My Bitcoin Problem

I didn’t get enough of them…. ?tulip-fever-movie-poster-e1505608260306

Back in the good old days, Hikvision NVRs part of an exploit that was used to mine Bitcoin, naturally, that was back when Bitcoin was used primarily to buy heroin and weapons via the darknet. Today, though, everyone and their dog is buying bitcoin like it was pets.com shares ca 2001,  and the hardware needed to mine coins today is a million times more powerful than a cheapo NVR.

First things first; why do we need “currency”. I think it’s worth revisiting the purpose, before moving on. Basically, “currency” is a promise, that someone (anyone) will “return the favor” down the line. In other words, I mow your lawn, and you give me an IOU, which I trade for some eggs at with the local farmer. The farmer then trades the IOU for getting picket fence painted by you (you then tear up the IOU).

Instead of crude IOU’s, we convert the work done into units of currency, which we then exchange. Mowing a lawn may be worth 10 units while doing the dishes is worth 5. In the sweet old days, the US had many different currencies, pretty much one per state. They served the same purpose. To allow someone to trade a cow for some pigs and eggs, some labor for food, food for labor and so on.

But pray tell, what politician, and what banker would not love to be able to issue IOUs in return for favors, without actually ever returning them?

Since politicians and bankers run the show, naturally, the concept got corrupted. Politicians and banks started issuing IOUs left and right, which basically defrauded you of your work. When you mowed the lawn on Monday, you would expect that you could exchange the IOU for a lawn mowing on Friday, but with politicians producing mountains of IOUs, you suddenly find that the sweat off your brow on Monday only paid for half the work on Friday.

This is classic inflation.

By the same token, it would be one hell of an annoyance if you mow my lawn on Monday, and now, to repay you, I would have to not only mow your damn lawn, but also paint your fence on Friday.

This is classic deflation.

What you want is a stable, and fair currency. That work you do on Monday can be exchanged for an equal amount of work on Friday.

You can then wrap layers of complexity around it, but at its core, the idea is that money is a store of work, and that store should be stable.  The idea that we “need 2% inflation” is utter nonsense. In a democracy, the government can introduce a tax on cash equivalent holdings if the voters so desire. This would be more manageable and precise than senile old farts in central banks trying to “manage inflation” by purchasing bonds and stock, with the predictable side effect that it props up sick and useless companies. The idea that you can get work done by just shuffling some papers around is an abomination in my book.

Bitcoin is an attempt at creating a currency that can’t be manipulated by (presumably corrupt or incompetent) politicians and bankers, but I think they’ve gone far, far away from that idea.

The people who are engaging in bitcoin speculation are not doing it because they want a fair and stable store of work (having discarded traditional fiat currency as being unstable and subject to manipulation). Instead, they do it, because, in the speculative frenzy, bitcoin is highly deflationary. You can get a thousand lawns mowed on Friday for the lawn you mowed on Monday. As a “stable currency”, Bitcoin has utterly failed. And we’re not even discussing the transaction issues (200K back-logged transactions, and a max of 2000 transactions every 10 minutes).

This happens because bitcoin is not a currency at all. It’s a simply the object underpinning a speculative bubble. And as it happens with all bubbles, there are people who will say “you don’t understand why this is brilliant, you see… ” and then a stream of illogical half-truths and speculation follows. People share stories about how they paid $100 for a cup of coffee 12 months ago when they used bitcoin to pay for it. But a cup of coffee in dollars cost about the same as it did 12 months ago, so while the dollar is being devalued by very mild inflation, and thus a much more stable store of work, bitcoin is promising free lunches for everyone.

People, for the most part, take part in this orgy with the expectation that at some point, they will settle the score for real currency – real dollars. Very few (and I happen to know one) will keep them “forever” on principle alone.

Furthermore, I don’t see any reason why the Bitcoin administrators wouldn’t just increase the self-imposed 21 million coin limit to 210 million of 2.1 billion coins. They already decided to create a new version, called Bitcoin Cash that essentially doubled the amount of bitcoin. That and the 1300 other cryptocurrencies out there makes it hard for me to buy into the idea that there is a “finite number of coins”. Not only that, to increase transaction speed to something useful, they are going to abandon the blockchain security, opening up for all sorts of manipulation (not unlike naked short selling of stock etc.)

And let’s not forget that before Nixon, the civilized world agreed to peg currencies to gold (a universal currency that could not be forged). In 1973, Nixon removed the peg from the US dollar and since then the number of dollars has exploded, and the value has dropped dramatically. In other words, what was a sure thing pre-1973, was suddenly not a sure thing.

This is not investing advice. You might buy bitcoin (or other crypto-“currencies”) today, and make 100% over the next few weeks. You might also lose it all. I would not be surprised by either.

 

Advertisements

Net Neutrality

You can’t be against net neutrality, and, at the same time, understand how the Internet works.

There is no additional cost to the IPS to offer access to obscure sites; it’s not like a cable package where the cable provider pays a fee to carry some niche channel that no-one watches.

Basically, net neutrality means that the ISP has to keep the queues fair; there are no VIP lanes on the Internet. Everyone gets in the same line, and are processed on a first come, first served basis. This is fundamentally fair. The business class traveler may be angered by the inability to buy his way to the front of the line (at the expense of everyone else), but that’s just tough titties.

It’s clear that not everyone has the same speed on the Internet; I live in an area where the owners association decided against having fiber installed, so I have a shitty (but sufficient) 20/2Mbit ADSL connection. My friend across the bridge, in Sweden, has a 100/100Mbit at half the cost. But that has nothing to do with net neutrality.

If my friend wants to access my server, my upstream channel is limited to 2 Mbit per second. This is by my choice, I can choose to host my server somewhere else, I could try to get a better link and so on, but basically, I decide for myself who, and how much I want to offer. There are sites that will flat out refuse to serve data to certain visitors, and that’s their prerogative.

However, with net neutrality removed, my site may get throttled or artificially bottlenecked to the point where people just quit visiting my site. I would have to deal with several ISP’s and possibly have to pay them a fee to remove the cap. If the site is not commercial* I may not have the funds to do that. I may not be aware that an ISP is throttling my site into oblivion, or even be offered an option to remove the cap.

Clearly, ending net neutrality is not the end of the world. Guatemala and Morroco are two examples of countries w/o net neutrality. In Morroco, the ISPs decided to block Skype, since it was competing with their (more profitable) voice service, so that might give you a hint of what’s to come. They did complain to the King when the ISPs went too far though.

Naturally, fast access to Facebook LinkedIn and Snapchat might be cheaper, and probably all you care about if you’re against NN.

With cloud-based IP video surveillance starting to become viable, this might prove to be another, unpredictable cost of the system. Some ISPs already take issue with you hosting a web server via your retail connection. And they go out of their way to make it difficult for you to do so: Changing your IP address every 4 hours and so on. This is to push you into a more expensive “business plan”, where they simply disable the script that changes your IP. I think it is safe to assume that if you’re streaming 30 MBit/s 24/7 to an Amazon data center, the ISP will eventually find a way to make you pay. And pay dearly. Once you’ve hooked your entire IP video surveillance system into the cloud, what are you going to do? Switch to another ISP? #yeahright

I guess the problem is that the ISP business model used to be to sell the same bandwidth 100 times over. Now that people are actually using the bandwidth, that model falls apart, and the ISPs need other means to make sweet sweet moolah. And that’s their nature and duty. But why cheer them on?

*In the early days, commercial activity on the Internet was banned.

 

Safe, Easy, Advanced

You can only pick 2 though.

Admitting mistakes is hard; it’s so hard that people will pay good money just to be told that they are not to blame for the mistake. That someone else is responsible for their stupidity. And sometimes they’re right, sometimes not.

Anton Yelchin was only 27 when he died, he left his car in neutral on an incline. The car started rolling and killed him. Since it would be unbearable to accept that Anton simply made a mistake, lawsuits were filed.

Another suitor claimed that the lever was too complex for people to operate, therefore the manufacturer is liable for the damage that occurs when people don’t operate them correctly. The car had rolled over her foot, and while there were no broken bones, she was now experienced “escalating pains”, and demanded reparations. One argument was that the car did not have the same feature as a more expensive BMW.

Tragically, every year more than 30 kids are forgotten in cars and die. When I bring this up with people, everyone says “it won’t ever happen to us”, and so there’s zero motivation to spend extra on such a precaution. The manufacturers know this, and since there’s also liability risk, they are not offering it. So, every year, kids bake to death in cars. It’s a gruesome fate for the kids, but the parents will never recover either.

Is it wrong to “blame the victim”?

I think the word “blame” has too many negative connotations associated to be useful in this context. Did the person’s action/inaction cause the outcome? If the answer is a resounding yes, then sure…  we can say that we “blame the victim”.

It’s obviously a gray area. If a car manufacturer decides that P should mean neutral and N should mean park, and writes about this in their manual and tells the customers as they sign the contract, then I wouldn’t blame an operator for making the mistake. The question is – would a person of “normal intelligence” be more than likely to make the same mistake?

In our industry, not only are we moving the yard-post of what “normal intelligence” means. Some of the most hysterical actors are using the bad practices of the layman and arguing that the equipment, therefore, can’t be used by professionals.

It feels like it’s entirely reasonable to argue no-one should drive 18-wheelers because random people bought modified trucks at suspect prices in a grey market and then went ahead and caused problems for a lot of people.

As professionals, we’re expected to have “higher intelligence” when it comes to handling the equipment. You can’t call yourself “professional” if you have to rely on some hack and his gang to educate you online or through their “university”. And you sure as hell can’t dismiss the usability of a device based on what random amateurs do with it.

So what gives? You have a bunch of people who act like amateurs but feel like “professionals” because they are paying good money for this industry’s equivalent of 4chan and got paid to install a few units here and there.

It seems to me that the hysterical chicken-littles of this industry are conflating their own audiences with what actual professionals are experiencing. E.g. if someone suggests using a non-standard port to “protect their installation”, then you know that the guy is not professional (doesn’t mean he’s not paid, just means he’s not competent).

And that’s at the core of this debacle: people that are incompetent, feel entitled to be called professionals, and when they make mistakes that pros would never make, it’s the fault of the equipment and it’s not suitable for professionals either.

So, as I’ve stated numerous times, I have a Hikvision and an Axis camera sitting here on my desk. Both have default admin passwords, yet I have not been the victim of any hack – ever. The Hikvision camera has decent optics (for a surveillance camera) and provides an acceptable image at a much lower cost than the “more secure” option.

And I’ll agree that getting video from that camera to my phone, sans VPN is not “easy” for the layman. But it doesn’t have to be. It just has to be easy for the thousands of competent integrators know what to do, and more importantly, what not to do.

That said; the PoC of the HikVision authentication bypass string should cause heads to roll at Hikvisions (and Dahuas) R&D department. Either there’s no code-review (bad) or there was, and they ignored it (even worse). There’s just no excuse for that kind of crap to be present in the code. Certainly not at this day and age.

 

Debtors Prison

There’s a wonderful term called “technical debt”. It’s what you accrue when you make dumb mistakes, and instead of correcting the mistake, and taking the hit up front, you take out a small loan, patch up the crap with spittle and cardboard, and ship the product.

kid_credit
Yay! Free money!!!

Outside R&D technical debt doesn’t seem to matter. It’s like taking your family to a restaurant and racking up more debt; the kids don’t care, to them, the little credit card is a magical piece of plastic, and the kids are wondering why you don’t use it more often. If they had the card, it would be new PlayStations and drones every day.

Technical debt is a product killer; as the competition heats up, the company wants to “rev the engine”, but all the hacks and quick fixes mean that as soon as you step on the gas, the damn thing falls apart. The gunk and duct tape that gave you a small lead out of the gate, but in the long run, the weight of all that debt will catch up. It’s like a car that does 0-60 in 3 seconds but then dies after 1 mile of racing. Sure it might enter the race again, limp along for a few rounds, then back to the garage, until it eventually gives up and drops out.

Duct Tape Car Fix - 03
Might get you home, but you won’t win the race with this fix

Why does this happen?

A company may masquerade as a software company and simply pile more and more resources into “just fix it” and “we need” tasks that ignore the real need to properly replace the intake pipe shown above. “If it works, why are you replacing it”, the suit will ask, “my customer needs a sunroof, and you’re wasting time on fixing something that already works!”.

So, it’s probably wise to look at the circumstances that caused the company to take on the debt in the first place. An actual software company might take technical debt very seriously, and very early on they will schedule time for 3 distinct tasks:

  1. Ongoing development of the existing product (warts and all),
  2. Continued re-architecting and refactoring of modules,
  3. Development of the next generation product/platform

Any given team (dependent on size, competency, motivation, and guidance) will be able to deliver some amount of work X. The company sells a solution that requires the work Y. Given that Y < X, the difference can be spent on #2 and #3. The bigger the difference, the better the quality of subsequent releases of the product. If the difference is small, then (absent team changes), the product will stagnate. If Y > X then the product will not fulfill the expectations of the customer. To bridge the gap until the team can deliver an X > Y, you might take on some “bridge debt”. But if the bridge debt is perpetual (Y always grows as fast or faster than X), then you’re in trouble. If Y > X for too long, then X might actually shrink as well, which is a really bad sign.

Proper software architecture is designed so that when more (competent) manpower is added, X grows. Poor architecture can lead to the opposite result. And naturally, incompetent maintenance of the architecture itself (an inevitable result of a quick-fix culture), will eventually lead to the problematic situation where adding people lead to lower throughput.

A different kind of “debt” is the inability to properly value the IP you’ve developed. The cost of development is very different from the value of the outcome. E.g. a company may spend thousands of hours developing a custom log handler, but the value of such a thing is probably very low. This is hard to accept for the people involved, and it often leads to friction when someone points out that the outcome of 1000 hours of work is actually worthless (or possibly even provides a net negative value for the product). A lot of (additional) time may be spent trying to persuade ourselves that we didn’t just flush 1000 hours down the drain, as we’re more inclined to believe a soothing lie than the painful truth.

Solutions?

A company that wants to solve the debt problem must first take a good look at its core values. Not the values it pretends to have, but the actual values; what makes management smile and how it handles the information given to them. Does management frown when a scalability issue is discovered, do they yell and slam doors, points out 20 times that “we will lose the customer if we don’t fix this now!”. The team lead hurries down the hallway, and the team pulls out cans of Pringles and the start ripping off pieces of tape.

The behavior might make the manager feel good. The chest-beating alpha-manager put those damn developers in their place, and got this shit done!. However, over the long run, it will lead to 3 things : 1) Developers will do a “quick fix”, because management wants this fixed quickly, rather than correctly, 2) Developers will stop providing “bad news”, and 3) developers that value correctness and quality will leave.

To the manager, the “quality developer” is not an asset at all. It’s just someone who wants to delay everything to fix an intake that is already working “perfectly”. So over time, the company will get more and more duct-tapers and hacks, and fewer craftsmen and artisans.

The only good thing about technical debt (for a coder) is that it belongs to the company, and not to the employees. Once they’re gone, they don’t have to worry about it anymore. Those that remain do, and they now have to work even harder to pay it back.

debt_mountain2

The Parts of an IP Camera

To understand where the IP camera market is headed, I think it’s important to understand how one of these things are put together.

Like most high tech devices, each product is really an amalgamation of parts from different manufacturers. In fact many products are the result of tight, but perhaps unappreciated, collaboration of several (sometimes competing) companies. I’d recommend listening to Freakonomics rundown of the “I, Pencil” essay (starts 7 minutes in).

So, an IP camera is not a pencil, but just like all pencil manufacturers don’t manufacture every single part of the pencil, but instead, they purchase the parts (graphite, brass, paint and so on) and every manufacturer puts the pencil together following roughly the same pattern.

And, so, when it comes to IP cameras, they too are composed of parts that are available to everyone who wants to start making cameras.

You’ll need a couple of things: A lens, a sensor, some circuitry and some code.

You’re not going to start making your own lenses or sensors, are you? Probably not, so you’ll get the lenses from a lens maker (and they may even outsource their manufacturing process even further), and the sensor from either Sony or Canon.

You’re not going to design your own CPU either (unless you’re Axis). Today, you’d be better off grabbing an ARM platform and use that to drive the sensor and interface. The other advantage is that ARM is well supported in the software world, so you’re already halfway there.

Now that you have the basics, you need to write some code to get it all working together. If you went the ARM route, it’s pretty simple to get a linux kernel running. Well.. “simple” is depends on your level of skill, but finding a few geeks who can do this shouldn’t take long. So you grab the Linux kernel, add Apache or perhaps GoAhead, you can add gStreamer too (do check the link, it is a great presentation by Axis) . The next thing you know, you have a jumble of cables and breadboards, burns on your fingers from the soldering iron, you haven’t seen your kids in 4 days and the smell is getting a little hard to stomach.

On top of that, you need to wrap this in an enclosure. There’s regulations to follow, tests that need to be carried out and so on. Then you have the nightmare of maintaining all those pieces of code, and trust me – if you wrote everything yourself, it would take even longer and be much harder to test and maintain.

What if there was a company, that could do all of the above? And just stick my name on the box? After all, my company would pick the same lens, the same sensor, the same board and the same software, so why not do it?

I have no intention of starting production of a Raspberry Pi Zero based IP camera, but I know that I can make one for ~$40 (and that’s buying all the parts retail). Not only will this thing work as an IP camera, it can work as a full fledged stand-alone VMS.

In other words, the question is: if some washed up coder in Copenhagen can build a fully functional “IP camera” for $40, I think you’re going to face a tough time if you’ve based your entire organization around selling your cheapest cameras for $250+ (they may be “even more good enough”, but who cares?).

Obviously, my camera is not going to be materially different from the other guy’s cameras. We’re all going to use the same bits and pieces, including software, even the damn protocols are going to be the same.

So, I think we’re going to see a race to the bottom in terms of prices. The cameras will look and perform almost identically across brands, use the same protocols, and be completely interchangeable, much to the chagrin of the incumbents, so the USP for the brands in this realm will have be something else.

VMS Software, perhaps…

 

 

 

 

 

 

P2P

As with IP cameras, one of the IoT challenges is how to get your controlling device (typically a phone) to talk to the IoT device in a way that does not require opening up inbound ports on your firewall.

All communication is peer to peer, so the term, when used in the context of IoT devices, is perhaps a little misleading, after all, an exposed camera sending a video stream to a phone somewhere is also “peer to peer”. Instead, P2P might be translated to “send data from A to B, even if both A and B are behind firewalls, using a middleman C” (what the hell is up with all the A, B, C these days).

On a technical level, the P2P cameras use something called UDP hole punching, which sounds a bit onymous, but there’s really nothing sneaky about it. What happens is that A connects to C, so that C now knows the external IP address of A. Likewise, B also connects to C, and now C knows the external IP address of both A and B.

This middleman, now passes the IP address of A to B, and B to A. Next step is for A to fire a volley of UDP packets towards B, while B does the same towards A.

The firewall on A’s side sees a bunch of packets travel to B’s address, and when B’s packets arrive, the firewall thinks that the UDP packets are replies to the packets that were sent from A and let’s them through.

You could accomplish the same thing by having A go to “whatsmyip.com” and email it to B, B would then do the same. Then run scripts that send UDP packets over the network, but a STUN server automates this process.

But who controls this “middle man”? Ideally, you’d be in charge of it; you’d be able to specify your own STUN-type server in the camera interface, so that you have full control of all links in the chain. In time, perhaps the camera vendors will release a protocol description and open source modules so that you can host your own middle-man.

The problem might be that you bought a nice cheap camera in the grey market. The camera is intended for the Chinese market, but comes with a “modded” firmware that enables English menus and so on. This is obviously risky. Updating a modded firmware may be impossible and brick the camera, and the manufacturer may be less inclined to support devices that have been modded. You get what you pay for, so to speak (and this blog is free!)

The modder is selling the cameras in the western markets, but the STUN server is still pointing to a server in China. This makes sense if you are a Chinese user, but it may seem very strange that your camera “calls home” to a server in China. A non-modded camera might do the same, simply because running a STUN service is cheaper, and allows the government to eavesdrop on the traffic. If you are Chinese (I am not), you could argue that you don’t trust Amazon, Microsoft or Google because they might work with the NSA. Therefore, using your own server would be preferred.

Apart from the STUN functionality, the camera may follow direction that are sent from B to C to A. This puts a lot of responsibility in the hands of the guys maintaining this server. If it is breached, a lot of cameras will then be vulnerable.

Depending on the end user, P2P may not be appropriate at all. To some users, the cost of a breach is small, compared to the hassle of installing a fully secure system it might be worth it.

While yours truly has abandoned all attempts to appear professional over the years, the truth is that most big installations have their shit together. Unfortunately the volume of DIYers and amateurish installers who don’t really know what they are doing is much bigger (in terms of headcount, not commercial volume), and if there’s one thing we all want to do, it’s to blame someone else.

Caveat Emptor.

this-is-fine.0

 

(Dis)honesty

It’s very hard to differentiate between stupidity and intentional dishonesty. Yesterday, I made a mistake of posting an inaccurate portrayal of statements made by another blogger. I removed it from my blog almost immediately. But subscribers to my blog had received the post, and one reader quickly accused me of “defamation”, and told me that I was “on notice”.

Mistakes are made, I attempt to correct them as quickly and as best I can, but sometimes people just crave confrontation.

I’d like to take the opportunity to talk about true dishonesty. I’m a big fan of Dan Ariely, who studies behavioural economics. When Salty Features wanted to crowdfund a movie about dishonesty, centered around Dan’s work, I did not hesitate to sign up, and I can only recommend that you go watch (Dis)honesty (it’s on Netflix in Denmark and most other places I would imagine).

Dan and his team tries to establish a baseline for how dishonest people are, in general. The experiment is quite simple. They hand out math tasks. The more tasks are solved, them higher the reward (a few dollars). But, instead of handing the papers over for verification, they are to send them straight to a paper shredder. Then proceed to the controller’s desk, and simply state how many tasks were solved. No chance of verification.

The rigid financial theory says that there is 0% chance of being caught, so they might as well say that they solved all the tasks, and reap all the reward.

But that’s not what happens. A lot of people cheat a little bit, some not at all, and some go all in (in accordance with the rigid theory). The completely honest and completely dishonest people are outliers.

How did they know that the students cheated? The shredder was rigged. Some people might have suspected this, but even if they did, there would be no repercussions to go all in on the cheating, so some people are just naturally honest, while some use every opportunity to the fullest.

The experiment was then changed, so that instead of direct payment, the students would receive tokens, that would then be exchanged to real cash. Most people would probably assume that this made no difference at all, but as it turns out, this added abstraction of cheating = cash, increased the cheating substantially. The end result was the same, but one step was interjected that really should have mattered, but it did.

So, what if we look at the business world? Dan argues that the abstraction of money in high finance might be a contributing factor in what he describes as cheating, but it’s not just banks. As Dan’s research shows, a little bit of cheating is common – natural – even.

We can also illustrate the principle in another way:

Here’s an example of something that everyone will agree is problematic:

Company A pays B (who claims “independence”) to write about competitors of Company A.

Anyone in their right mind would say that B is hardly independent, and who would ever trust anything B has to say regarding companies in A’s domain? I know that a few would. There’s always a few. But most wouldn’t.

How about this, then:

Company A pays Company C to sign up to a service from Company D that is owned by B.

The end result is the same, but we’ve inserted a few layers of abstraction between A and B. And as Dan’s research show, there’s always a few that exploit this as far as it can go.

I highly recommend Dan’s books. And may I suggest you visit his sites too.