WirelessMoves

When I was a teenager it took me two years to convince my parents to buy me a computer. I would have taken anything, big small, TV output, LCD display, whatever, just programmable please. I finally got one but it took too long, mostly because even home computers were expensive at the time. Well, times have really changed, haven't they!?

Yesterday, Eben Upton, one of the creators of the Raspberry Pi, announced the $5 Raspberry Pi Zero. It's much smaller than a "normal" Raspberry Pi, has fewer connectors but is more powerful than the first Raspbery Pi and can act as a fully functional as a desktop computer as it has an HDMI (mini) out and old fashioned TV interface (for which a connector has to be soldered onto the board). Even better, to get one, just go around the corner to a newsstand (at least in the UK) and pick up the latest edition of the Magpi magazine for 6 pounds in which the Raspberry Pi Zero is included as a supplement. Wow, I just imagine myself as a boy having done that instead of having had to preach to my parents for years about the need for having a computer.

I wasn't quite sure when I started writing this article but while writing it, I found this video in which Eben confirms that the Pi Zero is the first "real" computer ever shipped as a magazine supplement! True, an SD card is needed as a mass storage device in addition to an HDMI cable to connect it to a TV as well as a mouse and keyboard which easily exceed the price of the Pi itself, but hey, compared to two years preaching that's a hurdle that can be overcome easily as all of these things are available in abundance and can probably be gotten second hand for next to nothing.

A "real" computer as a supplement in a computer magazine that can be bought at a news stand! I'm sure the late Steve J. would agree, this is insanely great!

When I was recently in China a number of my fellow travelers asked me if I could access the Google Play store. Over a Wi-Fi connection without a VPN I couldn't. I wasn't really all that much surprised, most Google services, Facebook, etc., etc, and most VPN services with servers outside of China are blocked as well, so why should the Play Store be accessible?

Well, for one thing I thought at first, because there are said to be 700 million Android based smartphones and tablets in China. As we are all taught how important it is to download software only from a carefully controlled App store these days, how are those 700 million devices getting software and updates? So I asked one of my local friends with a Chinese Android device if Chinese Android devices can access the Google Play store. As expected I got the answer that the Play store does not work in China and that people just search for Apps on Baidu (the local Google search equivalent) and install it right from a web page. Baidu offers and app store for Android as well but direct installation from web pages seems to be quite popular as well. So much for security screened apps and automatic updates.

Perhaps 700 million Android devices without access to the official store is one of the reasons why Android still makes it easy to download apps from, what is called, "unknown sources" in the user interface and allows to use alternative App stores (of which there seem to be quite many in China). If I were a cynic I would probably be thankful for the censorship so I have more freedom.

Which makes me wonder what kind of concessions Apple had to make as their app store can be accessed in China…

Incredible, I made my first video call only or already a decade ago, depending on how you look at it. At the time I was convinced it would become a mass market phenomenon once more people had 3G phones. It didn't really work out like that, however, and I have to admit that the service never really became popular, perhaps because most network operators massively overpriced the service and failed to continuously innovate and evolve the service.

Today, 3G video calling is still in the same state as it was 10 years ago. For today's devices the resolution and frame rate of the video is far too low and picture quality on the large screens of today's devices is far from what people expect. In the meantime some network operators have even given up on the service entirely and have begun blocking the service for new subscriptions.

But I'm glad that others haven't given up and have continued to innovate. Facetime on mobile has reached some popularity, e.g. see my post from New York from back in 2011. Personally, I use Skype for smartphone and tablet video telephony. Over LTE and even 3G, the video resolution and frame rates are fantastic. These days, I'm seeing more and more people engaged in video calling, especially at airports. Still a niche when compared to the billions of voice minutes generated every day, I agree, but nevertheless quite mature and useful today.

Optical DVD drives are getting out of fashion in notebooks these days. In theory, that's not a bad thing as it saves space and weight and one can always buy an external USB DVD drive for a few euros should one really need one. The problem is that those I tried in recent weeks are of such bad quality that they fail to read many of the DVDs and CDs I wanted to read.

Read issues often do not appear at first when inserting a CD or DVD but only later when I'm already halfway or two thirds through the content. Sometimes, a DVD that can't be fully read in one drive but works o.k. in another and vice versa. Sometimes a DVD fails in both but at different locations. Quite a mess.

But then I remembered that I have a 15 year old PC still standing around in the corner with 2 DVD drivers from back then, solidly built and quite expensive at the time. Despite their age, though, they've so far been able to read each and every DVD and CD that was partially unreadable on those crappy USB connected DVD drives for a couple of euros.

Perhaps it's time to convert my CDs and DVDs while that computer still works…

A couple of months ago, Chrome, Firefox and perhaps other browser have begun to 'pin' the HTTPS certificates used by Google, Twitter and others for their web pages. This significantly improves security for these web pages as their certificates can no longer be signed by any of the hundreds of Certificate Authorities (CAs) that are trusted by web browsers but only by one or a few select ones. So far, this functionality was part of the web browser's code. Recently, however, most desktop and mobile browsers have added support for the generic HTTPS Public Key Pinning (HPKP) method standardized in RFC 7469 that enables any HTTPS protected web site to do the same. Time for me to add it to my Owncloud and Selfoss servers too to protect myself from man-in-the-middle attacks.

HPKP works by adding a public key pin header string to the HTTP response header section that is returned to the web browser each time a web page is loaded. On first request, the web browser stores these and whenever the page from the same domain is loaded again afterward compares the hashes of the HTTPS certificate it receives with those previously stored. If they don't match the page load process is aborted and an error message is shown to the user that can't be overridden. For the details of how to generate the hashes and how to configure your webserver have a look here and here.

The first screenshot on the left (taken from Firefox'es Webdeveloper Network console) shows how the public key pin looks like in the HTTPS response header of my web server. In my case I set the validity of the pinning to 86400 seconds, i.e. to one day. This is long enough for me as I access my Owncloud and Selfoss servers several times a day. As I don't change my certificate very often I decided not to pin one of the CA certificates in the chain of trust but be even more restrictive and pin my own certificate at the end of the chain.

On the PC I successfully verified that Firefox stores the pin hashes and blocks access to my servers by first supplying a valid certificate and a corresponding public pin hash and then removing the pin header and supplying a different valid certificate. Even after closing and reopening the browser, access was still blocked and I could only access my Owncloud instance again after I reinstated the original certificate again. Beautiful.

On Android, I tried the same with Firefox Mobile and Opera Mobile. At first I was elated as both browsers block access when I used a valid certificate that was different from the one I pinned before. The second screenshot on the left shows how Opera Mobile blocks access. Unfortunately, however, both browsers only seem to store the pin hashes in memory. After restarting them, both allowed access to the server again. That's a real pity as Android frequently terminates my browser when I switch to other large apps. That's more than an unfortunate oversight, that's a real security issue!

I've opened bug reports for both Firefox and Opera mobile so let's see how long it takes them to implement the functionality properly.