Movie Quality, Piracy, and the Cinema Experience

Movie theaters are way too expensive. Ticket prices, concessions, the whole nine. I deal with the cost of concessions by not buying them. I deal with the cost of tickets by being very picky about which movies I'll see in the theater.

I used to download movies on bit torrent a lot. Despite being able to download movies for free, eat my own food, sit on the comfort of my couch and pause it when I wanted I would still go to the theater a couple times a month.

I stopped torrenting movies when Netflix came into my life. A lot of people say that piracy is really a content-delivery problem and there's definitely some truth there. As Netflix's streamable library has grown, torrents have gotten further from my mind. To be clear, I would rather pay for access to Netflix than torrent movies for free.

Netflix fills several roles for me:

• Killing time: I will not buy a movie ticket for this
• Television shows: I can't buy a movie ticket for this, nor would I
• Movies I missed in the theater
• Movies long out of the theater
• Movies I don't think are worth seeing in the theater

If Netflix disappeared with no replacement I still wouldn't go to the theater for any of the above reasons. What does bring me into the theater? A good movie on a big screen with great sound. If the reviews for a movie are mixed I'll usually wait to watch it via Netflix. A key point to emphasize is that "new release" is not something that brings me to the theater.

I'm optimistic that theaters are starting to get that last point. Locally, "Titanic" and "Star Wars Episode I (in what's-the-fucking-point 3D)" have made trips back through the theaters. Say what you want about the films, if you're going to see them at all, the big screen is the way. We need lots more of this with cheaper ticket prices.

Dear Hollywood,

You don't have to lose money by making another shitty romantic comedy or Resident Evil movie. You can show us movies we've already seen and if you pick good ones we'll pay to see them. We will pay to come to theaters to see movies we already own. You can even draw people in by showing director's cuts and the like. Bring the older movies in a series back into theaters before the next sequel comes out. Put "The Godfather", the Indiana Jones movies, "Blade Runner", or "Airplane!" in theaters and I'll see them all in a week.

What's critical is that you stop making terrible movies. Instead, give us consumers real reasons to come to the theater and make the theater experience something meaningful. Given the digital projection systems it seems unlikely to me that distribution is a significant hurdle to this. If bandwidth is a concern for getting the extremely high resolution movies out to theaters perhaps you can utilize something bandwidth-efficient for the distributor... like bit torrent.

Xoom LTE Upgrade

A bought a Motorola Xoom android tablet the day it came out and from the beginning there was the promise that it would be upgraded for free to 4G LTE. Last week I got the notice that I could upgrade. Here's how it went:

• I signed up on Nov 2nd and quickly got a shipment traffic email from Motorola.
• Nov 3rd I received a pre-labeled FedEx box with instructions and packing materials.
• Nov 7th I got around to shipping it out.
• Nov 10th I received the upgraded tablet.

The turnaround time for this was pretty staggering. I'm guessing the recognize that a lot of people depend on these things and wouldn't be happy having to be without their's for long.

The instructions with the returned tablet said I would have to turn it on and when I got logged in I would get a prompt for turning on 4G LTE after a few minutes. Somehow I had cancelled the prompt when it appeared. I found the settings (clearly indicated in the instructions had I cared to look) and then it was a waiting game.

The instructions said it might take a few hours for OTA registration to complete. I was occasionally checking the network connectivity indicator in the lower right to say "4G" instead of "3G". After three hours nothing happened so I went to reboot the device to try again. When it booted back up it immediately said "4G". It worked!

I haven't really played with the 4G much yet as I'm pretty much in WiFi range all the time during my week. I did turn WiFi off for a few and pulled up maps just to see if it was fast. Man those map tiles loaded fast. I even got a free OEM standard dock (power and audio connectivity, no speakers, USB, or HDMI) as a "while supplies last" deal. In theory they could have upgraded my Android Market to a newer version but my tablet was encrypted so I had to do it myself. I'm more comfortable with the encryption and an extra upgrade step.

Overall, Motorola did a fantastic job with this. The instructions they provided were clear and described exactly what would happen with the upgrade process. I was pretty floored by how fast I got my upgraded device back. If you bought a 3G Xoom from Verizon you should definitely take advantage of this.

On Google+

I'm trying out this Google+ thing.

I have a Facebook that I maintain for people to find me. Every time I log in my mind recoils in horror.

I previously used tumblr for blogging and really liked the asymmetrical sharing model. Hopefully Google+ incorporated the good bits of everything.

Go Language Compile/Link/Launch Script

I've started playing around with the Go language and I think it's pretty neat. I have a security-related project I'm working on to help me learn the language that I'll share soon after it's finished.

I found myself slightly annoyed when I would compile, link, and launch my program while editing it. It was fast but the command line was long:

bin/6g whatever.go && bin/6l -o whatever whatever.6 && ./whatever -arg1 blah -arg2

To make things a little easier when switching between source files I wrote a simple script:

#!/bin/bash
#gogogo.sh <program_name> [<args>]

progname=${1}
shift
bin/6g ${progname}.go && bin/6l -o ${progname} ${progname}.6 && ./${progname} ${@}

Now just run:

./gogogo.sh whatever -arg1 blah -arg2

There's probably a smarter way using gomake or something similar but I haven't dug it up yet.

evilbitchanger

I've been learning scapy, which is an awesome tool. I have a colleague who is doing some research and had a need for a tool that could modify IP packets in arbitrary ways either from a pcap file or on packets in real time. The prototype sets the IP evil bit, recalculates the checksum and forwards the new packet.

Web page here.

Code hosted here.

Management vs Leadership

Management Skills != Leadership Skills

IMO:

People management: concerned with the career growth, compensation, work satisfaction, etc of your reports. In a sense, this is a local extension of HR. Not a technical role. Must be well-versed in the issues related to employee effectiveness.

Project/Product/Program Management: concerned with planning, development, execution, and maintenance of products, services, etc. Should be technically competent but somewhat isolated from implementation.

Leadership: Inspires a team and fosters a culture optimized toward producing the desired result. Leadership skills are independent of other skills but complement them. Sometimes the action indicated by good leadership is contradicted by good management.

People managers deal in carrots, project managers deal in sticks, leaders deal in aspiration.

PS3 Rootkit

Official PS3 firmware v3.56 has a rootkit
It is imperative that someone create a PS3 worm.

Remakes

There's been a trend over the last couple years where old movies are remade and handed to us as something new.

When IPv6 becomes common place, the same thing is going to happen with network vulnerabilities.

Altism

Altism -noun:

The mental deficiency wherein on believes that something is superior because it is uncommon.

Move Complete

My blog move has been completed! In the future I'll write up notes about the process and share the python code I used to do the migration.

Adobe Anagram

Anyone else notice that Adobe is an anagram for “B O-dae”?

Adobe: Productive Media Tools

Adobe should incorporate some of the security buzz into their marketing:

Adobe media tools increase productivity, giving you 0-day turnaround.

The SEO opportunities are endless.

Advanced Evasion Techniques: A Long-Winded Explanation of the Threat

Recently a company called Stonesoft launched a website called http://www.antievasion.com/ with videos warning us about the threat of Advanced Evasion Techniques that can float right through your network security and attack systems you thought were protected. The videos on their site are worth watching, if for no other reason that they approach self-parody.


Their concern lies mostly in Intrusion Detection/Prevention System (IDS/IPS) software and appliances. These devices observe traffic passing through looking for behavior indicative of an attack in a fashion conceptually similar to antivirus/antimalware. IDS systems merely “observe and report” while IPS systems intervene, trying to cut connections or otherwise stop the attack. The limitation of these types of systems is that they’re primarily signature-based; they are looking for a specific set of indicators to determine that something is an attack. They cannot say with certainty that anything is safe.


Compare this to police mugshots. You can use them to identify known bad guys but you can’t use them to identify unknown bad guys or bad guys with convincing disguises. Modern IDS/IPS (and antivirus) are smarter. They’re better at recognizing fake beards, hats, and changes of clothes. These kinds of attack disguises have often been referred to as “IDS/IPS evasion techniques” and they’re almost as old as IDS/IPS technology itself. As is always the case on the Internet, the good guys cause the bad guys to evolve and vice versa. IDS/IPS technology gets better, IDS/IPS evasion techniques get better.


These “disguises” involve changing the properties of the transmission in ways that are still valid (enough) but violate the IDS/IPS product’s assumptions about how the data should be transmitted. For example, some IDS/IPS products can only look at one packet at a time. If you break the attack transmission into small enough pieces, the IDS/IPS won’t be able to see the signature. For IDS/IPS products that are a little smarter, transmitting the pieces in the wrong order might fool them. There are lots of permutations at various levels.


To build an analogy, IDS/IPS systems are like TSA personnel. They scan through your luggage looking for things that might be dangerous. They can’t possibly know every possible threat and disguising a threat, like hiding it in your underpants, can potentially get through the screening process (in all fairness, the underwear bomber didn’t go through TSA screeners, he might have got caught but that demonstrations a point about security; you attack through a channel with weaker defenses).


TSA screeners could be incredibly effective against a known threat. If we knew attackers were going to carry a weapon onboard a plane in a red stuffed unicorn, TSA personnel would have a clear thing to search for. If the weapon were moved to something else, maybe it would be found, maybe not. In the same vein, when a new vulnerability is discovered, providing a good signature for your IPS could provide adequate detection until a patch becomes available. That is, unless an attacker decides to put a moustache on it.


So what are Advanced Evasion Techniques? Simply put they are IDS/IPS evasion techniques that are applied at more levels of the network stack. Where previous techniques might manipulate the transmission at the IP and TCP/UDP levels, advanced techniques might also manipulate the application layer. It’s an evolution on the attackers’ part that many vendors didn’t anticipate but it’s not really breaking new ground.


What does this mean to your network? Hopefully, nothing. The conditions for a successful attack are that a service has to be exploitable and the attacker has to get the attack passed the IPS and… it has to get passed the firewall. The inability of your IPS to stop an attack is moot if the target is not vulnerable or if there is no path from attacker to target. If either of those cases hold you can be pretty confident. The “The Principles of AntiEvasion” video seems to presume that your IPS is the only thing protecting your unpatched services. If you’re relying on your IPS in that fashion then you probably are at risk. If your firewall is configured sanely and your patches and configuration are solid, that video is mostly just FUD.


To tie this up I’ll return to the “human screener” analogy. An IPS is like a person looking at people entering and leaving a building, trying to guess at motive. The building itself is like a firewall: it limits points of entry with walls and locked doors. Relying on your IPS to protect you is like foregoing walls and trying to guard a valuable resource in the middle of an open field with only a handful of guards.

On Saturday we adopted our second cat: Sam. Please forgive the mediocre photo. I was thoroughly impressed by the Silicon Valley humane society. Their facilities were excellent and I felt that the staff were genuinely interested in helping us find the right cat. If you’re thinking of adopting and you’re in the area I definitely recommend them: http://hssv.org/

Graffiti Analysis App

http://vimeo.com/13327615

Graffiti Analysis App

Nikon D90

I got my first DSLR and I’m having a blast with it. On my third day with the camera I managed to get some awesome shots:

From Random

From Random

From Random

I think they’re awesome, at least. I’m having fun with it.

Got Froyo on My Incredible

This morning I found that Froyo was available for my Incredible. =D

After the update, I found that the crapware previously available in the Verizon section of the Market was “preinstalled”. D=

Granted, I haven’t tried VZ Navigator so maybe it’s super awesome. But the reason I’ve never tried it is because Maps works great and I have no need… for any of this software.

High-Def for the Internet

I think I missed my calling in Marketing/PR. If we want to sell people on IPv6, here’s the slogan:

IPv6: It’s High-Def for the Internet.

True to the spirit of Marketing/PR, I make no statements about the truth of my slogan.

Guerilla Feature Request

You want a feature in a piece of software but you don’t want to implement it yourself. Luckily, you have access to the repository.

Don’t bother actually working on the feature. Don’t bother putting in a feature request. Instead, add a unit test that checks for the feature and check that in. When the software starts failing unit tests the maintainers will have to decide to toss the test or fix the test by implementing the feature. This would be slightly more effective if the checkin included other tests that were actually useful.

I think this may be apex of Test-Driven Development.

Web 2.0 has killed all the bullshit gatekeepers and put us directly in touch with the bullshit authors.

"Web 2.0 has killed all the bullshit gatekeepers and put us directly in touch with the bullshit authors."