The oh-so-geeky Apple Watch is not ready for my life yet.

I really want the Apple Watch because it’s so shiny, but I’m having trouble imagining how I’d actually use it. blog.mindrocketnow.com

So which Apple Watch are you going to get? The one with the rubber strap and retails at £299, or the one with exactly the same innards, but retails at £13,500? Put in those terms, it’s a bit of a trivial question, isn’t it? In value-for-money terms, the top-of-the-scale just doesn’t make sense – but then again neither does a top-of-the-scale Breitling.

Traditional watch manufacturers extol the complexity of their complications, that these feats of engineering excellence cannot be matched, and therefore justifies the price. Apple very much justifies its place in this rarefied club, as it too has achieved feats of unparalleled engineering excellence, but in its ability to mass-produce. The atomic delights blog does a great job of explaining the innovation that Apple has put into its manufacturing.

Gold is soft, deforms easily, and is a dumb material to want to make a heavy-wear item like a watch case. But it’s bling, so engineers have the problem of how to make something soft into something hard. The 18k gold that Apple uses for the edition cases is made hard using a new work-hardening technique: rolling precisely milled gold cases to flatten them by a few microns each time, in order to disrupt the crystal lattice structure with just enough dislocations to make them hard, not enough to make them snap. Ultrasonic testers ensure that there aren’t any density variations beneath the surface that could fail in time. A Coordinate Measuring Machine measures that the final case is within 0.05mm of its design.

A lot of decades have gone into developing stainless steal alloys that are hard, whilst ensuring that the nickel in the alloy doesn’t irritate the skin. The clever part is how to create the exceptional strength that Apple required. The Apple Watch innovation is to use cold forging. The steel billet is placed under such immense pressure that it flows into the shape of the case. Using cold forging, the crystal lattices remain intact and the case is immensely strong but not brittle.

Aluminium is a metal that we now associate with Apple, used in its MacBooks, even remote controls, and always to an exacting quality of finish. These techniques are further improved upon for the aluminium watch case. The extrusion process perfectly produces one of the edges for the case, so it’s one less surface to mill. Cases are anodized in densities that are beyond most manufacturers in order to achieve the production volumes. Lasers are used to remove burrs from machined edges so that the precision of the edge is not lost. A laser is also used to cut the serrations on the crown for the same reason.

Apple has deliberately chosen to go way beyond the normal manufacturing processes in making its watch. It is possible to make a gold case without work-hardening, a steel case without cold forging or an aluminium case without lasers.  The huge cost reflects that “good enough” wasn’t good enough for Apple. So by buying an Apple Watch, I’m saying that “good enough” is not good enough for me.

Let’s flip that around a bit: by buying an Apple Watch I’m demonstrating that I’m prepared to spend on something that is far beyond fit-for-purpose. To me, that’s the nub of my cognitive dissonance with the product. You see, I can’t figure out how it’ll fulfil any use case for me. It’s therefore simultaneously beyond fit-for-(Apple’s)-purpose and not fit-for-(my)-purpose.

The negatives outweigh the positives at the moment: the battery won’t last all day, it can’t do anything beyond the abilities of my current bevvy of gadgets, it’s expensive, I’ll irrevocably scratch it within days, and it’ll be obsolete when the next version comes out in 6 months. Which is why I’ve bought the Jawbone UP24 to measure my personal telemetry – I’ll report back on it in a later post.

However, there is one last trick up the sleeve of the Apple Watch that will change my mind, and that’s its apps. The experience of the iPhone showed that a billion possible apps can make a phone that’s terrible at making phone calls indispensible. I’m convinced that the right combination of apps will make the Apple Watch must-wear. Let’s see how long my nerve holds.

Published 13^th March 2015

Why deliberately weakening internet security is plain stupid.

Deliberately weakening internet security has been tried before. It was stupid then, and it’s worse now. Let’s not repeat the same mistake. blog.mindrocketnow.com

I recently posted about how proposed changes to the UK counter-terrorism bill to create a back door for breaking encrypted traffic wasn’t a good idea. It turns out that the super-critical internet security flaw of the week vindicates this view, as it is directly due to an earlier attempt to deliberately weaken internet security. (For a more comprehensive yet accessible explanation, I encourage you to read Matthew Green's blog.)

To understand what’s happened, we need to go back in time to the early 1990s. In the bad old internet days, when Netscape was the best browser in town, do you remember that it was available in two variants – domestic US and international? The reason was a hangover from World War 2, that the NSA didn’t want the version that used the “super-strong” 128-bit key length being used by foreigners because it wouldn’t then be able to eavesdrop in the name of keeping the US safe. Therefore, the export version used an export key limited to 40 bits.

As we know, time makes a fool of technology limitations, and the 40-bit limit was shown to be very foolish in very little time. The Washington Post does a good job of putting this into context: a 512-bit key length encryption can be broken by a skilled code breaker and about 7 hours of computing time from the equivalent of 75 computers. This computing power can be bought for around $100.

Fast forward to year 2000, and the US finally realised that their e-commerce economy was hamstrung compared to the rest of the world because of the negative public perception of its weak security. So security legislation was relaxed, and full strength encryption was available everywhere (subject to usual restrictions of international commerce). The current standard key length is 2048 bits, and will no doubt increase as computing power increases. However, the export key length has remained 512 bits because it’s legacy and nobody cares. The law of unintended consequences of this didn’t surface until this week, 15 years later.

In order to make figuring out whether to use domestic US or export-grade encryption, web clients negotiates which cipher key length to use. In the past, this negotiation would have included whether the secure conversation was to be in US or foreign, however now nobody cares. Therefore the same client and server software could be deployed around the world. However the OpenSSL client (as used in Android) and SecureTransport client (as used in iOS and OSX) have a bug: they will accept an export-grade key even if they didn’t ask for one. This makes them vulnerable to a particular type of Man-In-The-Middle attack.

Imagine the client asks an e-commerce server for a standard cipher key length. Imagine also that a nefarious MITM has inserted itself into this transaction. The MITM, being in the middle, replaces this request with one asking for an export key length, thus tricking the e-commerce server. The server will happily initialise the transaction using the weakened key, and the client will accept this weakened key, neither of them thinking anything is amiss, and so won’t notice the MITM. The MITM can now crack this 512-bit key in 7 hours for $100. Once cracked, the MITM can intercept all communications that uses this key.

Perhaps you’re now thinking: surely the servers won’t bother with export keys and only serve standard keys. Well, some recent scans have found that 36.7% of trusted sites can be tricked into serving weakened export keys. Sites which include some of the biggest trafficked sites in the world: http://connect.facebook.net/ (although I read that the Facebook server configs have been updated since the flaw was publicised).

Perhaps you’re also thinking: my e-commerce transactions never take 7 hours, so I’m safe from this attack. It turns out that it’s expensive (in compute terms) to generate a new key, so keys are routinely re-used. One of the widest-used web server software, Apache, uses the same key for the uptime of the server. So after that first 7 hours of compute, the MITM can intercept all communications from that server to all subsequent clients. That’s all subsequent financial transactions and confidential information.

This flaw isn’t at all theoretical and in the imagination. There has been a Proof of Concept test successfully completed by researchers, which has demonstrated that this is possible. It’s out there and it’s a big deal. So what can we do?

I’m afraid it’s the usual advice for consumers: keep your software up-to-date, especially OS, anti-malware and browsers. And keep an eye on your credit card transactions – not just when you see the statement but regularly. Google, Apple, Apache, everyone with big resources, will be scrambling to put out a patch. Some patches are already implemented, like for the Firefox browser. But fundamentally, there’s little for the consumer to do except be vigilant.

Internet security is now more important than national security – it now underpins global commerce. Let the magnitude of that statement sink in a bit. That’s why deliberately weakening internet security in the name of national security is plain stupid. We need our governments to find a better way to keep us safe.

Maybe we’re not all web 3.0 after all.

Trying to separate our online identity from our real-life selves may well be futile. blog.mindrocketnow.com

Welcome back to the blog, from my winter break. I returned to writing this week, and saw an article in the Wall Street Journal claiming that YouTube didn’t make a profit last year, despite having more than a billion viewers per month. I find it instructive to compare this with traditional networks: one billion views is the same order of magnitude as all US viewings across all networks in any one month. Imagine if ABC and CBS and FOX and NBC and HBO and CW and and and weren’t making any money at all – that’s the scale of Google’s profligacy.

Of course, there’s bound to be some aspect of funny money accounting here – YouTube presumably pays the Google mothership a big chunk for infrastructure hosting and CDN, more than the actual cost. However, even if we take this at face value, there’s an interesting conclusion we can make.

WSJ reports that the lack of ability to convert views to revenue is in part due to searches that find YouTube content is from other sites and so YouTube doesn’t earn ad revenue (but presumably the key site driving traffic is Google search?). More interestingly is WSJ’s assertion that YouTube’s audience reach is quite limited; it quotes that 9% of viewers account for 85% of views. Or looking at the flip side of that statistic, most viewers aren’t regular viewers.

Much of this blog has been about the changing TV viewing habits, going from traditional terrestrial networks to online streaming. But these numbers from YouTube tell me that the story isn’t actually that simple; it seems that we’re moving from a single predominant content delivery methods to enjoying a bouquet of delivery methods. We’re not changing wholesale from a traditional viewing personality to a web 3.0 digital identity. Instead we’re augmenting our identity with web 1.0, 2.0, 3.0 whatever makes sense with that particular use case contextualised to our own lives. What’s more, we’re not jettisoning the traditional when we add the digital. Our digital identity is becoming more complex because it’s not distinct from our real-life identity. To treat them separately is futile, and the most successful digital offerings will be able to reconcile the two.