Wednesday 21 December 2011

Virtually singing

Some time at the beginning of last year I saw a video of Lux Aurumque that I found interesting for two reasons. Firstly, it is a piece that was in the repertoire of my choir at the time and it is always useful to hear how it is performed by other choirs, especially when conducted by the composer. Secondly, it was performed by a "virtual choir" made up of people from various countries, many of whom have probably never met each other in real life.

The idea of collaborating over the Internet is certainly not a new idea, nor is the notion of using social media to bring together musicians as was shown by the YouTube Orchestra that performed its first concert in 2009. The virtual choir, however, brings together both of these and the result is, in my opinion, something that is truly greater than the sum of its parts. I think that one reason why it has been successful is that it is being driven by the enthusiasm of one of the world's leading contemporary choral composer, Eric Whitacre. I don't doubt that some of his enthusiasm for the project comes from all the extra publicity he is getting as a result but having met some professional musicians who are trying to make a name for themselves I have come to realise that being an unashamed self-publicist is an essential part of the job.

After seeing the first virtual choir video I was keen to try to get involved with the follow up, which was being anticipated at the time. Sure enough, in September of last year version 2.0 of the choir was announced with a piece that I was not familiar with called "Sleep" and a deadline of the end of the year. Having been so keen to get involved I did what anyone else would in my position - I procrastinated. In fact, I was clearly not alone in doing this as the rate of the submissions appeared to be far below what the organisers had expected. At the announcement they stated that they were aiming to getting over 900 but when I posted my video, around about the half-way point for submissions, there were only around 200. In fact, I was secretly trying to get in at exactly video number 200 but then someone gazumped me by posting himself singing all eight parts from bottom bass to top soprano.

As it turned out there was a rush of videos towards the end and this, together with an extension of the deadline by a couple of weeks, meant that there were a massive 1752 participants from 58 different countries in the finished product. My face doesn't appear but my name is there in the credits, going past at around 8:20. For those interested, there was a TED talk when this was produced to explain a bit of the history.

It is now a year on and just today, virtual choir 3 (we appear to have dropped the '.0') has been announced. Again, it is a piece I do not know so I will probably spend a bit of time procrastinating about it but I saw just three hours after it went live that there were already six submissions and now it is up to 27, including two from here in the UK. I don't suppose you can really tell much from this as the rate will probably die down after an initial flurry but it looks like a number of people were chomping at the bit to get started.

This time it they are going a step further, with on-line masterclasses using Google+ hangouts. For the past versions people learnt their own parts individually and sang as they thought best but anyone who has sung in a choir knows that the conductor does more than just wave his hands around hoping that someone will glance his way from time to time. A lot of fine tuning goes on into a rehearsal and things like ends of phrases and breathing are difficult to get right if you are unable to get everyone in a room together. It remains to be seen, however, if Google+ hangouts are the answer.

The deadline for virtual choir 3 is 31st of January and nearly 800 people have registered so far. I'm not entirely sure when I'm going to get a chance to do anything as I will be particularly busy in the run up to a world premier on the previous Friday (quick plug) so we will have to see what happens.

Wednesday 7 December 2011

There's nothing like good privacy, and this is ...

A colleague of mine notified me via Google+ of the news that Mark Zuckerberg's photos on Facebook had been hacked, supposedly by a security glitch that has now been closed. My colleague's comment on this was that he has "never seen a photo on the site, public or otherwise, where you can't just share out/reference the underlying photo's URL if you want to" and ended by asking "am I really the only one who's noticed this?" I have noticed this but, I must confess, only after being informed about it by the aforementioned colleague. If anyone doubts this statement about the free access to Facebook pictures then they can have a look at this picture which I have uploaded to Facebook but have set to be only visible by me. For added amusement, you will find that you can view it without even being logged into Facebook and, with any luck, it may now start appearing in searches with appropriate search terms.

Facebook are here employing a technique known 'security through obscurity'. The fundamental principal of this is that the name of the image, 388043_10150400636492271_81771217_n.jpg, is so complicated that no one could possibly stumble upon it by accident. The problem with 'security through obscurity' is that it merely gives an illusion of security as it will stop someone accessing something by accident but will not deter anyone with real malicious intent. You could liken it to leaving the front door key of your house under the doormat; the postman who happens to push against the front door is not going to get in but it will not stop the real burglar. Six years ago ZDNet published the six dumbest ways to secure a wireless LAN and three of them are examples of 'security through obscurity'.

However, is there really a problem with the photographs on Facebook? What are the chances of someone stumbling across the correct 5 very large numbers followed by the correct letter to view my image? Admittedly that is not very likely but just as I have revealed to the world the URL of an image in my Facebook account that only I should be able to view, I can do the same with any picture that has been shared with me even if the owner of that picture has set restrictive access. Likewise, I could do the same with any picture visible by an account I happen to have hijacked. Happily, Firesheep is not a problem if you are using SSL but who is to say there isn't another exploit out there that is not yet publicly known?

How hard is it really to make images private? Not really too difficult, as can be illustrated by this picture at Dropbox. I am not arguing that Dropbox are a paragon of virtue (although over that weekend in June the problem was fixed quickly and no one was apparently compromised) but if you click on that link you will, I hope, get a 403 error indicating that access is forbidden. It would not be beyond the realms of possibility for Facebook to implement a similar system but I suspect that the real reason is that they want people to be able to link to their images like this:

without getting this:

The first image being my top secret Facebook picture while the broken image is in place of my Dropbox file.

I think that the conclusion is clear; do not put pictures, or any other other material for that matter, on any social media site unless you are perfectly happy for it one day to find its way into the public domain.

Update

I have just found that Google+ is the same as Facebook in this respect and here is a similar image to the one above. Google+ uses Picasa for managing users' pictures and it would appear that this has been known for some time.

Update 2 - 27/12/12

I have noticed that the link to my picture on Facebook has changed from "https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/388043_10150400636492271_508542270_8590570_81771217_n.jpg" to "https://fbcdn-sphotos-a-a.akamaihd.net/hphotos-ak-ash4/388043_10150400636492271_81771217_n.jpg". I am not entirely sure whether this is due to an internal reshuffling of the data or maybe the links have always been time limited, which I supposed provides a small degree of extra security. It doesn't take a lot, however, to see how the new link is created from the old. I have fixed the image for the time being.