Religion In School

December 7th, 2012 by Dylan No comments »

The issue of religion being taught in schools has come up a few times in the last year or so and has come up again recently with the story of Jeff McClintock’s 7-year-old daughter being left in the back of the classroom while RI was taking place in the same room.

One of the primary schools I attended had a Bibles In Schools programme, and even then – more than 20 years ago – it was difficult not to take part in the ‘optional’ programme. While I was opted out from the class I was made to attend on more than one occasion, and the rest of the time I was one of only a couple of students not attending. I was often questioned and confronted by others about why I didn’t attend, asked if I knew I’d go to hell and teased about my non-involvement.

It’s for this reason that I became really concerned when we discovered that the school our oldest son would attend next year participates in Christian Religious Education. We’ve talked to the school and hopefully won’t have any major trouble, but it’s still forcing us to choose between making our child an outsider from the very beginning at his new school, and sending him to Christian religious education that we disagree with.

For this reason I decided to write an email to the Minister of Education about the deliberate loophole that allows schools to “close” and offer religious education.

Subject: Religious Education in Schools
Date: Tue, 13 Nov 2012 22:18:03 +1300
From: Dylan Reeve
To: h.parata@ministers.govt.nz

Hi,

I am writing in regards to religious education in schools. We are moving house soon and as a result our seven-year-old will be attending a new school. At our new address we are only in zone for one school. While researching the school we discovered it runs a Christian Religious Education class for 30 minutes once a week.

We are very uncomfortable with this. While it’s possible for us to opt our child out of this class, doing so creates an “us and them” situation.

It is absolutely absurd and offensive to me as a parent and taxpayer that the school can claim to be closed for half an hour every week (while still requiring our child to be at school) and offer a program that is little more than indoctrination.

I’m writing to express my frustration that this silly loophole is allowed to continue. Over the course of a year the students of this school will miss out on 20 hours of actual classes – that is a whole week.

Unfortunately we have no choice in this matter – we have to send our child to this school, and we will opt him out. We are hopeful this will not result in his being seen as different or an outsider, but anecdotal evidence from others doesn’t offer much hope.

Please close this loophole. If Christian groups want to run groups within schools then it should be done in a definitively opt-in fashion and entirely outside school hours.

Dylan Reeve

Unsurprisingly, I did not receive a response from the Minister herself, but instead my query was handed off…

From: Tiana Lilo <Tiana.Lilo@parliament.govt.nz>
To: “dylan@dylanreeve.com” <dylan@dylanreeve.com>
Subject: FW: Religious Education in Schools
Date: Wed, 14 Nov 2012 06:11:25 +0000

Dear Mr Reeve

On behalf of Hon Hekia Parata, I acknowledge receipt of your email.

The issues you raise fall within the responsibility of the Ministry of Education. Therefore, your letter has been referred to the Ministry for reply on the Minister’s behalf. The Ministry will respond to you as soon as possible.

Thank you for writing.

Tiana Lilo | Ministerial Assistant | Office of Hon Hekia Parata – Minister of Education and Minister of Pacific Island Affairs

Almost a month later I received a response from the Ministry. It was a letter that had been typed, signed, scanned and attached as a PDF. It also arrived rotated 90 degrees to the right – I’ve had to correct that – it’s attached below.

[Image: scanned letter from the Ministry of Education]

This response completely fails to address my primary point, which is, fundamentally, that this loophole in law should be closed. Of course that’s unsurprising as the Ministry can’t change law. But the minister, who I wrote to first, can.

My son starts at his new school next year, so we’ll wait and see.

Dealing with #WTFMSD

October 15th, 2012 by Dylan No comments »

About 24 hours ago (as I write this) journalist Keith Ng dropped a bombshell about lax security from one of our government’s biggest departments.

The Ministry of Social Development, it turns out, had some pretty big IT security issues in house and operated publicly accessible computer kiosks. These two things meant that anyone could literally wander in off the street and start browsing potentially sensitive data with a few mouse clicks.

The details have been widely covered in the media, and Ben Gracewood offered up a great post about the difficulty of doing things right in enterprise IT.

The Source

This evening the story took another interesting turn – after being alerted by inquiries from a journalist that the name of his source had been released (presumably by the MSD) Keith Ng decided to preemptively publish the source’s name and details of his dealings with the MSD.

There are two big bullet points that will gain attention in the media – the first is that the source, Ira Bailey, was one of the Urewera 17. The second is that he’d approached the MSD asking if they had a vulnerability reward program.

The first issue is a distraction – a coincidence.

The second issue is more complicated. To someone who has no familiarity with IT security it could easily appear that Bailey was attempting to extort the MSD. As Ng describes it I don’t think that’s the case. Bailey appeared to make a genuine query about such a program. Upon learning there was no such program he did what I think is the next best thing – talked to a good journalist who would strive to properly understand and report the issue (while also giving MSD reasonable notice to mitigate risk).

Vulnerability rewards are not uncommon (they are offered by Google, Facebook, Firefox, Paypal and many, many others). The idea is that they reward people for reporting security issues to them. Generally all they ask is a reasonable time period to correct the issue before public disclosure.

It’s an acknowledgment that these security issues will have a value to someone.

Preemptive Exposure

It appears that the MSD has already floated the blackmail idea (scare quotes around reward in a Herald article quoting Paula Bennett for example) – the next step was naming the “hacker” in question. It seems they’d leaked the name to at least one journalist.

Keith Ng’s decision (with Ira Bailey) to disclose all the details preemptively seems like the right one to me. It ensures that journalists writing about the story aren’t only presented with the details as the MSD wish to frame them. Ng and Bailey could have responded after Bailey’s name was publicly disclosed, but by then the MSD’s framing of the approach would have been presented unchallenged.

Avoiding a Repeat

So what should be done about this issue and how can similar things be prevented?

The answer is to be found within this event: a vulnerability reward program. The government should establish some sort of IT advisory or oversight group that can properly communicate and cooperate with the various government IT departments and contractors, and that group should establish and publicise a vulnerability reward program.

The information in question is far too important to simply hope that a “good citizen” will report any issue they find and that it will be properly addressed without any oversight or accountability.

Ideally this process would be transparent. All vulnerabilities would be publicly reported once they’d been addressed and credit given (if desired) to those that reported them.

Wheedling Their Way Out

October 3rd, 2012 by Dylan 1 comment »

When I first heard about Wheedle I was immediately skeptical for two reasons… Firstly they thought it was a good idea to sink millions into competing with TradeMe. Secondly they felt it necessary to boast about their 40 servers. Both appeared to suggest a fundamental lack of awareness about the market and the technology involved.

Then it all started to unfold – the site was very flaky pre-launch. When it wasn’t offline or timing out it was returning a different user’s session on every page load. But that wasn’t really live yet.

On Monday, when the site went live, the session issue seemed solved. It was possible to register an account and sign in. In theory you could also add a listing or browse and bid on those that were there. At least for a little while. Within hours the site, all forty servers apparently, was breaking under the load and totally unable to respond to all but the most simplistic requests.

But that wasn’t all – there started to be some pretty serious questions. It was quickly noted that a ‘Forgot My Password’ request resulted in an email being sent to the user with the username and password in it. This was a huge warning sign. Wheedle said they’d address the issue “ASAP”.

The site was up and down on Monday evening and Tuesday morning. And then things got really crazy. It became apparent that a lot of input validation was being done entirely on the client-side and people registered usernames they should not have been able to – the best I saw was 8===>~~~

Then came the Oh My God moment – Twitter user @ruatara discovered that it was possible for any logged in user to edit the prices (Starting, Reserve and Buy Now) of any auction. See a car you like? Add a Buy Now of $1 and then buy it.

Clearly this was completely impossible for Wheedle to ignore; it was impossible for anyone to run a reliable auction on the site. They did the only thing they could do and took the site offline. Then they did what, at the time, seemed like exactly the right thing – they announced the site would be down indefinitely while they seriously addressed the problems.

But then this evening I received a Personal Message from Wheedle CEO Carl Rees…

Dear Wheedle Member,

I made a decision yesterday morning to take Wheedle offline.

On Monday night our tech team made some tweaks and changes to the website to improve its performance and speed. These changes were deployed to the website without first passing through our normal test protocols. We quickly discovered that the changes were causing problems with the auction listing prices. There was also some concern raised around password security and retrieval. Please rest assured that your password has been, at all times, strongly encrypted and stored in our database. We are also exploring alternative ways to further increase password security.

In light of these events, we are undertaking a complete review of the website including engaging an independent firm to carry out a full check of the security of the website.

We experienced a very positive interest in Wheedle and we had an astounding member uptake. We will be back soon, better, stronger and safer.

I apologise for any inconvenience this has caused and thank you for your support.

Unfortunately this email is, at best, disingenuous; at worst, an outright lie.

It is simply implausible that the fundamental failures in the security model that allowed any authenticated user to edit the details of any auction were introduced as a result of the site tuning made on Monday night. And to describe this issue as “problems with the auction listing prices” completely fails to acknowledge the nature of the issue.

As for the passwords, this is either a complete lie or the practices employed on the site were incredibly irresponsible. A website should never be able to retrieve your password in any meaningful way. The fact that it was possible to email users their password is a clear indication that either the passwords weren’t encrypted in the database at all, or they were encrypted reversibly (and the software was decrypting them to send passwords to people). Either option is totally unacceptable and flies in the face of established practice in web development.
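To make the two design failures concrete, here is an added example (not Wheedle’s code, whose internals are unknown) showing each one in its weak form beside a hardened form: an auction price edit that checks only “is someone logged in” versus one that checks the stored seller and validates server-side, and a password store the site can read back versus one that keeps only a salted hash and handles “forgot my password” with a single-use token. The auction and user records are constructed in-memory stand-ins for a database.

```python
import hashlib
import hmac
import os
import secrets
import time

# ---- Failure 1: any logged-in user could edit any auction's prices -----------

# Constructed sample data standing in for the auctions table.
AUCTIONS = {
    101: {"seller": "alice", "start": 500.0, "reserve": 900.0, "buy_now": 1200.0},
}
PRICE_FIELDS = {"start", "reserve", "buy_now"}


class Forbidden(Exception):
    pass


def update_prices_weak(user, auction_id, **prices):
    """Checks only that *someone* is logged in, not that they are the seller.
    This is the behaviour described in the post: any user can set another
    seller's Buy Now to $1."""
    if user is None:
        raise Forbidden("login required")
    AUCTIONS[auction_id].update(prices)  # no ownership check, no validation
    return AUCTIONS[auction_id]


def update_prices_hardened(user, auction_id, **prices):
    """Ownership is decided from the stored record, never from anything the
    client sent, and values are validated server-side (client-side checks
    are advisory only, as the username stunts showed)."""
    auction = AUCTIONS.get(auction_id)
    if user is None or auction is None or auction["seller"] != user:
        raise Forbidden("only the seller may edit this listing")
    clean = {}
    for field, value in prices.items():
        if field not in PRICE_FIELDS:
            raise ValueError(f"unknown field {field!r}")
        value = float(value)
        if value <= 0:
            raise ValueError(f"{field} must be positive")
        clean[field] = value
    auction.update(clean)
    return auction


# ---- Failure 2: "Forgot my password" mailed the password back ---------------

USERS = {}


def register_weak(name, password):
    USERS[name] = {"password": password}  # stored in recoverable form


def forgot_password_weak(name):
    """The warning sign: the site can read the password back, so it mails it."""
    return f"Your password is {USERS[name]['password']}"


def _derive(password, salt, rounds=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def register_hardened(name, password):
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _derive(password, salt), "reset": None}


def verify_password(name, password):
    user = USERS.get(name)
    if user is None or "hash" not in user:
        return False
    return hmac.compare_digest(_derive(password, user["salt"]), user["hash"])


def forgot_password_hardened(name, now=None):
    """The site cannot reveal the password; it issues a single-use reset token
    that expires in 15 minutes and stores only the token's hash. The token
    would be emailed as a link. A token is returned even for unknown names so
    the response does not reveal which accounts exist."""
    token = secrets.token_urlsafe(32)
    user = USERS.get(name)
    if user is not None and "hash" in user:
        expiry = (now if now is not None else time.time()) + 15 * 60
        user["reset"] = (hashlib.sha256(token.encode()).digest(), expiry)
    return token


def reset_password(name, token, new_password, now=None):
    user = USERS.get(name)
    if user is None or not user.get("reset"):
        return False
    token_hash, expiry = user["reset"]
    user["reset"] = None  # single use, consumed even when the attempt fails
    current = now if now is not None else time.time()
    if current > expiry:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
        return False
    register_hardened(name, new_password)  # fresh salt and hash
    return True
```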

Bear in mind this was a site that is asking you to trust it to handle financial transactions on your behalf, and soon would be asking you for your credit card details.

The fact that Wheedle still seems unable to properly address the nature of their failures suggests either that they still don’t fully understand where they’ve gone wrong, or that they are deliberately trying to wheedle their way out of the situation they’ve found themselves in.

Unfortunately at all stages it has appeared that Wheedle has tried to down-play the nature of the problems, attributing them to things like higher-than-expected traffic and lack of pre-launch testing. And now the email above. But the evidence suggests the issues were a failure in design from the outset.

While I have no inside information on the development, it would appear from the outside that the developers of the site (an India-based programming team of about a dozen, apparently) were handed a brief that read, approximately, “take a look at TradeMe.co.nz… Now, make a site that does that” and were left to their own devices. Indeed they made a site that, in a basic look and functionality sense, duplicated TradeMe, but they lacked the knowledge or guidance to properly develop the underlying architecture to support such a site.

Wheedle will be tainted for me until they can be honest about how they’ve failed and what’s being done to correct the issue. The site’s backers need to admit they’ve embarked on the project without the right expertise and then get some of that expertise on board.


Remote USSD Attack – Clarifications

September 26th, 2012 by Dylan No comments »

I decided I should offer some clarifications about some of this USSD stuff as my blog posts and test page have become widely cited…

I didn’t discover this issue and I’m not a mobile security expert. The first place I saw details was in the YouTube clip featuring Ravi Borgaonkar (@raviborgaonkar). I recognised what was happening and set about testing it myself.

My test page uses the USSD code *#06# which is supposed to display the phone’s IMEI number. A phone is only really vulnerable if the 14- or 16-digit IMEI code is displayed with no specific user intervention.

Update: In some cases having the IMEI display doesn’t necessarily indicate a vulnerability to other (potentially more damaging) service codes. This is because it’s possible that some dialers may handle different codes differently (the IMEI code could be a special case, etc). While this is technically true it is hard to verify on a given device. In general I think that automatically handling any special code that wasn’t keyed in directly is a bad design and should be treated with as much caution as possible.

While many Android phones are vulnerable in general to the injection of these USSD codes, only the Samsung phones are known (at this stage) to have a working “factory reset” USSD code. However, while this may mean other phones aren’t at risk of being wiped it doesn’t mean there aren’t still risks. There are a wide variety of USSD codes that can potentially do other damaging or annoying things, even interacting with a user’s carrier account.

Update: I’ve used the term USSD to describe the overall vulnerability. This is not strictly true. A USSD code is designed to communicate with the network. The other codes could more accurately be called device codes, service codes or engineering codes perhaps, as they are handled locally by the phone and have nothing to do with the network. However they do (usually) follow the same pattern, starting with * and ending with # – so I’m okay with calling them USSD codes, even if it’s not entirely accurate.

A factory reset may not be as damaging as some have suggested (to be honest, I haven’t been keen to see exactly what gets wiped) but it is, at the very least, incredibly inconvenient. It’s likely that app settings and other less obvious data will be lost even if things like images and files are retained.

Some browsers (most notably Opera) appear to offer some security by not handling the iframe injection code immediately. This is not much help as there are potentially other ways to inject the URI within the browser as well as other attack vectors (such as the QR code, SMS WAP Push and NFC methods detailed by Ravi).

While manufacturers may have issued (or be issuing) new firmware to address this issue, the frequently cited issues with Android fragmentation and carrier customisation both appear to hamper this. The best workaround for the majority of users, I believe, is to install an alternative dialer or one of the applications that has been designed to catch potentially harmful tel: URIs.


Remote USSD Attack – It’s not just Samsung

September 25th, 2012 by Dylan 1 comment »

Please read: Remote USSD Attack – Clarifications

The remote USSD vulnerability I detailed in my last post (and now covered widely in the tech media) is not just a Samsung problem. The same general vulnerability (executing a USSD code without user intervention from a website, or other delivery vector) affects many phones. I’ve personally verified it on an HTC One X (running HTC Sense 4.0 on Android 4.0.3) and a Motorola Defy (running Cyanogen Mod 7 on Android 2.3.5).

I’ve also heard reports of the proof of concept working on a Sony Xperia Active. 

The potential impact of the issue is limited only by whatever USSD codes can be executed on a given phone. It’s not clear if all manufacturers have factory reset USSDs, but at least some do.

I have only been testing with the IMEI code and have no intention to test with anything more damaging, but it is possible that in some cases different USSD codes could be handled differently. So while the IMEI code may work, it’s possible that other more damaging codes would not. This is, however, very speculative and there’s no safe way to know without testing.

Regardless it is very poor design to allow a passed value to execute as if it were keyed in interactively.

Update: It would appear that the root of the problem is probably the standard Android dialer – the vulnerability was identified and patched three months ago. For this reason it’s likely to affect any phone using the standard dialer (as it existed three months ago) or a dialer based on it.

It would be fairly trivial to weaponise the vulnerability to detect phone model with browser User Agent and tailor the response to suit.

As I mentioned in my earlier post – the simplest way to mitigate the risk from this issue is to install another dialer. Either set one that doesn’t exhibit the risky behaviour as the default, or simply have more than one installed to force a “Complete action using…” choice.

Remote USSD Attack – Prevention

September 25th, 2012 by Dylan 1 comment »

Please read: Remote USSD Attack – Clarifications

An interesting (and potentially devastating) remote attack against at least some Samsung Android phones (including the Galaxy S3) was disclosed recently.

Update 1: Samsung have been aware of this issue for a few months and the latest firmware for Galaxy S3 (4.0.4) appears to resolve the issue.

Update 1a: While some 4.0.4 versions appear to be secure, others are vulnerable.

Update 1b: The issue has been patched in some firmware builds. It appears that all 4.1-based builds are safe, and possibly some 4.0.4 builds are also.

Update 2: Samsung is not alone in being vulnerable to this issue.

Update 3: Some apps have been created specifically to catch these URL calls: TelStop (by @colimrm) and Auto-reset Blocker

In brief it works like this:

  • Phones support special dialing codes called USSDs that can display certain information or perform specific special features. Among these are common ones (*#06# to display IMEI number) and phone specific ones (including, on some phones, a factory reset code). 
  • There is a URL scheme prefix called tel: which can, in theory, be used to hyperlink to phone numbers. The idea being that clicking on a tel: URL will initiate the phone’s dialer to call that number.
  • In some phones the dialer will automatically process the incoming number. If it’s a USSD code then it will be handled exactly as if it had been keyed in manually – requiring no user intervention to execute.
  • A tel: URL can be used by a hostile website as the SRC for an iframe (or potentially other resources like stylesheets or scripts I guess). It may then be loaded and acted upon with no user intervention at all.

A video demonstrating the process has been widely circulated – it also details some other vectors to deliver the tel: URL – including WAP Push SMS, QR Code and NFC. All of these processes have the same end result.

Video: http://www.youtube.com/watch?v=Q2-0B04HPhs

I created a small page to test the attack myself (using the non-destructive *#06# IMEI code rather than the very damaging factory reset one) and replicated the outcomes displayed in the video and documented elsewhere.

[Image: test page triggering the *#06# IMEI display]

The fundamental problem here is the dialer. It is acting on the phone number it’s sent exactly as it would had it been keyed in directly. If the tel: URL can be directed to an application that does not have that behaviour then the threat can be neutralised.
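As an added illustration of that distinction (this is example code, not the Android dialer’s source or any of the apps mentioned on this page), the following shows how a dialer receiving a tel: URI can separate a plain number from a USSD/service code, including percent-encoded forms, and then refuse to execute a code it did not get from the keypad. The tel: URIs are constructed samples; *#06# is the IMEI code used on the test page.

```python
import re
from urllib.parse import unquote

# Visual separators RFC 3966 allows inside a tel: number; they carry no meaning.
_SEPARATORS = re.compile(r"[\s().-]")
# USSD and device/service codes start with * or # and end with #, e.g. *#06#.
_SERVICE_CODE = re.compile(r"^[*#][0-9*#]*#$")
_PLAIN_NUMBER = re.compile(r"^\+?[0-9]{3,15}$")


def parse_tel_uri(uri):
    """Extract the dial string from a tel: URI, or return None if it is not one.
    Percent-encoding is decoded first: tel:%2A%2306%23 is *#06# in disguise."""
    if not uri or uri[:4].lower() != "tel:":
        return None
    number = uri[4:].split(";", 1)[0]  # drop parameters such as ;phone-context=
    return _SEPARATORS.sub("", unquote(number))


def classify(dial_string):
    """Return 'service_code', 'number' or 'invalid'."""
    if not dial_string:
        return "invalid"
    if _SERVICE_CODE.match(dial_string):
        return "service_code"
    if _PLAIN_NUMBER.match(dial_string):
        return "number"
    return "invalid"


def stock_dialer_action(dial_string):
    """The behaviour the post describes: whatever arrives is treated exactly as
    if it had been keyed in, so a service code runs with no user intervention."""
    kind = classify(dial_string)
    if kind == "service_code":
        return ("execute", dial_string)
    if kind == "number":
        return ("call", dial_string)
    return ("reject", None)


def safe_dialer_action(dial_string, source):
    """source is 'keypad' (the user typed it) or 'tel_uri' (it came from a link,
    iframe, QR code, WAP push, NFC tag, ...). Service codes run only from the
    keypad; anything from a tel: URI is at most pre-filled for the user to
    confirm, which is what a dialer like the one chosen in the post does."""
    kind = classify(dial_string)
    if kind == "invalid":
        return ("reject", None)
    if source == "keypad":
        return ("execute" if kind == "service_code" else "call", dial_string)
    if kind == "service_code":
        return ("show_only", dial_string)  # display it, never run it
    return ("prefill", dial_string)        # the user still has to press call
```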

Thankfully Android allows for alternate dialers to be installed. I picked a popular one from Google Play – Dialer One – and installed it. Even without making it the default phone dialer I have prevented the threat. A tel: URL will now prompt me for the application to use.

[Image: Android “Complete action using” prompt offering a choice of dialers]

If I select the standard dialer the same issue reoccurs, but if I select Dialer One (which does not take action on the incoming USSD code) or cancel the request entirely I am protected.

[Image: Dialer One showing the code without executing it]

It’s likely that many other dialers behave in the same way, but you should test them carefully. The important thing is to avoid letting the stock dialer handle tel: URLs without direct user interaction.

A Digital Killswitch

August 9th, 2012 by Dylan No comments »

In current court proceedings examining the Kim Dotcom raid by the NZ police early this year it is being suggested that part of the decision to use the police special tactics group (previously known as the anti-terrorist squad) was based on the FBI’s apparent suspicion that Dotcom had some sort of digital killswitch or some other device that would allow him to destroy data on computer systems and warn others.

Even if that were true – and to be fair such a system is something that could very easily be implemented – it is hard to understand how that would support the use of possibly the least subtle method of arrest possible. 

If you are to imagine that, with the press of a button, a phone call or some other simple action, it was possible for Kim Dotcom to destroy evidence then it’s very difficult to imagine that two helicopters and armed police officers screaming “police” and bashing in doors wasn’t going to give him enough time to activate that switch.

The alternative – that a detective makes an appointment to come and “discuss some issues” or even turns up unannounced for a chat – would seem to provide much more opportunity to prevent the alleged MegaPirate from destroying evidence. With no warning that the meeting was likely to result in arrest or search it would be hardly likely that Dotcom would have been on edge with his finger on the “button”.

The other major factor that led to the STG’s involvement in the raid (or perhaps that was used to help justify it) was a claim that Dotcom was “armed, had a history of violence, was showing current signs of violence and had issued threats to kill” on a police threat assessment form – a claim which is clearly untrue. The source of that information, unsurprisingly, was the FBI.

While police, probably truthfully, claim that the FBI agents weren’t directly involved with the planning or execution of the assault on the Dotcom mansion it seems plainly obvious that they chose to provide ‘information’ that would lead to that sort of action. I’m sure the police have many sane officers who would have been more than capable of arresting Dotcom without incident had they simply been given a full picture of the situation.

Unfortunately the end result of all this is that the police are made to look like gung-ho fools, which I think they generally are not. If I were a senior commander involved with this operation I would be furious at having been put in this position – I hope the NZ police learn a lot from these events.

Minimum Alcohol Pricing

July 2nd, 2012 by Dylan 1 comment »

Labour has announced that it intends to seek to amend the Alcohol Law Reform Bill to allow for minimum pricing to be enforced. This was something that featured in Labour’s policy before the election (although it wasn’t a bullet point they ever brought up). There’s no indication of how Labour would implement the idea or what the cost implications would be.

The problem that this will supposedly address is related to binge drinking and alcohol related disorder in NZ. The idea being that people (young people) are “pre-loading” on cheap booze before going into town. The simplistic solution then? Make booze more expensive. 

The scapegoats in this argument are usually either “alcopops” (premixed drinks) or discount wine (usually from supermarkets). By imposing minimum pricing, the argument goes, you increase the cost and thus decrease the appeal and availability of those types of drinking.

This, like Labour’s GST-free fruit and vege policy, is short-sighted and unoriginal. They are taking aim at very simple parts of very complex issues and attempting to attack them in a broad and blunt way.

So far we have only two clues really about what Labour might be imagining for this law. The first is a quote today from Labour’s Charles Chauvel: “If instead of being able to buy a bottle of cheap wine for $6 from the supermarket, a minimum pricing regime puts that up to 12, 13 or 14 dollars then it’s much harder for people to lay their hands on cheap booze.”

The second is a ballpark figure tossed around by Lianne Dalziel in discussion of alcohol law reform late last year where she mentioned “$2 per standard drink” – this would possibly line up with Chauvel’s estimate as a bottle of wine is usually between 6 and 8 standard drinks.

But the whole idea seems fatally flawed really. We’re talking about people who are presumably getting drunk then heading into town and buying a few drinks while out. Is the price rise going to stop them? They’ll still buy the cheapest booze and it’s not going to cost a lot more. Assuming that 6-8 drinks is enough to get you happily drunk then we’re looking at only $12-16 which isn’t much compared to the $5-10 per drink you’d expect to pay in a bar. Sure, it’s more than the maybe $6-10 to get drunk now, but it’s hardly the sort of price hike that’ll change behaviour.

Instead the people who suffer are the rest of us who buy wine, beer and spirits to enjoy responsibly. Chances are we’re not buying the cheapest products on the shelf now, but if the bottom shelf goes up in price then it seems certain that rest of the market will trend upward too. After all, if a budget bottle of wine is $7 now, but will be $14 in the future, then the mid-range $15 bottle is hardly going to stay that price. 

And what of spirits? The only obvious way to legislate pricing is on the “standard drink” measure; any other method will either be worked around or will simply shift demand toward whatever is the cheaper option. So the minimum (legal) price on a standard 1L bottle of spirits will be around $60. That’s about $20 more than you’d expect to pay currently for a common brand like McKenna or Jim Beam. The “middle shelf” products tend to be about $20 more, so maybe they’d go from around $40 to $60? So what do we expect to happen to quality spirits – a 1L bottle of Glenfiddich Reserve is currently around $100 – about 2.5x the entry level price, so should we expect that to come in at $150?

Obviously raising the price of an aged single malt Scotch isn’t going to make any difference to binge drinkers, but it seems likely to be an unavoidable consequence and one that punishes those who are currently choosing to drink responsibly.

Also if $60 is the absolute least you can charge for a 1L bottle of 40% spirits, then will that be the standard retail price? Typical retail marketing psychology makes strong use of discounts and sales to drive business – so perhaps we would expect standard retail pricing to be above that lower limit to allow for price reductions.

Minimum drink pricing isn’t going to make a difference – at the low end (where problem drinking apparently occurs) it makes only a small dent on wallets. But at the upper end, where many entirely responsible adults choose to spend their money, it will make a big difference.

Global Mode… Gone.

May 12th, 2012 by Dylan 1 comment »

A new ISP launched in New Zealand last week – FYX – the service was notable for two reasons. Firstly, and least notable of the two – the pricing model was new. A base rate of $34.34 for access, with no bandwidth caps and a flat $0.34/GB for traffic. Pay for what you use, at a fairly decent rate.

The second point was big. Really big. International tech news big. FYX, the ISP itself, was offering a global mode allowing users to effectively bypass the geo-blocks used by content services like Hulu and Netflix in the US, and BBC iPlayer and others elsewhere in the world.

Then, within days, FYX backed down on its global mode service. No reason was stated, and the service ended up being available for only about 48 hours in total. Existing users are being offered refunds or lower pricing going forward.

So, what happened? Why?

No idea. The popular speculation is that they were scared off by legal threats, but I don’t really buy it. There’s really no clear grounds under which they could be threatened legally. There’s nothing in NZ law that seems likely to offer grounds for that.

If you were to look at the case of me as a user (I wasn’t, but it’s easier this way) using Hulu to watch Game of Thrones (I don’t, and it’s not on there, but this is a demonstration case) it’s hard to see who could really do anything to stop FYX. If I am using technology to circumvent Hulu’s geoblock then I am breaking their terms of use, so they could cancel my account (if I had one) or try to stop my access in some way, but that’s between me and Hulu. Similarly Sky who owns the broadcast (and limited on-demand internet catchup rights) to Game of Thrones could feel aggrieved, but FYX isn’t providing the content, Hulu is. It’s up to Hulu to ensure they only provide content where they are allowed to.

However FYX was also backed by a “grown up” ISP (Maxnet) and in reality I think they were probably just a little spooked by the level of attention the service gathered.

As for the service, some evidence and apparently informed insider gossip suggest it was basically just a wholesale version of the service provided by Unblock US. But all is probably not lost: the company is not being very definite about the service being gone, and it may well return in the near future.

QuickFlix: A Step in the Right Direction?

March 29th, 2012 by Dylan No comments »

Aussie DVD-by-mail and Streaming media company QuickFlix launched a New Zealand streaming service today (obviously they feel the DVD-by-mail market is served well enough already). Offering movies and TV shows for $9.99/month it seems like a great step in the right direction for NZ, but there are some issues.

The Good:

The company is already established in Australia and has existing relationships and a proven track record. This should make it easier for them to secure the all-important content rights.

Already a number of ISPs (initially Orcon and Slingshot) have agreed to zero-rate the data so that users can take advantage of the service without needing to worry about their fragile data caps.


The Bad:

I don’t like to feel like I’m concentrating on the negative, but it seems like there are a few significant issues with the service…

The technology is somewhat proprietary. Content can be viewed on Windows and Mac PCs and, in theory, Sony PlayStation 3 consoles and some Bravia TVs. That’s it. Unlike the popular US Netflix service, the content is not available on devices such as the Apple TV, the iPad, the iPhone or Android smartphones. Also, the content can’t be downloaded or saved for viewing offline.

Also, the premium Pay-Per-View content is not available on any of those devices at all, only on PC and Mac computers.

The TV content is very limited. Currently there is only a very small range of BBC titles (and in many cases only the first series). Although, to be fair, we’re actually winning here: there is NO streaming TV content for the Australian service.

The movie selection is also very limited: fewer than 360 titles, fewer than 25 of them from the last two years (not including PPV titles), and many of those you’ll never have heard of.

Before you read on…

QuickFlix have clarified their pricing to me on Twitter: the introductory price is the standard monthly price for people who sign up in the introductory period. So if you join before the 30th of June, your standard monthly price will be $9.99 indefinitely (unless there is a notified price rise in future).

This is still unclear on their site, and the stuff below was written as a result of that lack of clarity. Hopefully they will make this offer clearer.

I also have a big problem with the cost, or at least how it’s promoted. It’s advertised on the site as $9.99/mth. It says this is an introductory price, but there is no more information. If you click on the Join link you’ll see this…

[Screenshot: Quickflix-start]

“Subscribe to Quickflix – Only $9.99 Per Month” says the title in big bold letters. No “for a limited time” or “introductory price of”, just a big, bold $9.99 per month.

If you fill in your details there you’ll be taken to the next page, where you’d hope to find some more details…

[Screenshot: Quickflix-two]

No more details on the regular price, or on how long you pay $9.99, or even any details about what you’re signing up for really. Also a delightfully confusing detail: “If you are joining as part of a promotional offer, there won’t be any charges if you cancel your subscription before the promotional offer period ends. If you continue after the promotional offer this is the credit card we will use for your monthly subscription payment.”

It would seem reasonable to assume that an Introductory Price might be a promotional offer, so maybe you don’t have to pay anything now? But when do you? I don’t think the Introductory Price is a promotional offer. As far as I can tell, if you put credit card details in there you’ll be paying $9.99 for your first month (actually 30 days: they bill every thirty days, not by calendar month) plus the $8.50 administration fee.

As of now there is NOTHING on the site to say how much the regular price is. It is $16.99/mth, getting close to twice the advertised introductory price, and that will be the price from June 30th. The only way I found this out was by phoning their help line, answered, eventually, by Australian staff.

Unfortunately the person I spoke to knew nothing of the NZ service at all. He asked if I was interested in the DVD or streaming service. He quoted me Australian prices, and told me about Australian terms. If I hadn’t already been aware of the full NZ price (thanks to an Orcon press release) I would have taken him at his repeatedly-wrong word. Instead I told him he was wrong, and eventually, after a few minutes on hold while he went to talk to someone, found out when the introductory pricing expired.

While I’m not sure, I suspect that inducing someone to sign up for a service on a limited-time special offer without disclosing the full pricing and when it comes into effect would be against NZ’s consumer protection laws.

[Screenshot: Quickflix-faq]

I understand that today is the first day they’ve been open to the public and that there could be teething issues, but it’s not as if they haven’t had time to prepare. Not having this information clearly available is simply misleading.

In general I like where QuickFlix is heading, but I think there are a lot of issues to be resolved first, and sadly I’m not convinced that all of them can be, the licensing of content being the primary one.