ZatzNotFunny has an interesting post today. Dave found a letter submitted to the FCC by the National Cable & Telecommunications Association (NCTA) which appears to indicate that TiVo is porting their software to OCAP. I don’t know if this is accurate, or if the authors of the letter misunderstand the TiVo port for Comcast & Cox, which I understand to run directly on the hardware and not within the OCAP environment.
Dave is following up with TiVo, and we’ll both be at CES next week, where I’ll have some questions for TiVo, pending what Dave hears back.
Overall, the letter is an argument by the cable industry to force their crappy interfaces on all of us. It is a response to a call from CE vendors to open up the cable interfaces to allow CE vendors to produce products that interact with the cable systems – for VOD, PPV, etc. – with unique interfaces, such as TiVo. What the cable industry wants is for your cable vendor to download an OCAP application to your device, so no matter which device you use, you get their interface for their features. So no matter which device you connect, the OnDemand interface is the same. That would mean no nice TiVo interface to such things, but whatever the cable company pushes – and they’ve done such a great job on their interface design to date. I think the letter greatly exaggerates the issues. It would not be difficult to present functionality in a standardized API instead of downloadable applications. And since most CE devices are updatable, even TVs these days, if the cable industry develops a new application then the devices can be updated to support it. Not a big deal.
And this is just stupidly laughable:
“Development of cable’s downloadable security would no longer be subject to non-disclosure protections which are essential to the development of effective network security, again contrary to the congressional mandate in Section 629. It should be obvious that a security system must keep certain information secret that might otherwise be used to try to break its security.”
Network security is one of the things I do, and have done for a while. I did firewalls and VPN for GTE Internetworking a few years back, and spent a fair bit of time with cryptography, and every expert in the field will tell you that security through obscurity is FALSE security. Effective network security is ALWAYS developed in the open, with peer review. Systems that have been developed in closed environments include CSS on DVD and WEP on WiFi – both readily cracked. WPA on WiFi, which replaced WEP, was developed using open, peer-reviewed systems and it has not been cracked. I think I’m going to send this to Bruce Schneier, just for laughs. (I just did.) Man, every time I read that “It should be obvious” sentence it makes me laugh; obviously the person who wrote that doesn’t know jackshit about security systems. A good security system only needs to keep the keys secret – everything else is open and published, like AES. If you have to keep the workings secret to maintain security, you’ve developed a bad system.
EDIT: Literally the second I hit post, I got an email notice that Dave Zatz had updated his post. TiVo replied to him and confirmed the port to OCAP.