Topic: SIM Card slot???

On one of the pictures of the chumby on http://www.bunniestudios.com/wordpress/?p=115 there is what looks like a SIM card slot.
What is the purpose of this slot? Is it something that was used for some purpose in the prototype but is not going to be in the actual machine?

2 (edited by Aremith 2006-08-27 18:38:41)

Re: SIM Card slot???

Considering the SIM card can store data, I'm guessing it might be used for identification purposes, or to store User Information.

Re: SIM Card slot???

Yes the current prototype has an area for a SIM card.  Only a few devices have the connector installed.  The purpose was to evaluate the use of the SIM card to provide secure authentication.

I don't know if the production units will have them.

Re: SIM Card slot???

It would be good to use SIM cards for secure authentication. Also, if there will be a beta post production, a SIM card could be used to allow access to the beta.

Re: SIM Card slot???

Yes, but it has to authenticate itself to the Chumby server, especially when premium widgets are implemented.

Re: SIM Card slot???

It would be waaaay easier and cheaper to just include a serial with every chumby. Some sort of "license" that you can register to identify yourself to the chumby server and buy premium widgets only for your chumby.

Re: SIM Card slot???

We do have a MAC ID on the Chumby that could be used for authentication. However, the inclusion of a hardware device that can do a PKI signature operation with physically tamper-resistant keys enables us to fine-tune the level of security built into chumby.

I'm a big fan of trusting users to do the right thing, but there are skeptics out there who don't agree with my view of things. It's up to you guys to prove which of us are right. ;-) Still, I remain pragmatic on this issue. Storing a private key in a tamper-resistant module should create a sufficient cost barrier such that it is usually more economical to buy a subscription than to copy one. In fact, the SIM card isn't even necessary. A stock microcontroller capable of doing the crypto operations with its security fuse set may be a sufficient (and cheaper) implementation.

7BAA 2E53 01C1 DCFF 497B  E7F0 9699 A303 78F0 D9B9

Re: SIM Card slot???

Having read some of the other forum posts (there is a very good thread going on the chumby is free eh? topic header), I think I also need to note that even *if* strong authentication is employed, we do *nothing* to prevent you from just...not authenticating. The device is still yours; you can still use it for what you want. In fact, you can buy a chumby and hack it all you want and never register or pay for a subscription, and we (or at least I) won't care. We're hoping, though, that we do our jobs well enough that you'd be compelled to pass a pittance our way to enjoy the fruits of our efforts.

I think the greater scenario we are looking at is in the context of "normal" users (non-hackers, who, if we are successful, will be 90+% of our user base). If someone writes a script that scrapes authentication keys off of chumbys and spreads them to other people's chumbys thereby enabling everyone to get free access to our (optional) pay services, perhaps without even so much as a mouse click, then we have a business problem: the lights go out and we can't make hardware for anyone anymore. It's actually a scenario that's not good for the hacker or for us, but it might be good for a competing corporation, I suppose, that wants to shut us down. Therefore, we provision for the possibility by including the ability to store authentication tokens in an area that is immune to script-kiddie level attacks.

I personally would think it would be really cool if someone hacked a SIM card or our lower-cost microcontroller to get a key out (btw, all keys are unique so it doesn't do you much good to share them--some sharing is tolerated but a bazillion copies would get noticed and the key would be rejected). I'd love to see how it was done at least, and learn from it. ^.^

7BAA 2E53 01C1 DCFF 497B  E7F0 9699 A303 78F0 D9B9

Re: SIM Card slot???

bunnie wrote:

I personally would think it would be really cool if someone hacked a SIM card or our lower-cost microcontroller to get a key out (btw, all keys are unique so it doesn't do you much good to share them--some sharing is tolerated but a bazillion copies would get noticed and the key would be rejected). I'd love to see how it was done at least, and learn from it. ^.^

The first thing that comes to mind is plugging the SIM card into a computer (and adapters DO exist) and writing a server that forwards requests from the network to the SIM card. The Chumbys could then be modified to send SIM card requests over the network. Essentially, a bunch of Chumbys could share a single SIM card. You could probably detect this on the Chumby by measuring the response time, but since the Chumbys can be freely modified, you can't depend on that. The authentication server can't do any timing since there's a wide range of latencies on Internet connections. The protection would have to be in the SIM card (e.g. rate limiting, etc.), but that would require the SIM card to keep track of the current time continuously, and I'm not sure that's possible or practical.

Re: SIM Card slot???

WOW!!!
Chumby is not even on sale and we already know how to hack it!

Re: SIM Card slot???

couldnt you just write something into the kernel? cos the people who would probably want to defeat premium content wouldn't exactly be tech savvy enough to recompile the kernel.

need upload space for the forums or a chumby blog? right here then
http://www.nophus.com/useru
username is chumby
password is chumby

Re: SIM Card slot???

I thinks it's totally the other way around. Those who may want to defeat security measures are actually the tech savvy. The "other" people are just waiting for a complete security-breaking aplication to be released.

Re: SIM Card slot???

just my $0.02, but i dont like it when people release premium stuff for linux. linux is free. i wouldnt mind running ad enabled software, but not with huge ads. maybe a banner ad at the bottom. or an advert on bootup.

if things were only like £1 then i probably wouldnt be too bothered. its just a shame the pirates want to rip you guys off.

need upload space for the forums or a chumby blog? right here then
http://www.nophus.com/useru
username is chumby
password is chumby

Re: SIM Card slot???

The first thing that comes to mind is plugging the SIM card into a computer (and adapters DO exist) and writing a server that forwards requests from the network to the SIM card.

(I hope the quote formatting come out, just learning this forum interface)

That's actually a great idea! I think we'd be happy if you were to plug a SIM card into a normal computer and use your chumby subscription on that. Because you'd have bought that SIM card from us, and you're doing something neat with it.

I hadn't considered yet the idea that someone could also retrofit the chumby OS to just forward authentication requests to a machine that can aggregate them and pass them into the SIM card. I could put a time-out on the SIM card so it will not offer authentications any more frequently than once every 15 minutes, and then requiring that all units re-authenticate every 2 hours with a slop window of 30 minutes. That at least limits the rate of subscription leakage, but of course you can still do limited sharing of the keys around your household.

I suppose to some extent, the fact that we can revoke an authentication means that if it is a big problem (e.g, hundreds of users are sharing a single SIM) we can revoke the ID. We readily admit there is just about nothing we can do to stop you from small-scale sharing, say, within your home across your three chumbys that you own. As a result, I think we plan on making it explicitly okay for you to hack your chumby to share the key on that small scale. I guess if you want to open your personal firewall and deal with the risk of installing a chumby key server and letting everyone tickle your machine through your firewall so that hundreds of people can share your SIM, that's a personal risk you (or your workplace or whoever is hosting the SIM card) has to take and I'm guessing that might not be so appealing to save/share a $5 a month subscription.

To some extent, we've just failed if we can't convince most of our users to even shell out a few bucks a month for content. I mean, if we can't convince you it's worth one taco bell lunch a month for the convenience of widgets delivered around your home--to see your flickr pictures and to get an extra 20 minutes of sleep coz traffic is good and your chumby alarm clock knows to wake you up a little later for that--and to share in developing and funding an open source system, it probably means that our content is crappy and perhaps we deserve to fail.

7BAA 2E53 01C1 DCFF 497B  E7F0 9699 A303 78F0 D9B9

Re: SIM Card slot???

it would be cool if you could put your phone sim card in, and use that as an identifier, and receive text messages. although it is a bit much to ask tongue cos youd need a gsm module and all.

no offense ZL, but do you actually know anything about computers? cos you are saying you upgraded your chumby to an AMD processor and all sorts of things. and now you are saying that you could put an OS on a sim card. sim cards have tiny amounts of storage. you could probably fit a word document if you were lucky.

need upload space for the forums or a chumby blog? right here then
http://www.nophus.com/useru
username is chumby
password is chumby

Re: SIM Card slot???

just my $0.02, but i dont like it when people release premium stuff for linux. linux is free.

So I am sitting here at a cafe in SF and chatting about this with Luis Miras, and he made a great point on this comment. If you have a linux-based cell phone, should the cell phone service be free? Being able to call someone on your phone is like "premium content", e.g. the real time delivery of voice packets wherever you go. I think perhaps the right way to think about chumby is through a similar model, except that we also make the hardware open to you and we don't subsidize the hardware either like most carriers do--our goal is to sell effectively at cost.

7BAA 2E53 01C1 DCFF 497B  E7F0 9699 A303 78F0 D9B9

Re: SIM Card slot???

bunnie wrote:

To some extent, we've just failed if we can't convince most of our users to even shell out a few bucks a month for content. I mean, if we can't convince you it's worth one taco bell lunch a month for the convenience of widgets delivered around your home--to see your flickr pictures and to get an extra 20 minutes of sleep coz traffic is good and your chumby alarm clock knows to wake you up a little later for that--and to share in developing and funding an open source system, it probably means that our content is crappy and perhaps we deserve to fail.

That's where my views of the device differ. I've never been a big fan of subscription models for anything, but in all honesty, I don't mind paying extra up front. I'd pay $200 for the device if it meant I didn't have to pay anything else (if I didn't want to) for the rest of its life.

Furthermore, I'm a big fan of the "buy what you want" model for widgets, by putting small price tags on the widgets and purchasing them as you go. A subscription model could be used for content (such as a TV Guide service for the Chumby), but subscriptions for software pains me deeply.

I'm not sure if I'm just old fashioned in that, or if I'm just dead wrong and more people would rather have a payment model than an upfront costs model, but that's just how I feel.

Re: SIM Card slot???

bunnie wrote:

just my $0.02, but i dont like it when people release premium stuff for linux. linux is free.

So I am sitting here at a cafe in SF and chatting about this with Luis Miras, and he made a great point on this comment. If you have a linux-based cell phone, should the cell phone service be free? Being able to call someone on your phone is like "premium content", e.g. the real time delivery of voice packets wherever you go. I think perhaps the right way to think about chumby is through a similar model, except that we also make the hardware open to you and we don't subsidize the hardware either like most carriers do--our goal is to sell effectively at cost.

Don't do that! It seems easiest business-wise, but if people get fed up and don't like it, you've lost your lunch on someone buying your hardware and not buying your content.

My views on a Linux Cellphone: If the cellphone service is VoIP, and uses a peer-to-peer connection system, then yes, the service probably should be free. However, if you're maintaining a cellphone subsystem including communications towers, usage during power outages, etc. then money should be charged for it.

Quite simply: if you're doing something with my money that I give you every month, it's worthy of being paid for. Software has a touch-and-go development model, and isn't guaranteed to be useful for everyone. Yet software subscriptions lock you into paying for it. From my point of view, I'd rather be able to upload a program image to the Chumby website and allow for users to buy it for a few bucks, if they found it useful. If it's not that complicated of an app, I'd rather give it away for free (like Dashboard widgets). That way everyone gets what they want, and everyone still gets paid for the services rendered.

Re: SIM Card slot???

if you weren't charging crazy prices for widgets, id consider them. but only if they added significant features.

need upload space for the forums or a chumby blog? right here then
http://www.nophus.com/useru
username is chumby
password is chumby

Re: SIM Card slot???

I think a smart card for authentication is a great idea personally. It provides a unique way of identifiying users, and it would also mean that you could port your premium identity to different devices as well, which you wouldn't nessasarily be able to do with a serial number

21 (edited by bunnie 2006-08-28 19:38:56)

Re: SIM Card slot???

but subscriptions for software pains me deeply.

if you're doing something with my money that I give you every month, it's worthy of being paid for.

I agree with both of you, whole-heartedly. I dislike subscription based software.

I'd pay $200 for the device if it meant I didn't have to pay anything else (if I didn't want to) for the rest of its life.

In fact, you can pay about $150 (or so we hope--we won't lose money on the device, but we also won't make money on it) for it and never pay for anything else if you don't want to. You can even get software updates to the firmware for free, since we plan on distributing them via bittorrent (at least, the part that's not Adobe's Flash product--that is subject to Adobe's terms of use, but we're endeavoring to find a tasteful solution for our users, and even non-subscribers).

So, I think maybe I'd like to understand if perhaps there is a misunderstanding about what we are trying to do, or if we are just using words differently--allow me to clarify a bit and you can tell me where I'm missing your points.

Our subscription is for the Chumby Network *service* not software. This pertains specifically to content, like widgets, and the data that is in the widget. We take this subscription revenue and we do something with it every month--we have to pay for bandwidth and servers (so you can continue to receive widgets),  write new widgets, improve old ones, and also, more importantly, pay for premium service feeds that you'd have to pay for anyways. For example, real time stock quotes is a pay service (or so I'm told) and that's one of the things you might get in a chumby premium subscription. Pay content through other networks, such as syndicated content (comics, TV shows, music etc.) are also possible pay service benefits. Normally, you'd have to pay something for these, but we aggregate them and offer them to you through a single portal at a single price. And, to be clear, we also plan on offering lots of free content as well, so you can still hook up to our network without paying anything. Basically, if it costs us real money to get content, we have to pay for that somehow, and that's what subscriptions are for. The chumby network hopefully gets economies of scale and can share these economies of scale on to the users, so there is real value for everyone.

Then again, as my CEO says, he'd love it if there was *no* subscription fee, and instead we made money on advertisements alone. But really, that model has to be vetted out and we need to figure out if we can really balance the budgets with that alone. If you read the EULA closely, there is a provision in there that says that you also agree not to disable ads, because if we chose to go that route, you can get free devices and free content but only if we can convince the advertisers that we are actually reaching our users.

So no, you aren't paying a subscription for software--it's content that you're paying for, the software is essentially depreciated and considered a vehicle for content delivery. This is just like the hardware; if hardware costed us a dollar to make we'd give that away too, but unfortunately that's just not the case. And we endeavor to do something useful and beneficial to you with the subscription money you give to us, by providing you new and interesting content that you'd have to pay for anyways. And remember, you don't *have* to subscribe. You can use your chumby all you want, and get software updates without the subscription. You can even get free content on the chumby. You just can't get content that we paid money for without a subscription--because obviously, if we pay for it and you get it for free, well, eventually (actually quite quickly) we run out of money, and no more Chumby. *poof*.

7BAA 2E53 01C1 DCFF 497B  E7F0 9699 A303 78F0 D9B9

Re: SIM Card slot???

There's probably a few things you can do to make widely sharing a subscription less appealing. If you had widgets that showed new email subjects, your portfolio value, upcoming appointments, etc., that's probably something you wouldn't want to share with the world. You could disable or not use those widgets, but then you'd be missing out on a lot of functionality. You could also store preferences on the Chumby servers and link them to a Chumby account. For example, many people are interested in only a handful of stock quotes, or weather in their own neighborhood, bus arrival times at their usual stops, etc. You'd either have to suffer from information overload and subscribe to everything, or subscribe to data that's less relevant (or useless) to others.

I do think using a SIM card or a special-purpose microcontroller is overkill, though. With the proper incentives to have your own subscription, I don't think sharing will be a big issue, and I'm not sure how much more secure it'd make the system, anyway. Even if you solved the issue of sharing subscriber keys, I imagine you could still modify a Chumby to serve up information it gets from the service to others.

Re: SIM Card slot???

So you say every chumby will have some sort of mac address...
What happens if (not likely btw...) I build my own chumby??? Who sets the MAC or serial number in that chumby if it is completely homemade?
A SIM card o uController is not the answer for chumby validation. You guys are complicating things. A user password is all that is needed to make premium contents safe. You pay for premium you get a password. if that password is used in several chumbys you cheated and preium content will be disabled for you. <stupid comment> And chumby will display "SHAME ON YOU" for 3 days tongue </stupid comment>

Re: SIM Card slot???

I don't want to start a fight here, but really... How could you posibly run linux from a sim card?!?!?!
It's even hard to run it from a floppy drive on a 486 machine...

Re: SIM Card slot???

thats what i said. its just zlnetworks bullsh*tting.

need upload space for the forums or a chumby blog? right here then
http://www.nophus.com/useru
username is chumby
password is chumby