VoIP in India

Posted on November 26th, 2007 in Telephony, VoIP, Technology, India by Yusuf Motiwala

An interesting article in the Hindustan Times about VoIP in India (also covering TringMe):

India on the VoIP Wagon

Let me share some more views on this.

Although operators like BSNL and MTNL are opening up to embrace VoIP, the tax and fee structure required by TRAI and the operators makes it difficult to provide VoIP services at a competitive rate. For example, DoT charges an additional 12.5% service tax on total charges, which is relatively very high compared with the rest of the world and makes it difficult for an Indian company to provide world-class service at competitive pricing, especially when a user has an alternative option. What would DoT do if users directly buy credit from companies operating in the US/Europe, which will turn out to be a lot cheaper than buying from India once the 12.5% service tax is added? There is certainly no advantage for either Indian VoIP companies or DoT, as both will lose revenue.

To make VoIP really “affordable” for companies established in India, a revolution similar to the cellular revolution in India - ‘world’s best per min charges’ - is necessary. From a technical point of view, there are companies in India that can stake a claim to providing complete infrastructure that is among the best in the world. It is interesting to note that while most companies in the world, like Gtalk, Skype, or TringMe, provide inter-user VoIP communication for free, BSNL/MTNL charge 10 paise per user-to-user VoIP minute (PC-to-PC), which is extremely uncompetitive. As we can see from Puneet’s excellent article, the market potential is immense and it can really take off if done well.

India is among the top 5 countries in the world in Smartphone use. Hence, if done well, Mobile VoIP can become an extremely affordable, lucrative and convenient technology in India. Companies like TringMe are bringing in Mobile VoIP support for Smartphones so that one can use VoIP while travelling or on the road, and not just when in front of a PC. This has the potential to change the market dynamics in countries like India and China, where mobile device penetration carries a huge momentum.

Disclaimer: I have an active role and a personal stake in TringMe.

Readers of my blog are invited to join me on Facebook.

Barcamp Bangalore 5 & NASSCOM Product Conclave 2007

Posted on November 25th, 2007 in Barcamp, BCB5, NASSCOM by Yusuf Motiwala

This week was full of events and action. I attended BCB5 on Sunday and the NASSCOM Product Conclave 2007 on Monday and Tuesday. I felt privileged to be part of the NASSCOM sounding board panels – the mobile technology panel on the 19th and the Web technology panel on the 20th. The enthusiasm and the amount of energy flowing throughout both events were very contagious. Meeting bright minds, discussing ideas and challenges and attending interesting presentations were some of the key highlights for me.

Two very recent Bangalore based startups from these events caught my attention:

Muziboo is a platform to share your original music. I am not a die-hard music lover and I did not expect to spend much time there, but it was a pleasant surprise. Their website is simple, fast and easy to navigate, with tons of social features (wouldn’t it be better to use existing social networks than to recreate them?). I was glad to find some real quality music from hobbyists and amateurs there, and I may come back to it if the quality is maintained.

While it is a good job to start with, I did not find Muziboo to be much different from other similar websites (except for some nice Hindi songs). IMO, a few differentiating features may turn it into a killer website, for example (with my limited background in music):

  • Song request – Nothing better than to hear a good recreation of my favorite songs. It will also help create a demand and supply chain in addition to random music.
  • A platform for musicians to meet singers and vice versa. A singer can upload songs and musicians can compose music to create the best remixes based on their liking. I guess that would be fun and would bring in more users who can either sing or compose music but not both.

Anyway, if you love music then I am sure you can spend great time there.

MyDuniya plans to provide a hosted platform for connecting web and mobile. Currently they have not published enough details on their website. Hence, I cannot disclose anything now from my discussions with them. However, it might turn out to be a good service for Indian web developers. Let us see.

Indian Cricket Telecast: It’s Cricket between the Commercials

Posted on November 11th, 2007 in Uncategorized by Yusuf Motiwala

What do you see in two overs of live cricket on television? 12 balls and some batting action? No, it’s more than that - thanks to our television channels. It’s a whopping 25 advertisements taking away nearly 50% of your viewing time. Unbelievable? Just watch a small unedited clip from today’s India-Pakistan match below (two overs) and see how Indian television viewers are taken for a ride by BCCI and the television channels. Some rough statistics from the clip:

Total time for two overs: 677 seconds
Full screen advertisements (between the overs): 12 advertisements – total 252 seconds – each advertisement taking 100% of your television screen (list)
Overlay/banner advertisements: 5 advertisements – total 31 seconds – each advertisement taking 6.5% of your television screen and up to 11% in one case (list).
Large overlay (the most irritating ones): 52 seconds in 7 advertisements – each advertisement taking an extreme 44% of your television screen (list).
Total advertisement time: approx 280 seconds

Out of 677 seconds, almost 280 seconds are taken by advertisements, excluding logos, visible hoardings and advertisements on the ground itself. On Indian television, it is not the commercials between the cricket but the cricket between the commercials. Someone rightly said that in India cricket is all about finance.

BSNL Blocking VoIP?

Posted on November 4th, 2007 in Telephony, SIP, VoIP, India by Yusuf Motiwala

Is BSNL blocking VoIP? All of a sudden, my SIP devices are failing to connect to my SIP server, starting this morning.

Initially I thought it was my firewall. Due to a power surge yesterday, the flash of our Linksys router (running DD-WRT) was corrupted, and hence I suspected some problem there. However, it wasn’t. After some debugging, it turned out that it was BSNL which was maliciously blocking port 5060 and above.

I tried calling BSNL with no response on their ‘great’ customer service numbers.

Has anyone else experienced the same behavior? If ports are blocked deliberately then this is going to be a big issue for subscribers. Not sure if there is a regulation to stop ISPs from such anti-competitive practices.

The Brand Gap

Posted on October 28th, 2007 in Business, Branding by Yusuf Motiwala

How to bridge the distance between business strategy and design

Ordering Pizza in the Future

Posted on October 12th, 2007 in Privacy, Fun by Yusuf Motiwala

At a recent VoIP conference, someone pointed out a nice video… nice to watch.

http://www.aclu.org/pizza/

Comparing the Codes – Binary way

Posted on September 9th, 2007 in Intellectual Property, Coding, Security by Yusuf Motiwala

“In order to protect intellectual property, you must first be able to define what the property is.” [DDJ]

However, defining the property is not always simple – especially in the binary world of code. Code theft is a continuous concern for many companies ‘either’ way – whether it is Cisco or Microsoft. Unfortunately, detecting and proving code theft is not so easy for the owner. In most situations, binary comparison will be the only way to identify code theft, and this task becomes complicated when it involves different compilers, languages, obfuscation etc.

There are more reasons to compare code in the binary domain. When reverse engineering, it is often helpful to know what changed in a newer version of a program, which makes reversing substantially faster. Last year, there was an entire training session on versioning analysis at Black Hat 2006. Another interesting use would be to check for code similarity with malware variants. However, simple binary comparisons will not help, for obvious reasons. It requires an intelligent tool that can compare the structural properties and behavior of a program to identify possible similarities between the codes.

One such tool is BinDiff from SABRE Security GmbH. Last week they released BinDiff version 2.0, a long pending update. It uses a graphical approach to compare executables by identifying identical and similar functions. BinDiff even claims to detect similarities between code compiled using two different compilers (VC++ and gcc); that’s incredible.

More screenshots and details are here. They also have a few interesting papers here.

Coincidentally, last week there was another paper on the same subject by researchers at Saarland University, Germany. They developed a tool called Birthmark that can measure the degree of similarity between binary codes by analyzing program behavior. Details and paper are here.

Brand Masterclass - Open Source Branding

Posted on September 5th, 2007 in Branding by Yusuf Motiwala

A nice branding presentation by Idris Mootee:

Attacking XML Security

Posted on August 22nd, 2007 in XML, Security by Yusuf Motiwala

An informative presentation on XML Security by Brad Hill – Black Hat Briefings USA 2007.

[Source: iSec Partners]

Image deblurring (or restoration)

Posted on August 21st, 2007 in Image Processing, photography by Yusuf Motiwala

Image restoration is a fundamental problem in image processing. How many times has it happened to you that a possible candid shot came out blurred and you cannot take the same shot again? Image processing might be a solution.

Image restoration and deblurring have always caught the attention of researchers and industry, including practitioners like me. Direct inverse and Wiener filtering are the classic restoration methods in image processing texts, along with a few newer techniques using wavelets. On the latest MATLAB image processing blog, Prof. Stanley Reeves explains deblurring with examples in his introductory article, the first in a series on deblurring.

This reminds me of another very nice paper presented by Massachusetts Institute of Technology researchers at SIGGRAPH 2006, titled Removing camera shake from a single image.

Both sources will be a nice read for those interested in image restoration. For me it’s both: image restoration and photography.

Advertisement Driven Telephony-Free VoIP Calls and more

Posted on August 19th, 2007 in Innovation, Ideas, VoIP by Yusuf Motiwala

VoIP is the new mantra for startups. VoIP companies are in a race to offer almost free calls to subscribers. I shall not be surprised if a new startup comes up with the idea of offering completely free calls to non-VoIP phones supported by advertisements, something similar to the free ISP model with advertisements. Say Alice is calling Bob, and before the call is connected, Alice is targeted with a voice advertisement. BTW, this is not VoIP spam but a customer-chosen way of making free phone calls, and if reasonably controlled, it could be acceptable.

The business model is workable. Let’s look at Google AdWords, which charges a minimum of 1 cent per click (average charges are much higher - practically 10 cents per effective click). VoIP advertisement can definitely fetch comparable or more. Infrastructure and running expenses of VoIP are not high; consider the fact that Yahoo and many other VoIP providers charge 1 cent per minute for US calls. The key here is to maintain a good ratio of advertisement vs. call length.

There are several possibilities for maintaining a good ratio: the length of each call can be limited OR can be made proportional to the length of advertisements a user has listened to in the past. Some kind of credit system is possible. Random-length advertisements can ensure that the user does not automate advertisement skipping.

There are many possibilities – one is context-specific or targeted advertisements (think of Gmail). While a targeted advertisement cannot be placed in the current call, it is always possible to place it in the next call(s). Say Alice is talking to Bob about buying a new camera; this information can be used by the system to target Alice with a camera advertisement the next time Alice makes a call. An advertisement based on calling pattern is another possibility. Of course, privacy could be a concern; however, it might be possible to address it. Targeted advertisements and various relevant deals can also be sent to the user’s voice mail or email if the user has opted for it.

VoIP companies are flooding the market and investors are looking for ideas in the VoIP space. Possibly someone may find this idea interesting enough to fund; check out Jeff’s call for innovation in VoIP :)

Yahoo Messenger VoIP Service with SIP Phone

Posted on August 18th, 2007 in Telephony, SIP, VoIP by Yusuf Motiwala

I was looking at Linksys’s CIT310 phone with Yahoo Messenger support and wondering if it was possible to use a normal SIP phone or ATA with Yahoo Messenger. Since it is well known that the Yahoo Messenger VoIP service is based on SIP, my guess was that it should not be very difficult, and at the same time I did not expect it to be straightforward.

To get more insight, I sniffed Yahoo’s VoIP protocol. As I assumed, it is not straightforward to use a normal SIP phone to connect to Yahoo’s SIP service. However, IMO it might not be very difficult if someone can spend time on it. Here is some insight I gained from it.

  1. Yahoo uses the standard SIP call procedure with authentication (both for REGISTER and INVITE).
  2. Yahoo uses SIP over TCP/SSL. Hence, one needs a SIP client that supports TCP/SSL in order to connect to Yahoo’s VoIP service. Most SIP clients use UDP.
  3. Yahoo uses SIP digest authentication. Yahoo might be using a secret key in creating the response hash, which might make it difficult to use with other SIP clients.
  4. Yahoo sends a Y-Cookie header in the second REGISTER request (post challenge). While it is not difficult to get this information, it requires that the SIP client integrates with the YMSG protocol (say by using libyahoo2). This information can be obtained by registering with the Yahoo Messenger service (not the VoIP service) using Yahoo’s YMSG protocol. Yahoo sends this information in the Cookie (and YMSGRCookie) header after successful authentication (see headers below).
  5. Yahoo uses a few more proprietary but simple to implement headers.
  6. Yahoo uses standard codecs - ISAC, Speex, G.711 and iLBC.

Below is a sniffer dump of a REGISTER and one of the YMSG messages; both are self-explanatory (compare fields in bold).

Overall, it does not appear to be difficult. I will be very interested to hear if someone has tried to integrate a SIP phone with Yahoo Messenger. One known implementation (?) appears to be GTalk2VOIP, though it is my guess only.

REGISTER sip:68.142.233.149:443;transport=tcp SIP/2.0
From: <sip:ymotiwala@68.142.233.149:443>;tag=6ffbaf8-0-13b4-839-15f223f-839
To: <sip:ymotiwala@68.142.233.149:443>
Call-ID: 1462cd0-0-13b4-839-13f9d91-839
CSeq: 2 REGISTER
Y-User-Agent: intl=us; os-version=w-2-5-1; internet-connection=lan; cpu-speed=2309; pstn-call-enable=true;
ip-call-enable=true
Y-Cookie: Y=v=1&n=8j74ajq3il4cc&l=ocecom0b0/o&p=m27ccinb130d0476&jb=21|36|3&ig=0oidr&
iz=560038&r=2b&
lg=en-IN&intl=in&np=1;
path=/; domain=.yahoo.com;
T=z=NMyzGBNSHwGBjy4Ce8uwFBPMjU7DjZOTjVPNxQyAg–
&a=QAE&sk=DAANt4m2hzHdV4&d=y2wDTlRJeUFURTVPVEk1TURNMU1RLS0BYQFRQUUB
aWcBVnBXQUFBAX
p6AU5NeXhHQmdXQQF0aXABN3dsb1BC;
path=/; domain=.yahoo.com;  AT=2; CRUMB=ybvFM63H0D2e4mFTqAKf7Q
User-Agent: Yahoo Voice,1.7
Max-Forwards: 70
Supported: timer
Via: SIP/2.0/TCP 192.168.0.111:5051;branch=z9hG4bK-82b-1fe668-7091e09b
Contact: <sip:ymotiwala@127.0.0.1:5051;transport=tcp>;q=0.5
Expires: 3600
Authorization: Digest username="ymotiwala",realm="sip.yahoo.com",nonce="noIJGOid957iYjfL7YuLXY5tVSxb",
uri="sip:68.142.233.149:443;transport=tcp",response="73ad73bf23b3c8e9bb198e2×20230e37",
algorithm=MD5

Content-Length: 0


GET /external/client_ad.php?p=409640 HTTP/1.1

Accept: */*
Accept-Language: en-us
YMSGRCookie: T=z=NMyzGBNSHwGBjy4Ce8uwFBPMjU7DjZOTjVPNxQyAg–&a=QAE&sk=DAANt4m2hzHdV4&d=y2wDTlRJeUFURTVPVEk1TURNMU1RLS0BYQFRQUUB
aWcBVnBXQUFBAX
p6AU5NeXhHQmdXQQF0aXABN3dsb1BC;
path=/; domain=.yahoo.com;
Y=v=1&n=8j74ajq3il4cc&l=ocej8m0b0/o&p=m27vvinb13020200&jb=21|36|3&ig=0oidr&iz=560038&r=2b
&lg=en-IN

&intl=in&np=1; path=/; domain=.yahoo.com
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; InfoPath.2)
Host: messenger.yahoo.com
Connection: Keep-Alive
Cookie: B=1si4vj53bpic3&b=3&s=ge; Q=q1=AACAAAAAAAAAAA–&q2=RsJ3Tg–;
YLS=v=1&p=0&n=0;F=a=MCGEA6IMvT6BeQWrG25smhBMqu_8IqqZtpGTV4l7R7.qRrOCFtetYlckFUI29hpec0St94
ZfolQCUnKjrZ0KJVtfOw–&b=bbOw; PH=fn=Qvp.9ON3a2SCqBM-&l=en-US; C=mg=1;
I=ir=i5&in=53fab5cc&i1=AAATAEA2EIERETFxF5F8GAGLJ8MiQBmToypEtQ3T5BCqAJ5u516S6o6q6×7G7z8D;
Y=v=1&n=8j74ajq3il4cc&l=ocecom0b0/o&p=m27ccinb130d0476&jb=21|36|3&ig=0oidr
&iz=560038&r=2b&
lg=en-IN&intl=in&np=1;

msgrY=v=1&n=8j74ajq3il4cc&l=ocej8m0b0/o&p=m27vvinb13020200&jb=21|36|3&ig=0oidr&iz=560038&r=2b&
lg=en-IN&intl=in&np=1;
T=z=NMyzGBNSHwGBjy4Ce8uwFBPMjU7DjZOTjVPNxQyAg–
&a=QAE&sk=DAANt4m2hzHdV4&d=y2wDTlRJeUFURTVPVEk1TURNMU1RLS0BYQFRQUUB
aWcBVnBXQUFBAXp6AU5NeXhHQmdXQQF0aXABN3dsb1BC;

Write to me if you are interested in obtaining a sniffer dump of the entire call flow, though you can dump it yourself using a sniffer.
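Point 3 in the list above can be tested against a capture: recompute the standard RFC 2617 MD5 digest response from the fields of the Authorization header using the account's own password, and compare it with the response the client sent. This is an added example, not code from the original post or from Yahoo; the function names are hypothetical, the SIP-shaped header and password are constructed, and the self-check vector is the worked example published in RFC 2617, section 3.5.

```python
import hashlib
import re

# Matches key="quoted value" or key=token pairs inside a Digest header.
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value):
    """Split a (possibly line-folded) Digest header value into a dict."""
    scheme, _, rest = " ".join(value.split()).partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {key.lower(): quoted or token
            for key, quoted, token in _PARAM.findall(rest)}


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(params, method, password):
    """Compute the RFC 2617 MD5 response for the parsed header fields."""
    if params.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled here")
    ha1 = _md5(":".join([params["username"], params["realm"], password]))
    ha2 = _md5(":".join([method, params["uri"]]))
    qop = params.get("qop")
    if qop is None:
        # Legacy form without qop, the shape seen in the REGISTER above.
        return _md5(":".join([ha1, params["nonce"], ha2]))
    if qop != "auth":
        raise ValueError("only qop=auth is handled here")
    return _md5(":".join([ha1, params["nonce"], params["nc"],
                          params["cnonce"], qop, ha2]))


def matches_standard_digest(header_value, method, password):
    """True if the captured response equals the standard computation."""
    params = parse_digest_header(header_value)
    expected = digest_response(params, method, password)
    return expected == params.get("response", "").lower()


# Self-check vector: the worked example from RFC 2617, section 3.5.
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
RFC2617_PASSWORD = "Circle Of Life"

# Constructed values shaped like the REGISTER above: folded lines, no qop.
SIP_PASSWORD = "constructed-password"
SIP_HEADER_TEMPLATE = (
    'Digest username="alice",realm="sip.example.test",'
    'nonce="Y29uc3RydWN0ZWQtbm9uY2U",\n'
    'uri="sip:192.0.2.10:443;transport=tcp",response="{response}",\n'
    'algorithm=MD5'
)


def build_sip_header(method, password):
    """Fill the constructed template with the standard response."""
    fields = parse_digest_header(SIP_HEADER_TEMPLATE.format(response=""))
    return SIP_HEADER_TEMPLATE.format(
        response=digest_response(fields, method, password))


if __name__ == "__main__":
    print("RFC 2617 vector matches:",
          matches_standard_digest(RFC2617_HEADER, "GET", RFC2617_PASSWORD))
    header = build_sip_header("REGISTER", SIP_PASSWORD)
    print("standard client, REGISTER:",
          matches_standard_digest(header, "REGISTER", SIP_PASSWORD))
    # The method is hashed into the response, so the same header does not
    # verify for a different request method.
    print("same header checked as INVITE:",
          matches_standard_digest(header, "INVITE", SIP_PASSWORD))
```

A mismatch with the correct password and method would indicate that the response is not the plain RFC 2617 computation, which is the possibility point 3 raises.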

The Myths of Innovation

Posted on August 8th, 2007 in Video Clip, Innovation by Yusuf Motiwala

Scott Berkun on his book “The Myths of Innovation” at Google Campus

Brand Failures

Posted on August 7th, 2007 in Branding by Yusuf Motiwala

Product branding has always amazed me. Successful branding requires much more than the product itself, and most of the time customer psychology plays a much more important role than the product itself. The most amazing biscuits from Baygon are likely to fail in the market, not because of product quality but because of the market’s and consumers’ perception of Baygon as a pest control company. One of the reasons for New Coke’s failure was consumers’ emotions and bonding with the classic Coke.

Last week I picked up Matt Haig’s book, Brand Failures: The Truth about the 100 Biggest Branding Mistakes of All Time, for in-flight reading on my way back to Bangalore. It was an awesome read, despite some debatable things.

It is interesting to see why certain brands fail – even those backed by deep-pocketed corporates. Some famous examples of classic failures are New Coke, Sony Betamax, Hallmark in France, the initial Kellogg’s launch in India, etc. Sony Betamax failed despite being a superior product compared to VHS. Sony faced the same failure with MiniDisc (MD) against CDs. The smokeless cigarettes made by RJR are another classic example of brand failure; smokers simply did not enjoy the absence of smoke.

A strong brand and bad PR are also cited as reasons for brand failure. Xerox failing to get itself into the information technology business and the failure of Colgate in food products are classic examples of failure because of a strong but completely irrelevant brand (as a photocopier or toothpaste maker).

This book describes 100 such failures with a reasonably detailed analysis of each. It is a must read if you have even the slightest interest in product branding.

Btw, there is a movie made by HBO on RJR (mentioned above) – a nice watch - Barbarians at the Gate.

12 Must Have and Free Utilities for Windows

Posted on August 7th, 2007 in Software Utilities, Productivity, Misc by Yusuf Motiwala

The time has come to upgrade my computer. I made a list of the utilities which I frequently use on my current computer. Here is a list of all the everyday utilities which I use and highly recommend – all freeware.

  • Agent Ransack - Freeware file searching utility that supports regular expressions. Much better and lighter than the Windows default file search.
  • TreeSize Free - Tells you where your precious hard disk space has gone. I often use it when reorganizing files on my PC.
  • Wordweb - Free English thesaurus and dictionary for Windows. Extremely good and lightweight. However, I recommend unchecking the option to install it in the system tray.
  • Vim - Text editor, needs no introduction.
  • PrimoPDF - PDF printer driver to create PDFs from any application. Nothing special, but it nicely does the job it is supposed to do.
  • DAEMON Tools - Virtual CD/DVD-ROM emulator which allows you to keep your original CDs safe. It works with nearly all common types of file system images and almost all known protections.
  • AVG Free - Free antivirus for personal use. I have been using McAfee so far in my long corporate career but never looked back after installing AVG.
  • GreatNews - An offline RSS reader.
  • Process Explorer - Originally a Sysinternals utility, now part of Microsoft.
  • Opera - Browser of choice for me.
  • Personal Software Inspector (PSI) - Detects installed software and categorizes it as either Insecure, End-of-Life, or Up-To-Date.
  • Tugzip - Freeware replacement for WinZIP or WinRAR.
  • Putty - Free SSH client.
  • FileZilla - Excellent FTP client.

What do you use? I shall be happy to know of better alternatives, if any.

Reverse Engineering Malicious Javascript

Posted on August 6th, 2007 in Security, Web by Yusuf Motiwala

People often obfuscate JavaScript to protect their designs and also to shrink it in size. This is a legitimate use of obfuscation. However, there are ‘bad guys’ who use obfuscation for completely different purposes – to hide their exploits OR to make them difficult to analyze. Here is an interesting presentation by Jose Nazario of Arbor Networks – a must read for anyone interested in web technology and security.

Download Presentation

OOMA Concerns - More Insights

Posted on August 2nd, 2007 in Security, Privacy, Telephony, SIP, VoIP, Technology by Yusuf Motiwala

Jeff Peck from OOMA tried to answer some of the questions which I raised in my earlier post. Jeff, thanks for your time reading and answering the questions. However, IMO the answers appear to be misleading, at least to me. Let me explain why.

Jeff> the ooma customer whose device is making the call is not selling the call or the device

Irrespective of whether a user gets paid, it can definitely be classified as commercial usage and subleasing. 1) The user is letting OOMA, which in turn is a commercial company, use their phone line. 2) The user is getting services in exchange for letting OOMA use his or her phone line (see your answer). As I see it, the business model is based on infrastructure laid by someone else (the telephone companies), and it is not wise to assume that they will not object without getting paid. In fact, the first to suffer from such an objection could be the user.

Jeff> when a call is terminated through another user’s ooma Hub, caller ID is suppressed

Suppressing the caller ID is not supported on all networks; moreover, it is operator controlled, and in no way can OOMA have complete control over it. Also, irrespective of suppressing the caller ID, there will always be call records, and a user can get into trouble for any illegal usage of the phone line by the OOMA box. Now think of the exact opposite situation, where a user makes an illegal call and claims that it was made by the OOMA box. It will be difficult to defend that situation.

Jeff> ooma has developed technology that detects attempts to listen-in to a call and prevents other ooma subscribers from listening to your calls (so it is more difficult, not simpler)

That’s wonderful; however, it is unbelievable without any details. There are ways to detect phone tapping and ways to defeat detectors. Active and non-intrusive tapping is almost undetectable and well within the reach of normal users. Even if you can defeat those (which I believe is not possible), there could be other devices connected to the line, like a parallel phone, answering machine or recorder, which could be impacted by OOMA’s technology. In fact, by this, OOMA may make legitimate use of the phone more difficult and impractical for customers.

Overall, in the world of terror in which we live, OOMA appears to be an insecure (though innovative) solution. As far as I am concerned, I will have strong concerns about letting anyone use my phone line. Let me refer to a recent case where a guy was arrested for misuse of his phone by his brother and landed in big trouble; well, that’s an extreme case, but possible. Irrespective of CALEA, it can be a big hassle for a user if such a situation arises.

Orkut Privacy Bug

Posted on July 31st, 2007 in Orkut, Privacy, Security, hack by Yusuf Motiwala

A privacy bug in Orkut was discovered which allows any user to see anyone’s private messages. Click the demo link below to see one of my private messages. You just need to be logged in to Orkut to see the message.

Demo

Btw, it is not trivial to exploit this bug due to the random nature of the URL. However, those using a public or shared computer can be impacted by this bug. So if you are using a public or shared computer, make sure to clear your browser history.

This bug was reported here and here. It seems like an old bug, but it is yet to be fixed by Orkut (Google).

USB over Wi-Fi

Posted on July 29th, 2007 in WiFi, Ideas, Technology by Yusuf Motiwala

Imagine a device which allows wireless connectivity between your computer and your USB-enabled gadgets like a digital camera, mobile, flash disk, printer, webcam etc. There already are a few WUSB devices in the market. However, here I am referring to USB over Wi-Fi.

Any such device could be revolutionary. It may pose a serious threat to many specialized Wi-Fi devices, say EyeFi etc. One can make virtually any imaginable USB gadget wireless and live on the network.

Although Wi-Fi offers a lower data rate than WUSB (480 Mbps), it should be sufficient for many home applications. The advantages are a unified communication mechanism, interoperability, price and larger range.

Range is definitely a big plus. WUSB is a short-range technology and I can’t possibly use it with a webcam as my front yard wireless security camera. However, it could be possible with such a USB over Wi-Fi device. Also, imagine using such a device with a Wi-Fi hot spot, which allows you to use your webcam as a surveillance camera for your car, or a USB disk as an on-the-spot file server, whenever and wherever required. The possibilities are endless.

What is essentially required is USB host emulation over Wi-Fi or IP with some kind of security. A related USB/IP project is here. A related post is here.

Prices of Wi-Fi chips are on the decline. I am sure that there will be a good market if someone comes up with such a device in a low price range.

OOMA - Few Concerns

Posted on July 19th, 2007 in Networking, Telephony, VoIP, Technology by Yusuf Motiwala

OOMA is yet another VoIP startup that offers unlimited free domestic US calls. It seems promising and it is already covered by TechCrunch and a few other places. However, I have a few questions that appear not to have been raised elsewhere.

OOMA uses peer-to-peer technology to route calls (similar to Skype). One of the features of OOMA is that instead of using normal telecom interconnection and termination, it uses another user’s normal phone line to terminate someone else’s call (if available). This makes me wonder:

  • Most importantly – will that be legal? Wouldn’t this fall under commercial usage rather than residential usage and violate usage terms, which phone companies are certainly not going to like and may object to?
  • What about caller ID? If a call is routed through my phone line, the called party will see my number in their caller ID instead of the actual caller’s. This may be a serious privacy concern; for example, I could be held responsible for someone else’s crime.
  • Security: wouldn’t it be easy to listen to calls routed through my phone line? Phone tapping is not new and OOMA may make it just simpler.
  • What will a user get for letting OOMA use their phone line for routing other subscribers’ phone calls?

It would be interesting to see how OOMA addresses these concerns.

Update: here is an interesting claim from OOMA that the called party will receive the actual calling party’s ID and not the intermediate one. Anyone with telephony/SS7 knowledge knows that caller ID is purely controlled by the exchange and it is technically not possible for a CPE (for example, the OOMA box) to spoof OR insert caller ID. Again, no details from OOMA, and it appears to me as either a phony claim or a technical breakthrough – readers can decide.
