What the fsck is up with removing tethering support for unauthorized carriers in iPhone os 3.1.2? Seriously, what could possibly excuse this lameass stunt? Oh wait, the Apple folks are probably making good on some backalley promise made to authorised carriers.

Maybe it’s time to try out the Nokia N900 with its sweet Qt support, even if it does look and feel like a brick.

I am not going to go into details about the procedure, as it has been, well, excruciating.

Suffice it to say that I am one of the few to have had to follow courses after successfully defending my masters thesis.

Now, I’ll be over here waiting for the prince of darkness to call me up requesting by diploma back. This time around, he will have to pry it from my cold dead fingers though.

For a few years now, I haven’t really bought any new music, so a few weeks ago I decided that I was getting seriously tired of listening to the same ~1000 tracks over and over again. To get things rolling, I initially bought a few albums through the iTunes music store (ITMS). I then realised that I was getting screwed with my pants on: prices on the iTunes music store are way above prices at stores like cdwow.com in spite of the facts that the quality is much poorer, I don’t get the physical album and the tracks will only play on a very limited number of devices. If it wasn’t because ITMS is so damn convenient, it’s difficult to see why anyone would want to buy anything through it.

What to do instead I wondered. The answer: Order CD-ROMs from virtual shops like cdwow.com. So, I went ahead and ordered a few albums (Apollo 440 and Eminem). The cdwow website estimated delivery within 10 days. Yesterday, after 4 weeks of waiting, the CD’s finally arrived in my mail box. It was always my intention to simply rip the CD’s to mp3’s. Who really wants to tote around a stack of CDs these days? But, lo and behold, the Eminem disk appears to be DRM-protected to the extent that my PowerBook refuses to even read it, let alone rip it. (The Apollo 440 ripped fine, though).

Compare this (and the associated exorbinant fees) to pointing your browser at sites such as isohunt.com or thepiratebay.org and you have a very uncompelling alternative to pirating (big label) music.

I all fairness I feel compelled to point out emusic.com, which provides an extremely streamlined interface to loads and loads of indie-label music at very modest prices.

Long story short: The big-label industry is not going to overcome their problems with pirating any time soon. At least not as long as pirates get a better product for free, than what paying customers can even begin to hope for.

He writes:

C’mon people, do you actually think a company would just hand over your data to anyone with a badge that walks in the door?

(…)

Of course Mozy’s TOS says that they will comply with a court order to hand over your data if subpoenaed. That’s the law.

That’s fine. Don’t make statements to the opposite at the top of your privacy policy then. If I was suspiciously inclined, I would suspect that the company bets that nobody bothers to ready beyond the first promising paragraph. Also, I find it interesting that this guy completely ignores this excerpt from the privacy policy:

Mozy, Inc. may disclose Personal Data, including the data you back up with the Service, with or without notice (…) (c) at our sole discretion, where we deem it necessary to protect the safety of any individual or the general public or to prevent violation of our User Agreement or the rights of Mozy, Inc. or any third party.

As far as I can tell, that allows Mozy, Inc to disclose your personal data under any circumstances, not just when subpoenaed to do so.

Finally, Ryan makes some rather clueless statements about cryptography:

• He states that “(blowfish is )impossible to decrypt”. No it is not. There are no known attacks on the the algorithm, except, obviously brute force. That is not the same as it being impossible to decrypt.
• To my knowledge, Mozy, Inc’s blowfish implementation is not publicly available, which makes it impossible to determine if trap doors have been placed in the algorithm implementation.
• Mozy, Inc. actively suggests (in fact it is the default configuration) that users allow Mozy to select the encryption key used. This obviously allows mozy to decrypt any sensitive information contained in user backups. Couple that with Mozy’s statement about disclosing backup data at their discretion, and you have an interesting definition of privacy.

All in all, I am hoping that Ryan is neither in charge of PR nor security at Mozy, Inc.

I must say, the Mozy client works beautifully, and the 2GB free storage plan makes it easy to test the service without spending anything except the time. It took me less than 2 minutes to download and configure the mozy client to do remote incremental backups of a few select directories on my mac book. No problems.

So there I was, pretty impressed, until I decided to ready the Mozy privacy policy. It starts with the following:

We will not sell or market the email addresses or other collected personal information of registered Users to third parties.

We will not view the files that you backup using the Service.

We may view your file system information (file extensions, sizes etc. but not your file contents) to provide technical support.

So far, so good. Further down, however, I encoutered this:

Mozy, Inc. may disclose Personal Data, including the data you back up with the Service, with or without notice (a) if required by a subpoena or other judicial or administrative order, (b) where required by law, or (c) at our sole discretion, where we deem it necessary to protect the safety of any individual or the general public or to prevent violation of our User Agreement or the rights of Mozy, Inc. or any third party.

Now, I am not a lawyer, but that seems to be in direct contradiction with the first set of statements. The way I understand is this: At our sole discretion we may violate the privacy of the data you choose to back up.

Hmm. I am not sure I like that.

Additionally, it turns out that Mozy is based in Utah in the US. Again, I am no lawyer, but from what I can tell, the US have all but abandoned the idea of due process in their precious war on terror. For all I know, any old US government agency could waltz into Mozy’s data center and make a copy of whatever data they damn well want to.

Whoops. I just uninstalled the Mozy client.

Only this morning in my car, I listened to the DR radio show Harddisken. Harddisken is broadcast on DR P1, and as such must people consider it to be a reasonably well researched show, run by competent journalists. The show that I listened to this morning (as a podcast), among other things, discussed the use of OpenID. During the show OpenID was touted as being inherently secure, since with OpenID people won’t have to come up with insecure passwords for every obscure site that they decide to use.

Now that is just shallow and wrong on so many levels.

First, why should the average user become any more capable of choosing useful passwords with OpenID? OpenID will ensure that users use the same crappy password for every site they they log in to. This may be an improvement usability wise, but I fail to see how it improves security.

Second, I am not really sure that I like the idea of providing my OpenID credentials to any old site claiming to support OpenID. As far as I can tell, a single malicious site will be able to collect OpenID credentials of its users, and use these to access any other OpenID based site as these users. This is in spite of the fact that OpenID is specifically designed to avoid this, since once you have submitted your authentication credentials to a given server, they may essentially do anything they want with them, in addition to authenticating the user.  Having random crappy passwords at each site at least goes some way toward preventing this.

Finally,  although I haven’t fully read the specs, it seems that OpenID is basically a way for some semi-random OpenID provider to accept or deny some authentication token. The specs don’t appear to make clear what qualifies anyone to become an OpenID provider in the first place. This is similar to the key exchange problem in ordinary encryption schemes: The identity of the source must be somehow established by a trusted third party or through direct interaction with the source. I will have to dig deeper into the specs when time permits.

Anyway, the guys at Harddisken, given their intended audience, really need to recruit someone with sufficient technical insight, to help them avoid relaying inaccurate or downright false information. Or they could have just used Google or wikipedia.

On a general note, I find it quite disturbing how often newspaper articles turn out to be wrong, when I happen to know a little about their subject matter beforehand. I wonder if this is representative of the average newspaper article.