Towards an Internet of slaves?

Or the way Internet Giants are mastering the network

A few years back, in France, the national and unique telecom company invented a system based on “low power terminals” connected to central servers. The company rented (for free) those terminals to their consumers. These terminal connected to central servers using plain old telephony standard (1200 baud/s modem) on overpriced phone numbers. You had no choice of content, and many services were only based on time (they tried to keep you online as long as possible to charge you as long as possible).

This was called Minitel (for mini small tel terminal). It had no data storage, no upgrade possible, everything was run on the remote side.

Internet has broken their business

Then, around 1999, users could buy POTS modem (up to 56KBaud/s) and connect to non-overpriced telephone number, and get access to free (as in freedom) internet content. As expected, this killed the Minitel business.

The main reason why this happened was not the price (price was reduced for Minitel’s services yet it did not survive), but the opportunity for people to connect to any service they wanted, not one of the few thousands that were offered.

The lesson to learn was “people want to master their content and services”

Internet is now becoming a Minitel 2.0

A small shift fifteen years later and a global look to current internet system present abnormal similarity. You are presented a limited number of “servers” to contact to, your data is in their hands. Your browsing session is made as long as possible for you to watch their advertisement, and for them to earn from your time spent. You pay for bandwidth (you rent it from your ISP).

It was not like this five years ago, and there is no sign of returning back to the previous state. Worse, they are making it harder for you to do so.

Loss of freedom

At some point in time, we have experienced a very large access to freedom. Freedom to learn, to hack and to express ourself. This fire is being extinguished with the help of big companies.

You shall become Advertisement slave…

You probably remember the “pop up hell” that internet users of year 2000 used to live with Internet Explorer. Then appeared Mozilla Firefox with an automatic pop up killer.

Popup had the advantages of not breaking the content you were reading.

A few years later, pop up have disappeared, but advertisers filled the content with, well, ad.

Ad blocker appeared, and killed they practices (at least, for power user who installed an ad-blocker)

Long story short, there’s a war between advertisers and users who want their web uncluttered.

Back to current year, we are seeing a large increase of mobile based browsing. Chance are high that you are reading this page on a “smartphone” running Android or iOS (or Windows Phone). You are probably using a browser called “Chrome”, “Safari” or “Edge / Internet Explorer” (or for the most adventurous, “Firefox”).

Yet, do you realize that the browser you are using is as naked as the browser you used in 2000 ?

Sure, your browser is doing 3D acceleration, audio, etc. But mobile browser from Internet Giant, by default, offer no extension system. This means no Adblock, uBlock, Ghostery, Greasemonkey, whatsoever…

Do you think it’s an oversight from the three main browser vendors ?

How does Google earn money ? Or Microsoft ? Right, they are advertisement-delivery provider. They earn each time you waste a second reading an useless ad (worst, they earn each time you download an ad)

You probably experience those pesky Javascript based popup that you must click to go away. Doesn’t it smell a lot like the 2000s ?

Why aren’t they providing the technology to kill that pest (that’s easy since you can spot that a content with external resource is having a z-index higher than the main page, and this happens after the page loaded) ?

You shall use the content on our servers only…

Recently, all browser vendor are locking in their users. The choice is simple, it’s the very usual strong-against-the-weak principle. Major browser vendor implement a closed source technology for video and audio playing of DRM content (yes, even Firefox). If you don’t do that, your users will not be able to watch the content they asked for. The power balance is inverted here, we, as users, we should impose our will to the providers, and not the opposite. The move from Firefox is the exact example that something is wrong.

It’s like when you order to a pizza shop a pepperoni pizza, and get a mozzarella one instead. I don’t want your mozzarella pizza. You can keep it, no way I’m going to accept it.

Why in hell should I accept this video if you don’t let me watch it ? I’m watching your advertisements here, you earn money, each time I watch your stuff. Are you really sure you’re completely clear in your mind ?

Recently, major browser vendors are “agreeing” toward “certifying” the content of what you are watching. At first, that might sound a good idea (as usual, devil is in details).

When you look to it more closely, the browser can now prevent a website from loading content from any other website. Yes, that’s right, this prevents you to run your favorite bookmarklet that removes the clutter from the actual interesting content, this prevents you to publish some content from any non-approved website, etc…

This also means that any cross domain, cross-browser, compatible code you might have be used to (or written) will now have to be re-written for every different browser, every different platform, and so on, as an “browser extension” or add-on.

Nice move to prevent other browser provider to appear, since the work done by unpaid developers for writing extensions for the major browsers will have to be done again for the new browser.

This “technology” is called CSP (for content security policy, the usual security-removes-freedom mojo is running at maximum speed). Basically, a website tells the browser that the content is allowed from X or Y but no-one else.

Tomorrow, if I want to post a picture of my cat hosted on my server on any of such website, it will fail silently because it’s very unlikely my server will be listed in the CSP. Obviously, Google Photo, Flicker, etc will all be listed here, so I’ll be locked out because I’m not using their service.

Remark: It’s not Google that forces the website to use their service, it’s the pressure of users that want to link their pictures hosted on Google’s server that force the webmaster of the site to allow Google’s servers. Again, it’s the strong against the weak.

Mozilla is not reacting to this whatsoever, because, well, Mozilla is bollocks-less, they are struggling to stay “competitive” in the browser market, and they depends for this on ad revenue from the big Giants.

You shall not change the content…

If this wasn’t enough, a new “security scheme” is being implemented that allow website to lock their CSS so that a browser will not load the stylesheet if it’s being modified (by who? ).
Technically, the CSS is hashed, and the hash is stored in the link referrer.

How often does a malware comes from a stylesheet, really ?

However, how often does a CSS contains a link to advertisement’s resource ? Isn’t it like… every time ?

Whose who work for maintaining a network will tell you how hard it is to intercept and modify something on the network without being caught, and with SSL/TLS (HTTPS), it’s even harder.

They start with CSS, and soon they’ll do the same for Javascript, so what you’ll get is a web application that you can not modify, that you must trust, that you can’t analyze for correctness, who’s only able to manipulate your data on their server. It’s using your time for them to earn money by having you watch their advertisement.

There’s another word for this, being unpaid for doing some work, while (few) others earn the benefit of your work, it’s called a slave. In fact, it’s even worse, because in the ancient time, slave didn’t have to pay to get access to slavery.

Using Best-Of-Vox SAPI voices with Linux x64

What device ?

Only x86 Linux since we’ll be using Wine to run a SAPI server.

Under which conditions ?

On Debian Linux Jessie

What to expect ?

An excellent quality Text to Speech (later on TTS) for any textual input, in French (English would do too, but it’s more frequent) without Internet connection, using Best-Of-Vox voices.

What were the pitfalls ?

Wine & XvFB will have to run (but it takes almost no memory nor resident CPU).

Best-of-Vox voices are 39$ in SAPI version, while only 3$ in Android version. Why ?

Continue reading

Image format for the web, a real world example

Well, we all know about JPEG image format. It’s good, but not perfect. Yet, there is not much competitor to replace it. Why ?

Let’s see.

Advantages of JPEG

  1. It’s old, so all software know how to deal with it.
  2. The picture quality vs file size is good
  3. It’s what comes out of your digital still camera, so, like me, we don’t have time to rework the picture
  4. It can store metadata

Bad features of JPEG

  1. It’s lossy. Very lossy (and yes, I know there is a lossless profile in JPEG standard, but nobody use it)
  2. No alpha channel, no transparency possible
  3. No animation

Continue reading

Hacking the SABRENT low cost AirPlay/AirTunes dongle for speakers

What device ?

SABRENT WIFI Audio Receiver (WF-RADU) is a small, low cost (< 20$) WIFI AirPlay / AirTunes receiver used to transform any audio system with a 3.5″ line-in in a AirPlay compatible device.

Under which conditions ?

No hardware modification to the device.

What to expect ?

More control on the (chinese) device. Login in a remote shell, and be able to change parameters to the device, use it as a very limited but always-on server.

What were the pitfalls ?

The CPU used is very low end (MIPS 24K V4.12, with 240 Bogomips😉. Very low onboard DDR (32MB).

Continue reading

Password woes

Currently, in our digital life, we use plenty of secrets to identify ourselves to the services we are using.

The most common form of secret is… password.

But password are a pain to use (safely), to remember (long term), and to share.

The higher we use services the lower our security. Why ?

Continue reading

Detecting main grid voltage – The efficient way

What is the goal ?

You have a low power device (typically battery powered, or on UPS) that need to detect if the main power is lost. How do you do that efficiently ?

What is the difficulty ?

When dealing with alternating current and a microcontroller, you’re out of the blink led tutorial. If the voltage on the line is higher than than 50V, it becomes hazardous to handle, you MUST TAKE ALL POSSIBLE CARE ELSE YOU’LL BE KILLED.

You don’t want to spend a Watt for detecting if power is there, since each Watt, 24/7 costs you more than 1€ per year.

If you need to monitor more than a single line, then the most efficient solution is preferred.

Continue reading

Hacking the Huawei E587 for custom applications

What device ?

Huawei E587 is a 3G modem with battery appearing as an access point. It enumerates on the USB bus as VID: 12D1, PID: 14FE

The device runs Android (a very minimalist Android system).

Under which conditions ?

No hardware modification to the device.

What to expect ?

I’d like to run any Android based application on this device.

What were the pitfalls ?

The CPU used is very low end (iMX28 from Freescale), Huawei put very low onboard DDR (32MB), the android system is very streamed down, the filesystem contains numerous useless scripts and tools, but lacks required tools.

Continue reading