Tag Archives: Speculative

Smart Phones as a Dance Aid

Posted on by

Smart Phones as a Dance Aid

This is another is my series of speculative blog posts.

I’ve just returned from the Newport Vintage Dance Week and I’m wondering about creating a smart phone application for dancing.

Obviously the use of a smart phone as an aid to vintage dance is somewhat anachronistic but the same could be said about electric lights. There are a number of possible applications.

One interesting use would be analyzing the music and figuring out what dances would be appropriate. Although at most formal dances, the type of dance is usually either called or listed on a sign, this is not always the case. Furthermore, much modern music is actually appropriate for vintage dance. For example, people have polkaed to “Ghost Busters”, waltzed to Metallica, and one stepped to just about anything. The user would hold up the phone at a club and have it analyze the music and then tell them “this song can be waltzed to”, “that song and be tangoed to”, “this song can be polka or one-stepped to”, etc. Having this type of algorithmic feed back would also be a good way of eventually training people to develop their own ear for figuring out what type of dance would be appropriate.

A more ambitious idea would be to have the phone actually give people feed back while dancing. For example, the dancer could wear a blue tooth ear piece and hear various instructions. For example, the phone might listen to the music and help the dancer keep the count by saying “one two three four one two three four … “ .  The instructions could also be more elaborate. For example during a quadrille, the phone could tell the dancer what they should be doing at a given part of the figure. E.g. “stay in your place and wait for the head couples”, “now forward and back with your opposite”, “two hand turn back to your place”, etc. The feed back might also be something simpler such as the phone vibrating in time to the music.

Ideally the phone would actually listen to the music and use the accelerometer to provide the dancer with very specific instructions. For example, the phone might be able to detect whether the dancer was stepping on the beat. Or in a quadrille, it might tell the dancer that they need to walk faster because they should have promenaded half way around by now. One could also see this as being useful for dances such as the Castle Schottische where there is a set sequence or for dances in which the dancer can choose their own sequences. In dances such as the one step or salsa, the dancers might be instructed to follow randomly generated but elegant sequences. e.g. “forward promenade, yale position, backing the lady, grape vine”. Or the dancers could program in a complicated choreographed sequence and be reminded of it at various points in the dance.

One could also imagine the phone being used as a negative feed back device. For example, as mentioned above the phone might use the accelerometer and the microphone to determine if the dancer was stepping on the beat. The phone could then be modified to give dancers electric shocks when they were off beat.  This would of course require special modifications to the phone or some type of blue tooth taser like device. Admittedly this would probably not be a popular add on but it would provide dancers with a strong incentive to pay attention to the music.

I hope to write a follow on blog post looking at the feasibility of actually implementing this stuff but I thought that I’d go ahead and post the conceptual idea first.

I’d love to get feed back on the feasibility, desirability, practicality, etc. of these suggestions.

Using SSL to Prove Document Authenticity

Posted on by

This blog post is an idea that I’ve been kicking around for a while but haven’t had the time to research or implement.  I’ve finally decided just to post it speculatively.  I’m really hoping to get feed back from those in the community more knowledgeable about SSL than I am.  Note: This is a relatively geeky topic if you don’t understand what https:// and SSL are this post won’t make much sense…

Introduction

Does anyone know anything about the internals of https?  I was wondering if there is any way to prove that a document downloaded over https really came from the site you claim that it came from.  In other words, if you download a document over https, is there anyway for you to prove to a third party that it actually came from the web site you claim it came from? For example,  let’s say that Alice downloads doc.pdf from https://foobar.com/doc.pdf. https provides Alice assurance that doc.pdf really came from foobar.com (assuming that the certificate is legitimate).  But assuming doc.pdf does not have a digital signature,  if Alice simply sends the downloaded file to Bob, he has no proof that the file actually came from foobar.com. (Obviously, the ideal solution would be for the maintainer of foobar.com to digitially sign the pdf file. But few websites digitially sign the files they distribute and individual users often have no means of convincing a web site to do so.)  My question is whether there is any way for Alice to prove to Bob that she really obtained the file from foobar.com.  I thought that it might be possible for Alice to prove the file’s origin by sending some of the raw network traffic establishing the SSL connection along with the file.  (I’m using a PDF file to simplify the example but presumably the same issues would apply to a web page.)

Use Cases

PACER is an online service used by the United States federal courts to provide online access to court records and documents.  The documents on PACER are generally thought to be in the public domain but remain behind a pay wall.   Efforts such as  the PACER Recycling Project and RECAP allow users to upload PDF documents obtained from PACER to a central server where the documents can then be freely downloaded by others.  However, while PACER uses SSL, it does not provide digitally signed PDF files.  Thus users currently have no way to prove that the documents really came from PACER.

Another use case, is as a replacement for web screen shots.  Because web pages can be easily altered or taken down,  screen shots are often offered as “proof” that a web page used to exist even if it has since been altered or removed.  For example, this CNET news story describes how pranksters from 4chan retaliated against AT&T for blocking their site by posting a fake report saying that AT&T’s CEO died.  The story includes this screen shot of the pranked web page prior to its removal.  Of course screen shots can be easily faked or altered using tools such as Photo Shop or just by saving and editing the html.  Presumably web screen shots posted by CNET are relatively trustworthy, but what about screen shots posted by unknown users?

Ideal Solution

I envision a Firefox extension that would allow a user to easily create an archive bundle for an https: web page containing the page and SSL information proving its legitimacy.  (Obviously this would need to work for single files as well as web pages.)  This bundle would allow other users to view the web page of file as it existed and provide easily verifiable proof that the web page really came from the site in question.

My Questions for the SSL Knowledgable

Is this doable at all?

Screen shots are trivial to fake, if this approach can’t provide perfect proof of the origin of a document how much more assurance would it give you than just a screen shot?

Would releasing the raw https traffic also mean that Alice would be releasing her user name and password?

A minor concern is that the fact that a web site hosted or displayed a particular page is slightly different from the web site signing a file.  Furthermore, there may be issues with XSS vulnerabilities that allow attackers to make an https web site display arbitrary content.  However, XSS attack are a problem now with screen shot being passed around and XSS altered pages could probably be detected by viewing the html source.

But Not All Web Sites Use SSL

It has been repeatedly shown that web 2.0 applications such as gmail and facebook cannot be used securely over an unencrypted connection.  For example, hijacking the account of a facebook users on the same network is trivial. Perhaps I’m being overly optimistic but I believe once these vulnerabilities become more widely know and attack scripts/ exploits become widely available web applications will move to SSL as the default or at least offer https as an option.  (GMail already has an option to enable https though it is buried deeply within the settings.)

Please Comment

There you have it: my first real blog post.  Please let me know what you think.

Update December 13, 2009

Unfortunately, it appears that this won’t work.  The basic problem is that SSL uses a shared key so the client could easily forge messages.  (Initially, technically unsophisticated users might not be able to forge messages and sign them with the key but someone would probably develop an automated tool to do it.)  I still hope that at some point a standardized way to show what a web page showed previously will emerge that’s harder to forge than screen shots. Many thanks to Paco Hope and his colleagues at Cigital for providing feed back on this.