Almost a couple of years ago (shortly before taking a role that put me back under the yoke of corporate web filtering) I wrote ‘the wrong sort of radio’ to describe how ridiculous and counter-productive such things are. It simply doesn’t make much sense to cut off the Internet at the desktop when everybody has it in their pocket anyway. I was reminded of this by a tweet from Sean Park over the weekend:

TL;DR version

For the last year or so I worked around the corporate web filters by having a PC on my desk connected to the real world via a VPN – an immobile version of bring your own device (BYOD). The VPN moves the point of origination for my web traffic (and the liability that goes with it) from my employer to me, so this was a compromise that everybody could be comfortable with. It was however technically challenging to set up, and performance/reliability was often poor. With a few simple tweaks the whole setup could have been made much more accessible for others, and that would be a good thing.

The Law

SEC Rules 17a-3 and 17a-4 oblige brokers and dealers to keep archives of electronic communication for trading staff, and similar rules have been enacted in most jurisdictions. It’s fairly easy for organisations to keep a regulatory archive of their own email using various bolt-on solutions to their mail servers. Private (web)mail was however seen as a way to circumvent archiving[1], and hence had to be blocked. At the same time private webmail was being blamed for malware finding its way onto corporate desktops, so it seemed to make sense to block webmail for everybody, not just trading users (and anyway it seemed too hard to keep track of who should be archived/blocked and who shouldn’t – so much easier to just cast the net over everybody[2]).

The law didn’t tell Wall St. to shut down webmail, but that’s what happened.

The Lore

Once webmail had been blocked on corporate networks it became part of security and risk management culture that anything that allowed an employee to access webmail (or social networks with similar communications capabilities) must be banned. By this perverse logic, when guest and employee WiFi were introduced (to allow people to work as effectively as they might in a local coffee shop) those services were subjected to the same filters as the corporate network.

I used to have this written at the top of the whiteboard behind my desk:

The Lore != The Law

It was there to remind me that pretty much everything evil done in Enterprise IT is done at the behest of ‘compliance’, and it’s part of our job to push back as hard as possible to get a good experience for the users.

The liability argument

Corporate liability was a frequently touched upon issue in discussions about filtering networks. The argument runs something like this:

If we’re providing a service (like employee or guest WiFi) then we’re liable for what’s done with it

It’s a fair point, and the best answer is to get out of the business of providing the service. Get a telco to do it instead. The whole point of ‘wrong sort of radio’ is that telcos aren’t expected to be liable for traffic across their networks in the same way.

In many other cases the liability issue is dealt with using an acceptable use policy, and we pretty much all click through such agreements when accessing the Internet from a hotel, coffee shop, airport, train or whatever. That doesn’t work for Wall St. though. Wall St. has (internal) auditors to ensure that things are done properly. It isn’t good enough to have policy (ask nicely for people to do the right thing). There must be technical measures – make sure that people do the right thing – by actively stopping them from doing the wrong thing.

This is when The Lore kicks in badly. Employee WiFi must have the same filters as the corporate network, otherwise employees will use it to dodge controls; and guest WiFi must have the same filters too, because employees will cheat and create guest access codes for their own use. All that filtering means that traffic can’t just escape straight out onto the Internet; it has to be routed back to wherever the filtering is done, meaning more hops, more expense and less performance.

VPNs to the rescue?

Virtual Private Networks (VPNs) move the point of egress to the Internet (and hence the perceived point of liability) from the WiFi service provider to the VPN provider. VPNs therefore provide a strong technical answer to the liability concern: guests and employees should be allowed to use VPNs, because what they do on the Internet tracks back to them, not to the company providing the WiFi.

If only it was that easy.

The trouble is that the filters can only work on a narrow stream of traffic, and the expectation is that people are just surfing the web, so things get locked down to port 80 (HTTP) and port 443 (HTTPS). Whilst it is possible to run SSH and OpenVPN over port 443 it’s a non-standard configuration, and web filters range from actively hostile to simply not designed to work well with such a setup. The port number is no disguise either: a filter that looks at the first few bytes of a connection can tell an SSH banner or an OpenVPN handshake from a TLS ClientHello, whatever port it arrives on.

VPNs can therefore be useful for moving the point of liability, but things only work well if the network is configured to allow VPNs (rather than VPNs being a workaround).

The gory technical details

The PC on my desk (and the iPad in my bag) were able to connect to virtual private servers I had using SSH and OpenVPN. Most SSH clients (including iSSH on iOS) can work as a SOCKS proxy, though of course this means that the SSH session must be established before surfing begins (which is a nuisance on the desktop and a downright pain on a smartphone or tablet). Not everything gracefully pays attention to proxy rules, which is where OpenVPN can be helpful, but you can’t run SSH and OpenVPN on port 443 at the same time – so I needed two VPS boxes[3].
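The reason SSH and OpenVPN on port 443 are fragile behind a web filter, and the reason two services normally cannot share that port, is the same: the opening bytes of each protocol are distinct. A filter can use them to reject anything that is not HTTPS, and a demultiplexer (sslh is the usual tool) can use them to hand each connection to the right backend, which is the alternative to the second VPS or extra IP address mentioned in the notes. The following Python is an added example, not code from the original post; the first-packet samples, the backend addresses and the filter policy are all constructed for illustration.

```python
"""Classify the first bytes of a TCP connection arriving on port 443.

Added example (not from the original post). A DPI web filter and an
sslh-style port demultiplexer both do essentially this: peek at the
start of the stream, decide what protocol it is, and either drop it or
forward it. Backend addresses and sample packets are constructed.
"""
import socket
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16  # TLS record-layer content type for Handshake
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Where a demultiplexer would send each protocol (constructed addresses).
BACKENDS = {
    "tls": ("127.0.0.1", 8443),
    "ssh": ("127.0.0.1", 22),
    "openvpn": ("127.0.0.1", 1194),
    "http": ("127.0.0.1", 8080),
}

# What a port-443-only web filter is willing to let through.
FILTER_ALLOWS = {"tls", "http"}

# Constructed first packets, one per protocol.
SAMPLES = {
    # TLS record header (handshake, version 3.1) followed by a ClientHello stub.
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(16),
    # SSH identification string, RFC 4253 section 4.2.
    "ssh": b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n",
    # OpenVPN over TCP: 2-byte length (14) then opcode byte for
    # P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, key id 0) -> 0x38.
    "openvpn": b"\x00\x0e\x38" + bytes(11),
    "http": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def classify(first_bytes: bytes) -> str:
    """Return 'tls', 'ssh', 'openvpn', 'http' or 'unknown' for the opening bytes."""
    if len(first_bytes) < 3:
        return "unknown"
    # TLS: handshake record with a record-layer version of 3.0 .. 3.4
    if first_bytes[0] == TLS_HANDSHAKE and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04:
        return "tls"
    # SSH announces itself in clear text before any crypto happens
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # OpenVPN's first TCP packet is the client hard reset: 00 0e 38
    if first_bytes[:3] == b"\x00\x0e\x38":
        return "openvpn"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def filter_allows(first_bytes: bytes) -> bool:
    """Decision a strict 'web only' filter would make on this connection."""
    return classify(first_bytes) in FILTER_ALLOWS


def backend_for(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Decision an sslh-style demultiplexer would make: where to forward."""
    return BACKENDS.get(classify(first_bytes))


def peek_and_classify(conn: socket.socket, n: int = 16) -> str:
    """Classify without consuming: MSG_PEEK leaves the bytes for the backend."""
    return classify(conn.recv(n, socket.MSG_PEEK))


def route_through_demux(first_packet: bytes) -> Tuple[str, bytes]:
    """Push a first packet through a local socketpair, classify it by peeking,
    then read it again as the backend would. Returns (kind, bytes_backend_sees)."""
    client, server = socket.socketpair()
    try:
        client.sendall(first_packet)
        kind = peek_and_classify(server)
        seen_by_backend = server.recv(len(first_packet))
    finally:
        client.close()
        server.close()
    return kind, seen_by_backend


if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        kind, _ = route_through_demux(packet)
        print(f"{name:8s} -> {kind:8s} filter: {'pass' if filter_allows(packet) else 'BLOCK'} "
              f"demux: {backend_for(packet)}")
```

The peek is the important detail: classifying with MSG_PEEK means the backend still receives the untouched first packet, so OpenSSH or OpenVPN behind the demultiplexer never know anything sat in front of them. The same check, run with the opposite policy, is exactly what makes a ‘hostile’ web filter hostile.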

Call to action

Firms that are making widespread use of web filters[4] for guest and employee WiFi should actively support the use of VPNs by opening the appropriate ports and advertising the VPN capability (maybe even suggesting some services that people can use if they don’t have a VPN already).

Conclusion

Web filters at work get in the way of doing business in a (socially) networked society. I found ways to deal with these that worked for me, but they only worked for me because I was able to deploy resources and expertise that aren’t at everybody’s disposal. Virtual Private Networks provide a sensible workaround for the perceived liability issues, and should be technically facilitated and encouraged.

Notes

[1] Solutions at the time weren’t sophisticated enough. That has changed, but the approach pretty much everybody takes hasn’t.
[2] This is the same logic that gets us full disk encryption.
[3] Though I could have got by with a single VPS and an extra IP address.
[4] It would be remiss of me to finish without mentioning that the rule management for those filters is a nightmare. The default filter rules are normally created for oppressive regimes in the Middle East, and commercial users then need an exception process for stuff they don’t want to filter (because filtering harms their business). Exceptions are normally granted on a firm-wide or individual basis. Exceptions are normally only managed for the corporate network (not guest or employee WiFi), leading to much fun getting exceptional exceptions for new services.


I get to go along to a lot of industry conferences, and goody bags are pretty standard fare. I expect that most of them quickly find their way to landfill, which is always a shame. A couple of years ago I was visiting somebody who I’d met at a conference, and I had one of my old bags with me and he commented ‘oh yeah – that one was a keeper’. I’m travelling again, and like a faithful companion it’s with me once more. So what makes a good conference bag?

  • Lightweight. Most people will have come with their own bag anyway, so they don’t want to carry much extra stuff back with them. This applies doubly so if people have travelled by air and face the ever more stingy check-in and carry-on allowances.
  • Pack flat. If the bag can be put on top of other stuff in some carry-on then it’s more likely to make it home. This means no padding.
  • Large capacity. A useful bag should be able to hold a laptop, chargers, a couple of tablets, a bottle of water, an umbrella, sundries like boxes of tea and a coat (i.e. the minimum viable leave the hotel for the day kit).
  • Robust. It’s no good if it falls apart.
  • Shoulder and hand straps.
  • Business card holder (so that it can find its way home if lost).

My old faithful was made by Leeds and given away by Burton Group at their 2004 Catalyst Europe conference – I think the sponsors on the other side have got more than their money’s worth by (somebody) choosing a good quality product. I’ve managed to break one of the end pouches, which turned out to be not quite strong enough to hold a 500ml bottle of water, but it’s otherwise held up well to years of travel, and often gets thrown into my carry-on empty (so I can bring home some extra stuff) or with the gadgets I want on a flight (so I don’t have to mess around with my luggage too much). I’ve also held onto a few 24esque ‘Jack pack’ bags I got from QCon as they’re great for holding shotgun cartridges and other shooting paraphernalia.


I remember a Christmas in the late 90s where it seemed like everybody got a mobile phone. This year it’s looking like we’re going to see the tablet equivalent, so I thought I’d do a quick round up of what I’m expecting to see.

The home front

If I include my in-laws then there will be at least three Nexus 7 devices coming for (or before) Christmas. My wife was quite taken by the advertising for the Kindle Fire HD, but when my brother showed her his Nexus 7 she was sold on the Google alternative[1]. I was personally something of a Nexus 7 sceptic when it launched, feeling that the lack of memory and 3G options made it weaker than my existing (original) Galaxy Tab, but both of those issues have now been fixed[2].

For the kids

I got an email from a friend this morning saying he was getting iPad minis for his two daughters (and asking if that made him an Android traitor[3]). This makes sense to me, as iOS still has the lead on games, which is one of the main things that kids use these devices for. I’ve got my own daughter one of the new iPod Touches for exactly the same reason.

Differentiation and market sizing

The iPad has had a good run as the main attraction in the tablet marketplace, but I see this coming to an end. I expect the iOS ecosystem to continue differentiation in two ways:

  1. As a premium product, in the same way that Macs were during the PC era. It’s clear that Apple is still going for a marketing-based approach to the devices themselves, with a line up that starts with the iPod Touch, and goes up in size via the iPad Mini to the full size iPad. There’s still big margin in each of these. Google and Amazon on the other hand are going with very thin margins on the devices, so any price differentiation in the line up comes pretty much straight from the bill of materials. This will likely be the area where Apple will continue to differentiate in the long term.
  2. As the preferred gaming platform. Developers in general will go where the numbers are, and whilst iOS has had the lead on sales it’s also been the develop-for-first platform for games. This is less of an issue for many (older or first time) tablet users who just want to surf the web and read emails and ebooks, but remains a big deal for people that want games, particularly if they’ve already bought a bunch of stuff in the AppStore.

The contrast between the Apple approach and Google/Amazon is on device premium. Apple (at least for now) get to make money on the device and on the rent they collect in the AppStore, whilst Google and Amazon are clearly willing to give up the device premium to attract rent to their ecosystems. This almost certainly plays out as Android having a major growth spurt into 2013, and it’s then only a matter of time before the balance tilts for gaming etc.

What about Microsoft?

The Surface looks like (yet another) brave try, but the reviews I’m reading suggest that it’s too expensive and the software’s too flaky to justify the price tag. If this really is MS showing their OEMs how it’s supposed to be done then I’m not expecting too much from the rest of the field.

The wider tablet with keyboard category[4] looks to me like a well intentioned attempt to close the gap between tablets and laptops from a functional perspective, but it’s important to look at how people spend their time. If 90% is consumption of content and 9% is curation of content then that leaves the creation gap at 1%, and 1% does not a healthy market segment make.

Conclusion

This Christmas is going to be the turning point for Android based tablets, and the gaming and enterprise markets will need to react accordingly in the New Year. Apple is going to have a great Christmas too, as they get to double dip by making money on devices as well as content. I fear a bad New Year hangover for MS and anybody getting a product from their stable over the holiday season.

Notes

[1] I had previously suggested that the Nexus 7 might be a better choice than the Kindle Fire HD, but holding one in your hand can make all the difference. In practice the differentiation is less about the devices and more about whether you want a shopping cart from Jeff Bezos or Larry Page parked in front of you.
[2] I use my Galaxy Tab a lot on the train when in the UK, and it’s often my main source of connectivity when I’m in the US (courtesy of the AT&T SIM that came with it) so 3G connectivity is pretty important to me. If I was buying something for myself this Christmas then it would be a 3G version of the Nexus 7. I’m not buying because although the Nexus 7 is all three of better/faster/cheaper the original Galaxy Tab is still perfectly adequate for my needs. There might be some important inferences here for tablet upgrade cycles.
[3] He has been an Android smartphone user since the early days, and more recently got himself an ePad Transformer tablet.
[4] Intel seem to have labelled this ‘Ultrabook Convertible’, though it’s not clear to me that there’s a rigorous base specification for this like there is with the Ultrabook branding. I’ve seen at least 6 different physical approaches illustrated, which suggests to me that nobody has yet figured out what customers actually want.


When I first created an automated build system for OpenELEC I had two reasons:

  1. Official releases from the OpenELEC team were infrequent
  2. There were no official SD card images (just .bz2 release bundles)

Looking now at sources.openelec.tv I don’t think point 1 is true any more. I’m going to keep my own system going for the time being, but in parallel I’ll try to provide images based on the official builds. I will also continue to provide release bundles with media_build for those using DVB receivers that aren’t properly supported with existing drivers.


The screen on my wife’s Lenovo s10e gave up the ghost last week. I thought it might be just a loose connector and that I could fix it, and an initial attempt at strip down and rebuild seemed to work. Sadly my fix didn’t hold.

I’ve been using my own s10e mostly to play videos on a bedroom TV[1], so I switched over the hard drives. This got my wife working again, and also gave me the opportunity for a project that I’ve had in mind for some time (in anticipation of this eventuality).

With the broken screen removed from the netbook I mounted it, its power supply and the TV power supply onto the back of the TV with Velcro pads:

This got the netbook and tangle of wires out of the way, but left the challenge of how to control it. I dealt with that by getting a Kogan Wireless Keyboard and Trackpad. It’s about the size of a regular TV remote, but is surprisingly easy to use.

So now I have a very tidy setup that I can control from bed.

Notes:

[1] Sadly the bedroom TV I bought a little while ago didn’t come with HDMI, so I can’t just use a Raspberry Pi with OpenELEC.


Update (13 Nov 2012): Since OpenELEC is now on a recent kernel there’s no point to media_build any more, and I won’t be doing any further builds. Some DVB drivers aren’t enabled, but this is easy to rectify (it didn’t take very long to get CE6230 support mentioned below sorted out).

Update (10 Nov 2012): Since newer kernels were included in OpenELEC at the end of October I’ve not been able to create new releases with media_build. The good news is that it913x DVB adaptors (like mine) now work just fine with regular OpenELEC. The bad news is that various other DVB adaptors (e.g. CE6230) are missing from regular OpenELEC. If I figure out some other way of including missing drivers I’ll create some new builds – but don’t hold your breath.

A lot of people have been having issues with driver support for digital TV devices that can be fixed with the media_build drivers. I’m pleased to announce that I’m now publishing release bundles that include media_build using the same automated mechanism that I put together for regular release bundles and SD card images (NB I have no plans to do SD card images for media_build as it’s relatively trivial to copy a release bundle onto an SD card).


Moving house

22Sep12

For a few months now I’ve been offering OpenELEC release bundles and SD card images at openelec.thestateofme.com, and more recently I set up resources.pichimney.com to host a broader range of Raspberry Pi related downloads. The servers that I’ve been using were part of the BigV.io beta, so I’ve not been picking up the tab for VMs and bandwidth.

BigV has been great. Fast servers, expandable disks and plenty of bandwidth. Unfortunately it would cost me too much to stay there now that they’re starting billing (bandwidth alone would be around £40/month), so I’ll shortly be moving the URLs over to a new virtual private server in the US that I found via LowEndBox offering 3TB/month inclusive bandwidth.

The new server comes with 60GB of disk space, so I’m not going to fill things up by moving over the entire back catalogue of builds and images. I’m also going to have to prune things as the storage fills up.

No loop devices on OpenVZ

The one gotcha that’s already caught me out is that loop devices don’t work on the OpenVZ platform that my VPS is hosted on (containers share the host kernel and aren’t given access to loop devices, since being able to mount arbitrary images is a risk to the host; I knew there would be something to justify the premium for KVM or Xen). This means that I can’t make release images on the server itself. For that reason I’m going to keep a VM on BigV for the time being and make the images there (shipping them over to the main web server with rsync).


Our family holiday this summer was in Wales, and one of the great attractions that we visited whilst we were there was the Wales Ape and Monkey Sanctuary. I had a bit of trouble finding it online, so I thought I’d give it a bit of link/tag love here. I also had a struggle finding it on my satnav, so the coordinates are:

Latitude: N 51° 47′ 47.4317″
Longitude: W 3° 41′ 25.4675″

OS Grid Ref: SN834122

We called in at the sanctuary after a visit to the nearby show caves, which made for an excellent all round day out.


One of the great disappointments for me in last week’s launch of the iPhone 5 is that it doesn’t come with near field communications (NFC) capabilities. This was explained in an interview with Senior VP Phil Schiller:

It’s not clear that NFC is the solution to any current problem, Schiller said. “Passbook does the kinds of things customers need today.”

Phone as token

This comment seems to concentrate on using a phone as an NFC token, which is typically used for low value applications like buying a lunch or taking a short train ride. In this case the phone is used as the key to somebody else’s lock. Where NFC-like payment systems are already popular (e.g. Octopus in Hong Kong) many people achieve this already by putting a card (or the electronics from it) inside a phone case/cover.

Phone as terminal

It’s quite right that using a phone as an NFC token adds little value (maybe you get to have a transaction record on the device). The real missed opportunity is using the phone as a terminal – the lock for somebody else’s key. This opens up a number of additional possibilities:

  • The phone can be touched against an NFC card to authenticate an individual or a transaction they’re carrying out (rather than clumsy hardware-based two factor authentication systems that might be fine with desktop PCs but don’t work well in a mobile environment). This allows very high value transactions to be addressed.
  • The phone can be used as a point of sale terminal – think something like Square, but without the need for a magnetic stripe reader. This would of course be the route to solving the problem of NFC point of sale equipment being expensive to roll out.

Conclusion

Apple seems fixated on phone as token use cases and how these can be tackled with software-only approaches like its Passbook. This means that it’s missing the opportunity to grow the ecosystem for phone as terminal applications (and that ecosystem is far more fragile with Apple staying outside).


I’m on the road right now (heading out to San Francisco for an Open Data Center Alliance event before IDF), which means that I can’t play with all the great new stuff happening with OpenELEC on the Raspberry Pi. The team have a blog post covering the changes, which include PVR support and the Raspberry Pi build moving into the mainstream.

The OpenELEC team have also accepted some changes I made to the create_sdcard script to use loop devices to make image files.

As ever, head on over to resources.pichimney.com for the latest release bundles and images. My build bot will keep churning out the new stuff even if I’m too busy to try out new features for myself.

NB if you’re updating to r11904 or later then make sure to change the 3rd party boot loader stuff as well as kernel.img and SYSTEM.