Monthly Archives: May 2011

Netflix rules, ok?

Netflix Rocks — It’s Hollywood that’s the problem.

I recently heard on my favorite podcast that Netflix is, by bandwidth, the biggest site on the Internet. This is very comforting, as it proves something that I have always believed in my spirit; that the majority of people would rather not pirate movies if they were given a convenient, reasonably-priced alternative. For this reason, Netflix’s $8-per-month video streaming service is one of the best bargains (I refuse to use the word “value”; it just sounds wrong) on the Internet. It even works on my phone!

But it’s not all wine and roses. While there is a lot of good stuff out there, there are many movies that do not feature on Netflix’s streaming service. Here are some of them:

  • Avatar (2009)
  • Star Wars (all six movies, 1977-2005)
  • Indiana Jones (All four movies)
  • Back to the Future (Trilogy)
  • Iron Man I and II
  • Spider-Man (all three)
  • The Chronicles of Narnia (all three)
  • Fantastic 4 (both)
  • How to Train your Dragon
  • Schindler’s List
  • The Hurt Locker (One movie I will never watch or buy — here’s why)
  • Almost anything from Walt Disney

In most cases, you have to pay more for the DVD-by-mail service. This is understandable for a recent movie like Avatar, but Star Wars (IV) is thirty-four years old!

As with most disputes of this nature, if you go far enough down the rabbit hole, you will find an obstinate publisher (Director/Producer/movie studio/media conglomerate etc.) at the bottom of it. These folks honestly believe, deep down in their souls, that copyright is ownership; they have told themselves and the rest of us that lie long enough that it has become universally accepted as fact.

Copyright is, and always has been, a bargain between creators, publishers and consumers, intended to give those who create a “limited and exclusive right” to make money out of their creations, after which they fall gracefully into the public domain. It is not, and has never been, ownership. Repeat after me: “Loaned, not Owned”. Got it? Great.

These folks have got the “exclusive” right down pat, but the “limited” part seems to elude them: Assuming there are no more retroactive copyright term extensions, Avatar will enter the public Domain on Jan 1 2105 — how “limited” does that sound to you? Why do they need 95 years? Personally I say five is enough, with an option to purchase an extra five years for, say $100,000.

I blame Mickey Mouse; but that’s another story. But Netflix rocks.

Three Days of the Android

I have spent three days playing with my new toy. It has been a voyage of discovery, excitement, and, in places, outright confusion.

The Good:

  • Bee-yootiful screen. How they managed to pack a 960×540 screen into a hand-held device is beyond me. The fact that 960×540 is a perfect 16/9 ratio (the preferred ratio of movies) is an added bonus.
  • It is a lot faster in operation than I expected, probably due to the 1GHz dual-core processor.
  • When you connect the phone to a computer, it gives you four options: PC Mode/Windows Media Sync/USB Mass Storage/Charge Only. Brilliant!
  • “There’s an app for that”. In fact, there’s an app for everything.
  • It interfaces beautifully with Google everything (mail, contacts, calendar etc.). Not so good if you don’t like Google though…

The Bad:

  • The Notification Light (a little round LED at the top left of the phone) doesn’t work as advertised.
  • Motorola really should have included a little carrying pouch in the package — to tide you over until you buy a case/pouch/holster/screen protector.
  • The phone comes with a BH5X 1500mAh battery. A 1880mAh extended capacity battery — BH6X — is available. Given that battery life is a problem on all Droid phones, this should have been included as standard. It would have made the phone slightly thicker (by about 1mm), but with 30% more battery life.
  • The phone comes with 8GB on-board memory (which is good), and an 8GB Micro-SD, which is not so good. Nothing wrong with 8GB, but it is too large for casual users and too small for power-users. They should have left it out and dropped the price by $20.
  • The built-in Gmail App does not allow you to save certain attachments (such as MP3s)… but if you log into Gmail through the browser you can do so just fine.

The Ugly

  • When upgrading to this phone, a $30/month “unlimited” data plan is required. An examination of the small print shows that this covers web and e-mail but not text messages. So I am paying $30 for data and you want more for text messages? This is definitely some kind of a joke.
  • Here’s another: Two-year contract, one-year warranty. Wassup wid dat?
  • The first time I used the phone, it went from 100% charge to 40% over the course of a day… and then abruptly dropped to 15% and started yelling for a plug-in charge. Fortunately this happened when I was on my way home. I assume that this was just a glitch; time will tell.

As you can see, most of my likes are aimed at the phone and Google, while most of my dislikes are aimed at the Manufacturer or the cellphone carrier.

But what of the phone? I’m glad you asked. I’m loving it. I’ll write more soon.

Unboxing Day

The phone arrived today.

On the way home I stopped at my local Verizon store to buy a holster. They were selling a face-out holster for $30. Given that I have a tendency to walk into things, a face-out holster would not be a good idea; I wanted a face-in one (to protect the screen), so I ordered one on eBay for $3.55, along with a screen protector for $2.90.

In the box: Phone (with battery and back cover), a tiny “manual”, charger (wall-to-USB + USB-to-phone).

Plugged the phone in to charge. A green light came on. Nowhere in the manual was this green light explained. I had to research the web to find out that the green light would go out when the phone was fully charged. This should have been explained in the manual.

Put the phone to charge overnight…

Biting the bullet

Like many old-school geeks I have a dislike of telephones — particularly cellphones. For years I swore that I would never carry one of those things.

Her Ladyship finally persuaded me to get one on the sensible grounds that 1) the phone was free 2) The service was $10/month and 3) In-Network calls were free.

That was six years ago. Since then, an iPod and a PDA (Tungsten T3) have joined it on my belt. Three devices on one belt are all well and good if you are a geek, but for those of us who care about style, that is two too many.

I finally bit the bullet today and purchased a Droid X2. Those who know me know that I am not an early adopter, but by a curious coincidence today was the day that the X2 came out. You can’t get it in the stores yet, so I ordered it online. It was normally priced at $199, but today it was $149 (either a pricing mistake or a first-day discount) with free second-day delivery. With a $50 upgrade bonus, I was able to snag one for the princely sum of $99…

One thing that was rather odd was that the site refused to take my Debit Card (even though that is the card I use to pay the bill every month); eventually I took the “add-it-to-my-bill” option and it went through. When I checked with my bank, they had placed six “just-checking” $1 temporary holds on it. Major screw-up there, and one that deserves an explanation from Verizon, though I doubt that one will be forthcoming.

My only other criticism is that their “Second-Day Delivery” does not include weekends, so an order placed on Thursday will not reach me until Monday. As a result, instead of having the weekend to try out my new toy, I won’t be getting any sleep on Monday night if it arrives on time. Verizon, if you are going to be delivering to residential addresses, use a service that delivers on Saturday.

The LastPass Breach, and why I’m not worried about it

Years ago, when the net was young, I, like many others, used one password for everywhere I went.

Before long, I realized that this was not a good plan, so I went to Plan B: a handful of passwords; one for “Important” sites (i.e., where money is involved), a second one for less important sites (such as shopping and utility-billing sites), and… a third password for anything else.

The problem with this approach is that if ONE of your “Important” sites is breached, and they try your password on a bunch of banks… there goes your life savings.

I needed a better approach, and I found it… in LastPass.

I was first exposed to LastPass in Episode 256 of the Security Now Podcast, hosted by Leo Laporte and Steve Gibson. Steve loved it, and after trying it out, so did I.

That was almost a year ago. I had been toying with the idea of writing a piece on how good LastPass is, but something more interesting happened.

LastPass got breached

And I am OK with that. Here’s why:

  1. The breach was a relatively minor one — LastPass noticed some anomalous traffic — “we saw a network traffic anomaly for a few minutes from one of our non-critical machines” — and investigated. They went public in short order (unlike, for instance, Sony, who shut down a compromised network for a week before telling us why). They “also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs” — the amount of “leaked” data corresponds to the encrypted information for a few hundred users. The chances that my data was part of that leak were therefore quite low.
  2. I use a strong master password, containing all four classes of character (upper, lower, numbers, special characters). This would make a brute-force attack very difficult.
  3. LastPass has gone to great pains to point out that no plain-text data is stored. Everything that is stored on their servers is encrypted. In fact, NOTHING unencrypted leaves your machine.

LastPass’ responses were laudable. They informed people early on — if anything they overreacted. They required verification if users were logging in from “unexpected” IP addresses. They encouraged people to change their passwords.

Some users were inconvenienced, claiming that they were locked out of LastPass as a result of a password change that went wrong, or being unable to get into their e-mail because the email password was stored in… LastPass.

There are two solutions to this: First, regularly take an encrypted backup of the password database and keep it on a flash drive with a copy of the “LastPass pocket” program (this allows you to get to your password when you have no Internet Connection). Secondly, NEVER store the password to your master e-mail address (the one LastPass uses as your username) in LastPass. If something goes wrong with LastPass, you will need to get into this e-mail.

The press have had a field day with this one, and like newsies everywhere they have overplayed the sensationalism and underplayed the facts.

But the security-conscious will still worry, and rightly so. So what are you worrying about? For me, the worst-case scenario is that they have gotten my entire blob and hammer it offline until they figure out the username and password.

LastPass’ advice — change your Master Password — is certainly good advice, but it does not help in this situation; if they have decrypted the blob, they now have all of the passwords for every site without having to go to LastPass.com. Here’s what I recommend:

  1. Use LastPass to generate new passwords for those sites that involve money (Financial Institutions and Web shopping sites that store payment info, such as Amazon). I use PayPal to purchase stuff online wherever possible. This took me less than an hour, and means that the important passwords in the stolen blob are now useless. Most other sites aren’t that critical — if someone wants to go online as me and pay my bills, I say let ’em.
  2. Use two-factor authentication for all non-trusted machines. LastPass supports two types, Grid (free) or Yubikey; either will make it impossible to get in using a non-trusted machine without an extra piece of information or hardware that the bad guys simply will not have. I use a Yubikey, which costs $25 to buy, and requires LastPass premium, which costs $12/year. Well worth it, in my opinion.

Bottom line: LastPass Passes, Sony Fails

Rest In Peace

Her Ladyship loves chicks.

Let me rephrase that, lest you get the wrong idea. Her Ladyship loves baby birds. So when a couple of birdies built a nest outside our window and started a family, there was much excitement.

The chicks grew at an alarming rate, and we were looking forward to their leaving the nest in the next few days.

But it was not to be. Sometime during the night, the nest was attacked.

Whodunit? We don’t know, but I suspect one of the neighborhood cats. I’ve got my eye on a particularly shifty-looking gray moggy that always seems to be on the prowl.

This morning, when Her Ladyship checked in, the nest was full of dead birds.

Why, God, why? It is easy to say “these things happen”, but that does not take away the pain.

Today, we mourn.

Why?

This morning I filled up my tank at $3.77.

This afternoon I noticed that the price had risen to $4.15.  By an amazing coincidence, that was the price for every filling station I passed on the fifty-mile drive home.

So… why did this happen? There was no news of calamity or doom of which I am aware, and no major fluctuation of the price of crude. Some say “shortage”. “Bull”, say I.

Here’s my theory:

PALPATINE: It is time for us to extract our TRIBUTE!

VADER: Yes, my Master.

In entirely unrelated news, Chevron reported annual profits of 30.4 Billion Dollars.

As they say down south, “somebody’s got some ‘splainin’ to do”

(Additional: by the following morning it had dropped to $3.99)

Did I miss something?

Exhibit A:

Is it me, or is that apostrophe in the wrong place?

Ebonics for beginners

Spotted this on an Asus A8V Deluxe with the latest BIOS…

Not much that I can say, except: “What it be like, blerd?”

Stupid as well as evil

My antipathy towards Sony is well documented, and should come as no great surprise to regular readers of this blog.

My experience with their customer service was less than salutary. I ordered a $20 item online that was mis-priced at 1c. That they canceled the order doesn’t bother or surprise me, but they did so without taking the trouble to notify me, and they gave me the Customer service run-around for three months before finally coming out and telling me that they had no intention of honoring the price. They were willing to lose a customer for life over twenty dollars.

But that’s not all. Their hardware has a tendency to sport expensive proprietary interfaces that ignore established standards — insisting on Memory Stick while the rest of the world was happily using SD, for example.

In the past they have surreptitiously installed rootkits on their customers’ computers, removal of which could render the computer unbootable. That’s right; they believe that their right to fry your computer in order to protect their “content” is more important than your right to a working computer.

They have also paid graffiti artists to create fake graffiti of kids on skateboards playing with PSPs. Graffiti that municipalities had to remove at the taxpayers’ expense.

Having established that Sony is Evil, it is now time to move onto the stupid part.

I got a chuckle when I heard that the PlayStation Network was hacked, and the miscreants gained access to names, e-mail addresses and passwords — and potentially credit-card details as well — for up to 75 million users.

The reason that this is particularly egregious is that the passwords were apparently stored as plain-text. In web security circles, this is a HUGE no-no. In the real world, passwords are put through a one-way function, and the resulting “hash” is stored; that is how, for instance, Windows stores its passwords. A small-scale web application that I built went from plain-text passwords to hashes five years ago.

Sony will probably try to downplay this; to tell you that everything’s fine — to admit otherwise would be to open themselves to huge lawsuits. But I can think of at least two significant problems.

  1. Millions of Credit Cards on the loose — nuff said.
  2. Millions of e-mail address/password combinations. Let’s try those on the world’s major banks, shall we? Given the average user’s tendency to re-use the same password everywhere, there’s bound to be a few (thousands to millions) hits. And bank accounts will suddenly be emptied, their contents shifted overseas and untraceable, because while banks can turn off wire transfers for accounts, the default is ON.

But Sony couldn’t be bothered to do it right. And now heads should roll.