Random Oracle

July 5, 2009

Electrons are electrons: price discrimination and phone accessories

Filed under: economics, mobile — cemp @ 8:38 am

Observation from a recent involuntary 8-hour layover at San Francisco airport, compliments of incompetent United Airlines stranding half the passengers on a flight from Sydney after the plane was delayed.

This blogger had an HTC G1 out of juice and no charger. A quick stop at the local gadgets shop was necessary to find a way to power the device again. The iGo units are ubiquitous at airports and, with a flexible arrangement of power unit and swappable tips, promise to power just about any device. Tips are sold separately and this is where a bizarre pricing scheme enters into the picture: the tips for the Motorola Razr were priced $2 less than the tips for T-Mobile/Google G1. They are the exact identical form factor: mini-USB. Even if the G1 draws more current, that would be handled by the iGo power adapter which already has enough smarts to handle varying demand from an array of different models. A USB cable is a USB cable.

Presumably this was a case of price discrimination: since the G1 is a more expensive smart-phone, owners are assumed willing to pay more for accessories as well, even when they are virtually identical to accessories for more basic phones. That may work in economic terms but much to the manufacturer’s dismay, electrons do not care if they are being delivered from a “premium” cable or basic cable. Mobile phone manufacturers are notorious for trying to create various lock-in effects, for example by restricting which chargers can power a particular phone in an attempt to create artificial differentiation between otherwise identical units. But paying more for the same copper connections does not make the current magically more capable of delivering electricity. (This is the same problem that vendors of expensive pointless HDMI cable face: with an error-corrected digital signal, the quality of the cable is hard to compete on.)

CP

July 17, 2008

Vintage code, common hardware and value of backwards compatibility

Filed under: MSFT, mobile, review, software — cemp @ 5:55 pm

A data point on the value of backwards compatibility. This is an area where MSFT is frequently slammed, for its insistence on favoring compatibility with past mistakes instead of throwing everything overboard to start over again– the way Apple has done with OS-X and later switching to Intel x86 chips.

Imagine having to demonstrate an application running on Windows Mobile to a crowded room full of security professionals. This code will not run on the emulator– and even if it did, emulation hardly makes for a compelling demo. “Code always wins” as the old MSFT adage goes and working code on an actual device is the gold standard. This is the predicament confronting the blogger next week. Slide decks are not a problem; they can run off a locally installed PowerPoint or OpenOffice instance (the import process still loses some details if the latest eye-candy from Office 2007 is used) or better yet run from the cloud-hosted Google Presently. Showing UI from the device is a different challenge.

Most phones cannot project the view of their own display to an external monitor using a standard VGA, DVI or HDMI output. (Oddly enough a few can project other video over Bluetooth to specialized devices and there are nascent efforts to give phones projectors of their own.) Having a dedicated, fixed camera pointing at the phone was not an option in this setting. And since it is not possible for dozens of people to cluster around a single handset trying to get a peek at the tiny screen, one option is to capture static screenshots at relevant points and project these as part of the slide-deck.

Even that is non-trivial: there is no “print screen” functionality on Windows Mobile out of the box. One quick Google search finds several third-party substitutes, including a freeware version from Ilium software. Luckily the search results also unearthed a better solution. An entry on the Windows Embedded Blog dated November 2004 references a Remote Display application included as part of the Windows Mobile Power Toys. This is good news; power toys are officially unsupported applications typically written by MSFT developers on the side. According to the description, Remote Display shows a real-time view of the phone display mirrored on the desktop. Much better than static screen-shots, and the audience can now follow along with the exact flow.

One problem: the Power Toys are dated December 2003. Supported operating systems on the download page include W2K SP3– long defunct– as well as “Windows Mobile 2002 based smart-phones.” In other words, this code is archaic. The MSI installed without a problem on Vista, even bearing a proper Authenticode signature to keep the inane UAC prompt happy about reporting the author. But the first attempt to run it with an HTC Diamond failed with an error message about unknown CPU type on the device. Not surprisingly, 5 years after the code was written, the architecture of mobile devices, as well as the operating system MSFT is shipping to run on these devices, had become unrecognizable under the assumptions the original author had made. Vista does not even have a separate Active Sync component; instead Mobile Device Center handles synchronization with phones.

But the README file provided plan B: the instructions described what to do for that particular error. The recommended fix was to manually find the correct binary for the mobile device and copy it over. There were not exactly many choices either: Windows CE 3.0, CE 4.0 and smartphones based on CE 4.0. Each OS SKU had a corresponding array of architecture choices, including x86, MIPS and ARM4. As for the device? It is running Windows Mobile 6 on ARMv5i.

So it was a surprise that copying the ARM4 binary built for CE4 worked: Vista could mirror the device screen in real time. Even more impressively, Remote Display works both ways: clicking on the phone UI from the desktop PC actually sends the mouse clicks to the phone, allowing the phone to be driven by the full-size mouse and keyboard combination.

This is one of the rare cases where the insistence on backwards compatibility paid dividends. Not only did the ARM processor have to remain backwards compatible and run binaries compiled for an earlier version, but Windows Mobile itself had to evolve such that code written for earlier CE variants could run without any changes.

cemp

November 29, 2007

Verizon changes the tune

Filed under: economics, markets, mobile — cemp @ 12:50 am

The tune around open-access, that is.
After suing the FCC around the spectrum-auction rules, the wireless carrier decided to reverse itself and embrace an open network. This is an unusual move, because until now telcos have jealously guarded access to their channels. Not content to be passive data pipes over which other people build higher-margin services, they have been trying hard to move upstream in the value chain. Keeping tight control over the devices that can connect to the network is one way to fend off any potential competitors in this already difficult uphill battle.

Verizon points to the innovation that will result from lower barriers to entry and this story makes for very good PR on paper. Not that the business side will necessarily suffer from this act of altruism– if the vision is realized, the new devices and services will drive more customers who will still be paying Verizon $$$ for air-time. In that sense the only downside is loss of incidental revenue from sales of phones and other equipment. But considering these were heavily subsidized to start with, the only collateral damage may be the close relationship with Motorola, Nokia, LG and other manufacturers who will lose their lock-in effect on Verizon customers.

That said, until other telcos allow their customers to use existing devices with a competing network– something they have no incentive for and unlike Europe, no legal obligation to provide by unlocking phones– this is still one-hand clapping. Any increased customer choice will have to come from new devices yet to be designed, not the potential to use an existing device from another provider with the network.
cemp

September 14, 2007

Commoditizing the exploit: iPhone saga continues

Filed under: Security, economics, mobile, software — cemp @ 8:59 pm

The release of the iPhone in July and its tie-in to one particular wireless carrier set in motion a sequence of inevitable events:

  • Interest from the security research community in finding ways to defeat the system. If the device actually provided a semi-officially supported way to unlock, this would have taken all the fun/challenge out of it. But by tying the device to AT&T, Apple was throwing down the gauntlet– an especially attractive target given the strong emotions (generally of hatred) inspired by any telco.
  • Simultaneous discovery and release of an exploit that unlocks the phone hitting the news.
  • Much discussion over how Apple/AT&T would respond and whether the cease-and-desist letters would start flying.
  • Commercial version of the “exploit” available for sale online from iPhoneSimFree. This is one click hacking-for-the-masses.
  • True commodification arrives with a free version of the same software.

Next steps one can extrapolate from here:

  • Apple responds by “fixing” the vulnerability that allowed unlocking in software. This will likely get pushed out as a forced update to all devices. Because it is a closed network and interacts with servers in the cloud, updates can become the offers that a customer can’t refuse. Users are denied service unless their phone is running the latest and greatest version of the software. (There is still one catch here: it is difficult to remotely verify the software run on a device on the other side unless the device itself has trusted hardware. This is the so-called remote attestation problem that Palladium/NGSCB tried to solve with TPMs. But for most purposes relying on the device to report its own version works; non-compliant devices would have to be tweaked to consistently report bogus configuration to pass this basic check.)
  • Arms race in full swing: now that the first exploit stopped working, there is fame and glory again in releasing a new one that can unlock the patched iPhone.
  • Apple responds, issuing another fix. Lather, rinse, repeat.
  • And perhaps optimistically: sanity prevails and Apple realizes that this is a waste of corporate resources. Much the same way that Apple finally realized DRM is a waste of time, one can hope they will reach the conclusion that tying users to one particular carrier is an outdated business model made possible only by the archaic nature of wireless networks in the US and lack of proper competitive dynamics in the marketplace.
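The catch noted in the forced-update bullet above, sketched as an added example that is not part of the original post: a server-side gate that trusts a self-reported version string, next to a nonce-based quote from trusted hardware. All names and values are hypothetical, and an HMAC with a shared key stands in for the asymmetric attestation key and measured boot a real TPM would use.

```python
import hashlib
import hmac
import secrets

REQUIRED_VERSION = "9.9.9"  # constructed version string, not a real release
PATCHED_FW = b"constructed firmware: patched build"
MODIFIED_FW = b"constructed firmware: modified build"
EXPECTED_MEASUREMENT = hashlib.sha256(PATCHED_FW).digest()


def self_report_check(reported_version):
    """Server-side gate that trusts whatever version string the device sends."""
    return reported_version == REQUIRED_VERSION


class TrustedHardware:
    """Stand-in for a TPM-like chip. Assumption: software on the device can ask
    for a quote but cannot read the key or alter the recorded measurement."""
    def __init__(self, device_key, booted_firmware):
        self._key = device_key
        self._measurement = hashlib.sha256(booted_firmware).digest()

    def quote(self, nonce):
        tag = hmac.new(self._key, nonce + self._measurement, hashlib.sha256).digest()
        return self._measurement, tag


class Verifier:
    """Server side: issues one-time nonces and checks quotes against them."""
    def __init__(self, device_key):
        self._key = device_key
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, measurement, tag):
        if nonce not in self._outstanding:
            return False  # never issued, or already used (replay)
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce + measurement, hashlib.sha256).digest()
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(measurement, EXPECTED_MEASUREMENT))


def run_demo():
    key = secrets.token_bytes(32)
    server = Verifier(key)
    patched = TrustedHardware(key, PATCHED_FW)
    modified = TrustedHardware(key, MODIFIED_FW)
    # Any device can send the required string, so this check passes regardless.
    results = {"self_report_spoofed": self_report_check(REQUIRED_VERSION)}
    n1 = server.challenge()
    old_quote = patched.quote(n1)
    results["patched_attests"] = server.verify(n1, *old_quote)
    n2 = server.challenge()
    results["modified_attests"] = server.verify(n2, *modified.quote(n2))
    n3 = server.challenge()
    _, tag = modified.quote(n3)  # tag covers the real measurement, not the claimed one
    results["swapped_measurement"] = server.verify(n3, EXPECTED_MEASUREMENT, tag)
    n4 = server.challenge()
    results["replayed_quote"] = server.verify(n4, *old_quote)
    return results
```

Only the quote from the device that actually booted the patched build verifies; the self-reported string passes no matter what is running.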

cemp

June 29, 2007

Virtualization considered harmful?

Filed under: Security, mobile, software — cemp @ 9:29 am

First Gartner published a report in April arguing that virtualization– which the company had called a “mega trend” earlier– presents security risks. Now a more recent article in DarkReading suggests that it is not just Gartner consultants who share that opinion. In Security Fears Slow Virtualization, the website reports that about 50% of IT professionals who are either using VT today or considering adoption in the next 18 months believe it introduces new security challenges.

Among the respondents to the emedia survey, the chief security concerns were about virtualization patching and updates (32 percent), guest-to-guest attacks (27 percent), and the addition of new host software (22 percent).

This echoes the risk pointed out by Gartner, which included the observation that network-based intrusion detection/prevention systems do not have visibility into intra-VM traffic. (That limitation only applies when the VMs are on the same physical host.) Even stranger, according to DarkReading, is the finding that the later an IT shop is considering implementation, the greater their security concerns. This could be interpreted in two ways. Either there is insufficient information and the more people learn about VT– inevitably at the 11th hour when the project is going live– they become more comfortable. The second interpretation is a selection bias: the system administrator concerned about a technology is not going to deploy it anytime soon, so the answers are consistent with prioritization.

But backtracking for a minute, these articles seem to miss the bigger picture, namely that properly used, virtualization can be an important weapon for improved security. It provides compartmentalization between different components of a system running on the same hardware and does so with assurance greater than any other mechanism, including operating systems or constrained programming environments such as Java. For example, using a virtual machine to experiment with malware is standard practice among researchers. Many trees were killed over academic papers suggesting various designs that employ VMs to confine untrusted applications. Similarly, the paper When Virtual Is Harder Than Real pre-dated Gartner’s critique, pointing out the security challenges for virtualization in a much broader context than enterprise hardware consolidation. For example the authors noted that when VMs are used for mobility, integrity of the image becomes crucial because infection of a machine image is equivalent to a virus infecting a binary. Bottom line is that few of these concerns are new. Virtualization can be (and has been) leveraged in ways that increase security assurance. Equally likely is a configuration that aggravates one or more existing problems, such as patch management, that gets an added dimension in the context of VT.

cemp

February 4, 2007

Mobile USB computing on the cheap (part II)

Filed under: mobile — cemp @ 2:29 pm

An earlier post here pointed out examples of companies commercializing mobile USB computing, which promises to roam the entire computing environment, applications, data, settings and all, on a portable USB drive ready for work anywhere. Each one is predicated on use of special software on the USB device and sometimes custom versions of apps tweaked for roaming. In this second installment, we’ll discuss getting 90% of that functionality with freely available software and zero modifications to apps for roaming.

Key ingredient is virtualization. That term is ambiguous because VT can exist at any level, but in this case we are referring to machine-level virtualization a la VMware, Virtual PC and Xen. These systems create the appearance of multiple, completely independent PCs (called “guests”) on top of a single computer (called the “host”). This has been a very active field in recent years, with the lion’s share of commercial R&D efforts focused on server consolidation in the enterprise. Because managed IT environment costs are often directly related to number of physical servers, having one beefy server run multiple virtual machines to replace a handful of dedicated servers translates into directly measurable savings. But virtualization has broad implications and mobility is an obvious scenario. Because a virtual machine is represented by an ordinary file, no different than a Word document or a photograph (albeit a very large one), roaming this file amounts to roaming the computer. Any machine with the compatible VMM can run the virtual machine, which contains all the applications and data the user needs.

As for implementing this in practice:

  1. Grab one of the free virtualization solutions. This author recommends Virtual PC for consumer scenarios, although VMware’s excellent VMware Player is a second-best, limited by the fact that it can not create new machines. (VMware Server and Virtual Server R2 are also free, but they are more aimed at server/enterprise scenarios.)
  2. Create a new virtual hard disk of type “dynamically expanding”; the default size is generally sufficient. Use the mobile drive for storing this file.
  3. Create a new virtual machine, also saved on the mobile drive and attach the virtual disk image created in step #2.
  4. Boot the VM and install a new operating system from CD or ISO image. This is the tricky step because depending on the conditions of purchase, the new OS may require an additional license. If the idea of worrying about OS licensing and activation frustrates you, there is always a great selection of open source distributions such as Ubuntu variants.
  5. Install virtual machine additions. This allows seamless integration of mouse and keyboard between guest/host.
  6. Install applications in the VM, configure settings as you would on any PC and copy over data. (See earlier point about licensing.)

The mobile environment is ready. Any other PC running Virtual PC– or for that matter VMware Player, which has the impressive feature to import VPC images– can recreate the machine. Since these are both free downloads, that is not setting a very high bar. As a backup option, the installers for VPC and VMware Player can be carried around on the USB drive as well, just in case. VPC allows working with the machine in full-screen mode where the guest takes up the full screen, creating the illusion of a dedicated PC. One can even “hibernate” the machine by saving its state on the USB drive on one PC and restoring from saved state on a different PC.

There are a number of limitations to this approach, some of which apply to any roaming solution. The final post in the series will cover these challenges.

cemp

January 28, 2007

Mobile USB computing– and they are charging what for this?

Filed under: mobile, review — cemp @ 11:54 pm

Mobile computing with USB devices seems to be all the rage these days. The premise is simple: instead of lugging around a laptop/PDA or other general purpose computing device, users only need to carry around a small portable drive which will contain their data and even applications. This drive can be attached to any PC they run into, to recreate the same environment from any machine. Since many people carry around an iPod or other portable media player that doubles as USB drive in any case, the past objection around having to carry around one more gadget is disappearing.

Three commercial examples of this concept in action:

But a closer look at the options raises some questions.
U3 is best characterized as a new application development model, to allow Windows apps to run from a USB drive instead of requiring installation. This is easier said than done because a lot of Windows apps depend on having various resources located on the host PC– for example the registry is used to store configuration. When a random USB drive is attached to the PC and an application tries to run, the components it is looking for will not be there. (Simply carrying around the installer isn’t going to work necessarily; aside from requiring administrator rights on the host PC, it will not port the user preferences.) So there is a sizable amount of work required and some componentized applications may not work correctly this way at all. This is one of the reasons the list of “supported applications” in U3 is very limited. Don’t look for any of the major productivity applications here. With the exception of Firefox, most are substitutions / replicas.

Ceedo looks very similar. In the basic version, the applications that can be installed this way have to be checked for compatibility one-by-one with the vendor and tweaked as necessary. This is a closed-ended selection in the “Ceedo Programs Directory” according to the FAQ on the website. But there is an “InstallAnything” add-on which promises to allow installation of any application, using the ordinary installer. (No details on how this works.)

Mojopac has a different paradigm: instead of trying to get applications to cooperate with Windows it creates the appearance of machine-within-a-machine, to run all the user applications in a different environment. Because these machine images are large, Mojopac is specifically targeted at using an iPod or iPod mini/nano as the storage device. That works around space requirements but on the downside a hard-drive based iPod will be slower than a flash drive. Virtualization provides for greater flexibility including full freedom in choice of applications to install on this mobile environment. Of course the customer still needs to have a license for the operating system and any apps they plan on installing in the guest. Interestingly enough, the Mojopac FAQ points out the limitations in the approach used by Ceedo and U3:

“Why do I need MojoPac to install and run applications from a USB Device? Can’t I just do it without MojoPac?
No, this is not possible. You can use a standard USB storage device only to carry data (files and folders). But standard storage devices cannot be used to carry applications. MojoPac uses a lot of Mojo Magic to add portability to off-the-shelf Windows applications… Secret Mojo Sauce!”

And the problem is, this secret sauce is not exactly a well-kept secret. It is called virtualization. It is unlikely that MojoPac is doing whole machine virtualization (a la VMware, Virtual PC/Server or Xen) because the space requirements list 30MB for the base app. But the fact remains that 90% of this functionality is available for free using existing off-the-shelf software.

A follow-up post will discuss exactly how.

cemp
