iPads as in-flight entertainment

11 January 2014

I’m writing this whilst sitting on a Qantas flight from Perth to Sydney, heading home after attending the fantastic linux.conf.au 2014.

The plane is a Boeing 767, and unlike most flights I have been on in the last decade, this one has no in-flight entertainment system built into the backs of seats.

Instead, every passenger is issued with an Apple iPad (located in the back seat pocket), fitted with what appears to be a fairly robust leather jacket emblazoned with the words “SECURITY DEVICE ATTACHED” (presumably to discourage theft).

There are a few observations I have made about this setup.

At first glance, using a portable tablet device to deliver audio/visual entertainment instead of using a more traditional fixed setup seems like a good idea.

For one, the cost reduction for replacing faulty or out of date devices immediately becomes obvious.

And people by and large are reasonably capable these days when it comes to interacting with a tablet touchscreen interface, even if they don’t own one of those devices themselves.

However, I did notice quite a few passengers having issues with the iPads. The cabin crew spent roughly the first 30 minutes after takeoff dealing with support issues, which mainly involved pointing out user interface buttons, assisting with plugging in headphones, or replacing the occasional non-functional iPad with spares they had on-hand.

The iPad assigned to me initially had only 62% charge at the start of the flight, and had no Wi-Fi connection. Safari was the only app allowed, and due to the lack of Wi-Fi, the predefined home page could not load, resulting in an error. Due to the interface lockdown, I could not manually tell it to reconnect. The seat next to me was empty, so I was able to use the iPad assigned to that seat, which worked without a problem.

The fact that there were no charging ports or cables provided, suggests the iPads are charged elsewhere, perhaps off-plane and loaded on prior to boarding.

The entertainment system was delivered entirely through the web browser, which provided TV shows, movies, and some radio content. Unfortunately the system provided no flight information (e.g. location, altitude, or flight path), so I had to rely on spotting landmarks out the window to get a rough idea of where I was.

Because the iPads had an airplane mode symbol with a Wi-Fi indicator, it was obvious that the media was delivered wirelessly. That raises interesting questions about delivering streaming media to hundreds of devices at once. Presumably either they have been careful to distribute a substantial number of access points throughout the aircraft, or they are relying on not too many passengers using up all the bandwidth at once.

Running a site survey on my laptop (iwlist wlan0 scan), I was able to detect 13 access points within range of my seat (53K, just a few rows from the very back), each of them with a hidden SSID. There was a mixture of 2.4 GHz and 5 GHz frequencies in use. Because I did not have airodump-ng installed on my laptop at the time, and not being familiar with wireless sniffing with other methods, I was unable to find out the name of the hidden SSID used.

At this point I was wondering why Qantas have issued iPads, rather than any other non–Apple tablet device. Presumably the lockdown features that Apple provides works well enough for 90% of Qantas’ use case, but I can’t help but wonder whether a customised system, e.g. a custom built Android on a more generic tablet, would provide better lockdown security, and easier management.

I don’t think that a customised Android or other Linux–based system is outside Qantas’ reach, especially given that fixed setups in some of their other planes already appear to sport a similar amount of customisation.

Presumably the decision to deploy iPads was made by executive management, perhaps even being first drafted on a bar napkin, rather than being a technical decision that was made by objectively weighing up the benefits and disadvantages of various systems.

At this stage, I should probably point out that Qantas is a largely brand-oriented company, relying on a strong corporate identity to justify their markedly higher prices. For example, in my dinner serving, I was given brand-name Arnotts crackers, Bega cheese, Dairy Farmers milk, Mount Franklin water, Just Juice, and Coca-Cola. Perhaps given this, it is unsurprising that Apple iPads were chosen.

From a power perspective, given that the iPads run on battery power for the duration of the flight, and the only gear required to be powered by the aircraft are the access points and file serving infrastructure, rather than the fixed entertainment consoles as well, we are probably seeing a reduction on the aircraft’s power strain as a result of this. How significant this is, I am not sure, as I would imagine power is not a particularly scarce resource on an aircraft on the scale of a Boeing 767.

I wonder how much this idea will catch on. Assuming the Wi-Fi based approach continues to perform well, it makes a good retrofit solution for replacing older generation entertainment systems in current aircraft.

Given that what was once a cutting edge premium feature aboard aircraft has now become standard, and demonstrably delivers customer satisfaction whilst being built atop of commodity consumer hardware, I feel we will see more of this in aircraft in years to come.

SPA525G with ASA 9.1.x

28 October 2013

At work, we have a staff member who has a Cisco SPA525G phone at his home that has built-in AnyConnect VPN support.

Over the weekend, I updated our Cisco ASA firewall (which sits in front of our UC500 phone system) from version 8.4.7 to 9.1.3 and the phone broke with the odd error “Failed to obtain WebVPN cookie”.

Turns out the fix was very simple. Just update the firmware on the SPA525G to the latest version. The broken firmware was 7.4.9c, and the firmware I’m using now that works is 7.5.5.

Preferably you’ll update this before updating your ASA (unlike me). If you can’t be bothered navigating the horrible Cisco Configuration Assistant, and have obtained the spa525g-7-5-5-bt.bin file from Cisco.com, just do the following:

workstation$ scp spa525g-7-5-5-bt.bin cisco@uc500:/phones/525/spa525g-7-5-5-bt.bin

! Set up TFTP alias so it finds the firmware at the root
cisco(config)# tftp-server flash:/phones/525/spa525g-7-5-5-bt.bin alias spa525g-7-5-5-bt.bin

! Associate uploaded firmware with phone load config
cisco(config)# telephony-service
cisco(config-telephony)# load 525G spa525g-7-5-5-bt
cisco(config-telephony)# load 525G2 spa525g-7-5-5-bt

! Shouldn't be necessary, but just in cnf-files aren't updated
cisco(config-telephony)# create cnf-files

And there you have it. Oh, and if you’re wondering how to update the firmware once it’s already broken, you can simply log on to the phone’s web interface (obviously only locally, as you’ve already broken the VPN) to update the firmware manually.

Want a take-home message? Update your SPA525G firmware before you update your ASA firewall.

(By the way, I also got an error after the firmware update: “Auth Group setting is invalid”. Turns out I had misspelled the “Tunnel Group” field in the VPN settings. It also turns out that it doesn’t like tunnel group names that contain spaces.)

Restore ASA 5500 configuration from blank slate

28 September 2013

The Cisco ASA 5500 series (e.g. 5505, 5510) firewalls have a fairly nice GUI interface called ASDM. It can sometimes be a pain, but it could be a lot worse than it is.

One of the nice things ASDM does it let you save a .zip file backup of your entire ASA configuration. It includes your startup-configuration, VPN secrets, AnyConnect image bundles, and all those other little niceties.

But when you set up an ASA from scratch to restore from said .zip backup (i.e. you’ve erased your startup-config, or you’re on fresh hardware), the ASA operating system boots up with no networking/ASDM set up, and the documentation for setting this up strangely assumes this already to be the case (I guess ASA’s ship differently to how their blank slate works).

Because I always forget, here are the basic commands you need to enter at the serial console in order to bootstrap the ASDM environment:

ciscoasa> enable
Password: (blank)
ciscoasa# configure terminal
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# nameif Management
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.0 Management

Plug your PC into the Management0/0 port, set your IP, and browse to https://192.168.1.1/. Log on to ASDM with blank username/password, and restore the backup config.

ABC iview and the ‘Australia tax’

30 July 2013

Unless you have been living in a cave, it is probable that you heard about a federal parliamentary inquiry into IT pricing (somewhat aptly entitled “At what cost? — IT pricing and the Australia tax”) which reported that, amongst other things, online geo-blocking can as much as double pricing for IT products in what is blatant price discrimination.

Not only do Australians pay, on average, 42% more than US’ians for Adobe products, and 66% more for Microsoft products, but music (such as the iTunes Store), video games, and e-books (e.g. Amazon) unashamedly have geo-tiered pricing as well. The concept of DVD regions is also a primitive form of geo-blocking.

The ABC’s fantastic series The Checkout, aired earlier this year, explored the iTunes Store specifically in episode 10, in a segment named “High Tunes”. In the episode, they told consumers to “not actually do this” (due to unforeseen legal consequences), but if they “sign up for a US–based iTunes Store account”, they can access cheaper iTunes music pricing. Their website links to a how-to guide by Choice on doing exactly that.

The simple answer to why companies such as Adobe, Microsoft, and Apple charge so much more in Australia is because they can get away with it. (And Australians are gullible enough to continue paying these outrageous premiums.)

The logic presented by The Checkout, in relation to achieving US prices on the iTunes Store, is a cheeky form of civil disobedience. Perfectly legal, but very likely violating the iTunes terms of service.

The report presented after the parliamentary inquiry echoes this, in its recommendation that stated: (hyperlink is mine)

Recommendation 5

The Committee recommends that the Australian Government amend the Copyright Act’s section 10(1) anti-circumvention provisions to clarify and secure consumers’ rights to circumvent technological protection measures that control geographic market segmentation.

And also:

Recommendation 10

That the Australian Government investigate the feasibility of amending the Competition and Consumer Act so that contracts or terms of service which seek to enforce geoblocking are considered void.

That strikes me as being a sudden outbreak of common sense. Geo-blocking is abused by corporations to gouge higher prices than the free market would otherwise allow. (I hereby authorise anybody who claims geo-blocking is necessary for copyright reasons to punch said ‘anybody’ in the face.) While it is true that corporations play by the system (in the same sense that tax minimisation by routing funds via tax havens is often perfectly legal while being ethically questionable), this gives one quite good reasons to fix the system.

Let’s line up what we have discovered thus far:

  • Corporations make products available in Australia for vastly higher prices than other countries (especially the US), and unethically so
  • Consumers have a moral right to circumvent DRM that enforces geo-blocking, and thus gain access to reasonable pricing
  • Existing terms of service may be violated by doing so, but if the inquiry recommendations are implemented, these terms of service would become null and void anyway

Anyway, where am I going with this? I’m going to draw a parallel with ABC iview.

I’ll be up-front and say it’s not the same thing. The ABC doesn’t charge money for their iview service (well, we taxpayers still pay for it, but anyway), so it’s not price discrimination. ABC iview does implement geo-blocking, but again, this is not for price discrimination — instead, for (dubious) copyright reasons.

So where’s the parallel? Quite simply, civil disobedience in violating the unfair terms of use. The ABC iview terms of use state, amongst other things: (emphasis mine)

5. Digital Rights Management

The ABC and its suppliers, authorised platform providers and content partners may embed digital rights management security in ABC iview or certain ABC Content and/or use other technical content protection measures as required to protect ABC Content from unauthorised access, and in order to meet obligations to third parties who own rights in ABC Content. You must not, and must not authorise, allow or provide the means for others to, adjust or circumvent or try to adjust or circumvent these technical measures.

It gets better. The iview FAQ states the platforms that are supported:

ABC iview operates on platforms that support the very latest version of Adobe Flash. iview works on: (emphasis mine)

  • Macs that can run OSX 10.6 or above with Flash version 11.7
  • PCs running Windows OS with Flash version 11.7
  • Linux systems that are able to run Flash version 11.7 ([Only] Available with Google Chrome) Adobe has stopped Flash Player support for Linux at 11.2

Use of Adobe Flash is required by the ABC to implement and enforce the aforementioned digital rights mangement (DRM) restrictions outlined in the terms of use. The problem for users is that to watch ABC iview content on a platform not supported by Adobe Flash (i.e. anything other than what is listed above), one must circumvent technological protection measures, and thus violate the terms of use (and, allegedly, the law, but not being a lawyer, I’ll not be tackling that argument).

I wrote a program called Python-iView that did exactly that. At the time, I did not realise that it violated the terms of use (to be honest, I hadn’t even read them by the time I got Python-iView to a working state — who reads that drivel anyway?) and I did not think it was illegal. I still don’t think so, but evidently the ABC disagreed, which is why they sent me a cease and desist letter on August 7, 2012 asking me to take it down.

Since I took Python-iView down, not wishing to be the subject of further legal action, the community has taken over the ownership of Python-iView. This was not of my doing — rather, it was due to the inherent culture of openness and sharing common to most of my users. In spite of (or perhaps because of) my lack of involvement, Python-iView has sprouted a Python 3.x port with some many new whiz-bang features and is commonly found on GitHub.

This community behaviour is in clear defiance of the ABC iview terms of use. While the ABC also claimed copyright infringement in their cease and desist, what I find encouraging is that the parliamentary inquiry recommended changes to the Copyright Act to assist with combating geo-blocking. If Python-iView had a less niche user base, it is conceivable that similar positive modifications could be made to law to further exemplify legitimate scenarios for Python-iView’s use.

My view is that if we cannot make the ABC receptive and friendly to a DRM–free and open system for iview, we may be able to build on the work done in this parliamentary inquiry in order to influence the lawmakers to make this happen from the legislation end. Legislation would have to be clarified to allow the use of circumvention techniques when technological protection measures cause discrimination or other issues that are against the public good.

One final note. While I believe that the community which has taken over the reins of developing Python-iView (in deference to the ABC’s wishes) is in fact not breaking any laws, even if they were, they have a moral obligation to continue do so. In the words of Martin Luther King:

There are just laws and there are unjust laws. I would agree with St. Augustine that an unjust law is no law at all… One who breaks an unjust law must do it openly, lovingly…I submit that an individual who breaks a law that conscience tells him is unjust, and willingly accepts the penalty by staying in jail to arouse the conscience of the community over its injustice, is in reality expressing the very highest respect for law.

I only wish I had the courage of King when dealing with the ABC nearly this time a year ago. Many legal victories have been possible in the past by being courageous enough to break the law, which is just as applicable to us today in opposing DRM as it was for Martin Luther King in opposing racial inequality.

We do not tolerate bugs; they are of the devil

19 July 2013

I was just reading an article entitled “Nine traits of the veteran network admin”, and this point really struck a chord with me:

Veteran network admin trait No. 7: We do not tolerate bugs; they are of the devil

On occasion, conventional troubleshooting or building new networks run into an unexplainable blocking issue. After poring over configurations, sketching out connections, routes, and forwarding tables, and running debugs, one is brought no closer to solving the problem. This is the unholy area of networking inhabited by the software bug. Network admins think of switching and routing software bugs as personal attacks, and they will usually excoriate a vendor when one is discovered. This is because before the determination is made that the problem is due to a bug, nothing makes sense whatsoever. It completely violates years of experience and knowledge, throws waste to logic, and causes immense amounts of stress and turmoil. You might think of it as if you spontaneously transmogrified into a difference species. Everything you’ve ever known suddenly does not apply, yet here you are.

I can’t agree enough with the above. If you develop software that I use, I have probably hated your guts at some point.

I’m not a software developer. Slapping me in the face with a snide “patches welcome” is neither constructive, nor likely to get you said patch. If you are a software developer (whether in the free software community or otherwise), you must learn to take personal responsibility for your own bugs, whether you do it for free, or as part of your payroll.