturbed over the judge’s ruling concerning their lawsuit over Brian D. Hill, an autistic blogger from North Carolina. How perturbed? Enough to defy the federal judge by refiling commentary the judge had stricken from the record. Why would they do that? To have the 58 other bogus lawsuits assigned to another judge. If so, they better hope they do not get the federal judge in Las Vegas, who just unsealed the company’s heretofore confidential agreement with the Las Vegas Review-Journal in a related lawsuit against political blog Democratic Underground. This is really the one everyone should watch, because if the Democratic Underground wins, it means that every other lawsuit Righthaven has brought in regards to the Las Vegas Review-Journal could be thrown out. Grab some popcorn and stay tuned.


Staying with the law, the Supreme Court will hear Microsoft’s call to change patent law in a way that could help both the Windows developer and many other technology firms fend off patent troll lawsuits. The move is partly a self-interested one for Microsoft, which is hoping to use the change as a way of escaping its loss to i4i in a patent lawsuit over XML in Word. Microsoft had been found violating i4i’s patent and unsuccessfully challenged the verdict in front of the Supreme Court. However, this has the support of some of the largest companies in the industry, including Apple, Cisco, eBay, Facebook, Google, Intel, and Verizon.

Opponents have mostly included 3M and pharmaceutical companies that are worried their patents, on which they base most of their business, will be overturned. The Pharmaceutical Research and Manufacturers of America group argued the incentive to develop new drugs would be "substantially reduced."  Patent trolls will be watching this.


And finally, a story of lawsuits would not be complete unless you had an outraged parent.  It seems like even after Apple included parental controls over in-app purchases on games for iPhones and iPads, some parents are saying that it isn’t enough.  Earlier this week, Garen Meguerian of Pennsylvania filed a lawsuit against Apple that says the company’s policy for in-app purchases doesn’t go far enough to prevent children from buying currency or points inside apps and games. The lawsuit, filed in the U.S. District Court for Northern California, requests class-action status and asks for unspecified damages and legal fees.

You see, Meguerian brought the suit after his nine year old daughter racked up a bill of $200 after buying virtual currency for the free games she had downloaded. Meguerian makes the point that even though Apple requires a password not only to purchase anything within the app store, but also anything within an app, it is the same password. To which all I can do is offer a pro-tip: You should become familiar with the product you just gave your child before you do so. This is Apple, not Fisher-Price. Somewhere along the line, you need to be responsible.

April 13, 2011

The Ballad of George and Sony

“Christ you know it ain’t easy,
You know how hard it can be.
The way things are going
They’re gonna crucify me.”

John Lennon, The Ballad of John and Yoko

George Francis Hotz is a highly regarded 21 year-old who first came onto the scene by jailbreaking iPhones, causing a great deal of hullabaloo amongst the population.

At the end of 2009, Hotz announced his efforts to hack the Sony PlayStation 3, a console widely regarded as being the only fully locked and secure system of the seventh generation era. He blogged about his progress, announcing that he had successfully hacked the machine by giving himself read and write access to the machine’s system memory and hypervisor level access to the machine’s processor. Sony announced firmware updates; Hotz then announced plans of a custom firmware, similar to the custom firmware for the PlayStation Portable, to enable Linux and OtherOS support, while still retaining the features of newer firmwares.

I will take a step back here to say at this point, Hotz was simply a home-brew hacker showing off all this gee-whiz stuff to the public. This was not anything major, nor should it have been.  In fact, the pool of those people who would actually do such a thing within the entire pool of PS3 users could fill an auditorium.  A small auditorium.  Given the fact that this population is mainly dedicated enthusiasts, what happened next is a lesson in how not to run a business.

On January 2, 2011, George Hotz posted the root keys of the PlayStation 3 on his website. Sony immediately filed a lawsuit and demanded that social media sites, including YouTube, hand over IP addresses of people who visited Geohot’s social pages/videos. PayPal granted access to Sony for them to view Geohot’s PayPal account. The judge of the case has given permission to Sony to view the IP addresses of everyone who visited geohot.com (George’s website). Two things here. Yes, Hotz was wrong to post the keys on his website. But Sony forgot the one law of the internet: once it’s out there, it’s out there. Better to contact George and, I don’t know, hire the kid in order to make a better product. After all, he’s doing more for the product than their engineers at that point.

People were outraged over the heavy handedness of Sony’s lawsuit and contributed to George’s legal defense.  Then Anonymous (that band of merry internet pranksters, God love ‘em) got into the act, pronouncing

"Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for and rightfully own, in the manner of their choosing," continues the pronouncement. "Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been ‘renting’ your web domains. Having trodden upon Anonymous’ rights, you must now be trodden on."

And then, as they say, it was on. It really looked like this was going to be a real fight. And then this article from Ars Technica this morning:

“The legal action between Sony and George Hotz has come to a close, with both sides seemingly happy with the results. Sony has Hotz agreeing not to do bad things to its hardware, and Hotz gets to be left alone and continue with his life. Neither side has admitted any liability in the matter…”

What happened? Two things. This was going to be a legal Battle Royale. Could you see the next five to ten years of your life being consumed by this? I can’t. If you’re Sony, even though you have a room full of lawyers, you have just taken a massive hit publicity-wise, right when you really did not need it. Are you willing to throw what little reputation you have left on the altar over some smart kid showing you up? Doubtful. Is it better that both sides take a step back, and take a breath?

Yes and no. 

The fact is, while George can now go back to his life, some of the legal questions that needed answering will not be answered.  The fact is there are lawsuits of this nature every day. The non-fight only goes to show the world that Sony will spare no expense in suing anyone over their product.  But it points to a larger problem.

I still think the worst part of this is that the copyright owners come down on relatively law abiding citizens like a ton of bricks, while the real criminals remain free to pursue their criminal enterprises. Regardless of whether you think George’s actions were right or wrong, he’s basically a regular citizen – works, goes to school, pays taxes, etc. He was there for Sony to sue, operating under his real name and with real contact information available, and not living on the proceeds of illegal activity.

On the other hand, the guys who run illegal factories turning out millions of counterfeit games, DVDs, or whatever generally go free. What is worse is that these people are known to officials who claim to be protecting copyright. Sony is pursuing regular people like Hotz, who almost surely lost money on this whole venture, while seemingly not even attempting to pursue the actual criminal violators who are driving around in Bentleys.

That is the real criminal act here.

April 11, 2011

i! True Hollywood Story – Steve Jobs

A few years ago, there was a really great made for TV movie titled “The Pirates of Silicon Valley” starring Noah Wyle as Steve Jobs and Anthony Michael Hall as Bill Gates. The movie was based on the book Fire in the Valley: The Making of The Personal Computer by Paul Freiberger and Michael Swaine. Very good book, by the way.

Anyway, I bring this up as there were rumors when both the book and the movie came out that Mr. Jobs was not very happy with his portrayal in either.  Although Woz states that the movie portrayal was honest, the rumor was that Steve did not like being presented as a Type A tyrant whose drive to be the alpha male in the computer world could be seen as somewhat sociopathic at times. 

So, after years of prodding, Steve will have the chance to put to rest those rumors.  According to the Associated Press, Simon & Schuster announced Sunday that Walter Isaacson’s "iSteve: The Book of Jobs" will be published in early 2012. Just in time for the apocalypse. Isaacson has been working on the long-rumored biography since 2009 and has interviewed Jobs, members of his family, colleagues at Apple and competitors. 

Now I think we all know by now what the difference is between an “authorized” biography and one that is not.  It means authoritative access to those people around the biographical person of interest as well as the center of attraction.  It means getting to the bottom of matters, to find out exactly what it is that drives a person to do the things that person has done.  It means finding the truth.

I’m sorry; actually it doesn’t mean anything like that.  Lately, it means airbrushing a person until it looks nothing like them.  In his defense, few biographers are better connected than Isaacson, a former top executive at CNN and Time magazine who has written best-sellers about Benjamin Franklin and Albert Einstein. But we’ve seen a few unauthorized biographies on Jobs to realize that if this comes out as a gee-whiz, boy genius True Hollywood Story, that the unauthorized bios are probably true.

Where’s Kitty Kelley when you need her?

April 10, 2011

After Hours Music Club – Pet Shop Boys

The song is a protest song about the introduction of biometric ID cards into the UK and the National Identity Database. And, given the Pet Shop Boys, extremely well executed.
