The Downside of Spotify’s Free Google Home

Spotify is giving away a free Google Home Mini to any account with the family plan. That’s pretty neat. And they are doing it for new and existing users, which is great because it doesn’t make the mistake of punishing existing customers in the pursuit of acquisition.

It makes sense for Spotify – get folks to upgrade from the $10 personal plan to the $15 family plan. It makes sense for Google – they are throwing tons of money to be the smart speaker/display platform in your home. (Aside: I have a half-written blog post about why I switched from Alexa to Google Home, but the tl;dr is that being able to Chromecast Spotify was the deciding factor)

There’s no catch – a Google Home Mini ostensibly costs $50 and you get it for $0. So what’s the downside?

A person at my coworking space just posted this in Slack:

Last night someone got into my Spotify account to upgrade it to a Family Plan to take advantage of a promotion for a free Google Home Mini. I was able to cancel that upgrade (and got the free Home Mini too!), but definitely keep your eyes peeled for any unauthorized access

That brought up other stories about Spotify accounts getting hacked, something that seems to happen with anecdotal regularity. Now there’s a financial incentive for the hacker: they can score a free Google Home that they can turn around and re-sell. You start paying $5 more per month so that a hacker can re-sell your smart speaker.

As always, there are 2 things you should be doing to keep all your accounts safe:

  1. Use a unique password for every site, which means using a password manager. If you are all-in on Apple, iCloud Keychain does a decent job too. Mozilla is making inroads here too.
    Yes it’s a pain to start and change your passwords, but you absolutely need to be doing this. Hackers have databases of passwords from so, so many sites. Seriously, click that link and look at all the sites that have been hacked. I guarantee you use at least one of those sites. The hackers will try your password from those sites on other sites and if you reuse your passwords, you will get hacked. How sure are you that you don’t reuse that hacked password?
  2. Use 2 factor authentication wherever you can. Preferably with an app instead of SMS. Sadly, Spotify doesn’t support 2FA, which is probably why lots of folks have stories about getting hacked.

If you do these 2 things, you will be miles ahead of most people.
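Since the post recommends an authenticator app over SMS, here is an added example (my code, not from the original post or from Spotify or Google) of what such an app actually does: it derives each code offline from a shared secret and the clock (RFC 6238 TOTP, built on RFC 4226 HOTP), so nothing travels over the phone network to be intercepted. It is plain Ruby with only the standard library. The secret and timestamps are the RFC test vectors, the base32 string is that same secret as an app would store it from the QR code, and the class name TotpVerifier is this example's own.

```ruby
require "openssl"

# Base32 alphabet used by authenticator apps for the secret in the QR code.
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def base32_decode(text)
  bits = text.upcase.delete("=").each_char.map do |c|
    idx = BASE32_ALPHABET.index(c) or raise ArgumentError, "bad base32 char #{c}"
    idx.to_s(2).rjust(5, "0")
  end.join
  # Drop the trailing bits that do not form a whole byte.
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack("C*")
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
# "dynamic truncation" takes 4 bytes at an offset given by the last nibble.
def hotp(secret, counter, digits: 6)
  mac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
  offset = mac.bytes.last & 0x0f
  code = mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, "0")
end

# RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.
def totp(secret, unix_time, step: 30, digits: 6)
  hotp(secret, unix_time / step, digits: digits)
end

# Constant-time comparison so the check's timing does not leak how many
# leading digits of a guess were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verifier (hypothetical name). Accepts the current step plus or
# minus `drift` steps to tolerate clock skew, and refuses any step at or before
# the last one accepted, so a code captured by a phisher cannot be replayed.
class TotpVerifier
  def initialize(secret, step: 30, digits: 6, drift: 1)
    @secret, @step, @digits, @drift = secret, step, digits, drift
    @last_step = nil
  end

  # Returns the accepted step on success (persist it per user), nil on failure.
  def verify(code, unix_time)
    current = unix_time / @step
    (-@drift..@drift).each do |delta|
      step = current + delta
      next if @last_step && step <= @last_step
      next unless secure_equal?(hotp(@secret, step, digits: @digits), code)
      @last_step = step
      return step
    end
    nil
  end
end

if __FILE__ == $0
  # RFC 6238 test secret "12345678901234567890", base32-encoded as an app would hold it.
  secret = base32_decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
  puts totp(secret, 59, digits: 8)       # 94287082, per RFC 6238 Appendix B
  verifier = TotpVerifier.new(secret)
  p verifier.verify(totp(secret, 59), 59)   # 1: accepted
  p verifier.verify(totp(secret, 59), 59)   # nil: same code again is refused
end
```

The replay rule is the part that matters against phishing: even if someone tricks you into typing a code into a fake site, the code is only good for one login inside a window of about a minute, which is a far smaller exposure than a reused password.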

What infuriates me about Rails

DHH, creator of Rails, drew attention to my least favorite aspect of the framework in his wrap-up of the recent Snakes and Rubies throw-down.

To me, such an elaborate administration interface with login, permissions, and groups and what have you is out of scope for inclusion in the core framework.

Show of hands, how many deployed Rails apps have no concept of users?

I’m sure there are some, but the majority have some sort of registration, login and authorization. How many programmer hours are going into either re-inventing the wheel or customizing existing solutions?

Worse, a lot of projects will start with one of the many existing solutions only to realize too late that they need something different. Then they wind up having to maintain a customized solution that doesn’t participate in the network effects of community development.

There is a “less software” solution to this complexity.

Here’s what you do: Make an ActionUser module part of the Rails core. Add a good API for ActionController and ActiveRecord to authenticate methods against the current user. That’s it.

Just as important, here’s what you don’t do: Don’t implement permissions. Don’t implement roles. Don’t implement ACLs. Don’t create fancy permission management views, or even login controllers. That doesn’t belong in the core framework.

Just like ActiveRecord is database-agnostic, allow people to write pluggable auth modules that do the dirty work. Need to authenticate against LDAP? Make ActionUser::LDAP. Just need to keep anonymous users out of an admin section? Make ActionUser::Simple. Need to authenticate with cookies, or HTTP auth, or Kerberos? Interchangeable modules. Develop locally with SQLite and HTTP auth, then deploy to production with Oracle and Kerberos.
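To make the proposal concrete, here is an added sketch of what that interface could look like. It is my own illustration, not code from Rails or from DHH: the ActionUser module, its Backend contract, the Simple credential store, the HttpBasic backend and the Controller mixin are all hypothetical names, and it runs as plain Ruby with only the standard openssl library, no Rails required. The point is that a controller only ever talks to the one authenticate contract; which backend sits behind it (HTTP auth locally, LDAP or Kerberos in production) is configuration.

```ruby
require "openssl"

# Hypothetical sketch of the proposed ActionUser interface. Nothing here is
# part of Rails; every name in this module is this example's own.
module ActionUser
  # Constant-time comparison: a wrong password must not leak how many leading
  # bytes matched through timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The one contract every backend honours: authenticate(env) takes a
  # Rack-style request hash and returns a user name on success, nil otherwise.
  class Backend
    def authenticate(_env)
      raise NotImplementedError, "#{self.class} must implement #authenticate"
    end
  end

  # Simple: an in-memory credential store that keeps salted
  # PBKDF2-HMAC-SHA256 hashes, never the passwords themselves.
  class Simple
    ITERATIONS = 100_000
    KEY_BYTES = 32
    DUMMY_SALT = "\0" * 16

    def initialize
      @users = {}
    end

    def add_user(name, password)
      salt = OpenSSL::Random.random_bytes(16)
      @users[name] = [salt, derive(password, salt)]
      self
    end

    def valid?(name, password)
      salt, stored = @users[name]
      # Always run the derivation so an unknown name takes as long as a known one.
      candidate = derive(password, salt || DUMMY_SALT)
      !stored.nil? && ActionUser.secure_equal?(stored, candidate)
    end

    private

    def derive(password, salt)
      OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_BYTES, "sha256")
    end
  end

  # HttpBasic: parses the Authorization header and hands the credentials to
  # whichever store it was built with. A cookie or Kerberos backend would
  # implement the same authenticate(env) and nothing else would change.
  class HttpBasic < Backend
    def initialize(store)
      @store = store
    end

    def authenticate(env)
      header = env["HTTP_AUTHORIZATION"].to_s
      return nil unless header.start_with?("Basic ")
      decoded = header[6..].unpack1("m0")   # strict base64; ArgumentError on junk
      name, password = decoded.split(":", 2)
      return nil if name.nil? || password.nil? || name.empty?
      @store.valid?(name, password) ? name : nil
    rescue ArgumentError
      nil
    end
  end

  # Controller side: the only API a controller needs. Backends are tried in
  # order; the first one that recognises the request wins.
  module Controller
    attr_reader :current_user

    def authenticate!(env, backends)
      @current_user = nil
      backends.each do |backend|
        user = backend.authenticate(env)
        next unless user
        @current_user = user
        return true
      end
      false
    end
  end
end

# Demo: an admin section that knows only the ActionUser API, not how users
# are checked. Credentials below are constructed for the example.
class AdminController
  include ActionUser::Controller

  def initialize(backends)
    @backends = backends
  end

  def show(env)
    authenticate!(env, @backends) ? "200 hello #{current_user}" : "401 Unauthorized"
  end
end

def basic_header(name, password)
  { "HTTP_AUTHORIZATION" => "Basic " + ["#{name}:#{password}"].pack("m0") }
end

if __FILE__ == $0
  store = ActionUser::Simple.new.add_user("alice", "correct horse")
  admin = AdminController.new([ActionUser::HttpBasic.new(store)])
  puts admin.show(basic_header("alice", "correct horse"))   # 200 hello alice
  puts admin.show(basic_header("alice", "wrong"))           # 401 Unauthorized
  puts admin.show({})                                       # 401 Unauthorized
end
```

Swapping ActionUser::HttpBasic for a cookie-session backend, or Simple for an LDAP-backed store, touches only the array passed to the controller, which is the "less software" point: the framework owns the contract and the community owns the implementations.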

I know DHH isn’t interested in including this in the core, but it’s not like ActionMailer shows up in Martin Fowler’s Patterns of Enterprise Application Architecture. With so many different auth projects going on I can’t help but think that a standard interface for auth would benefit the community as a whole.

Am I the only Rails developer sick of repeating myself, cobbling together auth for each new project?

Why you weren’t protected from Sony

In an article for Wired News, Bruce Schneier asks:

What do you think of your antivirus company, the one that didn’t notice Sony’s rootkit as it infected half a million computers?

Mr. Schneier’s readers answered him:

Many readers pointed out to me that the DMCA is one of the reasons antivirus companies aren’t able to disable invasive copy-protection systems like Sony’s rootkit: it may very well be illegal for them to do so. (Adam Shostack made this point.)

Isn’t it great that we live in a country that not only has the DMCA, but is actively exporting it? Aren’t you glad companies like Sony have laws like the DMCA; laws that keep you from protecting yourself against them? The best part is that people are generally fine with it as long as it fights “piracy,” but DRM has nothing to do with piracy!

If you want to know how we got to the point where Sony is taking complete control of your computer, look at why bad laws like the DMCA’s anticircumvention section are around.

Update 2005-11-23: Curious how other parts of the DMCA are being used? Boing Boing summarizes a study from the Chilling Effects Project. Turns out a lot of DMCA requests are bullshit. I know mine was. I publicly announced that I would participate in Grey Tuesday, and then publicly backed down when someone pointed out my hypocrisy. I still got a DMCA takedown notice, despite not having infringed any copyright. It isn’t surprising that mine wasn’t an isolated incident, but it does piss me off.

Secure Email Meme

Oh boy, a chain blog entry! Dave Walker called me out to talk about securing email; who am I to refuse?

You should secure your email. Am I done?

OK, so that’s not the best supported argument. If everyone secured their email there would be virtually no spam, but any system that doesn’t show benefits at even 10% participation is more or less doomed. However, the benefit of securing email kicks in much earlier when dealing with phishers.

One thing I worry about is whether my relatives are able to tell spoofed emails from real ones, and whether they avoid giving personal information to any site emailed to them. If large companies start taking security seriously, if they start signing their emails and educating their users to look for their signature, we’ll start to see a dent in phishing. If Amazon, eBay, PayPal and various banks start, they’ll influence the smaller companies to start doing it.

To help influence the influencers, you can (and should!) start signing your emails today. There are two ways to get started, and they aren’t exclusive. Many people use both signatures in their emails. Either one will take about 15 minutes, much less than getting your first email account set up probably took.

The first is to get a free S/MIME certificate from a company like thawte. I did this a while ago but I lost my certificate and had to try to retrieve my password. It was a frustrating process; I assume registering in the first place was as well since I used “Which company is pissing you off right now?” for my 5th security question. However, I still recommend this method as easier and tech support was very helpful.

There’s an amazing guide for OS X Mail, as well as instructions for Thunderbird on Windows, and these signatures work for virtually all email clients. As soon as you get your certificate installed, your emails will start showing up as secure. How cool will that make you look, when your clients see your email in their inbox highlighted as secure?

Answer: moderately to not at all cool, but they’ll still be impressed with the geek mystique.
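For the curious, here is what a signed message actually is under the hood. This is an added example of mine, not from the original post and not from thawte, Apple or Mozilla: Ruby with the standard openssl library builds a throwaway CA (standing in for the certificate authority) and a user certificate, produces a detached PKCS#7 signature over a constructed message in the multipart/signed form a mail client sends, and then does what the recipient's client does: checks that the signer's certificate chains to a trusted CA and that the signature matches the body that actually arrived, including the case where the body was altered in transit. The names, addresses, message text and the helper names make_cert, build_identities, sign_message and verify_message are all constructed for the example.

```ruby
require "openssl"

# Build an X.509 certificate; with no issuer given it is self-signed.
def make_cert(subject, key, extensions, issuer_cert: nil, issuer_key: nil, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed identities: a throwaway CA and a user certificate whose
# keyUsage / extendedKeyUsage permit S/MIME signing. Returns [ca, user, user_key].
def build_identities(email = "alice@example.com")
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Example Mail CA", ca_key,
                 [["basicConstraints", "CA:TRUE", true],
                  ["keyUsage", "keyCertSign,cRLSign", true]])
  user_key = OpenSSL::PKey::RSA.new(2048)
  user = make_cert("/CN=Alice/emailAddress=#{email}", user_key,
                   [["basicConstraints", "CA:FALSE", true],
                    ["keyUsage", "digitalSignature", true],
                    ["extendedKeyUsage", "emailProtection", false]],
                   issuer_cert: ca, issuer_key: ca_key, serial: 2)
  [ca, user, user_key]
end

# DETACHED keeps the body readable by clients that cannot verify; BINARY skips
# line-ending canonicalisation so signer and verifier hash identical bytes.
SMIME_FLAGS = OpenSSL::PKCS7::DETACHED | OpenSSL::PKCS7::BINARY

# What the sender's mail client does once the certificate is installed.
def sign_message(cert, key, body)
  p7 = OpenSSL::PKCS7.sign(cert, key, body, [], SMIME_FLAGS)
  OpenSSL::PKCS7.write_smime(p7, body, SMIME_FLAGS)   # multipart/signed text
end

# What the recipient's client does: parse the multipart/signed message, check
# the signer's certificate chains to a trusted CA, then check the signature
# against the body as received. Returns true only if both hold.
def verify_message(smime_text, received_body, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  p7 = OpenSSL::PKCS7.read_smime(smime_text)
  p7.verify([], store, received_body, OpenSSL::PKCS7::BINARY)
end

# Constructed message; CRLF line endings as on the wire.
SAMPLE_BODY = "From: alice@example.com\r\nTo: bob@example.com\r\n" \
              "Subject: invoice\r\n\r\nPlease pay invoice 42 for $100 by Friday.\r\n"

if __FILE__ == $0
  ca, cert, key = build_identities
  msg = sign_message(cert, key, SAMPLE_BODY)
  puts msg.lines.first(3).join                                      # the MIME headers
  puts verify_message(msg, SAMPLE_BODY, ca)                         # true
  puts verify_message(msg, SAMPLE_BODY.sub("$100", "$1000"), ca)    # false: body altered
end
```

The second verify call is the whole point for your relatives: a phisher can copy the look of a bank's email, but cannot produce a signature over their altered text that chains to a certificate the bank actually holds, so a client that checks signatures flags the forgery.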
