Saturday, February 04, 2012

Encryption pt 2

I said this a while ago regarding government backdoors on encrypted devices / services:

To put it another way, the people you're hoping to catch here are the subset of criminals who know that they _should_ use encryption, but don't know that the product they're using has a built-in backdoor. Personally I think that's probably a small subset of criminals, but maybe that's just me being naive.

I guess there's another class of "criminals" that I forgot about: those who don't think they're breaking the law, or at least think that they're safely enough in the grey areas to not warrant a wiretap. Note here - interestingly we don't even know exactly what got tapped - although this article (and every other article on the subject) has "Skype" in the headline, nobody really knows _how_ they got the info - for all we know they had old-fashioned bugs in people's headsets.

At any rate, I'm pretty sure that anybody else who makes serious money in the grey is going to start looking more carefully into security...

--Nate

Saturday, September 10, 2011

Why I hate Apple (and everybody else)

So, here's our current home gear:
2 Mac laptops running OSX (personal computers) connected via Wifi
1 Linux Intel desktop (also personal, but I like working on a desktop if I'm working from home for the day) connected via Wifi
1 Linux PPC headless server (old G4 under the TV that does a lot of media functions) connected via Ethernet
1 NAS (used to back up all the above) connected via Ethernet
1 G2 (Android, Nate's phone)
1 iPhone 4 (Clau's phone)
1 iPad (for Nate's work, maybe more on that in another post)
1 iPod classic (120GB), which we generally keep in the car
1 iPod touch (8GB), which Clau got from Kraft and would like to use as the "music device" for the kitchen.
1 Altec Lansing sound dock, with an iPod connector. Unfortunately Clau's iPhone can't plug into it because she has a pink case that's ~2mm thick, and the connector just can't get through. The sound dock is very handy for playing music from an iPod / iPhone because it has a water-resistant remote control, and is therefore great for the kitchen while cooking - you don't need to wash your hands just to skip forward or whatever.

Notice that there are no desktops (i.e. permanently powered on) running a mainstream OS and that the one server with a KVM is connected via Wifi.

So, for her birthday, Clau wanted to be able to play music on her computer and her iPhone. A reasonable request to be sure. I've got all my music on the NAS share (which is sharing everything via DLNA) and my own Linux box (which can share the music in pretty much any way I want), so there must be some products that can work with that music available for iOS, right?
Wrong. At least nothing that I was able to find after a lot of poking around.
Part of the problem is that Apple users seem to be totally fine with paying for everything. OK, so everything's cheap - maybe $5, but there don't seem to be trial versions of many things, and I'm sorry but I'm not going to pay $5 just to see if maybe I want to use a DLNA client. The free ones I found were, frankly, not very nice or intuitive. Definitely not what my Apple-happy wife wants.
Another problem is that Apple seems to have kept the masses happy with iTunes. I still for the life of me don't understand why there isn't some massive Apple revolution against iTunes - it's a total piece of crap that needs to go away but just seems to get more and more ubiquitous. It seems that every Apple app _except_ for iTunes is slick, intuitive, and easy to use - I still don't get it.

So, back to my requirement to share my music out - I guess I'll have to find something that works with iTunes (which isn't available for Linux btw). A quick check found that iTunes has a feature called Home Sharing, which should at least take care of Claudia's computer and iOS devices. My initial solution plan was to create a Windows VM on my desktop that would run iTunes with Home Sharing, and just have it running all the time. There ended up being a few problems with this:
1) For some reason, the following combination produces serious problems:
  • Windows VM with bridged network adapter
  • iTunes installed
This combo results in the _entire_ system (not just the VM, but the whole darn box) instantly crashing whenever a music file is copied to the VM. Obviously that's a dealbreaker. I tried everything I could think of to get around this:

--Use a different virtualization platform:
  • KVM - doesn't support a bridged interface on a wireless device (theoretically it's possible but I wasn't able to get it to work with an hour or so's worth of poking at it).
  • VMware - VMware Server doesn't really work anymore on later Linux distros, and they've pretty blatantly EOL'd it. There are patches floating around out there on the net, but I had trouble just getting a VM up and running, and decided that this wasn't the route I wanted to take.
--Use NAT networking and just port forward the required Home Sharing ports to the VM: this doesn't work because Home Sharing uses mDNS, which is effectively a multicast, serverless method of name resolution - every device is constantly sending UDP packets to a multicast address with its own name and IP info. I think Apple does this in order to make it really difficult to spoof devices, but it makes my life tough. In the case of NAT, the packets will get from the VM to the iOS devices, but they have the internal non-routable NAT address instead of the gateway address. I briefly considered trying to do some packet mangling to change the internal IP address to the gateway IP, but that creates a whole new difficulty.
--Same idea, but use a host-only VLAN: this requires forwarding multicast packets between the host-only VLAN and my home VLAN. I tried a few packages (smcroute, pimd, even mrouted) and none of them worked - tcpdump analysis showed that they were configured correctly but simply weren't working. The conclusion I came to was that, even though the apps _thought_ that the kernel was compiled with multicast routing support, it wasn't really enabled, and a kernel recompile would be required. There are many reasons that I don't want to recompile my kernel (too many kernel mods that would have to get recompiled, plus I'd be stuck on that kernel forever, plus it might not work!).
Anyway, all this went on for a long time, till I finally decided to just set up the original way, with the limitation that I couldn't copy music files over the network to the VM, lest the entire system go kaboom. I did my initial import of music by creating ISO images of my music and attaching those to the VM, then importing from the "DVDs". I'm still working on how I'm going to get new music up there :)

So, after all that hassle (which admittedly isn't Apple's fault, although if they weren't using that stupid mDNS then I could have easily worked around the VirtualBox issues), I come to find that:
  • With my collection size (about 13k tracks) the initial connection from the iPhone or iPad is slow as molasses - it takes about 3-4 minutes to connect to the music library and load it all. And, since it loads the details of the entire catalog onto the iPhone, the performance for everything is sludgy - start searching through the catalog and you have about a 2 second lag between key presses. Definitely not good, and definitely not the way it should work.
  • Home Sharing is only supported on new Apple devices. That means that Clau's iPod won't work, despite running the latest version of iOS (and being very sluggish because of it). And, you may recall, her iPhone doesn't fit into the sound dock (which is almost a moot point since the iPhone doesn't handle our collection very well).
I spent about 2 weeks of personal time working on this, and to show for it I have my music sharing working (poorly) on 2 devices, neither one of which is the one Claudia wanted, and neither one of which can be plugged into the sound dock.

Which brings me to why I hate Apple. Part of their technological ground rules are:
1) We will make it deliberately difficult, if not impossible, for non-Apple devices to work with Apple programs / devices unless it directly benefits us.
2) We will only enable newer features on newer products, regardless of that product's technological ability to use that feature. This will force consumers to buy a newer version of that product if they want that feature.
3) We will disregard impact of newer versions of firmware on older devices (i.e. iOS 4 on the iPhone 3). (Note: I'm giving Apple the benefit of the doubt, and not assuming that this was actually an intentional breaking of the iPhone 3 - not everybody feels the same way).

I can understand the first point - Apple isn't in the business of trying to make their product work with other companies' products, especially when those other companies are potential competitors. Furthermore, everybody else (Sony, Samsung, and most notably Microsoft) is doing it too, so it's not like Apple's playing dirtier than everybody else.
Points 2 and 3, however, are unforgivable and (imho) unethical.

Anyway, enough ranting. I suppose I ought to edit this before posting it, but maybe it'll help someone else who is trying to do the same thing. Soon enough I'll post my solution (hint: it's a Squeezebox).

Wednesday, December 15, 2010

Password classification

I've been thinking a lot about my passwords and security, and am changing everything according to the following scheme:

"Unique" memorized password: Google, Password manager(s), home server (exposed to Internet).
  • These are "master key" systems - if these are compromised then the hacker effectively has the ability to get my password to anything else. As a result, the password for these is not used on anything else (really, I ought to have a separate pw for each of these, but since they're all so unrelated I've just got one for all 3).
Random stored individual passwords: All things potentially damaging (banks, brokerages, prosper, IRA, etc)
  • These are randomly generated 10-character passwords - they might get sniffed, but they're not going to get hacked. These get saved in the Firefox password DB and are also in my password manager program (KeePass, for anyone who cares)
Work password: all things work-related
  • Everything I do at work requires me to change my password every 3 months - since I have trouble with multiple passwords anyway, I just set them all to the same thing. Only one of them can be accessed from outside the intranet anyway, and my VPN is protected by a keyfob.
Easy (but still relatively secure) non-changing password: social networks and anything else that can't cost me money or too much heartache.

Useless password: sites that I really don't care about and/or don't trust.

This brings my list of passwords I'm required to memorize down to 4. I think this is pretty manageable - the only thing that I still have to worry about is accessing gmail from any kind of public computer, but I don't see what I can do about that.
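
Two parts of the scheme above lend themselves to code: generating the random stored-tier passwords, and checking that the "master key" rule holds (the memorized master password appears nowhere else, and every stored-tier site has its own random password). The following is an added example, not part of the original post; the tier names `master`/`stored`/`easy` and the site list in the sample are constructed.

```python
import math
import secrets
import string

# Alphabet for the stored, never-memorized tier: letters, digits and punctuation (94 symbols).
STORED_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=10, alphabet=STORED_ALPHABET):
    """Draw each character independently from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def reuse_violations(tiers, master_tier="master", unique_tier="stored"):
    """Return [(site, problem)] wherever the classification's rules are broken.

    tiers maps tier name -> {site: password}. Rules checked:
      1. no password from the master tier is used in any other tier;
      2. every site in the stored tier has a password no other stored site uses.
    """
    problems = []
    master_pws = set(tiers.get(master_tier, {}).values())
    for tier, sites in tiers.items():
        if tier == master_tier:
            continue
        for site, pw in sites.items():
            if pw in master_pws:
                problems.append((site, f"reuses a {master_tier}-tier password"))
    seen = {}
    for site, pw in tiers.get(unique_tier, {}).items():
        if pw in seen:
            problems.append((site, f"shares a password with {seen[pw]}"))
        else:
            seen[pw] = site
    return problems


if __name__ == "__main__":
    # Constructed sample vault: the same random string has been pasted into two bank sites,
    # and a throwaway forum account was given the master password by mistake.
    vault = {
        "master": {"google": "Master-Phrase!", "keepass": "Master-Phrase!"},
        "stored": {"bank": "r4nd0m#One", "broker": "r4nd0m#One", "ira": generate_password()},
        "easy": {"facebook": "easy-but-ok", "forum": "Master-Phrase!"},
    }
    print(f"10 chars over {len(STORED_ALPHABET)} symbols = {entropy_bits(10, len(STORED_ALPHABET)):.1f} bits")
    for site, problem in reuse_violations(vault):
        print(f"{site}: {problem}")
```

Ten characters drawn uniformly from 94 symbols give about 65.5 bits, which is why such a password only needs to survive being sniffed, not guessed; a memorized phrase rarely gets close to that, which is the point of keeping it in the password manager instead.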

Wednesday, October 13, 2010

An inspired paragraph

The tenant who is going to replace us is trying to nickel and dime us on the cost of buying our kitchen, which we bought at Ikea; truthfully it's really pissing me off, and I was writing a very long email to him; I ended up eliminating this paragraph, since it didn't fit into the general spirit of the email (i.e. "stop being a dick"). But, I thought it was too good not to share:

Truthfully, it's still by far the best option for everyone if you buy the kitchen; purchasing a new one will cost you a lot of time, money, and inconvenience. I also don't think you realize the depth and pain that was involved in doing it - the weekends lost at Ikea that could have been spent on the slopes or at the Biergarten: the endless hours spent at home using Ikea's software to configure the kitchen just right, only to find out later that a single item has been discontinued and now you need to start over: the soul-crushing lunches spent staring with exhausted, glassy eyes at your lover over a platter of meatballs as you wash down yet another aspirin with generic Swedish cola-flavored soda, too mentally worn out to think about anything except that the day's only half-over, and you've lost count of the number of Saturdays you've wasted in this yellow-blue hell, and you know in your heart of hearts that when you stumble out of those glass doors tonight, looking like a drunkard getting kicked out of a bar after last call, that you STILL won't have purchased a kitchen. THAT is what you are negotiating yourself into.


Of course it's very late, and I've spent the last hour or two writing this email, and the last hour or two before that fuming and trying to calm myself down so I could write the email, and the last many hours before that trying to get all my loose ends tied up for work before we go to EGYPT on Friday (w00t!) for 2 weeks - then it's almost immediately back to NY for an apartment-hunting trip, then we get 2 last weeks in Munich to say good-bye to everyone, then back to NY for good on Nov 22 or so.
Anyway, enough babbling - time to get to bed - our young friend Maike has her Vierteljahrhundertegeburtstag tomorrow, so we're all celebrating, and I don't want to look like too much of an old man.

Thursday, October 07, 2010

Poker heartbreak - long explanation of a single hand

Nothing really interesting here unless you're curious about how I think about poker hands while I'm playing them.
Normally I try to stay away from bad beat stories, but this one stung.

Context: $2 rush rebuy tournament, I bought a rebuy before playing the first hand but never busted, so I've invested $4.20, at this point average stack is about 16k chips, I have 45k chips, there are about 250 players left out of a starting field of roughly 2000, with 200 or so spots paying and top prize of something ludicrous like $3k. I've been kicking ass and taking names with a very TAG game (which works really well in big-field Rush tournaments) and have invested about 2.5 hours into the tourney at this point. If I wanted to, I could walk away from the computer and be virtually guaranteed of a modest payout (like $10 or so) without even playing anymore. Then, this happens:

# my comments are preceded with hash marks and hopefully in blue.
############
Blinds are 250/500 with 50 ante. 9 players:

Button (t26498)
SB (t18929)
Nate (BB) (t45179)
Villain1 (UTG) (t62225)
UTG+1 (t49932)
MP1 (t34285)
MP2 (t34868)
Villain2 (MP3) (t20466)
CO (t73117)

Nate's M: 37.65

# "M" is a term for how many orbits you could survive without playing (just paying the blinds and antes) before you go bust. Above 20 and you're sitting pretty, and you can afford to be a little looser in your play. Between 10-20 and you need to be a bit worried and should be playing pretty tight, below 10 and it's about time to think about "all-in or fold pre-flop" on every hand.

Preflop: Nate is BB with 8, J

Villain1 calls t500, 3 folds, Villain2 calls t500, 2 folds, SB calls t250, Nate checks

# J8s is a decent hand but certainly not great from early position, particularly against 3 other players. If someone had raised I probably would have folded, but I'm happy to see a free flop.

Flop: (t2450) A, 3, 10 (4 players)

# At this point I have a draw to what is likely to be a winning flush. Since nobody raised pre-flop, I'm guessing that someone has probably paired his weak ace or T, maybe someone has hit 2-pair, and at best someone might have flopped a set or 3s or Ts. Since there's a flush draw on the board, if someone flopped a set or 2 pair then they're probably going to make a big bet here to discourage people like me from trying to hit that 3rd spade.

SB checks, Nate checks, Villain1 checks, Villain2 checks

# Cool, another free card. I guess the flop either missed everybody, or possibly someone else has a spade flush draw (unlikely, but possible).

Turn: (t2450) 7 (4 players)

# Sweet! Now I'm really hoping that someone has an Ace, maybe 2-pair, or maybe even a smaller flush than mine. It's also possible that someone has the Q or K of spades along with another non-spade card, which means that a fourth spade would make things dangerous.
#Given that I am pretty darn sure that I have the best hand at the moment, I need to bet this - how much? Not so much that everyone's going to instantly fold, but enough so that it's not worth it for someone with that K or Q to call the bet in hopes of hitting the fourth spade. A bit more than half the pot should do it - pot is about 2500, so we'll bet 1500.

SB checks, Nate bets t1500, Villain1 calls t1500, Villain2 raises to t4500, SB calls t4500,

#Well that didn't work out the way I planned. I thought that at least one player would fold and one or two would call or possibly raise. Didn't see this coming. So, what to do?
# Villain1 just called my bet, so I don't think that turn hit him - I'm guessing he either has a flush draw, 2 pair, or maybe just a relatively weak Ace, something like A9. Keep in mind that this guy limped under the gun.
# Villain2 raising really concerns me, because he's indicating that that turn hit him. Best case, he's got a smaller flush or he's making a semi-bluff with the K or Q of spades. Worst case, he's got a better flush than me. Ditto for SB, especially since for him the odds are actually in favor of calling that bet if he has a big flush draw.

# So, what to do? Stats right now:
# Pot: 14500
# My stack: 44629
# Villain1: 61675
# Villain2 and SB both have about the pot size (15k or so) left in their stacks.

# So, possible actions:
# Fold: not gonna happen. If I'm beat by a better flush, so be it, but I really don't think that's happened.
# Call: If I call, then Villain1 is definitely calling behind me, since he'll be getting roughly 4.5:1 odds on his money; there aren't a lot of hands where he wouldn't call that. The big problem with calling is that it gives everybody one more chance to beat me. If someone has the K or Q of spades it gives them a chance on hitting that last spade, and if someone has 2-pair or a set then it gives them a chance of hitting a full house. In any of those scenarios, my opponent has less than a 20% chance of hitting it, and I need to make it not worth it for those folks to keep playing.
# Raise pot (~15k): probably a good option - for Villain2 and SB that's all-in, which they're probably not willing to risk on a draw, but definitely might be willing to risk with 2-pair or a set (which would be very good for me since I have either of those pretty well crushed). However, if Villain1 calls (which he seems to be prone to doing) and the river card is a 3,7,T,A, or a spade, he'll probably be able to take the pot away from me with an all-in bet. If none of those outs fall on the river, he'll obviously have missed, and I won't get any more money out of him. Keep in mind he's got position on me, so if I'm pretty sure I've won on the river, I need to either bet, or check and hope that he bets (and he seems to be playing pretty passively, which means he probably won't bet, and will probably fold if I bet more on the river).
# Raise all-in: puts max pressure to fold on Villain1, and also vastly increases the pot size if Villain1 comes along. My guess is that he'll fold to a shove bet, or else he'll turn over 2-pair or a set, which I currently have crushed. Although I want him to fold, there's an upside if he calls: if everyone calls, the pot becomes about 60k - however, each of my 3 opponents could have a different draw against me - someone could have a set of 7s, someone could have 2-pair, someone could have a flush draw. If any of those hit, then that player is taking the entire pot. However, if Villain1 calls my shove, then he and I have a side-pot which I am most likely going to win.

# So, obviously I'm raising. Let's recap the "how much" question:
# If I raise pot, then we end up having a pretty big pot (somewhere between 30-60k) - if no outs hit then I'm going to win the pot, but it's extremely unlikely that I'll get any more money out of Villain1, and Villain2 and SB will already be all-in.
# If I raise all-in, then hopefully I get Villain1 out of the equation, and even if I don't we have a big side pot. In the likely event that I win the whole thing, it also increases my stack to more than 100k, which would put me pretty close to the chip lead in the tournament.

# Sorted. All-in it is!

Nate raises to t44629 (All-In), Villain1 raises to t61675 (All-In), Villain2 calls t15416 (All-In), 1 fold

# Again, not exactly what I expected! But, since everybody's all in, let's turn over the cards:

Nate turns over 8, J (flush, Ace high) (80.95% to win).

Villain1 turns over A, A (three of a kind, Aces) (16.67% to win).

Villain2 turns over 7, 7 (three of a kind, sevens) (2.38% to win).

#At this point I'm pretty proud of myself, and relieved that nobody turned over a better flush. I am, however, astounded at the donktacular play of Villain1. Limping UTG with AA? Checking after the flop after hitting a set, with 4 players and a flush draw on the board? Really?
#According to my handy odds calculator, I now have an 81% chance of winning this. Any card that pairs the board gives Villain1 a better hand than me, but as you can see the odds are definitely against that. Poor Villain2 is really SOL - the only card that can give him the win is the last 7 in the deck, otherwise he's done.

River: (t116124) 7 (3 players, 3 all-in)

#Ouch.

Total pot: t116124

Results:

Nate had 8, J (flush, Ace high).

Villain1 had A, A (full house, Aces over sevens).

Villain2 had 7, 7 (four of a kind, sevens).

Outcome: Villain1 won t49426, Villain2 won t66698, Nate is out

I started this as a bad-beat story, but then thought that I might as well turn it into a "here's what I was thinking" sort of post. Writing these actually helps me organize my thoughts and analyze my game a little bit, so it's worth it to take the time once in a while. So, a couple of final thoughts:
1) For this one, I'm very happy with the way I played it. If presented with the exact same scenario after the turn, I hope that I would make the exact same all-in raise. If you want to enjoy the game, then you need to be able to say "I made the best play, and if I ended up in the exact same situation again, I'd do it the exact same way. Unfortunately, there is also a big element of luck, and in this case it went against me."
2) WTF is up with fools limping in w/ AA? This is like the 4th or 5th time I've seen this lately. Funnily enough, I've seen the aces get cracked every time except the two times it's been me on the receiving end of the AA limp. Add to that Villain1's lack of post-flop betting / raising, and you realize that you just lost your entire stack and gave the chip lead to a truly awful player. That stings far worse than the bad beat...
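
The two numbers the post leans on, the M of 37.65 before the hand and the 81% / 16.67% / 2.38% split after the turn, can both be recomputed rather than taken from an odds calculator. The following is an added example, not code from the original post: a small five-card hand evaluator, a best-of-seven wrapper, and an exhaustive enumeration of the 42 live river cards. The hand history shows ranks only, so the suits are an assumption: the ace and seven on the board and Nate's 8 and J are spades (the post says "flush, Ace high"), the 3 is taken as the second flop spade, and every other card gets an arbitrary non-spade suit; the equities do not depend on which non-spade suits are chosen.

```python
from collections import Counter
from itertools import combinations

RANKS = "23456789TJQKA"
SUITS = "shdc"


def card(text):
    """'As' -> (14, 's'); ranks run 2..14 so they compare numerically."""
    return RANKS.index(text[0]) + 2, text[1]


def rank5(cards):
    """Score exactly five cards; a higher tuple is a better hand (category first, then kickers)."""
    ranks = sorted((r for r, _ in cards), reverse=True)
    counts = Counter(ranks)
    # Group ranks by multiplicity, biggest group first: AAA77 -> [(14, 3), (7, 2)]
    groups = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]), reverse=True)
    ordered = [r for r, _ in groups]
    pattern = [c for _, c in groups]
    flush = len({s for _, s in cards}) == 1
    uniq = sorted(counts, reverse=True)
    straight_high = 0
    if len(uniq) == 5:
        if uniq[0] - uniq[4] == 4:
            straight_high = uniq[0]
        elif uniq == [14, 5, 4, 3, 2]:  # the wheel, A-2-3-4-5
            straight_high = 5
    if flush and straight_high:
        return (8, straight_high)
    if pattern == [4, 1]:
        return (7, *ordered)
    if pattern == [3, 2]:
        return (6, *ordered)
    if flush:
        return (5, *ranks)
    if straight_high:
        return (4, straight_high)
    if pattern == [3, 1, 1]:
        return (3, *ordered)
    if pattern == [2, 2, 1]:
        return (2, *ordered)
    if pattern == [2, 1, 1, 1]:
        return (1, *ordered)
    return (0, *ranks)


def best7(cards):
    """Best five-card score among any seven cards (two hole cards plus the full board)."""
    return max(rank5(combo) for combo in combinations(cards, 5))


def river_equities(hands, board):
    """Enumerate every live river card; return each player's share of pots won (ties split)."""
    deck = [(r, s) for r in range(2, 15) for s in SUITS]
    dead = set(board) | {c for h in hands for c in h}
    live = [c for c in deck if c not in dead]
    wins = [0.0] * len(hands)
    for river in live:
        scores = [best7(list(h) + list(board) + [river]) for h in hands]
        top = max(scores)
        winners = [i for i, s in enumerate(scores) if s == top]
        for i in winners:
            wins[i] += 1 / len(winners)
    return [w / len(live) for w in wins]


def m_ratio(stack, small_blind, big_blind, ante, players):
    """Harrington's M: orbits of blinds and antes the stack can pay before going broke."""
    return stack / (small_blind + big_blind + ante * players)


if __name__ == "__main__":
    print(f"M before the hand: {m_ratio(45179, 250, 500, 50, 9):.2f}")
    nate = (card("8s"), card("Js"))
    villain1 = (card("Ah"), card("Ad"))   # non-spade suits assumed
    villain2 = (card("7h"), card("7d"))   # non-spade suits assumed
    board = (card("As"), card("3s"), card("Td"), card("7s"))
    for name, eq in zip(["Nate", "Villain1", "Villain2"], river_equities([nate, villain1, villain2], board)):
        print(f"{name}: {eq:.2%}")
```

The enumeration reproduces the post's split exactly: 34 of the 42 live cards leave the flush best, the one ace and the three remaining 3s and 10s fill Villain1's full house (7/42), and the case seven gives Villain2 quads (1/42); a river 7 counts for Villain2 rather than Villain1 because quads beat the full house it would also make.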

Tuesday, September 28, 2010

Encryption

This article caught my eye. I could go on about this at length, but I can boil it down to two points:
1) If you create a backdoor for the "good guys" to access something of value, then it's only a matter of time before it's used by some "bad guys". The time it will take for this to be compromised is inversely proportional to the value of the information. Considering how many corporate secrets are on Blackberries, I'd say it wouldn't take very long (although such a breach might not make the news, or even be discovered at all).
2) Anybody with any brains or resources is going to come up with his/her own way to encrypt communication rather than relying on a Blackberry / Skype / etc. One nice thing about modern cryptography is that you don't need to be an expert in it to use it effectively. To put it another way, the people you're hoping to catch here are the subset of criminals who know that they _should_ use encryption, but don't know that the product they're using has a built-in backdoor. Personally I think that's probably a small subset of criminals, but maybe that's just me being naive.

This is completely ignoring the surety that any such backdoor will be abused by the guvmint, of course, but when I start going down that road I sound like I should be wearing a tinfoil hat.

--Nate

Tuesday, August 24, 2010

More Android fun and frustration

Ever since I bought a bike, I've been taking rides through the city when the weather is nice: it's a great way to burn off a few beers' worth of calories, while also getting some sun and seeing some parts of the city that I wouldn't otherwise see. Although there are many streets that are a bit dangerous on a bike, Munich is extremely bike-friendly, and there's almost always a pleasant, safe, and scenic route to get just about anywhere.
Android now has an awesome Navigation system that gives turn-by-turn directions. It's theoretically got biking directions (although that's not available here in Munich yet). So, I figure, an obviously great implementation of this tool would be the following:
1) Go to Google Maps and cross-reference it with the Munich bike path map (http://maps.muenchen.de/radlstadtplan_2009/radlstadtplan_2009.html?str=Marienpl.&num=8)
2) Plan out a nice scenic route for the day that utilizes bike paths as much as possible, and goes through one or two parks, monuments, or whatever.
3) Export the route in Google Maps via one of the many methods available
4) Pop it into the nav system, pop in one of my headphones, and go!

Instead, there's virtually no integration, which means that I either have to memorize my route (or else keep popping out my phone and double-checking my location on the way), or else utilize the default Navigation routes, which always go through the dangerous, ugly, car-priority streets.

Off the top of my head, I can think of many applications for this tie-in:
--When going to your friend's new place, he can send you a route of the best way to get there.
--You're going to a picnic in the park, and you want to send your friends the best route to the closest parking lot.
--You want to publish some of the best walks or bike rides in your favorite cities.
--You found a great shortcut in town and want to share it with all your friends who regularly have to drive through the same area.

Or whatever. What confuses me is that this functionality has got to be really, really easy for Google to build in; the hard part is figuring out the route, and that part's already done! The Nav software only needs to shout out the directions - shouldn't that be easy?

Anybody else find this to be a maddening lack of obvious, simple functionality?