SonOpen – the Open source Sonos replacement

Open source drop-in version of Sonos without the end of life problem. PLANNING. It would be wonderful to use Sonos hardware!

Mission Statement

Many people have spent thousands on their Sonos systems, and with good reason: it’s a great system. It passed the ‘Apple’ test in that it ‘just works’.

In January 2020, Sonos announced that some of the products would be obsoleted and would stop working. But much more than that, any system with those obsolete components in it would stop working. This is a terrible decision. The functionally identical equivalents cost hundreds. Sonos quickly undertook some corporate spin and backpedalled part of their announcement, but they didn’t undo it – they just watered it down.

This has caused many to wonder if another way is possible. This project may never write a line of code, but it has lofty, yet simple, goals:

  1. Drop in replacement for Sonos. Support music libraries and streaming services. Support the same file types. Must have smartphone app and desktop controller app.
  2. Must (somehow) support real Sonos hardware. The easiest way to do this is to stream to the devices. The (much) harder way is to replace the proprietary firmware with open (linux) firmware and software. The mid difficulty solution is a hardware mod, for example to use the amp, PSU and speaker and drop in some other hardware (like an rPi).

Easy problems

  • Accessing music libraries
  • Making a database
  • Streaming content to existing Sonos devices

Medium problems

  • Making smartphone and desktop apps
  • Deciding on local vs distributed music database

Hard problems

  • Running custom firmware on Sonos hardware
  • Keeping different speakers playing the same thing in time with each other

Moral Problems

Sonos is a closed platform. They may not appreciate reverse engineering of their hardware. Maybe they have legal protection. If the hardware reverse engineering sub-project is successful, then an even trickier problem is what to do with units in recycle mode. The moral problem is that the owners of these units have received discounts off new hardware in return for bricking the old ones. Sonos will argue that they should not and must not work. If we get as far as dumping flash from a working Sonos unit, can we return a recycle mode unit to (native) Sonos operation? Should we?

TurboTas January 2020

Project is here: https://github.com/turbotas/SonOpen

Poxy Vodafone

It’s always hard to cancel a mobile phone contract, but I never thought it would be so hard just to cancel a pay as you go data SIM.

I’ve measured what I got done while this chat was dragging on:

  • Written a blog post
  • Edited a photo Album
  • Cleared down my email
  • Watched a Game Demo video.

Vodafone: Thanks for choosing to chat with us. An agent will be with you shortly
VOD-PRajawat1: Hi, how can I help you today?
Toby: Hi there, I have two Broadband Data PAYG SIMs – I’ve not been using both of them so am trying to cancel one of them, but navigating the website is a real PITA
VOD-PRajawat1: I will certainly help you with that Toby.
Toby: great, thanks
VOD-PRajawat1: Welcome, always there to help you. For security reasons, could you please confirm the 1st and 2nd digits of your account PIN?
Toby: 0 7
VOD-PRajawat1: Perfect, that takes care of security.
VOD-PRajawat1: May I please confirm the number you want me to cancel for you?
Toby: 07493 391246
VOD-PRajawat1: Thank you Toby for the number.
VOD-PRajawat1: Please allow me 2-3 minutes to help you.
Toby: great, thanks
VOD-PRajawat1: No worries, meanwhile I am working on it, may I ask how your day is going so far?
VOD-PRajawat1: Thank you for being online Toby, we have a dedicated team to cancel the number for you. Please stay connected while I connect you to the team.
VOD-PRajawat1 has left the chat
Please wait while you’re being transferred to the appropriate team.
You are now chatting with Sienna
Sienna: Good afternoon Toby
You are chatting with Sienna, one of the retention specialists, hope you are doing well?
Sienna: Hi, are we still connected
Toby: yes
Toby: Hi there, I’m trying to cancel one of my data SIMs – I don’t need two any more.
Sienna: Sure I will check and help you accordingly.
Toby: many thanks
Sienna: My pleasure
May I confirm your email address, how many contracts you on this account and last two digits of your bank sort code?
Toby: turbotas@yahoo.com
Toby: 2 contracts
Toby: I’m sorry – I don’t have the sort code as I don’t know which bank account these are paid from
Sienna: No worries may I confirm your last bill amount?
Toby: if I click it- will the chat stay open?
Sienna: Yes it will be open if you need to check any other info please open a new window
Toby: Do you want the full amount of my last bill or just this one broadband account
Toby: £61.48
Sienna: Brilliant all correct.
Sienna: I am checking your account please stay connected.
Toby: no problem
Sienna: I have just checked, both of your data SIMs are eligible to get an upgrade on any tablet for free, meaning you can go for a free tablet and then you can continue the plan at a basic price which will be very low.
Toby: Hi, there. I don’t need two data SIMs at the moment, so I would like to go ahead and cancel 07493 391246
Sienna: Sure, I will cancel one, and would you like to go for an upgrade on the second with a free tablet?
Toby: no thanks, £30 for the 50G seems fine for the other one.
Sienna: Okay let me check if I can make the same plan cheaper for you.
Sienna: I wish to inform right now you are paying old prices
Sienna: £30 for 50gb when new prices are launched so it will be beneficial to get upgrade the other Data sim on new price
Toby: I’m not sure that’s true – on the Vodafone website, it still says £30 per month for 50G and that’s what I pay now and the price is the same for 30 days or 12 month.
Sienna: You’re through to a specialised team that makes sure customers like yourself will be looked after and paying the right price to suit your needs.
Sienna: I can make a brilliant deal on other tablet
Toby: Hi there, I’m really sorry but we are not getting anywhere. I have two 30 day contracts and I just want to cancel one of them. The other SIM is just fine on 30 days for £30 per month for 50G. Thanks,
Sienna: The deal is 12 months
50 GB Data ,
*free 5g coverage
* Free Data capping
* Free Bill capping ( So that you will never be charged for exceeding the allowances )
* Free Flexi Upgrade to handset deal after just 90 days
* Free global Roaming and All data, minutes and texts can be used across Europe

The original cost of this plan is £30 every month However looking at your long term relation with Vodafone, I will give you this deal in Just £24 every month Inc VAT 🙂
Toby: NO! I do not want a one year contract.
Toby: Please, just cancel the one 30 day plan as asked.
Sienna: Sure, it’s in process already, but I wish to inform you that on the other you will pay £30 a month.
Why would you not like to go for the cheaper price of £24 a month? It will be a saving of £72 for you.
Toby: No, it won’t save me anything because I’m not likely to keep the other SIM for a whole year. Please just cancel the one SIM and quit with the upsell.
Toby: I have 30 day plans because that’s what’s flexible for me.
Sienna: Let me check.
Sienna: You are on a contract with that plan so I am offering you the same deal in just £24 not to continue with £30 please try to understand
Toby: You would like to give me a free tablet by continuing on the same 30day plan for £24?
Sienna: Let me check if I can do that for you.
Toby: Hi there, sorry to hassle you – I’ve been at this chat window for a long time – can you confirm that the 07493 391246 SIM has now been cancelled?
Sienna: It’s in process just need to complete one or two steps more.

Sienna: The deal is 24 months With Amazing Free Huawei T3 8″
*Free 5g coverage
* With this handset you will get huge 50GB Data
* All data, minutes and texts can be used across Europe
* Free Flexi upgrade option for handset deal after 6 months anytime
* Free Vodafone Global roaming feature ( So that you will be able to use the allowances in abroad )
* also I will give you extra 12 months warranty for this handset worth of £180 absolutely free of cost.
* Free Data capping
* Free Bill capping ( So that you will never be charged for exceeding your allowances )
* Voicemail

The original cost of this plan is £27 every month I will make this deal for £21.60 a month for your loyalty discount
Toby: No. No contract. I do 30 Day pay as you go only.
Toby: Huawei T3 is not that great a tablet, it’s only £109 to buy outright.
Sienna: I can do the same with the Huawei T3 Media tab 10 as well, check it please if that’s okay.
Toby: No. I just checked through the chat window: I have explained five times to you that I do not want a contract. I use 30 day only. You keep giving me the impression that you have a special deal and then try to get me to take a contract.
Sienna: Toby but I am giving you the same deal on cheapest price when you can save £9 a month with a free tablet outright cost for the second tablet is £140 in the market you can check.
Toby: No, No No. There will be no saving as I do not want a contract.
Toby: Has the SIM now been cancelled please?
Sienna: No, it’s in process, once it is done I will let you know.
Toby: Is it possible to escalate to a supervisor please – I feel that you are not listening to me.
Sienna: It’s in process please stay connected.
Toby: Any news – why does it take so long to cancel a SIM?
Sienna: It’s done now
Thank you for your patience.
You will get confirmation text as I have cancelled.
07493 391246 this data sim for you.
Toby: Could you email me the chat please, it’s hilarious
Sienna: Sure I will help you to get the chat
I wish to advise that you will get one final bill for this subscription once the cancellation completes within the next 30 days, and after that it will be disabled from your account.
Toby: That’s fine, I expected one further bill for a 30 day notice account.
Toby: It’s important that you understand that I started this chat wanting to cancel one SIM and it’s been so painful that all I want to do is cancel all my Vodafone SIMS.
Toby: So your retention team has had the 100% opposite effect.
Toby: https://www.turbotas.co.uk/2019/10/15/poxy-vodafone/
Sienna: I am really very sorry I was trying to make a deal
I am really very sorry, I know this may not have had a good flow, but when I checked, the deals were coming out cheaper and I was excited that maybe you would go for them, sorry Sir.
Toby: But they were not cheaper – they were different deals and required me to sign a long contract. I explained that, but you carried on anyway.
Toby: for a loooong time.
Sienna: Oh I see When you told me about outright cost I was thinking that you are asking for a deal which will come with a tablet for good outright cost I am sorry.
Toby: I didn’t say anything about outright cost, I just said that I pay £30 for 50G and that I don’t have a contract and that I didn’t want a contract.

Bye Drupal

Although Drupal has been great, it’s a real pain to keep up-to-date. Sadly Drupal has lagged behind the curve in terms of the ability to self update. This means reasonably frequent root logins followed by un-tarring and copying directories, which is never pleasant.

We have been running a WP site for the last year and found updates to be completely painless, so as of today, the Drupal sites have all gone bye bye. WP brings its own issues of course, but let’s see how it goes!

Goodbye Mediawiki and thanks for all the fish.

So here we are in 2017 and I noticed that the wiki has not had an edit for around 3 years, but I still have had to bring it down every few months for security fixes.

So the time has come to kill the Whale – all the wiki content is now moved to articles on the CMS or deleted or published elsewhere and mediawiki has gone to feed the fishes.

It was a great collaborative tool in 2004 but I can do everything in a Google doc these days and someone else is keeping that secure and patched (I hope!).

It did make me realise how much content had no links in or out and thus was effectively invisible.

There is still a private wiki to wrestle with and vSprawl is presently wiki based. But this is at least a start in simplifying the estate a little.

Maltesers

I love Maltesers and can easily consume a large bag or even a box all by myself. Lately though I’ve noticed that the quality has lapsed. The little things are not round any more. Instead they now look like asteroids: they have irregular surfaces all over them.

Pretty annoying given that on the TV adverts they roll around on desks etc!

Try and contact Masterfoods (Mars) about this: You can’t! The website is awful and has not one single contact (Yes, none!)

Bah! Roll on cheaper lookalike product manufacturers prepared to make maltesers round again.

And Dumb Security Company of the day goes to…..

Argh, dammit, I can’t tell you.  But the imaginary conversation goes like this.

Me: “Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?”

Dumb Security Company (DSC): “Yes, can I tell you about it, it’s great – it has elements that …”

Me: “No, no, please stop.  Anyway, the client tells me that your security products runs on Windows”

DSC: “Yes, that’s right we have a strategic relationship with Mi…”

Me: “Woah, thanks, got that, so my client needs to apply patches to the server that you run your product on?”

DSC: “Very good, patching is an important cyb….”

Me : “Gonna have to stop you again. But in this case your support people have told their support people that they must not install the critical OS patches or bad things might happen?”

DSC: “So stability is of para….”

Me: “Easy there tiger. So just to calibrate my BS detectors – you produce an enterprise grade security product that runs on a version of Windows that you insist cannot be patched – in this case for more than a year?”

DSC: “…”

Me: “You, a SECURITY company make a SECURITY PRODUCT and then insist that the platform is NEVER PATCHED?”

DSC: “…”

Me: “Do you KNOW how many critical issues there are for the platform that your system runs on?”

DSC: “…”

Me: “Great, nice talking to you”.

And the lesson of the day is that just because patching is hard does not mean that it does not need to be done.  Yes, you will need to regression test your product.  Get on with it.  Make fixes not excuses.

New Password Hashing Method

Dammit, Bruce Schneier had a link this month to a password hashing competition, but I was too slow. The link is here: https://password-hashing.net/

In the meantime it occurs to me that one way to try and defeat GPU based cracking is to increase the complexity of the hashing process so that it's harder to pipeline the functions on the GPU.

One way to do that would be to have per user based iteration counts where the actual number of iterations is decided within the hashing process itself, by using different hashing algorithms and by re-introducing the salt at various points in the iteration process.

The hashing version would define the total iteration count and the two hashing algorithms. V1 would use an iteration count i of 100000, SHA-512 and Whirlpool-512.

  • Take the password 'p' and generate a random salt 'r'
  • Concatenate p and r to get pr
  • Iterate pr through Algorithm 1 for 1000 iterations to arrive at h, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Iterate hs through Algorithm 2 for x iterations, incrementing i each time
  • Take the last byte of h, which is unpredictable but not random, as x
  • Concatenate the salt with h to get hs
  • Go back to Algorithm 1 unless i has been exceeded, in which case h is the output hash

As part of the password test, the user has to transmit the password. This would be a great time to change the salt! Yes, I mean it: at the same time as we test the password, we also make a new hash from a new random salt. If the password test succeeded, we store the new salt and hash.

WTF? Why are we doing that? If attackers have regular access to our user table, the stored hashes all change a LOT more frequently, so it's harder to tell who has really changed their password. The disbenefit is that users who log in rarely will be plainly obvious. An additional benefit is that if there is a need to move from V1 to V2, this will be done magically at next login.

Each concatenation is a string function converting the 512 bit hash to a string and then adding another string to it.
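The scheme above, including the re-salt-on-login and version upgrade, as an added Python model that is not the author's code. It assumes one reading of the steps (Algorithm 1 always runs a fixed 1000 steps, so the loop progresses even when x is 0), substitutes SHA3-512 for Whirlpool-512 because Python's hashlib does not ship Whirlpool, and invents a V2 entry purely to show the upgrade-at-login behaviour.

```python
import hashlib
import hmac
import os

# Version table: (total iteration budget, Algorithm 1, Algorithm 2).
# V1 follows the text; SHA3-512 stands in for Whirlpool-512 because
# hashlib does not ship Whirlpool. V2 is an assumed later version used only
# to show the upgrade-at-login behaviour.
VERSIONS = {
    1: (100_000, hashlib.sha512, hashlib.sha3_512),
    2: (120_000, hashlib.sha3_512, hashlib.sha512),
}
ALG1_RUN = 1000  # fixed-length Algorithm 1 run at the start of each round


def derive(password: str, salt: str, version: int):
    """Return (hex hash, iterations actually performed).
    Each round: 1000 steps of Algorithm 1, then x steps of Algorithm 2 where
    x is the last byte of the current hash; the salt is re-introduced before
    each Algorithm 2 run and again before the next round. Stop once the
    version's iteration count i has been reached or exceeded."""
    total, alg1, alg2 = VERSIONS[version]
    i = 0
    current = (password + salt).encode()            # pr
    while True:
        for _ in range(ALG1_RUN):                   # Algorithm 1
            digest = alg1(current).digest()
            current = digest.hex().encode()         # hash -> string
            i += 1
        x = digest[-1]                              # last byte: 0..255
        current = (salt + digest.hex()).encode()    # hs
        for _ in range(x):                          # Algorithm 2 (x may be 0)
            digest = alg2(current).digest()
            current = digest.hex().encode()
            i += 1
        current = (salt + digest.hex()).encode()    # re-salt for next round
        if i >= total:                              # budget exceeded: output h
            return digest.hex(), i


def make_record(password: str, version: int = 1) -> dict:
    """Create a stored credential with a fresh random salt r."""
    salt = os.urandom(16).hex()
    hashed, _ = derive(password, salt, version)
    return {"v": version, "salt": salt, "hash": hashed}


def verify_and_rotate(record: dict, password: str, current_version: int = 1):
    """Check the password against the stored record. On success return a new
    record with a new salt (and the current scheme version), which the caller
    stores in place of the old one; on failure return None."""
    candidate, _ = derive(password, record["salt"], record["v"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return make_record(password, current_version)
```

The iteration count returned by derive varies with the salt, which is the per-user variance the post is after; the total still lands within one round of the version's budget.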


Certificate CA pinning

With many MITM attacks, you get fake certs. CA pinning would help to fix this: the browser would retain a copy of every cert that it gets in a local DB and if it gets a different cert next time you visit the same domain, or if the signing CA is different, it gives you a warning. Carry on at your peril. This kind of attack is mainly the state sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or insert themselves in DNS traffic.

Ok, so since writing this article, I have discovered the Certificate Patrol Firefox plugin, which does exactly what I described above. Just like most great ideas – someone has had it already! If you use Firefox, go grab the plugin.
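The local-DB check described above, as an added Python sketch that is neither the author's nor Certificate Patrol's code. It identifies a certificate by the SHA-256 fingerprint of its DER bytes and separates the two warnings the post mentions: a new cert from the same CA, and a new cert from a different CA. The host name and the DER byte strings are constructed sample data.

```python
import hashlib

FIRST_SEEN = "first-seen"       # no pin yet: record it and carry on
UNCHANGED = "unchanged"         # same certificate as last visit
CERT_CHANGED = "cert-changed"   # new leaf cert, same signing CA: warn
CA_CHANGED = "ca-changed"       # new cert AND a different signing CA: warn loudly


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way a cert is identified."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use store: host -> (fingerprint, issuer) as pinned."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert_der: bytes, issuer: str) -> str:
        """Compare this visit's cert with the pinned one; pin on first sight.
        On a mismatch the old pin is kept, so accepting the change is an
        explicit decision via accept() rather than a silent overwrite."""
        fp = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = (fp, issuer)
            return FIRST_SEEN
        old_fp, old_issuer = pinned
        if fp == old_fp:
            return UNCHANGED
        return CERT_CHANGED if issuer == old_issuer else CA_CHANGED

    def accept(self, host: str, cert_der: bytes, issuer: str) -> None:
        """'Carry on at your peril': the user chose to trust the new cert."""
        self._pins[host] = (fingerprint(cert_der), issuer)


# Constructed sample data: stand-in DER bytes, not real certificates.
SITE = "example.test"
CERT_A, CERT_B, CERT_C = b"der-bytes-A", b"der-bytes-B", b"der-bytes-C"
```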

USB Firewall

I have not found one of these, but can't believe it doesn't exist: a little USB dongle that plugs into your work desktop and will charge your mobile phone but without making the desktop see your phone as a device. Basically, connect the volts, but not the data. Obvious really. Someone tell me why it won't work?