Friday 18 April 2014

Unboxing Broadband, part 3: Even more TV, Now!

The breaking point was Game of Thrones. Sky has convinced us to pay for more TV than we can possibly watch. blog.mindrocketnow.com

The breaking point was Game of Thrones season 4. Until that point, we were happy with our thriftily constructed entertainment choices. We had cancelled LoveFilm (£9.99 per month for 2 discs + streaming) and took up the introductory Amazon Instant Video offer (£49.99 for Amazon Prime for the first year). We were going to cancel our NowTV movies subscription before the introductory offer expired (£15 for 6 months). We were going to be happy with Freeview for regular TV (£0 per month). Our TV cost was going to be £50 p.a.

But then DW presented the business case that the NowTV entertainment subscription introductory offer of £4.99 per month was cheaper than buying the box sets of Game of Thrones, plus we could watch the new episodes live. And if we’re going to have the entertainment package, we might as well keep the movies package at £8.99 per month, because the children do so love watching the Disney catalogue. (And I admit, I was enjoying watching year-old movies as opposed to “classics”.) So now our annual cost has jumped up 436% to £218 p.a., all because of DW needing to see how the House of Lannister try to dismantle the House of Stark.

The lesson I take away here is that content is still king. Moreover, it’s not any one particular genre of content that is king, but the best of all genres. After all, my family is not interested in the most lucrative content type in the UK, premiership football (especially the way this season has turned out). But Sky still has enough of the best of the rest to make it compelling to our household.

Interestingly, it’s not the channel brand that is king, but the content itself. It is not the Sky Atlantic channel that we value. As far as branding is concerned, BBC is probably the only brand we follow. In other words, if we want a corporate recommendation, we’re more likely to choose something that is broadcast on a BBC channel, than any other branding. If we were to rank all our TV choices, it would go like this:

  1. NowTV – either our current series obsession or a new movie
  2. Something recorded on our PVR from Freeview
  3. BBC iPlayer
  4. Amazon Instant Video
  5. Blu-ray or DVD or ripped movie from our private collection
  6. BBC Four
  7. Randomly finding a broadcast programme from the EPG

(As an aside, it’s the expectation of kingly content that makes technical outages all the more frustrating. The season opener of Game of Thrones broke both NowTV in the UK and HBO Go in the US. We were actually quite put out; DW and I had put the children to bed, we had a glass of wine in hand, and dark chocolate to hand, all ready for a quality night in. Instead, DW was on social media complaining and figuring out what was going on, and I was rebooting everything just in case the problem was at our end.)

That kind of stunning ARPU increase (average revenue per user, how the industry measures how successfully it extracts money from its subscribers) isn’t achieved by snapping up content rights alone. The second decision factor is always price. For us, Sky competed with free (Freeview) and still won, because the cost burden seemed a bargain. A monthly subscription of £14 seems cheap when Sky has set the expectation so high with its satellite pricing. To get an equivalent package by satellite would cost us £59 per month.

(Because the NowTV box was so cheap (£9.99), we’ve forgotten the infrastructure investment that we’ve made: STB, fibre broadband (£20 per month), and BT’s “tax” (line rental of £15 per month). Putting it all together brings our entertainment bill to £650 p.a.)


To make us take the plunge, Sky has been very clever and changed the narrative. Through its product positioning, Sky has convinced us that the discussion isn’t about whether we have enough TV through our current (cheap) means, but that we can have better TV for only a little more money. And in doing so, we get to feel like we’ve gone from Aldi basics to Waitrose finest. The funny thing for me is that even knowing we’re being manipulated doesn’t change the validity of our decision at all.


More in this series: part 2, part 4.

Tuesday 15 April 2014

Change your password. But not just yet.

Another password crisis on the internet. This time, changing my password may not be the best thing to do.

The Heartbleed vulnerability has brought my exposure on the internet into sharp focus. Through a flaw in the code running on servers, my confidential information could be obtained by someone with nefarious intentions. And it’s not my fault this time.

The issue is due to a common kind of coding error in the server side of OpenSSL, a widely used open source implementation of the SSL/TLS security protocol. There’s a very good explanation on the Symantec site:

The Heartbleed vulnerability in OpenSSL allows an attacker to spoof the information on the payload size. How an OpenSSL server deals with this malformed Heartbeat message is key to the danger this vulnerability poses. It does not attempt to verify that the payload is the same size as stated by the message. Instead it assumes that the payload is the correct size and attempts to send it back to the computer it came from … [and will] automatically “pad out” the payload with data stored next to it in the application’s memory. This [padding] could include the login credentials of a user, personal data, or even, in some cases, session and private encryption keys.

The data the application sends back is random and it is possible that the attacker may receive some incomplete or useless pieces of data. However, the nature of the vulnerability means that the attack can be performed again and again, meaning the attacker can build a bigger picture of the data stored by the application over time.
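As an added illustration (not code from the original post or from OpenSSL itself), here is how a server-side heartbeat handler in C can apply the check the quote describes: the client-declared payload length is compared against the record that actually arrived, and the reply echoes only bytes that were really received. The record layout follows RFC 6520; the message bytes in the demo functions are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message types and the minimum trailing padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/*
 * Build a HeartbeatResponse for the record rec[0..rec_len).
 * Wire format: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Returns the number of bytes written to out, or -1 if the record is malformed.
 * The comparison of declared length against rec_len is the defence Heartbleed lacked.
 */
int handle_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* too short to hold even an empty payload */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: trust the record boundary, never the client-declared length. */
    if (1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* echo only bytes that arrived */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real TLS uses random padding */
    return (int)resp_len;
}

/* Constructed well-formed request: declares 4 bytes and carries 4 ("ping"). */
int demo_valid(void)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0, 4, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    int n = handle_heartbeat(rec, sizeof rec, out, sizeof out);
    if (n != (int)sizeof rec) return n;
    return (out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0) ? n : -2;
}

/* Constructed malformed request: declares 65535 bytes but carries only 4. */
int demo_malformed(void)
{
    uint8_t rec[1 + 2 + 4 + HB_PADDING] = {HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return handle_heartbeat(rec, sizeof rec, out, sizeof out);   /* -1: dropped */
}

int main(void)
{
    printf("valid: %d, malformed: %d\n", demo_valid(), demo_malformed());
    return 0;
}
```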

Because it’s a server-side issue, it’s got nothing to do with how secure our password is. If the server runs a version of OpenSSL with this error (not verifying the size of the payload), it could be vulnerable. And which servers typically use cryptographically protected communication?

  • Anything to do with spending our money – those millions of little online shops – the exact sites that are highly attractive to thieves.
  • And anything to do with our identity, especially those social media sites we so love – best not put up your dating profile just yet as it’s the perfect intersection of money and personal information.
  • As a side note, banks are probably safe, as they spend a disproportionate amount of money on internet security, and as a rule do not use standard open source SSL implementations.


Mashable has a good summary of sites where you may want to refresh your password. But before you stop everything to change that password: it may not be a good idea to do so yet. If you change your password before the server side has implemented the Heartbleed fixes (and it’s not just a simple patch, it could require revoking and re-issuing digital certificates), then your newly changed password could be captured in exactly the same way. So you should ensure that the web site owner has done their work before you change your password.

But even if you receive an email confirmation that the web site owner has fixed the problem, it still may not be a good idea to go and change your password straight away. Security experts expect an increase in phishing that tries to obtain passwords through the reset process. By phishing, I can get you to enter your reset email address on a bogus site that looks close enough to the real thing to pass cursory inspection. Then I can probably reset your password through social engineering – guessing the answers to the additional personal questions by paying attention to the digital footprints you’ve left all over the internet. So don’t just click through the link in the email – type the URL into your browser, and make sure the https padlock is showing, before you reset your password. Here are some other good rules for passwords:

  • Don't reuse passwords
  • Don't use a dictionary word
  • Don't use standard number substitutions
  • Don't use a short password
  • Do use two-factor authentication
  • Do give bogus answers to security questions
  • Do scrub your online presence
  • Do use a unique email per online presence


My password manager tells me I have 300 passwords. Plus all those sites where I connected using Facebook or Google login. This could take a while… I leave you with Symantec’s advice on what to do next:

Advice for consumers:

  • You should be aware that your data could have been seen by a third party if you used a vulnerable service provider
  • Monitor any notices from the vendors you use. Once a vulnerable vendor has communicated to customers that they should change their passwords, users should do so
  • Avoid potential phishing emails from attackers asking you to update your password – to avoid going to an impersonated website, stick with the official site domain
  • Stick to reputable websites and services. They are most likely to have immediately addressed the vulnerability
  • Monitor your bank and credit card statements to check for any unusual transactions