Small Fish, Big Pond

Lala was recently acquired by Apple and now everybody is wondering how Apple will bring it to bear on the market. Michael Robertson makes a post at TechCrunch with some interesting tidbits on how this will play out.

Almost everybody assumed that iTunes would integrate lala’s 1 full play, then 30 seconds for every replay after that. However:

Lala will play a critical role in Apple’s music future, but not for the reasons cited above. Lala’s licenses with major labels are non-transferable, so they’re not usable for any new iTunes service. The 10 cent song rental model never gained traction and does not cover mobile devices thus is of little value to Apple.

That is an excellent point.

I am was a long time lala user and when the new streaming features came I really wasn’t interested in it. Last.fm handles all my music streaming, and even Pandora has a better service IMHO. Lala is a bit more on demand but I don’t like taking the time to make playlists and usually listen to my own music on shuffle anyway. Last thing I’m going to do is rent songs for 10 cents.

And the fact that the streaming license doesn’t carryover is something I totally overlooked. Of course the big labels would never let their music be streamed free over the net to a mobile device, it’s so obvious now that it was never a possibility.

That just leaves the odd ability for lala to work as a cloud storage for your personal music as a potential benefit to Apple.

When this first came out on lala I was skeptical about the legalities and the privacy concerns for individuals uploading the music. Here’s how it works (or how it worked when they rolled it out).

Everybody doesn’t upload their full collections. There doesn’t need to be 1.5 million copies of “Toxic” by Britney Spears, just one copy that is registered to 1.5 million people. So when you’re uploading your music you’re really only uploading what music isn’t already in the cloud, it makes things easier on lala and is actually quite logical. Much like multicast vs. broadcast it makes use of the design of the internet to make more optimal use of data. Unless the uploaded copy is crap, in which case everybody with good music is forced to make do with bad music because somebody didn’t know how to rip.

All this works great if you listen to top 40 radio. If you’re like me and 20,000 of your 40,000 songs are from overseas and not available in the US, you’ll be uploading a lot of music. Which is how I found out that you can only upload 5000 songs before it quits (hopefully they removed this cap, or else you may only have A-C of your library in the cloud).

Add to this the fact that the lala software didn’t ask me to upload my music, it just assumed and started uploading without my consent. Now we see where my legality suspicions come in.

-First off I’m not sure from their description but they made it should like this pool of uploaded music was where their streaming service pulls from. Thus if I upload a Japanese indie band that is not available anywhere online, lala now has a copy and can stream their music in the radio (in addition to me and others who “upload” their libraries).

-Second, it seemed shady to take peoples music without their knowing. It’s like what got Kazaa shut down but in reverse, automatic sharing.

-Third a lot of people have music on their computer that they didn’t acquire legally. So if I rip my legally purchased copy of “Cosmogenesis” by Obscura, another person with a downloaded copy will be able to listen to my nice legal rip free of charge. Also people who download illegal music will be able to upload it to lala for themselves and others to listen to, thus lala is streaming illegal music.

The first point may not be illegal based of the way music royalties are paid, which contrary to logic or common knowledge is so backwards and double handed that it makes RIAA’s arguments against piracy seem incredibly hypocritical. So long as you pay your royalty to Sound Exchange you can play any music you want no matter what or who the artist is because theoretically the artist should get paid for it (but often doesn’t).

The second and third point may get under peoples skin when it comes to privacy. Basically lala’s cloud storage is creating a giant list of what music you have, and previously was doing this even without your knowledge. If a virus ran without your knowledge and catalogued your system’s files, then uploaded the info to a private business to use for their monetary gain would you approve of the action?

This doesn’t really bother me, but the “Tin Foil Hat” part of me doesn’t want to give that info out to a company. Especially a company that is so desperate to keep its license for streaming that it may make a deal with the record industry to share its database of ownership.

That is that valuable market research data that I don’t like being given away without letting me wet my beak with the money it makes. And imagine if you’re unfortunate enough to be one of those people who are served with a cease and desist or are sued for illegal downloading. A simple subpoena to lala and the record industry has proof that not only were you on a torrent tracker for a new album, but you downloaded it, kept it, and listen to it regularly.

Still, for apple to harness the power of every iPod, iPad, and iTunes connected device into a giant online cloud of accessible music is a massive achievement. This doesn’t just cement its position as a media provider it sets Apple up to be the media hub for the distribution of content to the world.

Considering that advertising while distributing is traditional media’s bread and butter this has to be have content holders shaking in their boots. Or at least they will when they realized that jobs can clinch even more control than he has now.

I used to be a big lala user when they were a CD trading service. I got a TON of CDs in my now pretty extensive collection by buying interesting looking bargain bin CDs, matching up with a lala user that wanted them, then trading for a CD I wanted.

Now all my trading is mostly on Swap-A-CD and MusicBoomerang but not nearly as much as I traded on lala.

What’s interesting is that lala fueled my collector nature and got me a to go out an purchase 1000+ physical CDs, the ones that music labels make all their money off. The ones that are steadily decreasing now because online track sales though iTunes and it’s brethren are outpacing them.

How ironic that lala that once touted itself as a method for keeping physical music moving and supporting artists in that way is potentially getting into bed with iTunes the force that many people attribute with destroying the age of the physical CD.

Just food for thought.

A picture of my current collection while I was putting it in order.

Tech Cruch has revealed the specifics of the Twitter leak/crack and there isn’t really anything new (previous posts here and here. It’s basically simple searching social networks of the net to gather data on people so you can crack their info. The timeline of the crack is pretty cool though:

1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
2. HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.
3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
6. Even at this point, Twitter had absolutely no idea they had been compromised.

Pretty interesting. A lot of people point out that the hack was all through initially hacking email and that the Google Cloud was never compromised directly (thus cloud computing is secure). The fact that the data was this easy to get even when the Cloud is secure only proves how vulnerable cloud computing is. If the servers with proprietary information were kept on an internal LAN more security measures could have been brought to bear and MUCH more would be needed besides simple login name and password.

What this attack really proves is that this new web 2.0 social networking world allows strangers to create nearly complete profiles of us simply by aggregating information we post about ourselves. It’s an identity thieves’ paradise and were all happy to divulge all of our personal life onto the internet.

The future is going to be a lot more open, and for many people that may not be a good thing. If you do a lot of online social networking always assume you have a bunch of stalkers and post accordingly.

Google made a blog posting in response to recent security concerns since Twitter’s data in the Google cloud was illegally hacked.

Password strength and account recovery options

Google basically states that they provide info on how to make better passwords, and different ways to make password recovery a bit more secure. Interestingly for Google Apps they also support advanced login methods that use “certificates, smartcards, biometrics, one time password devices, and other stronger tokens”.

All cool stuff but I’d like to point out that all of this only addresses login issues. In the medieval castle analogy I made yesterday I pointed out that security is layered like an onion. The inherent problem with cloud computing is that you eliminate almost all physical security options available to you; and believe me there are a lot of amazing, very secure, network level security options available. All you’re left with is having a strong password.

A lot of people including Twitter are saying that there was no flaw in Google Apps, and in a way there wasn’t. It worked as strong as it possibly can and it was the password that was hacked. But that’s my point! Your security is only as strong as your password, and with that as your only line of defense there are no additional security checks between your data and every hacker and script kiddie on the internet.

From a business standpoint I’d never advise moving all data over to the cloud, it literally goes against all the lessons in computer security we’ve learned in the last few decades. And even as cloud technologies mature I can only foresee a hybrid-cloud business model where private confidential company data is stored onsite in a traditional manner, and public or publicly safe documents are stored in the cloud (similar to our traditional “DMZ” zone in network security).]]>

Techcrunch is running some stories on Twitter based off of some information given to them by a hacker. Reading how much data was gathered is shocking, some documentation I didn’t even know people would save on a hard drive; which in itself is a pretty interesting insight into how everything we do is digital now. It makes sense, it just doesn’t usually hit home so hard.

But the main thing that I noticed is how easy it is for all this information to be stolen in the first place. This is not at all shocking to me since I was on a networking security team at Cisco I’m well versed on what it takes to secure digital content. And one thing that was constantly driven home is that no matter how many firewalls, network detectors, and anti-virus/malware programs you use to plug holes and backdoor access if you leave the front door open it’s all worthless.

It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.

This is why I’m wary about a hypothetical future where all our info is stored and processed in the cloud. The majority of security holes develop internally within a company when an employee leaks sensitive info, luckily becoming an employee serves as an initial layer of security. Think of it as a castle with a wall around it, to see what’s within you need a password to get through the gate and then you have to physically enter that castle. The real live situation is using a login on a computer on the internal company network to access the servers; you have physical security on the computer and servers in addition to logical security via authenticated login.

In the cloud our medieval castle analogy is distributed through the surrounding peasant community, you still need the password to gain access but you can gain access from anywhere. In the real world there are a few tricks that you HOPE your cloud provider is taking to mitigate this problem but the reality is you don’t have physical security over the devices storing your data anymore. All you have is a simple login standing between you and every malicious user on the internet.

In the security world your security should be layered like an onion, only having one pathetically weak layer protecting your business is what we on the internet call an “Epic Fail”.]]>

Big news in the arena of computer technology, and with all the buzz I feel compelled to comment.
Google is pushing on developing a full OS, not just their smartphone OS Android. It will be centered around the Chrome Browser which is already built to greatly integrate a lot of the features on the desktop.

Some bloggers predicted Chrome was the first step into the foray of desktop OS and are patting themselves on the back. Many others are now claiming that this will be the game changer that will destroy Microsoft and destabilize the OS playing field forever! In a word, the people who say that are wrong.

There are a few buzz words that cause all tech pundits and bloggers to claim the beginning of a revolution in the tech world and this news has the three of biggest: “Open-source” “Linux” and “Google”) Every time these buzz words come up the tech world creams themselves shouting about how it will kill the Microsoft giant and leave Apple shaking in it’s boots; regardless of the fact that this has never happened in the many times people predicted it will (Android, Chrome, etc).

Before you continue please read the Ars Technica article about this. They write good levelheaded articles and give some good perspective on the situation as it stands. Many blogs on the other hand flip out in an orgy of Linux/Open-source delusion that comes from being too plugged into tech and not knowing how real people react to these developments.

Let me expand on that. Many tech people believe that the buzz-word “cloud computing” will lead to a revolution in computers where all PCs become dumb terminals that simply plug us into the net and all computing, apps, and storage will be done offsite and piped to us via the browser and it’s many plugins. Google is a big proponent in this, thus the development of all Google apps and now the ultimate OS to plug you in. The problem is that this fully online scenario will never happen (or at least not for a long time). Here’s why:

Some programs don’t run in a browser or are too big to run across a WAN connection. Basic word processing is a piece of cake as are most MS Office style apps, but what about photo editing? Photoshop is a beast and will be a PITA to run over the net, as well as any video editing software. A lot of my computational power goes to fingerprinting audio files; finding a way to do these high demand processes over the net is going to be hard and network intensive, or the cloud will have to load a lot of programs onto my computer remotely so I can process that data locally. In that case you’re just duplicating the traditional computer architecture with the extra step that my computer has to constantly download remote apps to run.

Also, people are loath to store all their data online (simple backups are one thing), first of all there is the issue of size; I have multiple terabytes of data stored on my network, multiply this by the millions of computer users and even Google’s massive storage can’t keep up. Then there’s the privacy issue. There is some data I want to keep local even if it means it may be lost in a computer crash (although I keep good backups), I’d rather lose it than read in the paper that my storage company had a massive internal breach of security and now anybody could have my personal files.

Next the WAN (internet) infrastructure isn’t as robust enough to handle everybody doing all their computing in the cloud. A good broadband connection is 1/1000 the size of a good LAN connection; and most people don’t have that and are still on dial up which is about 1/1500 the size of a 100Mbps LAN connection. Simply put we can’t handle everybody doing cloud computing right now because instead of a distributed system where 1 million computers do 1 million tasks we’d have a centralized system where one computer would have to do 1 million tasks on behalf of those 1 million users.

How about the reliability of one site/company being responsible for providing all your computing? If Google’s apps go down your hands are tied. But they don’t even need to go down, you just need to be in an area with a bad network connection.
Ever been cut off from the net due to a downed communication trunk? It drives me up the wall not being able to surf the net but I can always fall back to doing local work with installed apps and local files till the net is back. With an online app dependant OS your computer becomes useless if you have a bad connection. Many argue that Google will provide resources so that you can work offline (they better!) but in that case you’re back to the traditional OS infrastructure and Google isn’t really breaking any new ground.

Lastly, most of us personal users don’t realize it but it’s the Businesses that drive the market on computer OS’s. Why do you think MS has weathered all the bad press and hardships it has had and maintained over 3/4 of the OS market? So the simple question is do you think a fortune 500 business is willing to change to an online format where they are dependant on another company for computer usage and uptime, paying for an internet pipe big enough run all their computers across the WAN? Plus will they keep all their company secrets stored in remote sites by other companies, and train all employees to learn google apps for all processes all so they can have their computer startup a little faster?

Admittedly the Google OS won’t be this extreme and will likely be a hybrid of online and offline content and apps. Google will make money with this, and they will gain more market share; especially where they are starting out in the netbook market. But don’t be fooled that this is a new groundbreaking option for computers that will change the way computers work. Asus already has its “Express Gate” system that quick boots Firefox and Skype, and the number of Linux flavored quick-boot versions is too numerous to count. And Apple and Windows OS’s are already lowering boot times and creating hybrid boots that can do a quick boot to basic programs then a long boot to the full OS. Google is taking a good idea and improving on it but it will take a year before we see an actual product that may or may not live upto the hype. By then the competitors may have closed or eliminated the gap Google OS will try to fill.

Bottom line. Don’t drink the kool-aid, the Google OS may be a nice new entry to give us more choices in what OS to use, but its not going to kill the computing status quo. And far from “shaking in their boots” I’m sure MS and Apple are simply making a few course corrections to adapt their already proven browsers to make use of many of the benefits Google OS may provide.

Sorry that evolved into more of an anti Cloud Computing gripe, but the Cloud and the Google OS are being so intertwined in the new I think both need to be addressed.