Recording industry: full-steam ahead on P2P whack-a-mole

Many problems on the Internet today resemble the game of whack-a-mole: a pointless arms race, a futile gesture, a Sisyphean task that nevertheless draws investors and commercial interest against all reason. Some of them are arguably necessary and serve some social good: examples are the blacklisting of zombie PCs used for spamming, or the takedown of phishing websites. As soon as the ISP has taken down the offending site, five more are already open for business. That is the sad state of the art when it comes to phishing and breaking up botnets.

Then there are other games of whack-a-mole played on a global scale with far more dubious social benefits. Our friendly content industry has been at the forefront of one: the war against peer-to-peer file sharing networks. The RIAA and MPAA (collectively dubbed the “copyright thugs” by Stanford’s Larry Lessig) have engaged in a no-holds-barred battle against piracy online. The original Napster was the first casualty of this crusade. Later P2P systems such as Gnutella, eMule, Kazaa, Morpheus and most recently BitTorrent found themselves in the cross-hairs. Unlike Napster, these proved far more resilient and difficult targets because of their truly distributed architecture. Napster’s Achilles heel was its centralized index, which could not exist without the corporate entity running the service; it was no match for a lawsuit. More lawsuits followed: Kazaa was driven to operate out of a front company located overseas in search of better jurisdictional protection, but the P2P genie had been unleashed. Grokster went all the way to the Supreme Court, only to be held accountable for its users’ actions. Over time the RIAA/MPAA, feeling increasingly indignant and wronged, started going after users instead of technology, often resorting to questionable tactics such as injecting bogus content into networks and remote tracking and surveillance of P2P users. In late 2003 and throughout 2004 came the highly publicized cease-and-desist letters to users. (Usually on target, occasionally giving rise to comical cases of mistaken identity.)

Now an article on CNN/Money says this game of whack-a-mole is not working. Quoting the new RIAA president:

“P2P remains an unacceptable problem. […] The folks engaged in the practice are doing more of it.”

iTunes has sold about 2 billion tracks since inception. By comparison, the article cites an estimate that half as many songs are traded on P2P networks every month. Way to go, Apple.

cemp

Winds of change for Prius demand

An interesting article from CNN/Money comments on the fact that after 3+ years of robust demand, it is now a buyer’s market for the Toyota Prius.

The Prius was the second hybrid released in the US, after Honda’s now-discontinued and largely impractical 2-seater Insight, although it came first in Japan. Apparently sales are slowing right after Toyota committed to increasing inventory by 70%, no doubt prompted by the surge in interest last year as oil prices climbed out of control. Economists were vindicated: there is price elasticity after all, even though price fluctuations in the late 1990s showed no sign of stemming the consumer fascination with SUVs. This time the spikes following the 2005 hurricane season did lead to a renewed focus on fuel economy– when GM is advertising one of its trucks as “best fuel economy V8 full-size in its class” you know that expectations have been reset. (Is that akin to being the fastest unicorn?) The Prius was there to capitalize on the demand. According to the statistics in the article, in its halcyon days the average Prius sat on the dealer lot for 5-11 days, compared to 33 days for the Toyota average across the US and an industry-wide figure of 66 days. As one who participated in a Prius search last fall, this blogger can attest that in metropolitan areas that figure was closer to zero days: most vehicles were already spoken for by the time they were loaded on the 18-wheeler for transit.

What is different now? Part of it is that the car became a victim of its own success, an argument also raised here. The tax incentive for hybrids is a function of sales: after September 30 last year it was cut in half because Toyota exceeded the target, and it will go down another 50% in April and again in October of 2007 based on projected sales volume. Other hybrids have not enjoyed nearly as robust sales and keep the full credit. (Tying the amount to units moved does make sense: after all, the incentive exists to motivate consumers to buy, and healthy volumes indicate that consumers need little extra convincing.)

On the economics side, fuel prices retreated and the initial over-reaction corrected itself. On the other hand, as critics pointed out, the extra cost of purchasing hybrid technology is unlikely to be recouped in fuel savings, suggesting that for most consumers the decision was an ecological statement– or a case of bad mathematics.

What does this mean for Toyota? Advertising, for one– that would be a first since 2000, as a niche vehicle aimed at buyers already in the know never required much publicity. There are also incentives, 0% financing and probably an end to the price gouging by Toyota dealers who were capitalizing on demand last year. In short, shrinking profit margins across the board and more Priuses on the road. In this case what is bad for Toyota is good for the environment.

cemp

Latest distraction from an operating system

First it was Minesweeper, in the Windows 3.x days. Often unstable and not very good at multi-tasking, the operating system nevertheless came with the ultimate addictive simple game, one that could easily keep the user distracted while waiting for some CPU-intensive task to complete– such as opening a Word document in the good old days. (This blogger even wrote an Amiga port of the game, so he could play on his primary machine.)

XP had Solitaire. Vista ups the ante with a simple chess program called Chess Titans. It is not exactly a tribute to AI or likely to defeat Kasparov, but the game is perfect for short 5-10 minute runs of speed chess. The application responds in a matter of seconds, even at the higher levels, on a relatively middle-of-the-road PC rated 4.2 on the Windows Experience Index. At the low levels (adjustable on a 1-10 scale) it plays like a coffeehouse player, with no sense of theory or opening book. In the upper range it shows a better grasp of standard chess but has a penchant for unusual opening lines. When playing black it appears to avoid the open game at all costs, preferring the Sicilian, the French defense, obscure gambits, anything but a standard e4-e5 exchange.

Chess Titans, 2D view

2D view, in wood with black/gold pieces. This blogger has white, and the computer is just about to get 0wned after Bf4.

Chess Titans, 3D view (frosted glass theme)

3D view, which looks decent but is not great for actually seeing the board position.

cemp

Kim Zetter on carders

Kim Zetter has an excellent series of articles on Wired about the underground “carding” industry responsible for the wave of phishing and Internet-based identity fraud. It is available as a single PDF file or as a four-part series.

The meticulously documented article– featuring screenshots of conversations with carders, with much information redacted, including Paris Hilton’s social security number– follows the exploits of David Thomas as he is recruited by the FBI to work undercover after his arrest. Thomas ends up running one of the major gathering sites for carders, called “The Grifters”, a rival to the Shadowcrew site taken down in 2004. Great reading.

cemp

More bad news on the phishing front

The situation is not looking good for the good guys combating phishing.

Various toolbars and browser plug-ins were the heralded solution against the plague of emails arriving from Eastern Europe, urging unsuspecting users in badly mangled English to visit a random website and provide personal information. At first it even appeared to be working. Then came signs that not all was well.

One study commissioned by MSFT showed that IE7 was best-of-breed among existing solutions. (Full disclosure: this blogger is employed by Microsoft.) Not to be outdone, the Mozilla Foundation, the non-profit organization behind the open source Firefox web browser, conducted its own study and not surprisingly crowned the anti-phishing feature of Firefox 2.0 the winner. Either study would be easy to dismiss based on its funding and affiliation.

But then academia took an interest in the problem, and a group at Carnegie Mellon published a study showing that in effect none of the technologies were very good. Even the best one missed 15% of confirmed phishing pages at least 24 hours into the life of the scam. (Because the average phishing site stays up 4.8 days according to the Anti-Phishing Working Group, most of the damage is done very quickly and it is imperative for defenses to kick in promptly.) Surprisingly, the best toolbar in this study was of 2004 vintage: SpoofGuard, an open-source solution developed at Stanford University which relied purely on heuristics, without the benefit of a costly-to-maintain blacklist of known phishing sites. Unfortunately SpoofGuard had its own Achilles heel: a very high false positive rate, that is, classifying legitimate websites as phishing. This is equally damning, because a security warning that cries wolf all the time is the one that will get ignored when it is justified.
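To make the heuristics-versus-blacklist trade-off concrete, here is an added example, not SpoofGuard’s code and not anything from the CMU study: a small SpoofGuard-style URL scorer in Python. The brand list, the weights and the threshold are made up for illustration, and all of the sample URLs are constructed. The last sample is a plausible-looking legitimate sign-in URL for a .co.uk site which the scorer’s crude domain parsing flags anyway, which is exactly the false-positive problem described above.

```python
"""SpoofGuard-style heuristic URL scoring (added example; not SpoofGuard's own code)."""
import re
from urllib.parse import urlparse

# Hypothetical allow-list: brand names that should only appear on these registrable domains.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "bankofamerica": {"bankofamerica.com"},
}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
LOGIN_WORDS = ("login", "signin", "account", "verify")


def registrable_domain(host):
    """Crude 'last two labels' guess at the registrable domain. No public-suffix
    list is consulted, which is the source of the false positive shown below."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_url(url, brand_domains=BRAND_DOMAINS):
    """Return (score, reasons). Each heuristic adds a fixed weight (weights are made up)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    score, reasons = 0, []
    if p.scheme == "http" and any(w in url.lower() for w in LOGIN_WORDS):
        score += 1; reasons.append("credential page served over plain http")
    if IPV4_RE.match(host):
        score += 2; reasons.append("raw IP address instead of a hostname")
    if "@" in p.netloc:
        score += 2; reasons.append("'@' in authority (userinfo trick)")
    if host.count(".") >= 4:
        score += 1; reasons.append("unusually many subdomain labels")
    if len(url) > 75:
        score += 1; reasons.append("very long URL")
    if p.port not in (None, 80, 443):
        score += 1; reasons.append("non-standard port")
    reg = registrable_domain(host)
    for brand, domains in brand_domains.items():
        if brand in host.replace("-", "") and reg not in domains:
            score += 2; reasons.append(f"brand '{brand}' appears outside its own domain")
    return score, reasons


def is_phish(url, threshold=3):
    """Flag the URL when the accumulated heuristic score reaches the threshold."""
    return score_url(url)[0] >= threshold


# Constructed sample URLs (none were taken from a real phishing feed).
SAMPLES = [
    "http://paypal.com.secure-update.example/login",   # phish: brand buried in subdomain, plain http
    "http://192.0.2.10/ebay/signin.php",               # phish: raw IP address, plain http
    "https://www.paypal.com/signin",                   # legitimate, scores 0
    # Legitimate-looking sign-in URL on a .co.uk domain. The two-label guess turns
    # 'ebay.co.uk' into 'co.uk', so the brand check fires: a false positive.
    "https://signin.ebay.co.uk/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=2&siteid=3",
]

if __name__ == "__main__":
    for u in SAMPLES:
        s, why = score_url(u)
        print(f"{'PHISH' if s >= 3 else 'ok   '} score={s} {u}")
        print("       " + "; ".join(why))
```

The false positive is not a bug in the sample data but in the design: without a maintained list of public suffixes (or a blacklist), the heuristic cannot tell a brand’s own country domain from a squatter’s subdomain, and lowering the weights to fix it would let the first two samples through. That is the trade-off the CMU numbers reflect.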

But there is hope, the optimists could argue. After all, the CMU study only considered phishing filters that integrate into popular web browsers and attempt to warn the user when they are lured to a phishing website. That’s not the only paradigm for combating phishing: a more promising approach gaining popularity involves personalizing legitimate websites for each user. For example, users can choose an image that will appear on their login page, allowing them to recognize at a glance whether a given site is the correct one. PassMark was one of the first companies to commercialize this approach; Bank of America deployed it as SiteKey, and Yahoo! and Vanguard use similar schemes.

At least that was the theory. A new paper from a Harvard/MIT team, appropriately titled “The Emperor’s New Security Indicators”, suggests that it does not work very well as deployed. As reported by the New York Times (the fact that this is even covered in the NYT suggests how mainstream Internet security has become), the researchers found that the majority of users were happy to ignore missing images and provide their credentials anyway.

cemp

TiVo angling for a Big Brother award

“I promise with my hand on a Bible that your data is not being archived and sold, […] We don’t know what any particular person is watching,” he said. “We only know what a random, anonymous sampling of our user base is watching.”

So says the CEO of TiVo, according to a recent article in the San Francisco Chronicle. The data in question is whether subscribers are skipping commercials. This is a classic case of having to place blind faith in hardware, or at least in the marketing proclamations of the vendor. The TiVo device sitting in the consumer’s living room certainly has visibility into what is being watched and how often the commercial-skip feature is used to avoid going postal over that lame beer commercial again. What is not clear is whether this information is shipped off the box to headquarters for data mining and, if it is, to what extent it is sanitized to strip information identifying the original user.

The problem is that only TiVo engineers can know for sure– and even they may not have it right. One person’s “anonymized data-set” is another’s treasure trove of personal data, waiting to be correlated against just the right database to reveal the identity behind each record. For everyone else TiVo is a black box. The only sources of information are:

  • Vendor claims, to the extent they are complete and accurate
  • Third-party claims, such as those of privacy advocates, assuming they have better sources of information
  • Information gathered by reverse engineering the device. This is costly and the return on investment can be low. Vendors often intentionally obfuscate their protocols to protect their intellectual property. (Conspiracy theorists would argue obfuscation only serves to hide a nefarious purpose.)
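The “just the right database” point above is a record-linkage attack, and it takes only a few lines of Python to show. What follows is an added example with constructed data, not anything taken from TiVo or the Chronicle article: a handful of “anonymized” viewing records that keep ZIP code, birth year and sex as demographic columns, joined against a made-up public list of the kind a voter roll provides. It also shows the usual mitigation, generalizing those columns until every record shares them with at least k others (k-anonymity), which is roughly what “sanitized” has to mean for the CEO’s claim to hold.

```python
"""Record-linkage (re-identification) against a constructed 'anonymized' PVR data set.
Added example; every record below is made up and has nothing to do with real TiVo data."""
from collections import defaultdict

QUASI = ("zip", "birth_year", "sex")  # quasi-identifiers left in the "anonymized" export

# Constructed telemetry: subscriber identifiers stripped, demographics kept for analysis.
TELEMETRY = [
    {"id": "t1", "zip": "94107", "birth_year": 1971, "sex": "M", "ad_skip_rate": 0.82},
    {"id": "t2", "zip": "94107", "birth_year": 1985, "sex": "F", "ad_skip_rate": 0.15},
    {"id": "t3", "zip": "98052", "birth_year": 1971, "sex": "M", "ad_skip_rate": 0.60},
    {"id": "t4", "zip": "98052", "birth_year": 1971, "sex": "M", "ad_skip_rate": 0.05},
    {"id": "t5", "zip": "94110", "birth_year": 1974, "sex": "M", "ad_skip_rate": 0.91},
    {"id": "t6", "zip": "94103", "birth_year": 1988, "sex": "F", "ad_skip_rate": 0.30},
]
# Constructed public list (think voter roll): names plus the same three attributes.
PUBLIC = [
    {"name": "Alice Example", "zip": "94107", "birth_year": 1985, "sex": "F"},
    {"name": "Bob Example",   "zip": "94107", "birth_year": 1971, "sex": "M"},
    {"name": "Chris Example", "zip": "98052", "birth_year": 1971, "sex": "M"},
    {"name": "Dan Example",   "zip": "98052", "birth_year": 1971, "sex": "M"},
    {"name": "Eve Example",   "zip": "94110", "birth_year": 1974, "sex": "M"},
    {"name": "Fay Example",   "zip": "94103", "birth_year": 1988, "sex": "F"},
]


def quasi_key(rec, quasi=QUASI):
    return tuple(rec[q] for q in quasi)


def link(telemetry, public, quasi=QUASI):
    """Join on the quasi-identifiers. Returns {telemetry id: name} for every record
    whose attribute tuple matches exactly one person in the public list."""
    index = defaultdict(list)
    for person in public:
        index[quasi_key(person, quasi)].append(person["name"])
    linked = {}
    for rec in telemetry:
        names = index.get(quasi_key(rec, quasi), [])
        if len(names) == 1:          # unique match: the 'anonymous' record now has a name
            linked[rec["id"]] = names[0]
    return linked


def k_anonymity(records, quasi=QUASI):
    """Size of the smallest group sharing a quasi-identifier tuple; 1 means someone is unique."""
    counts = defaultdict(int)
    for rec in records:
        counts[quasi_key(rec, quasi)] += 1
    return min(counts.values())


def generalize(rec):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10
    return out


if __name__ == "__main__":
    print("raw export:  k =", k_anonymity(TELEMETRY), "linked:", link(TELEMETRY, PUBLIC))
    gen_t = [generalize(r) for r in TELEMETRY]
    gen_p = [generalize(r) for r in PUBLIC]
    print("generalized: k =", k_anonymity(gen_t), "linked:", link(gen_t, gen_p))
```

On the raw export four of the six “anonymous” records acquire a name, and with them their ad-skipping habits; after generalization no record is unique and the join yields nothing. Two caveats a practitioner would add: k=2 still tells the attacker that t3 or t4 is one of two named people, and an unusual value in a column that was not treated as a quasi-identifier (a 0.91 skip rate, say) can serve as one if it shows up in any other data set.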

TiVo is neither unique nor particularly significant. The question of whether a device owned by the user is acting against their interests comes up all the time. A deceptive short-cut is to say that open source software is better because anybody can verify it is working as intended. MythTV instead of TiVo? True– but only in the trivial sense that it holds if you went over every line of code and built it from scratch yourself. (Otherwise you are at the mercy of the authors, download sites etc.) That approach does not scale, and better trust mechanisms are called for. The marketplace reputation of an established company in principle serves as a check: too many egregious data collection practices equate to lost revenue. But such dynamics can only operate when there is transparency and competition: when users know exactly how two different PVR vendors use their data, and factor this into their purchasing decision. We are far from that level of awareness.

cemp

Mobile USB computing on the cheap (part II)

An earlier post here pointed out examples of companies commercializing mobile USB computing, which promises to roam the entire computing environment, applications, data, settings and all, on a portable USB drive ready for work anywhere. Each one is predicated on the use of special software on the USB device and sometimes custom versions of apps tweaked for roaming. In this second installment, we’ll discuss getting 90% of that functionality with freely available software and zero modifications to apps for roaming.

The key ingredient is virtualization. That term is ambiguous, because virtualization can exist at any level, but in this case we are referring to machine-level virtualization a la VMware, Virtual PC and Xen. These systems create the appearance of multiple, completely independent PCs (called “guests”) on top of a single computer (called the “host”). This has been a very active field in recent years, with the lion’s share of commercial R&D focused on server consolidation in the enterprise. Because the cost of a managed IT environment is often directly related to the number of physical servers, having one beefy server run multiple virtual machines in place of a handful of dedicated servers translates into directly measurable savings. But virtualization has broad implications, and mobility is an obvious scenario. Because a virtual machine is represented by an ordinary file, no different than a Word document or a photograph (albeit a very large one), roaming this file amounts to roaming the computer. Any machine with a compatible VMM can run the virtual machine, which contains all the applications and data the user needs.

As for implementing this in practice:

  1. Grab one of the free virtualization solutions. This author recommends Virtual PC for consumer scenarios, although VMware‘s excellent VMware Player is a close second, limited by the fact that it can not create new machines. (VMware Server and Virtual Server R2 are also free, but they are aimed at server/enterprise scenarios.)
  2. Create a new virtual hard disk of type “dynamically expanding”; the default size is generally sufficient. Use the mobile drive for storing this file.
  3. Create a new virtual machine, also saved on the mobile drive, and attach the virtual disk image created in step #2.
  4. Boot the VM and install a new operating system from CD or ISO image. This is the tricky step, because depending on the conditions of purchase the new OS may require an additional license. If the idea of worrying about OS licensing and activation frustrates you, there is always a great selection of open source distributions such as the Ubuntu variants.
  5. Install the virtual machine additions. This allows seamless integration of mouse and keyboard between guest and host.
  6. Install applications in the VM, configure settings as you would on any PC and copy over data. (See the earlier point about licensing.)

The mobile environment is ready. Any other PC running Virtual PC– or for that matter VMware Player, which has the impressive feature of importing VPC images– can recreate the machine. Since both are free downloads, that is not setting a very high bar. As a backup option, the installers for VPC and VMware Player can be carried on the USB drive as well, just in case. VPC allows working with the machine in full-screen mode, where the guest takes up the whole screen, creating the illusion of a dedicated PC. One can even “hibernate” the machine by saving its state to the USB drive on one PC and restoring from the saved state on a different PC.
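One check worth adding to the procedure above: the virtual disk, the machine definition and any saved-state file on the stick are ordinary files that every host you plug into can read and alter before you boot them, so before trusting a roamed machine on a new PC it helps to know the image is the one you saved. The following is an added example in Python and not a feature of Virtual PC or VMware Player; the folder layout and file names in its demo are made up, and the files it creates are stand-ins, not real disk images.

```python
"""SHA-256 manifest for a roaming VM folder (added example; not part of Virtual PC or VMware)."""
import hashlib
import json
import os

MANIFEST = "manifest.json"
CHUNK = 1 << 20  # hash 1 MiB at a time; virtual disks are far too large to read whole


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def list_files(root):
    """Relative paths of every file under root except the manifest itself, sorted for stable output."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel != MANIFEST:
                found.append(rel)
    return sorted(found)


def write_manifest(root):
    """Record a digest for every file on the drive; run this right after step 6."""
    digests = {rel: sha256_file(os.path.join(root, rel)) for rel in list_files(root)}
    with open(os.path.join(root, MANIFEST), "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)
    return digests


def verify_manifest(root):
    """Return {path: 'modified' | 'missing' | 'unexpected'}; an empty dict means the drive is clean."""
    with open(os.path.join(root, MANIFEST)) as f:
        expected = json.load(f)
    problems = {}
    present = set(list_files(root))
    for rel, digest in expected.items():
        if rel not in present:
            problems[rel] = "missing"
        elif sha256_file(os.path.join(root, rel)) != digest:
            problems[rel] = "modified"
    for rel in present - set(expected):
        problems[rel] = "unexpected"   # e.g. a saved-state file you did not create
    return problems


def demo():
    """Build a constructed sample VM folder in a temp dir, verify it, tamper with the
    'disk', and verify again. Returns (problems before tampering, problems after)."""
    import tempfile
    root = tempfile.mkdtemp()
    vm = os.path.join(root, "vm")
    os.makedirs(vm)
    with open(os.path.join(vm, "disk.vhd"), "wb") as f:
        f.write(b"\x00" * (3 * CHUNK))   # stand-in for a virtual hard disk
    with open(os.path.join(vm, "machine.vmc"), "w") as f:
        f.write("<vmc/>")                # stand-in for the machine definition
    write_manifest(root)
    clean = verify_manifest(root)
    with open(os.path.join(vm, "disk.vhd"), "r+b") as f:
        f.seek(CHUNK + 7)
        f.write(b"\x01")                 # flip one byte deep inside the image
    return clean, verify_manifest(root)


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)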

There are a number of limitations to this approach, some of which apply to any roaming solution. The final post in the series will cover these challenges.

cemp

Secret to being “cutting edge” in IT

… is having 5% of market share.

Apple has proven this axiom time and again: the Mac is a marginal niche product, yet it successfully maintains a cutting-edge, hip image versus the mainstream PC. (The latest example is the series of hilarious commercials where Daily Show contributor John Hodgman plays the stodgy PC character against a hipster Macintosh.) In an interview with Newsweek, Gates railed against the over-simplified comparison, perhaps for the first time not sparing any words about Apple. Quote:

“I don’t think the over 90 percent of the [population] who use Windows PCs think of themselves as dullards, or the kind of klutzes that somebody is trying to say they are.”

Aside from the inevitable questions about the Mac/PC cultural divide, most of the interview focuses on actual comparisons of Vista versus the functionality available in Mac OS X. Predictably the comments drew heavy fire on Slashdot and elsewhere in the blogosphere.

cemp

Searching for database pioneer Jim Gray

Turing Award winner Jim Gray disappeared off the coast of San Francisco last Sunday and has been missing for 5 days.

Attempts by the Coast Guard to locate him have so far been unsuccessful. A large online community of people from different organizations is trying to help. The blog Tenacious Search coordinates one such effort. Another series of independent efforts centers around capturing imagery of the area, from both satellites and planes, including Microsoft’s Virtual Earth service, which Gray contributed to in his career at MSFT Research.

According to news reports, NASA chipped in by having a civilian version of the U-2 spy plane alter its route to provide new pictures of the area. There is also satellite imagery provided by DigitalGlobe, which has been uploaded to Amazon’s Mechanical Turk service. Visitors are asked to examine images and mark those that may indicate the presence of an unusual object on the ocean surface, for further examination. Image resolution is about 1 m per pixel, so the boat would be roughly 10 by 4 pixels.

cemp

Vista, energy and ecological impact of computers

The UK Green Party is not happy about Vista. According to this article from Treehugger, they argue that the hardware upgrade cycle (required to get the full benefits) will lead to millions of perfectly usable PCs being discarded in landfills, complete with their toxic internals. This follows a recent trend of heightened awareness of the impact of IT, an industry one does not generally think of as polluting. After all, we are not leaching gold in cyanide pits, anxious to drill the Arctic National Wildlife Refuge or trying to convince consumers they need an 8000 lb SUV to remain safe on the road.

But this is not the first time the issue of greenness has been raised. Andrew Shapiro, a law professor at Harvard’s Berkman Center, made this point, of all places, in an invited talk at the Microsoft campus. Pointing out that Linux can run on less powerful hardware than Windows (and therefore achieve better utilization of existing computing resources), he posed the question of whether that makes it a greener operating system.

There is another, recently emerging area where IT has a clear impact on the environment: energy consumption in data centers. With the rise of large-scale web-based services, companies have taken to setting up data centers packed with thousands of servers. A server looks nothing like the PC sitting on the typical end-user’s desk; in order to save space, they typically come in a very compact “rack-mounted” form factor. (Example from the Dell website.) This means not only is each server hungry for power, but the close proximity places significant demands on the HVAC system to prevent the whole assembly from going up in smoke. Roughly 50% of the electricity in the US is generated from coal, so the data center is one example of how straightforward it can be to translate the scale (and efficiency) of a service into its carbon emissions.

cemp