RadioPatrol
Guest
from Windows Secrets Newsletter
Watch a live video, share your PC with CNN
By Brian Livingston
Most Internet service providers support far less bandwidth in the upstream direction (from a PC to the Internet) than they do downstream (from the Internet to a PC). But that isn't the only concern with CNN's use of people's Internet connections:
* Deceptive marketing. Octoshape's dialog box warns that playing a live video "requires" installing new software. Despite this, however, if you click "no" to Octoshape, you can play the feed using the streaming video capability built into Windows Media Player or Adobe's Flash Player, although possibly with less fidelity. Small links to choose one of the two standard formats appear in the bottom-right corner of the playback window.
The Octoshape EULA doesn't become available until after the user is required to select "yes" or "no" to install the app. But even if the EULA appeared before the buttons, burying in legalese the commandeering of a person's PC isn't my idea of "informed consent." Only a clear explanation of the repurposing of a PC's bandwidth — in on-screen text, readable without scrolling — is an adequate way to inform users of such a technique.
* Cost-shifting to ISPs. CNN's use of Octoshape might make live feeds look somewhat smoother to end users, but the primary benefit is a reduction in cost to the cable news network.
The TorrentFreak blog cites an unnamed insider as saying 30% of CNN's live feed traffic was served from individual PCs and not the network's own servers. That saves CNN big time on bandwidth. But the cost doesn't just disappear — it's shifted to ISPs.
Brett Glass, the owner of Lariat.net, a small ISP in Laramie, Wyoming, testified before the FCC last year on cost-shifting. Bandwidth, he explains, can cost hundreds of dollars per Mbps per month to providers in rural areas like his. "CNN is setting up a server on the ISP's network without permission or compensation," he told me in an interview. "CNN's not a charity, in fact it's doing a lot better than some ISPs."
* Costs to end users. Many ISPs around the world restrict how much bandwidth users can consume. Those providers charge by the megabyte for any traffic above that level. Users who installed Octoshape's app and served traffic upstream as well as down may get an unpleasant surprise in their next monthly bill. Octoshape anticipated this in the company's EULA by saying, "You are responsible for any telecommunication or other connectivity charges incurred through the use of the Software."
In addition, ISP terms of service usually prohibit customers from using their Internet connection to host a server. The FCC ruled last year against Comcast, a major U.S. ISP, on peer-to-peer restrictions, as explained in an Ars Technica article. But other legal issues on home-grown servers remain unsettled.
(In an interview, Comcast spokeswoman Jenny Moyer declined to address CNN's use of Octoshape, saying, "I don't think it's anything we're going to be able to comment on at this time.")
* Ludicrous license terms. Anyone who reads Octoshape's EULA after clicking "yes" to install the app finds that they've agreed to some hilarious prohibitions:
"You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you not are allowed to use or distribute such information."
* Company policies on outbound traffic. No one has suggested that Octoshape is doing anything other than relaying live video streams to other PCs. In a blog comment, Johan Ryman, Octoshape manager of strategic partnership and sales, assures users that the app is well-behaved and stops consuming upstream bandwidth within five seconds of a live stream being closed.
Many companies, however, have policies against sending data outside their LAN. How many CIOs will be comfortable with an app that sends unknown information to random PCs?
* Use of Flash's install mechanism. Octoshape is the only outside company that's allowed to download software using the Adobe Flash Player's so-called Express Install feature, according to a Flash Magazine technical analysis. Express Install is used by Adobe to push updates and other software, such as Acrobat Connect and the Adobe AIR runtime.
IT admins who'd like to turn off the installation of Octoshape within their companies could disable Flash's update mechanism, as explained in Adobe TechNote 16701594. But doing so would disable all auto-updates from Adobe, not just Octoshape.
* Security vulnerabilities. The Octoshape app is supported by an established company and is not any kind of virus or worm. However, most programs have bugs, and Octoshape specifically communicates with its own servers and other PCs in ways that are not apparent to end users.
Any Web site you visit that is "Octoshape aware" can invoke the application. If a security vulnerability is discovered in the Octoshape software, hackers could exploit the weakness.
Media players expose PC users to serious security flaws more often than Windows itself does, as WS associate editor Scott Dunn reported on Aug. 16, 2007. For instance, several new vulnerabilities were discovered in Flash Player version 9 in 2008 alone, including one rated "highly critical," according to advisories by the security firm Secunia.
In a follow-up article on Sept. 6, 2007, Scott reported that Flash Player 9 was found to be unpatched in 62% of the Windows PCs that participated in a test. End users can correct these holes by patching the player or upgrading to version 10, but too few do so.
* Corporate revolving doors. It's remarkable to see how a small company in Denmark has managed to gain exclusive contracts with Adobe and CNN. I'm all for innovative software firms selling cutting-edge technology.
At the same time, I wonder how these relationships came into being. Last month, Octoshape hired as its new U.S. CEO Scott Brown, previously a vice president of Turner Broadcasting, according to the Business of Video blog. Sounds like the connection between CNN and Octoshape is getting stronger all the time.
The question isn't whether peer-to-peer technology is "good" or "bad." P2P is here to stay.
But if all TV programs are going to be streamed live by media giants, as I'm sure will eventually happen, the question is what impact this will have on Internet bandwidth — and who will pay for it.
I'd like to see the computer industry start a well-publicized discussion in the major news media about this. If we're going to stream TV across the Internet, shouldn't we select an open standard (the TorrentFreak blog likes P2P-Next), rather than proprietary technology that's restricted to a few parties with patents?
What to do if you have Octoshape on your PC
As I mentioned earlier, the Octoshape app isn't currently a threat. But I personally would rather put up with a slightly jerky video than run an application on my PC that's sending God-knows-what to who-knows-whom.
Fortunately, the Octoshape program isn't hard to find or remove:
* Step 1. To find out whether the Octoshape app is running, you can use Windows' built-in Task Manager. (Right-click a blank space on the Task Bar, and then click Task Manager.)
As Susan Bradley shows in a blog post, when you're viewing a live stream from CNN.com, you'll see in Task Manager a service called octoshape.exe. (In the illustration on her blog, instances of the service are shown to be consuming 63MB of RAM, but a lot of this memory may be taken up by the Flash Player itself.)
* Step 2. To remove Octoshape's app, you can use the Control Panel in either Windows XP or Vista. In XP, the applet is called Add or Remove Programs. In Vista, it's Programs and Features. The "Octoshape add-in for Adobe Flash Player" is the name of the program to uninstall.
Strangely, there isn't an uninstaller for the Mac version of the app. You have to manually delete the Octoshape folder.
These removal procedures are explained in detail at the bottom of the Octoshape Grid Delivery FAQ.
There's much more to write on this subject, but I'll stop here. If you have additional specifics on any of this, please send a tip via the Windows Secrets contact page. Thanks!
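The two manual checks in Steps 1 and 2, scripted for an administrator who has to audit several Windows PCs. This is an added example, not part of the newsletter or of Octoshape's documentation. The process name and program name come from the article; the registry paths are the standard Windows uninstall keys, and which of them the add-in writes to is an assumption, as is the function name.

```powershell
# Added example: audit a Windows PC for the Octoshape add-in.
# From the article: process "octoshape.exe", uninstall entry
# "Octoshape add-in for Adobe Flash Player". The rest is assumed.

function Get-OctoshapeStatus {
    # Step 1: is the process running? (Get-Process takes the name without ".exe")
    $procs = @(Get-Process -Name 'octoshape' -ErrorAction SilentlyContinue)

    # TCP connections owned by the process, to see whether it is still talking
    # to other hosts. Get-NetTCPConnection needs Windows 8 / Server 2012 or later,
    # so skip quietly on older systems.
    $conns = @()
    if ($procs.Count -gt 0 -and
        (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
        $conns = @(foreach ($p in $procs) {
            Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
                Select-Object LocalPort, RemoteAddress, RemotePort, State
        })
    }

    # Step 2: is the add-in listed under Add or Remove Programs /
    # Programs and Features? Check per-machine, 32-bit-on-64-bit and per-user keys.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = @(Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Octoshape*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString)

    # One object per machine, so results can be collected and compared
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Running     = $procs.Count -gt 0
        ProcessIds  = $procs.Id
        Connections = $conns
        Installed   = $installed
    }
}

Get-OctoshapeStatus | Format-List
```

Run it once while a live stream is playing and again a minute after closing it; an empty `Connections` list on the second run is what the vendor's five-second claim predicts.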