Simple AirPlay setup for whole house audio

I’ve been enamored with home audio since I was a very young.  I can recall turning on radios in separate rooms of the house so I could run from room to room playing my guitar along with the radio, preparing myself for future “rock-stardom”.  Fortunately for us all the long hair and spandex didn’t survive the 80’s but my desire to have audio in every room of the house didn’t.

Since then, I’ve spent more time (and money) than I should trying to build a fully distributed, multi-source audio distribution system, or what has been marketed at Whole House Audio but the big A/V vendors.  None of these efforts have been inexpensive, user friendly, or as functional as I would have wished.

Needless to say, I was very excited at the potential uses of AirPlay when it was initially introduced by Apple.  Utilizing this feature built into IOS devices and iTunes, you can easily put together a reasonable system (from a cost and complexity standpoint) that will give you fairly good results.

I’m certain there are more ways to do this than I’ll give you here, so please don’t flame me for forgetting your preferred method….

Step 1 – Start with a source

The most basic of AirPlay sources is iTunes.  If you’ve accepted iTunes to be your central storage for all digital media, this gives you a good based from which to start. iTunes gives you a lot of flexibility here and can easily be controlled via the Apple remote app from any IOS device.

From iTunes or the Remote app you can select your music or playlist as well as the destinations within your home.  Each AirPlay target has a separate audio level control available so you can balance out the levels to your preference (or the devices capability).

If you don’t want to use your media library and you prefer to stream your music selections, you are in luck.  You can use a streaming source, like Pandora, to feed AirPlay.  In this case I will use an iPad which I have Pandora set up on.  Launch the app and start playing your preferred playlist.  Once it starts you can double-click the home button to bring up the “multitasking bar”, swipe to the right and you’ll see your audio controls, from there you can click on the AirPlay button to choose which target you would like to use.

Step 2 – Simple target devices (or audio destinations)

Since AirPlay has been out for just over a year now and manufacturers are now starting to integrate it’s features into their devices.  Audio/Video receivers from Denon and many small speaker/dock devices have implemented AirPlay, but I’ve yet to see one of these solutions that are reasonably priced to use if you wanted to stream music to say 5-7 locations in or around your home.

The approach I’ve taken doesn’t really care if the speakers or stereos are “AirPlay enabled” or not.  In fact, most of my target systems are built from either powered speakers or systems we’ve had in our home far longer than the existence of AirPlay.

So how do I connect them?

One of the simplest and underrated devices from Apple is the Airport Express.  While it has the capability to extend your wireless network (albeit at the expense of your throughput), make USB devices like hard drives or printers wireless, or provide ethernet connectivity to a non-wireless device, the biggest feature is it’s ability to be an endpoint in an AirPlay environment.

On every airport express is a combination mini-toslink and analog miniplug connection.  So you can connect to a RCA input with a mini to RCA cable or directly to a digital input with the mini-toslink to toslink cable.  I am very aware that Apple sells a nice “kit” with both these cables for an astonishing $39.  A quick Google search will find an appropriate cable for your application for less than $5 per cable.

I have Airport Expresses using both options.  Where I have a bookshelf stereo unit with optical input, I’ve connected the AE via the toslink cable.  However in a simple and somewhat portable setup, I’ve used another AE simply connected to a pair of powered computer speakers.  With these two options, you can probably accomodate most any stereo or powered speaker setup you have in place today.

To extend my options a bit further, I’ve also utilized Apple TV2s as target devices for AirPlay.  ATV2s fit quite a different category of use verses the AE.  The biggest difference for me is the lack of an analog audio out on the ATV2.  While it has a full size optical output, it can perform the same function as an AE connected to a receiver with an optical input.  This is truly a matter of preference, do what you wish here.  The deciding point for me is what is the end device.  If it’s really at TV, then the ATV2 is the preferred component.  If it’s an audio only device, then the AE is my preferred device.

So now rooms like bedrooms and the family room don’t necessarily have to have a dedicated audio system in them to have audio streamed to them.  The downside to this particular option is that you have to have the television on in those rooms in order to have the audio output.  Whereas you can leave the stereo or speakers connected to the AE always on and set to a preferred volume level.

Step 3 – MultiSource?

While not a traditional multi-source setup, you can get a similar function from this setup.  I cannot use iTunes running from my central media server to serve up different playlists to different rooms/targets.  This would be a wonderful feature if someone on the iTunes dev team could work that out.  However you can use a couple of sources (possibly multiple iTunes or IOS devices) to control separate sets of speakers.  So my daughters could use the iPad to connect to speakers in the bedrooms upstairs to play Radio Disney while I have iTunes or my iPhone streaming music to all the speakers downstairs or outside.

If you’re looking to distribute audio on a fairly reasonable budget, I don’t believe you can easily beat this setup.  It definitely gives you a lot of flexibility about what you want to put where (from a target perspective) and can easily grow to fit your needs.  As each iTunes and IOS update come out, I eagerly look to see what new AirPlay options may be enabled.  Especially as Apple starts to introduce the ability to distribute video in the same manner.  But that’s a whole other topic…

Obama Birth Certificate search results yield malware

It’s long been a tactic of ne’er-do-wells to capitalize on topical issues to deliver malware.  Today is no different.  Many of the “1st page” Google image results for “Obama Birth Certificate” yielded images which had embedded exploits which would take advantage of known browser and/or Java vulnerabilities.

When you think about it, this is a very effective mechanism for malware delivery.  In our post-physical newspaper society, many get their news from online news sources.  Of that many, some will consistently goto the same sites to get information, the rest will simply search for (dare I say Google) what specific piece of news they are looking for.

Malware authors are well aware of this and capitalize on it quite often. While users may have become more aware of this when looking a links in a typical Google search, they may not be as aware when doing searches on images (like have occurred recently with Charlie Sheen and the Obama Birth Certificate searches).

So what can you do to help protect yourself in this ever changing malicious environment we call the Internet?

  1. As a “safe browsing technique” – try to use known, “reputable” new sites when you are looking for topical information.  I will concede that just because news site is well known does not make it immune from being hacked or to be delivering malware.  But the chances are much less with those sites than general unknown sites.
  2. Certainly use caution with all pop-ups that ask you to download, install, or run anything.  Also do not rely on the little red X to close those windows.  Chances are, it won’t do what you expect it to.  You are best off to bring up your system processes and just kill off your browsing sessions and start over.
  3. Make sure you operating system and security applications are kept up to date.  If you stay current with your patches and keep your security protection suite updated, you have reduced the opportunity for any of the known exploits to actually work on your system.
Follow these precautionary steps and you could be “winning” too…

Indian Government demands access to Gmail, Skype, and Blackberry data.

From SANS:

The Indian government is seeking to ensure that it will have access to
the content of communications sent over Gmail and the Skype and
BlackBerry networks in a readable format.  The government wants the
power to access communications as a means to combat terrorism.  Skype
and BlackBerry parent company RIM have been given two weeks to comply,
or they could find themselves banned in India.

Quick impressions:

While I’ve expressed concerns before over the decryption of Skype calls in China and Germany by the government, it has mainly been an issue of “is Skype business ready”.  While I’ve been okay with the use of Skype for personal communications, that is it.

Blackberry communications is another story.  A large percentage of the 41 million Blackberry users around the world are “corporate” users.  Which should mean that most of the data between those devices is work data (though we know quite a bit isn’t).  RIM supposedly has a symmetric key system while would mean that only the customer creates their own encryption key.  It would be very bad for RIM for this not to be the case and would cause a lot of issues with their customer base (many of which have chosen them for their secure messaging).

Gmail… again, this shouldn’t be your corporate mail system.  If Google willingly allows this, you can choose to opt out and choose another provider.  So while I’m not keen on the idea, at least you have the option.

Does my cell phone have a virus?

Many users aren’t worried about viruses or malware on their cell phones.  However, most companies are.

To date, there isn’t any exploit based malware for the major smartphone OSs (Andriod, Symbian, iPhone, Windows Mobile, Blackberry and… oh yeah.. Palm).  What this means is that, unlike the Windows operating system, there isn’t piece of malware that has been written that takes advantage of a weakness in the code or device which would allow for an exploit to occur (at least not yet).

This means that all attacks on your cell phone require an action by the end user for them to work.  I think alot of people are still hung up on this point, so I’m going to restate it.  I can take advantage of a web server exploit and place malware in an iframe.  When, from your PC, you simply browse to that site, you can become infected assuming you don’t have an AV scanner or content filtering service that would protect you from the redirect and download.  In browsing the website, you have “done” something.

GREAT! Make sure everyone knows not to do anything to allow themselves to be compromised (or pwned)!

Rickrolled iPhone

Rickrolled iPhone

If only it were that easy, right?

What we have is a combination of a social engineering problem and end user education/awareness.

In many aspects, all malware delivered via email, web, sms, etc. has some context of social engineering to it.  One would either used a compromised account from a friends device and delivered messages to the contact lists, therefore making it seem like a trusted source or falsify the origination of the email to make it appear that it’s coming from a large trusted source (e.g.  Either way, they are trying to not raise any red flags and get you to open the email, the attachment, or follow the url.

We try to mitigate this with device control policies and the above mentioned user education/awareness.  By providing our users with examples and scenarios we try to make sure they are as informed as possible so they don’t fall prey to these attacks.

I have written a list of best practices for cell phone use to help protect you and your information.  If you are interested in those recommendations, please check out my post on Cell Phone Security Best Practices – keeping your personal information personal.



But wait, there’s another big hole here!  These are smartphones.  It’s not about email, text, and phone anymore.  These things can have applications installed on them!


And so we have the app stores.  Each major manufacture has them for their respective OS (see list above).  What we have now is a channel by which a malicious person could deliver their application (aka malware) to your device.  What makes this more interesting is that you are willingly downloading and installing this application (aka malware).

These are supposed to be trusted channels.  Each manufacture has a process by which they test and verify some aspects of the application before they sign the app and publish it to their respective store.  This may range from, does the app start?  Does it crash my phone OS?  Or is it secure?  We can’t really assume they are checking for the security of it’s actions.

And why is that you ask?

Let me give you an example of a published application, that you would very likely not want.  Let’s just call this app “Flex(insert a vowel here)spy” and the vowel rhymes with the word try.  This company writes this application.  Submits it to an app store and says “This is a personal backup app.  It backs up your files, emails, contacts, etc to a website for you”.  Sounds good.  App store tests it and approves for sale.  It was posted in the app store and sold for a period of time.  Until our good friends at F-Secure notified them “um, you guys are selling an app that allows someone to spy on another users phone use”.  What????

What may have been presented to the app store as one thing, was in practice quite something else.  The app could be deployed directly to the phone or just put onto a memory card and slipped inside a phone to be activated.  So if you wanted to track someones usage and get their info, all you needed was 30 seconds of access to their phone.  What’s even more interesting is this is what the company’s website indicated you could do with the product.  If only the app testers had read it…

While not perfect, the app stores do provide a level of protection that should help keep users from putting malicious applications on their phones.  That is, until the users decide they need to “assert their freedoms” and jailbreak their devices so they can do things like install application not reviewed by the manufacturer.  Are you jailbreakers still sure your in the right here?

Even the new and highly touted Droid has seen issues with developers posting “apps” to help you connect to your online banking site.  Seriously though, when I want to connect to Citibank, do I need an app from 09driod that costs $.99 to do so?

Mobile Device Management

Mobile Device Management

Where does that leave us?

  1. Have policies for your device
  2. Use management applications for the device to enforce those policy settings
  3. Educate your users

This should look remarkably like any policy for managing a PC.  Well it is.  Lets take the approach that, as smartphones continue to mature and gain functionality, they will be under attack as much (if not more) than our PCs.  Since we have the perspective of having dealt with PC security issues, let’s try and stay in front of the smartphone security issues.