sandipb.net

› yours truly.

Apple Patents Tech to Allow Govt to Block Recording on Mobile Devices

| Comments

A troubling development:

Apple has patented a piece of technology which would allow government and police to block transmission of information, including video and photographs, from any public gathering or venue they deem “sensitive”, and “protected from externalities.”

In other words, these powers will have control over what can and cannot be documented on wireless devices during any public event.

And while the company says the affected sites are to be mostly cinemas, theaters, concert grounds and similar locations, Apple Inc. also says “covert police or government operations may require complete ‘blackout’ conditions.”

And those who think that this is not coming for Android in the future are deluded. If Apple managed to get this technology into the field, it is only a matter of time that Android handset manufacturers are forced to incorporate this as well. If the technology exists, in today's post 9/11 world, it is difficult to resist government pressure on such matters.

Of course, it would be interesting to see the security features for this tech, as this is very likely to be abused - by repressive governments (read, every one) as well as criminal enterprise (recording-free drug zones everybody?)

Apple-touch-icon 404 Errors in Logs

| Comments

Curious about several peculiar Apple related 404 errors for images in my web server logs, I decided to find what is going on, and became knowledgeable about yet another nugget that I really didn't want to know. (sigh)

Use of Tor Will Make You Interesting to NSA

| Comments

Just now read a rather disturbing article from Sophos security. The article describes the interpretation of the law by NSA and some of the internal policies that they use in surveillance.

They also reveal that courts don't always determine who's targeted for surveillance because that discretion is practiced by the NSA's own analysts, with only a percentage of decisions being reviewed by regular internal audits.

To make those decisions, NSA analysts use information including IP addresses, potential targets' statements, and public information and data collected by other agencies.

In the absence of such information - for example, if a potential target is using online anonymity services such as Tor, or sending encrypted email and instant messages - agents are encouraged to assume that the target is outside the US.

This is the part that needs to be emphasized again and again - all this hullaboo in USA about NSA's surveillance is about snooping on American citizens. If you are not one, you have no rights at all and NSA has no limits to what they can sniff out of you and how long they can keep that info. I know, it is pretty much common sense, but when I see Indians getting all worked up about this revelation, I sometimes feel that some of them don't get this.

So coming back to the article, if an American is using Tor or encrypted email or encrypted chat messages, unless the American has been positively identified as an US citizen, he will be treated like a foreign person - essentially with no rights.

And this part is interesting:

If communication is encrypted - particularly if a US person is using certain types of cryptology or steganography known to have been used by "individuals associated with a foreign power or foreign territory” - the NSA is free to collect it and store it "indefinitely" for future reference and cryptanalysis attempts.

That is a loophole right there in my opinion - will they still keep the crypto data if they already have the means to crack it? :-)

Law Enforcement Was Not Supposed to Be Easy

| Comments

Touch of Evil by Pink Cow Photography

A scene from the 'Touch of Evil' (1958)
In this day and age of the surveillance state, a quotation worth remembering from the legendary Orson Welles over 50 years back.

A policeman’s job is only easy in a police state.

– Charlton Heston as Mike Vargas in the movie “Touch of Evil”(1958),
Orson Welles (screenwriter and director)

Curiously, a similar statement was made over a decade back, in fact a couple of years before 9/11, before the world changed, or actually before the United States' war on terror changed the world.

We should not be building surveillance technology into standards. Law enforcement was not supposed to be easy. Where it is easy, it’s called a police state.

– Jeff Schiller, an IESG member and MIT network manager, Wired Magazine, 1999

(via Answer Girl and Steve Worona)

Use Btsync and Owncloud to Create Your Own Free Personal Storage Cloud

| Comments

Stormy storage. #clouds by scattered sunshine

Cloud storage?

High Scalability had an interesting link today about a project that combines Raspberry PI, btsync and owncloud to create essentially a personal Dropbox replacement with none of the costs or the storage limitation. Also very importantly, keeping up with the hot topic nowadays, the peace of mind from knowing that you are not making it easy for intelligence agencies to go through your most important and personal data.

The players in this solution here are:

  1. btsync: A still alpha lab product from the original bittorrent creators, which allows you to securely sync a folder between multiple devices owned by you. Ready to use binaries are provided for all the major platforms (desktop and mobile) as well as several ARM architectures (which is where Raspberry Pi comes in). The UI interface is not great, which is probably why the next piece of the puzzle comes in - Owncloud. But if you really want the basics, this is all the software that you need for a synchronized folder among multiple devices.

"The minimal btsync web ui"

Unfortunately, btsync is not Opensource software. So it is entirely upto you who you trust more - Dropbox or Bittorrent Inc. Btsync is reported to phone home for version check and uploading anonymized stats. I have looked around. btsync doesn't have any open source competition yet.

  1. Owncloud: This is actually a standalone application for sharing your files via a dropbox like web interface. It has an extensive list of features - sync between devices, multiple user support, file versioning, undelete, Lucence based search, shared calendar, tasks, data migration/backup and many more. Most importantly, this is Open source software, with all the code available on github.

One question that came to my mind after reading the feature set is that Owncloud already had a multiple device file sync feature. So why would you need btsync?

From reading over the net, it seems to me that btsync is considered to be more reliable as a file sync client. So the idea is to use btsync everywhere, and on one of the devices, use owncloud to provide the interface to serve/edit files over the web.

  1. So how does Raspberry Pi - the overnight micro computing sensation fit into all this? This is because of the way Bittorrent works. For uploads to happen for a torrent, you need one seed up with the complete data. Since btsync is essentially multiple torrents bunched together, it needs a seed as well. And if all your devices are mobile and not always on, there is a good chance that when you need a file, none of the other devices are up and you are cut off from your data.

Raspberry PI by psd

Raspberry Pi

The solution is simple, have one of the btsync devices to always be running, essentially acting like the seeds for your data. If this always-on computer is a mind-numbingly low 6 watts burning tiny box hanging off a wall socket, well .. you can see the appeal of R-pi.

But I already have an always-on device - my Synology NAS, which also happens to be an ARM device. So to try it out, I downloaded the PPC version of btsync and tried to run it - no luck. The btsync binary is a glibc2.4 binary while the NAS firmware is glibc2.3. btsync uses inotify on glibc2.4 and therefore will never support glibc2.3, so I am out of luck here.

# ./btsync 
./btsync: /lib/libc.so.6: version `GLIBC_2.4' not found (required by ./btsync)

The one thing I am yet not comfortable with Raspberry Pi, is its lack of a shutdown switch. Raspberry Pi is perfect for headless usage and with a USB wifi dongle, the only wire it needs is the charger. However to shut it down properly, you cannot just turn it off. Just like any other Linux machine, you need to execute the shutdown command which will unmount the filesystems cleanly before turning off the machine. Mess this up, and you will end up with a filesystem which needs an fsck on bootup and the machine will not boot without you using a keyboard and console to fsck the filesystem.

Till I get myself a hack to shut R-Pi headlessly in a clean and convenient way, I just am not to comfortable using it for serious applications, let alone touch my precious data. There is a nice discussion on raspberry pi forums that I need to readup to do this, and a few blogs (like this) already provide various ways to do that. I just need to find some time to go through all that.

Being ‘Ramen Profitable’

| Comments

tabata-ramen by food_in_mouth

Ramen!

Another "hey there is a term for it" moment today!

Years ago when I was running a business of my own, my intention was never to be wildly successful. All I wanted to do was to make my ends meet, learn a lot of stuff, do a lot of work on stuff that really interested me, and work in a way that made sense. After giving this some time, and when I am somewhat self-sustaining, the next stage was to organically scale up with a set of productized services (as an Opensource focused company normally does) which will fund the next stage which was to come out with actual products which really rakes in the moolah. Being an overnight sensation was neither my style, nor did I consider it practical.

The common response I got from anybody who wanted to give advice on how to run my company (read everybody) was on the line of:

You working alone? Why? Get some staff, grab a few high profile jobs, approach some VC and then ramp up. That way, you don't have to run around doing collections and focus on your work.

When I put forward my intentions, there were generally two reactions - either one of confusion (what the heck is this guy trying to do?) or smirking condescension(this guy is not serious about business).

Over years, I have met and read about several individuals who think about running a business the same way. Unless you have a brilliant web/mobile based idea which has network-effect friendly features, it really doesn't make sense to me why you would effectively hand over part ownership of your company to someone just because you are impatient and want to get big/rich quick.

Turns out this thought process has been given a name - ramen profitable, by the startup guru Paul Graham (article). He defines it thusly:

Ramen profitable means a startup makes just enough to pay the founders' living expenses. This is a different form of profitability than startups have traditionally aimed for. Traditional profitability means a big bet is finally paying off, whereas the main importance of ramen profitability is that it buys you time.

There are several advantages to this business model.

  1. You are no longer at the mercy of investors, and have a partner who has a different term view of the investment. You invest with your time, effort and money for the long term, they invest with their time and money for their window of investment (which is generally more short term).

  2. You make yourself more attractive to investors by showing seriousness and fiscal discipline. You also show a working model by having paying customers - it is no longer a theory that you need to pitch to investors.

  3. It is great for the morale for both the founders and the staff. Work is lesser of a gamble if you are being paid by company income rather than by the investors money.

This is not a permanent business model as Paul points out repeatedly.

It does not, for example, imply that you're "bootstrapping" the startup—that you're never going to take money from investors. Empirically that doesn't seem to work very well. Few startups succeed without taking investment. Maybe as startups get cheaper it will become more common. On the other hand, the money is there, waiting to be invested. If startups need it less, they'll be able to get it on better terms, which will make them more inclined to take it. That will tend to produce an equilibrium.

Ramen profitability is not the destination. A startup's destination is to grow really big; ramen profitability is a trick for not dying en route.

I believe that if you are starting off on your own, you don't necessarily have to keep the flipkarts and facebooks as your idols. This is much more sane advice if you are in for the long haul.

The Full Extent of Microsoft’s Prism Involvement Exposed

| Comments

In a sensational release yesterday, Guardian has revealed scary details of how Microsoft has been collaborating with NSA to give access to its customer data for PRISM purposes. The extent of privacy breach is shocking:

  • Access to data before encryption for Outlook.com and Hotmail emails and webchat
  • Access to its cloud storage Skydrive
  • Access to not only Skype voice calls but also video calls

Apparently all this data is routinely shared between FBI and NSA.

The information the NSA collects from Prism is routinely shared with both the FBI and CIA. A 3 August 2012 newsletter describes how the NSA has recently expanded sharing with the other two agencies.

The NSA, the entry reveals, has even automated the sharing of aspects of Prism, using software that "enables our partners to see which selectors [search terms] the National Security Agency has tasked to Prism".

The document continues: "The FBI and CIA then can request a copy of Prism collection of any selector…" As a result, the author notes: "these two activities underscore the point that Prism is a team sport!"

Hmm, so I guess nowadays the point of encryption while using mail, Skype, chat etc is only about hoping that bad guys (???) will not snoop on our data. Big brother already has all the access it needs.

Moving From Wordpress to Octopress

| Comments

There is no doubt that Wordpress is a wonderful blogging system. But being a dynamically generated website, all the nightmares of scripting languages kick in. Patches come regularly to Wordpress and until you login and update, it keeps nagging you inside and ruins your happiness.

There is an alternative - hosting on wordpress.com directly. But not only does it cost unnecessary money (I already have a shared hosting account), it is also severely limited by what you can run on it - no plugins or themes or custom javascript other than what is provided.

I manage several WP blogs now, and for a long while I have been looking forward to moving to a static blog generation system. After all, the only dynamic part of a blog is the comments and I anyway outsource it to Disqus.

I looked at Python blog generators first - because such frameworks are often extended by using the same language as the framework itself, and I am most comfortable with Python. I looked at Pyblosxom and Hyde. Not quite satisfied with the current state of these, I looked at generators in other languages.

Github has popularized Jekyll a lot, so I looked at that first. While it was great, it still required you to write a decent blog theme from scratch. And then I discovered Octopress. This used Jekyll, but came with a standard theme which looked good and was also well designed for mobile. All these frameworks use Ruby and since I was anyway picking up the language, it wasn't so bad.

I exported the data from wordpress using its own export tool, and then converted it to Jekyll using the exitwp tool which converted wordpress' html source to markdown format. For a Jekyll utility, amusingly exitwp is written in Python and makes you install a bunch of python libraries to work.

Some layout tweaks here and there and some additonal sidebar content later, my new blog is ready!

The only gripe in this whole process is that many of the images were broken. Wordpress used to upload images into its own uploads directory. I could have copied that directory and fixed my problem, but I wanted a clean break from wordpress so bad, that I decided to move the images to a common blog images directory. I used a quick and dirty perl script to fix the links, but I suspect I will still be finding out some image 404s.

Till then, with static html out there on my blog, some peace of mind.

References:

The “Windows”-fication of Gnome

| Comments

USB drive context menu in Nautilus

For a while I have been puzzled why Nautilus doesn't allow me to simply unmount an USB pen drive from the context menu. The only options I could see for USB pen drives was - eject and safely remove drive, which was puzzling on its own as them meant the same to me.

Selecting "eject" or "safely remove" drive does the same thing for USB drives - it unmounts the drive and powers it down. To mount it again, you will have to physically detach it from the USB socket and attach it again.

This trips up several things - it doesn't allow me to remain in GUI land for any use case involving simply unmounting the volume but not detaching it. Applications like gparted, unetbootin, palimsest which I use frequently cannot access the device after it has been "safely removed".

The only GUI way to simply unmount but not detach the USB device seems to be either using gparted or palimsest itself. While I can do that, it seems silly why I would need to open a different application to do something so basic in an Unix system - unmount filesystems, something which we have always been able to do from the earliest of desktop environments.

After ignoring the issue for months(probably years), I decided to find out why the UI was the way it is. And I found this Gnome bug and this one which gave me all the answers.

Here is the gist of the bug:

  • eject is meant for unmounting and removal of media from CDROM like devices. Unlike "unmount" which works only on a single volume, "eject" will unmount ALL volumes on the devices so that it can be removed physically. However, since USB pen drives sometimes advertise their nature as removable, Gnome cannot find out if the device is really removable or not. So this option is made visible for all USB pen drives. On pen drives, it does the same work as "safely remove" it seems.

  • safely remove is meant for unmounting the media and powering off the device. Using this on USB attached CDROM devices will end up shutting down the CDROM drive in such a way that it would only come back on after a reboot. So, this option will NOT be shown on CDROM drives. It would however be shown on pen drives.

  • unmount: Now this is the most outrageous thing I found in the bug. The opinion of the developers was that this option would be confusing for the users (especially when they are already confused between the previous two options), and therefore removed completely from the UI. In the words of a developer on the bug:

We could also nuke the "Unmount" option and just tell people to use a terminal instead for doing that (or Palimpsest). I don't know if that's screwing over existing users too much though (I'm personally fine with it).

I think what the developers are missing is this - using the GUI is not just for dumb/less technical users. It is also a productivity enhancement for power users! Opening a terminal, finding out the mount point and unmounting volumes can always be done from the terminal, but why should a historically common operation be removed from the GUI which lets us power users get our work done in two clicks? In this particular case, there is already a dead simple way for non-technical users - there is an eject button right next to the device icon!

I am really worried that soon the desktop UI will get so dumbed down that it will be quite unusable for power users on it.