
Blog

On Vine and Third-Party Use of Your Content


None of the commentary with respect to terms of service and legal agreements in this blog post can be taken as legal advice. If in doubt, ask someone who really knows their stuff.

I really like the medium of short, tweetable videos that Vine has made popular. It succeeds where other video-over-Short-Form “Bird” Social Media Site Before It Went Terrible services, such as yfrog’s, failed. Once again, it is actually by imposing limitations that we find a unique way to express creativity.

So, I toyed with the idea of joining Vine, even despite it not supporting protected accounts like on Short-Form “Bird” Social Media Site Before It Went Terrible. But being an unusual breed, I felt it necessary to read and at least attempt to understand the Terms of Service.

I didn’t like what I saw. (All emphasis is mine.)

You retain your rights to any Content you submit, post or display on or through the Services. In order to make the Services available to you and other users, Vine needs a license from you. By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).

This is a standard kind of sentence you will see if you read many different ToSes. It is, apparently, the boilerplate for “we need your permission to display the stuff you are posting”. It seems fair enough.

You agree that this license includes the right for Vine to provide, promote, and improve the Services and to make Content submitted to or through the Services available to other companies, organizations or individuals who partner with Vine for the syndication, broadcast, distribution or publication of such Content on other media and services, subject to our terms and conditions for such Content use. Such additional uses by Vine, or other companies, organizations or individuals who partner with Vine, may be made with no compensation paid to you with respect to the Content that you submit, post, transmit or otherwise make available through the Services.

Suddenly, this paragraph changes the tone — from “we’re needing a licence to actually display your stuff at all” to “we’ll reserve the right to exploit any commercial value in your creativity whenever we feel like it”.

It is not just about using your content to further promote Vine, it seems to leave the door open for them to sell your content to anybody at all, subject to some additional terms and conditions I didn’t find.

I am not naïve. I know these services will need to make money eventually, and that a ‘free’ service comes with an exchange of value, even if it is not you paying a monthly fee.

With that said, this is not an acceptable arrangement for me, and I would encourage others to examine the value of the content they expect to submit to Vine in the light of these words.

Contrast Vine’s ToS with similar verbiage in the YouTube ToS:

When you upload or post Content to YouTube, you grant: to YouTube, a worldwide, non-exclusive, royalty-free, transferable licence (with right to sub-licence) to use, reproduce, distribute, prepare derivative works of, display, and perform that Content in connection with the provision of the Service and otherwise in connection with the provision of the Service and YouTube’s business, including without limitation for promoting and redistributing part or all of the Service (and derivative works thereof) in any media formats and through any media channels;

In short, YouTube might use your stuff to further YouTube as a platform, on any medium, but they aren’t going to reserve the right to flog it off to some ‘partner’ who may not be as fair about compensating you. (Also, YouTube’s existing, long-term relationships with their content partners demonstrate, in my view, a much better mutual respect than the implication of Vine’s ToS.)

There seems to be a weird irony that it is exactly the fact that Google wants to jealously keep you and your content in their ecosystem that they aren’t going to pawn it off to someone else’s ecosystem who might not treat you right.

I’m not saying don’t use Vine. That is your decision, based on what you find an acceptable deal. But don’t be in the dark about the potential implications of these differences in that agreement that, on the surface, might appear subtle, but could be really important.

Today, if you put your stuff on YouTube, and it gets popular, you can join the Partner Program and get compensated for the value in your content. With Vine, however, maybe there would never be an opportunity to see any value from your work. I think they need to answer that question, even if the implementation is not here yet.

Protecting the value of the content you create, whilst always being respectful to your customers, is not just for big media organisations. We are all creators, and we all deserve to have mutually respectful relationships with those who publish our content on our behalf, and those who consume it.

How to install Cacti on CentOS 6

It has been far too long since a video tutorial made its debut here, so I would like to introduce a new tutorial!

Cacti is a great graphing and monitoring tool, but I have struggled in the past with getting it installed, and getting it to do what I want. It can be a little bit complex and fiddly, but recently I have had more success and am putting it to good use measuring and graphing more things.

In this tutorial, I will walk you through installing Cacti on a basic CentOS 6 system with Apache, PHP and MySQL already installed. By the end of the video, it is collecting information for the default graphs in the default installation.

I hope to extend this video series soon with some details about the additional graphs I have recently succeeded at getting installed.

As always, your comments and feedback are appreciated!

Teaching Computer Security Basics

Over the past few years, I have ended up coming into contact with many computers belonging to individuals. My reason for doing so has varied, but usually I am helping them with something unrelated to security.

I found myself constantly saying the same things when I noticed bad security practices — “you really should update or remove Java”, “you need to actually stop clicking ‘Postpone’ and restart the computer some time”, “untick that box to install the toolbar” and so on.

Computer security is hard.

But, particularly when it comes to computers belonging to individuals, we have let the perfect become the enemy of the good. We have allowed anti-virus vendors to parrot messages about “total protection” instead of teaching sound principles and encouraging good practice.

Computer security, at least in this context, is in large part a human problem, not a technology problem.

So, a while ago, I had an idea to put together a really quick, 5-minute presentation that would encourage computer security principles that could dramatically lower the risk of individuals’ machines getting infected. I stripped it down to what I saw as the four most important principles (few enough that they might actually be remembered!):

  1. Keep software up-to-date — with emphasis on the importance of updates, despite the inconvenience, and mention the high-risk software titles du jour whose updates may not be entirely hands-off (Flash, Java, etc.).
  2. Keep up-to-date antivirus — with emphasis on such technology as the last line of defence, not ever a solution in and of itself.
  3. Install software from trusted sources — perhaps the most important principle that requires behaviour change, this is about getting people to feel confident enough to build a trust model for software and then make informed decisions about each and every installation they make.
  4. Be suspicious — in particular about communications that invite clicking on things and so on, including using alternative channels to verify legitimacy of things that look suspicious (e.g. never clicking unexplained links!)

I’ve not given this talk yet, but I’d like to. It feels that computer security on home PCs is, in general, so awful, that even a very basic set of ideas that are memorable enough to implement can probably make a significant difference to the health of our personal information infrastructure.

I would welcome feedback from others on these slides, as well as the idea.

I think it is quite important to keep it to five minutes, make it concise enough that it will be memorable and actionable, but I’m sure this idea can (and needs to) evolve and improve over time.

If you would like to use the slides, feel free to do so under the Creative Commons BY-NC-SA 2.0 licence. It would be great if many people could hear this message.

Valuing Corporate Values

Much is said about Google’s “don’t be evil” corporate motto. That is not what this post is about.

This is about corporate values — and a (rather smaller) company I have found myself appreciating because of their words and actions on the subject. This stuff can be easily overlooked when the market demands a rush to the lowest price, but to consumers like myself, it is possibly the most important thing.

This isn’t some murky sponsored post (although I do have an affiliate link at the bottom) — this is all genuine and from the heart.

Cloak


I found out about Cloak through their co-branding with 1Password, my password manager of choice. They are a VPN service designed to give you a way to encrypt your traffic when you are connected to untrusted networks. Their service is technically brilliant, but what is more important than that is the honesty, openness and realism they have shown so far in their communications.

At first I felt a little apprehensive about their corporate values and how well they were upheld in practice. Their privacy policy was scant in detail — using claims along the lines of “we don’t store any of your data”, but with an exception of data that they’d need “to make sure you’re not sending out spam”.

Well, what does that mean?


Horse

Horse (Path)

I have missed Instagram’s filters since it was gobbled up by Facebook — a change which meant I could not continue using it.

So, it is nice to have similar functionality in Path. The added bonus is that unlike in Instagram, your photo is not rescaled down to quite the same degree!

Above is a, hopefully tastefully subtle, use of Path’s filters in this photo of a horse in rural Dorset.

Telephone box


You just don’t see ’em anymore, especially not in full working order!

Restoring a Windows 8 Bootloader

Screenshot of the Hyper-V Manager on Windows 8

Microsoft’s Hyper-V is a really cool virtualisation technology I have been having fun exploring. You cannot run a Hyper-V Server on a Windows 7 host, however, so in order to run it, I installed Windows 7 and Windows Server 2008 R2 side-by-side, and used it in the latter.

All that has changed in the era of Windows 8, however, and you can run a Hyper-V Server on the client version of Windows 8, if it is Windows 8 Pro. Hooray!

So, to cut a long story short, post-upgrade, I felt I didn’t really need my separate Windows Server 2008 R2 partition for Hyper-V, so I deleted it and expanded the Windows 8 partition to fill the space. Only to find that Windows now wouldn’t boot. Oops.

I originally installed Windows 7 first, followed by Windows Server 2008 R2, following best practice to install newer operating systems after earlier ones. What had happened now, though, was that I had just wiped out the bootloader that was sitting happily on the Windows Server 2008 R2 partition.


Cleaning up the IP.Board url4short mess

XDebug to the rescue…

The condensed, I-just-want-to-fix-my-site version:

On your server, try:

grep -ri \$mds /wherever/your/website/folder/is

to locate the injected code, and which file it resides in. You can then go into that file and remove it.

Also try re-caching all the skins and languages in the Admin Control Panel. Make sure all IP.Board updates and patches are applied to prevent the compromise happening again.

Reset your passwords and keys. Take measures to detect and continue detecting other infiltrations.
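
An added example, not part of the original post: a small script that runs the search above and then records a checksum baseline, so that later changes under the web root show up on the next run. The function names, the baseline file and the use of sha256sum are assumptions of this sketch; keep the baseline file outside the web root.

```shell
#!/bin/sh
# Added example (not from the original post).
# MARKER is the string the post greps for; everything else is an assumption.
MARKER='$mds'

# List files under $1 that contain the literal marker.
# -F: fixed string, so "$" is never read as a regex anchor
# -i: case-insensitive, as in the post; -I: skip binary files
find_injected() {
    grep -rIliF -- "$MARKER" "$1" | sort
}

# Record a SHA-256 for every file under $1 into baseline file $2.
# The redirect is resolved before the cd, so $2 is relative to the caller.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort ) > "$2"
}

# Print paths modified, added or removed since baseline $2 was taken.
changed_since_baseline() {
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    # A line present in only one listing means that file differs.
    # sha256sum prints 64 hex digits plus two separator characters,
    # so the path starts at column 67.
    sort "$2" "$tmp" | uniq -u | cut -c67- | sort -u
    rm -f "$tmp"
}

# Usage: sh scan.sh /path/to/webroot /path/outside/webroot/baseline.txt
if [ "$#" -eq 2 ]; then
    echo "Files containing $MARKER:"
    find_injected "$1"
    if [ -f "$2" ]; then
        echo "Changed since baseline:"
        changed_since_baseline "$1" "$2"
    else
        make_baseline "$1" "$2"
        echo "Baseline written to $2"
    fi
fi
```

Take the baseline only after the injected code has been removed and the patches applied, otherwise the compromised state becomes the reference.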

My friend Niall Brady dropped me an email, saying that some of the users of his Windows-Noob forums were reporting getting redirected to a spammy-looking site (url4short dot info) when clicking on search results to the site.

The forums run the Invision Power Board (IP.Board) software. There had been some reports of vBulletin boards being hit with this kind of spammy redirect, but fewer suggestions that this was an IPB problem. There had been a patch for a critical IPB issue released in December, but that had, obviously, been applied to the site as part of normal good practice.

Nevertheless, I was concerned. Clicking on a search engine result should definitely not redirect somewhere other than the result page!

Without evidence that the issue was not limited to one machine, or one connection, however, it could not be ruled out that it was just malware on that visitor’s machine.


Protecting your browsing with Certificate Patrol for Firefox

I read this BBC News story about mistakenly issued security certificates recently, which allowed the people with those certificates to impersonate any Google websites and intercept traffic to them. It struck me as quite significant that this particular story made it to ‘mainstream’ tech reporting.

There is a more detailed, and perhaps more accurate, commentary on this attack on Freedom to Tinker. It perhaps may not have been ‘cyber criminals’ as the BBC reported it when I first viewed the story!

Anyway, given the attention to this issue, I thought it a good opportunity to review this kind of attack against SSL/TLS — the security system upon which we all now depend. More importantly, I wanted to show Certificate Patrol, an add-on for Firefox that would allow you to notice a suspicious change to a certificate and thwart this kind of attack.

The weaknesses inherent in having too many organisations that are able to issue security certificates for any domain are becoming more clear. While this kind of attack is extremely rare, at the moment, ‘at the moment’ is a very poor security response! Hopefully, more awareness of these limitations of the internet’s authentication infrastructure can help put pressure on browser vendors, website owners and CAs to make everyone more secure.

Raspberry Pi


In other 2012 gadget acquisition news, I got my hands on a Raspberry Pi this year, too.

Raspberry Pi in box

Ordered in the summer, and only delivered last month, due to the high demand, it is something I have not yet had an opportunity to play with as much as I would have liked. The advantage of having to wait that long, however, has been a beefier 512 MB version of the device!

In the spirit of my recent iPad mini post, here are some first thoughts on the device:

  • It is amazing how much you can do on such a tiny and inexpensive device. With the Debian wheezy build that is the Pi’s default operating system, you have access to almost the same rich range of software packages on any other Debian system. I was able to install Nginx to serve up web pages at rapid speed, and I am quite sure it would be possible to completely replicate Van Patten Media’s Managed Hosting platform that I have spent much of the year working on, even on such a device!
  • It is unashamedly geeky. This will probably be enough to put off some people who have received a Pi, but perhaps who don’t have the support in place to best use it. It isn’t that difficult to get started, but you do need to be able to get the OS onto an SD card. For me, though, I like that opportunity that it gives you.
  • It legitimises the hobbyist again. This pleases me a lot. Many great things were achieved by (originally) hobbyist hackers; re-igniting that spirit has huge potential.

There is some irony in that the Pi is, in a number of ways, the polar opposite of the iPad — it is hobbyist rather than consumerist. The Pi gives you complete control but requires some fiddling, the iPad gives you little control but is so intuitive.

I leave this year much more satisfied about the state of computing because of these two devices.

Why? There is now opportunity for both consumer hardware, and hobbyist hardware, to co-exist and complement each other.