Searching for database pioneer Jim Gray

Turing award winner Jim Gray disappeared off the coast of San Francisco last Sunday and has been missing for 5 days.

Attempts by the Coast Guard to locate him have so far been unsuccessful. A large online community of people from different organizations is trying to help. The blog Tenacious Search coordinates one such effort. Another series of independent efforts centers on capturing imagery of the area from both satellites and planes, including Microsoft’s Virtual Earth service, which Gray contributed to in his career at MSFT Research.

According to news reports, NASA chipped in by having a civilian version of the U2 spy plane alter its route to provide new pictures of the area. There is also satellite imagery provided by the Digital Globe service, which has been uploaded to Amazon’s Mechanical Turk service. Visitors are asked to examine images and mark those that may indicate the presence of an unusual object on the ocean surface, for further examination. Image resolution is about 1 meter per pixel and the boat would be 10 by 4 pixels.

cemp

Vista, energy and ecological impact of computers

The UK Green Party is not happy about Vista. According to this article from Treehugger, they argue that the hardware upgrade cycle (required to get full benefits) will lead to millions of perfectly usable PCs being discarded in landfills, complete with their toxic internals. This follows a recent trend of heightened awareness of the impact of IT, an industry that one does not generally think of as polluting. After all, we are not leaching gold in cyanide pits, anxious to drill the Arctic National Wildlife Refuge or trying to convince consumers they need an 8000lb SUV to remain safe on the road.

But this is not the first time the issue of greenness has been raised. Andrew Shapiro, a law professor at Harvard’s Berkman Center, made this point at, of all places, an invited talk on the Microsoft campus. Pointing out that Linux can run on less powerful hardware than Windows (and therefore achieve better utilization of existing computing resources), he posed the question of whether that makes it a greener operating system.

There is another, recently emerging area where IT has a clear impact on the environment: energy consumption in data-centers. With the rise of large scale web-based services, companies have taken to setting up data centers packed with thousands of servers. A server looks nothing like the PC sitting on the typical end-user’s desk; in order to save space, they are typically in a very compact “rack-mounted” form factor. (Example from Dell website.) This means not only is each server hungry for power, but the close proximity also places significant demands on the HVAC system to prevent the whole assembly from going up in smoke. Roughly 50% of electricity in the US is generated from coal, so the data-center is one example of how straightforward it can be to translate the scale (and efficiency) of a service to its carbon emissions.

cemp

$150: Sony’s price for 0wning a computer

That’s what the FTC appeared to be doing when they finally settled with Sony BMG over the rootkitted-CD incident. (Or as the proponents of DRM might say, “aggressive copyright protection” technology.)

According to one version of the story from Information Week, Sony did not admit to any wrong-doing– standard operating procedure for these deals– but will replace any infected CDs purchased before 2007 and also agreed to compensate customers up to $150 for damages caused by the malicious software. By one measure of market pricing, this is a hefty penalty for root-kitting a machine, considering that PCs by the thousands can be purchased for remote control botnets at better price points in the underground economy. (And at least Sony did not “exploit” the rootkitted machines the way a bot-herder will.) On the other hand, one could argue Sony got off the hook too easily, considering that a reputable company should never have engaged in practices that exposed users’ computers to risk. It is not clear what consumers will have to do to claim damages. Some users may have receipts from tech support services; others may have wasted hours of their own time trying to uninstall the rootkit and mitigate the vulnerability it creates. How can that loss of productivity be quantified?

cemp

Mobile USB computing– and they are charging what for this?

Mobile computing with USB devices seems to be all the rage these days. The premise is simple: instead of lugging around a laptop/PDA or other general purpose computing device, users only need to carry around a small portable drive which will contain their data and even applications. This drive can be attached to any PC they run into, to recreate the same environment from any machine. Since many people carry around an iPod or other portable media player that doubles as a USB drive in any case, the past objection around having to carry around one more gadget is disappearing.

Three commercial examples of this concept in action:

But a closer look at the options raises some questions.

U3 is best characterized as a new application development model, to allow Windows apps to run from a USB drive instead of requiring installation. This is easier said than done because a lot of Windows apps depend on having various resources located on the host PC– for example the registry is used to store configuration. When a random USB drive is attached to the PC and an application tries to run, the components it is looking for will not be there. (Simply carrying around the installer isn’t necessarily going to work; aside from requiring administrator rights on the host PC, it will not port the user preferences.) So there is a sizable amount of work required and some componentized applications may not work correctly this way at all. This is one of the reasons the list of “supported applications” in U3 is very limited. Don’t look for any of the major productivity applications here. With the exception of Firefox, most are substitutions / replicas.

Ceedo looks very similar. In the basic version, the applications that can be installed this way have to be checked for compatibility one-by-one with the vendor and tweaked as necessary. This is a closed-ended selection in the “Ceedo Programs Directory” according to the FAQ on the website. But there is an “InstallAnything” add-on which promises to allow installation of any application, using the ordinary installer. (No details on how this works.)

MojoPac has a different paradigm: instead of trying to get applications to cooperate with Windows, it creates the appearance of a machine-within-a-machine, to run all the user applications in a different environment. Because these machine images are large, MojoPac is specifically targeted at using an iPod or iPod mini/nano as the storage device. That works around space requirements, but on the downside a hard-drive based iPod will be slower than a flash drive. Virtualization provides for greater flexibility, including full freedom in choice of applications to install on this mobile environment. Of course the customer still needs to have a license for the operating system and any apps they plan on installing in the guest. Interestingly enough, the MojoPac FAQ points out the limitations in the approach used by Ceedo and U3:

“Why do I need MojoPac to install and run applications from a USB Device? Can’t I just do it without MojoPac?
No, this is not possible. You can use a standard USB storage device only to carry data (files and folders). But standard storage devices cannot be used to carry applications. MojoPac uses a lot of Mojo Magic to add portability to off-the-shelf Windows applications… Secret Mojo Sauce!”

And the problem is, this secret sauce is not exactly a well-kept secret. It is called virtualization. It is unlikely that MojoPac is doing whole machine virtualization (a la VMware, Virtual PC/Server or Xen) because the space requirements list 30MB for the base app. But the fact remains that 90% of this functionality is available for free using existing off-the-shelf software.

A follow-up post will discuss exactly how.

cemp

LiveJournal statistics

Most websites dependent on advertising do not disclose detailed information about their userbase. The demographics, number of active users etc. are arguably key indicators of the business.

LiveJournal takes the opposite approach by being completely transparent:

http://www.livejournal.com/stats.bml

On this page, for example, everybody can learn that out of a total of 12M accounts only about one-sixth are “active” (not defined) and of that fraction only about one-third have updated within the past 7 days. They can also learn that LJ has a very young audience, the distribution peaking at 19-20, women outnumber men two to one, and US residents outnumber bloggers from every other country. For advertisers trying to decide if this is a good way to reach their target demographic, this is a very useful peek at the audience.

cemp

Slingbox and re-defining economics of subscription services

It is not very often that a new gadget comes along that promises to change the way existing services are viewed. Tivo already had this impact on TV viewership. Slingbox is promising to be another disruptive technology, but for very different reasons.  It is also ahead of its time: unlike the DVR which would become an instant winner in the marketplace, limited only by the usual reluctance in adoption of new technologies, Slingbox has fewer applications today.  But it does fundamentally change the way one views their cable subscription.

This becomes clear for those of us with multiple residences or who end up racking up frequent flyer miles for business. It used to be that if one wanted to watch TV in a new place, they needed a subscription associated with that new physical address. That meant your new location, whether it is another home, a friend’s place or a hotel room, had better have its own subscription via cable or satellite. Slingbox changes that equation: once you have a subscription, the right to watch that content effectively roams with you. If Tivo enabled time-shifting as the contemporary digital successor to the analog BetaMax revolution, Slingbox enables space-shifting in real time. Short of carrying around those bulky tapes, there was no good analog for that in the analog world.

For now this comes in handy in a few unique circumstances: if your hometown team is playing the Yankees and you are travelling on business, chances are the local TV will not carry that game. (Strangely enough, the MLB does have a paid online subscription offer for watching games in streaming 350K video, but it includes black-out provisions based on region for billing address.) Another example involves maintaining multiple residences in different cities. Until recently it was a foregone conclusion that each needed its own cable service, in the same way each unit has independent electricity and water. But the Slingbox creates an alternative: provided both places have high bandwidth lines, all the content in one location becomes available at the other one. In fact SlingMedia even includes a mobile client for Windows CE based smart-phones. This worked remarkably well on a Motorola Q device, coupled to a Verizon data subscription.

Granted, there are significant obstacles. First, this requires broadband, which is particularly scarce on the source side. Residential net service in the US has developed on the assumption that consumers need a lot of downstream bandwidth to download those big multimedia files, but very little upstream bandwidth for pushing anything out. It’s debatable if that asymmetry is a technical limitation or a relic of the mass-media mindset where subscribers sit glued to their TV screens, as the all-knowing broadcasters pipe a hand-picked message through their channels. Either way, service providers are not going to be too happy about this usage of bandwidth any more than they welcome P2P swamping their network. Image quality is highly dependent on the available bandwidth during streaming. SlingMedia uses a proprietary streaming protocol, which by itself is not a good thing– using an existing format such as MP2 would help interop and allow for greater choice of applications to use on either side. But the custom protocol has smarts to optimize video quality based on bandwidth use, its redeeming virtue. On the remote side, you still need a computer running the SlingPlayer client connected to a display. Huddling around a desktop PC will do, but this is far from approximating the original TV watching experience. Getting one step closer to the couch-potato ideal requires either a full time media-center PC permanently sitting in the living room or a more temporary arrangement that involves connecting a laptop to the TV– assuming the television is a recent vintage unit with VGA or DVI input.

The biggest unknown may be the content owners themselves. There were rumblings from MPAA about seeking legal action, but these appear to have calmed down for the moment. In the near future legal concerns will be the dark cloud on the horizon for this fledgling technology. It may have been a good idea for SlingMedia to have sponsored the EFF Pioneer Awards ceremony at the CFP 2006 conference after all.

cemp

Paranoia and social security numbers

Working on computer security can lead one to become very risk averse.

When is it safe to give out a social security number? That question was impressed on this blogger recently on an excursion for a new wireless service provider. Walking into a store at a mall in the Chicago area, everything started out on a good note: new phone, better conditions and finally good-bye to Verizon incompetence. One catch: applying for this service required completing an application that involved providing an SSN. Nothing unusual about this– in the US service providers are dependent on the monthly subscription fees. Customers pay only a small fraction of the cost of the actual device, which is why that fancy unit can retail for $50. Few subscribers notice that the offer comes with strings attached, typically in the form of a 1-2 year commitment to that provider. The massive profit margins on wireless service easily offset the subsidies for the device. (This is also the reason that phones in the US are “locked”; they can only be used with one provider’s network. Europe places much greater emphasis on customer choice and preventing lock-in opportunities; phones are typically unlocked and IIRC there is a requirement that providers unlock phones if the customer chooses to. Bad news for providers and good news for hand-set manufacturers: consumers walk into a store asking for the latest Nokia model and they do not have to worry about which provider it can work with. US mobile phone service is still archaic by comparison.)

For this business model to work, the providers must be able to count on the customer making good on their payments for the 2 years they are locked in. And what better way to gauge that probability than a credit check?  This is where the SSN comes in: major credit bureaus will not do a credit check without SSN, for good reason.

That brings us back to the scenario in that Chicago mall: the consumer is supposed to recite his/her SSN to the salesperson, who is typing that information into a computer. This is an improvement over filling out a form, where the data also exists in paper copy, but there are still too many attack vectors to list: do you trust that person? What about fellow employees watching over her shoulder, as the SSN sits on the screen while we work through the application? (And customers for that matter, because the layout of that particular store featured “islands” in the middle of the store where the terminals were located.) Even if the employees are diligent, is that computer infected with spyware? It is a general purpose PC and it has Internet connectivity for sure, because the application data is shipped to Verizon. Were they keeping up with the patches? Did one of the employees use this PC for surfing the web, clicking “yes” to everything along the way?

In the end, this blogger decided against signing up for the service. The staff were very courteous and tried their best: the representative helping us asked if we would be more comfortable if I got to type the SSN directly into the application. No dice. (Buying the phone only without a subscription was not an option, because of the economics of subsidized units alluded to earlier.) Greatest irony: after I walked out to browse a completely unrelated store, she tracked me down in another part of the mall, and said that her manager decided it was OK for me to sign up without providing an SSN! Why? Probably because they had decided looking at me (and my significant other, she was present the entire time) that we were a good credit risk. It could have been the way we were dressed or more likely the fact that we were even worried about identity theft enough to pause over providing our SSN suggested we had something to lose. Either way, being concerned enough about providing an SSN removed any doubts that a credit check would be necessary. That’s one bit of unintended social engineering to keep in mind for future use.

cemp

Authenticating the music: Media Connect, XBox 360, DRM and still no dice

Returning to blogging after a break.

In the next few days, we will shift gears and focus on home entertainment– specifically the problems of getting devices from independent vendors to cooperate and stream music to a standard home stereo system. Along the way there is going to be plenty of discussion of gadgets and flashbacks to the book “Why Things Bite Back” by Edward Tenner. It turns out a good chunk of the problems can be traced to identity management.

Recap: speaking of “digital distribution” in music, what we mean is the content is delivered in digital format over the Internet, instead of stamped on physical media the way LPs and CDs were. This shift creates a gap between the computing and the home entertainment camp of devices. The typical high-end stereo system is connected to decent speakers and boasts a receiver with multiple digital inputs, such as optical or coaxial, ready to receive noise-free binary. But when it comes to networking, this system is a complete Luddite: it has no connectivity to speak of, no notion of iTunes or downloading. By contrast, the average PC is loaded with music editing software, peer-to-peer file sharing and smarts to go download track information from an Internet database when the user inserts a CD into the tray. This smart device however is stuck with a sound card made out of cheese, and lousy speakers that make Edith Piaf sound like Britney Spears.

Many solutions have come up over the years to bridge this gap. Appropriately enough, one of the first ones was the Soundbridge by Roku. Soundbridge can connect wirelessly or via Ethernet to a home network and stream music from a device supporting UPnP and HTTP, such as Windows Media Connect. More importantly, it could use the coaxial input on a standard receiver, avoiding analog losses on the way. The expected setup is a PC running Windows Media Connect hosting the music, with the Soundbridge connected to the home network and feeding its output to the receiver. There is one problem and it is one of authentication: the M1000 only supports WEP for wireless security. For the paranoid ones running their wireless network on WPA, that is a deal breaker. (Adding a second wireless router on WEP to create a subnet does not help: if the Soundbridge can access your music, so can the adversaries that break WEP. And the RIAA would be very upset if your music collection became world-readable.) A simple workaround is to use an Ethernet bridge such as the excellent Buffalo Wireless-G Ethernet Converter, which supports WPA to connect to your home network and then acts as a bridge to allow other devices to connect using the standard Ethernet ports.

(Continued)

cemp

Adversarial business models: online ticket scalping

Back to blogging, picking up an older story from New York Times Sep 24.

After losing to the Tigers in the AL Division Series on Saturday, the Yankees have extended their not-winning a World Series streak to 6 years. There may be no joy in the Bronx, but online sleuthing and going after season ticket holders remains a strength, according to an article by Richard Sandomir. Fans are on notice. A handful already lost season-tickets for attempting to sell individual game seats online. Quote:

“The Yankees troll the online resellers looking for tickets with seat numbers attached, but fans tend to avoid being so easily detected.”

The stalking does not stop online:

“Pate [spokesperson for online reseller StubHub] said guards have stopped fans who visibly carry StubHub envelopes and questioned them about where they got their tickets, which would help to pursue the season ticket holder.” 

Yankees’ COO confirmed this questionable tactic. Discouraging scalping is understandable and one could argue that fans looking to make a quick buck over scarce season tickets were not the fans a team wants to cultivate in any case.  But the club’s policy has no reference to charging over face value or the number of tickets available for sale. Fans unable to attend a game and trying to recover some value for their tickets are in the same boat. This leads to an interesting arms race: fans attempt to hide their identity when selling their tickets and the Yankees will attempt to unmask them. Not being able to put the exact seat number already creates an impediment as potential buyers have to bid on seats with at least some uncertainty. The more precise the seller can be– deck, infield/outfield, section, row– the smaller the number of suspects.

There is a more subtle conflict of interest: the Yankees want to enter the online resale market with their own official website. The article points out that 2 other teams already hosting their exchange sites have learned to coexist with independent auction sites. One of those teams is the San Diego Padres, the other one is the New York Mets– who will be contending for the National League pennant against the St Louis Cardinals next week. Amazing what clubs can accomplish when they prioritize baseball over monitoring online auction sites.

cemp