Slightly less Random Ramblings

May 23, 2011

Strongswan 4.5.1 now in the OpenWRT Trunk

Filed under: encryption, linux, OpenWRT — Tags: , , , — Robert Wicks @ 6:49 pm

My issues with Strongswan in the OpenWRT trunk are now resolved. Strongswan 4.5.1-1 is available.

April 5, 2011

StrongSwan on OpenWRT

Filed under: linux, OpenWRT, security — Tags: , , , , , — Robert Wicks @ 8:45 am

I recently purchased a Buffalo WZR-HP-G300NH router and installed OpenWRT on it. I used the trunk version, but found that StrongSwan4 did not allow me to pass traffic, despite an identical configuration to my working Trendnet router. I can successfully connect, but my log files show an error “unable to add SAD entry.” My client indicated no proposal. Though I have not discovered the full nature of the issue, I did notice that the current OpenWRT trunk does not include the kmod-mod-imq module. Since the networking component has changed, I wondered if that might be related. When I installed the 10.03.1-rc4 version of OpenWRT instead, things worked again.

February 22, 2011

Setting up a VPN Gateway on the Cheap

I recently got a hand-me-down Trendnet TEW-652BRP router. The label on it indicates that it is version 1.1R. Doing a bit of research, it seems as if the one I have is actually identical to the TEW-632BRP, so I compiled OpenWRT for the TEW-632BRP, and it worked like a charm. The router uses an Atheros AR9130 rev2 chipset with a MIPS processor running at 400Mhz. It features wireless N in the 2.4GHz range, 4MB of flash, which is fairly typical, and 32MB of RAM, which is more than several I’ve seen. The processor is what intrigued me. It is well known that alternative, Linux-based firmwares exist for consumer routers, which can offer an array of new features. I have several compatible models myself. But most of the older Broadcom chipset models have fairly slow processors, so some applications, such as VPNs, perform only moderately well on them.

One of my favorite VPN products is OpenVPN. It performs well, and is simple to set up. A couple of years ago, an excellent analysis of the performance of OpenVPN on a consumer grade router was published. For most home connections, you will get plenty of throughput using either of the VPN solutions we will be setting up. In order to get this up and running, first you must flash the router to get rid of the firmware which came with it and replace it with something altogether more powerful: OpenWrt. Download the backfire image builder from the trunk. Support for this chipset is newer than the Broadcom chipsets in the original Linksys WRT-54G(L) and OpenWrt is under constant development, and the trunk build has run much better than the others on my router. The features I want really push the limits of the storage, so I had to just drop wifi support. Fortunately, I have other wireless routers which I can use for access points on my home network. So these directions are for a command-line-only, wired-access-only router and VPN endpoint. After you get the builder, run

“tar -jxvf OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64.tar.bz2;cd OpenWrt-ImageBuilder-ar71xx-for-Linux-x86_64”

After you get into the directory, run something like the make command below.

make image PROFILE=”TEW632BRP” PACKAGES=”base-files busybox ddns-scripts dnsmasq dropbear firewall hotplug2 ip iptables iptables-mod-conntrack iptables-mod-conntrack-extra iptables-mod-filter iptables-mod-imq iptables-mod-ipopt iptables-mod-ipsec iptables-mod-nat iptables-mod-nat-extra kernel kmod-button-hotplug kmod-crypto-aes kmod-crypto-authenc kmod-crypto-core kmod-crypto-des kmod-crypto-hmac kmod-crypto-md5 kmod-crypto-sha1 kmod-input-core kmod-input-gpio-buttons kmod-input-polldev kmod-ipsec kmod-ipsec4 kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-core kmod-ipt-filter kmod-ipt-imq kmod-ipt-ipopt kmod-ipt-ipsec kmod-ipt-nat kmod-ipt-nat-extra kmod-ipt-nathelper kmod-iptunnel4 kmod-leds-gpio kmod-sched kmod-textsearch kmod-tun libc libgcc libgmp libiptc liblzo libnl-tiny libopenssl libpthread librt libuci libxtables mini-snmpd miniupnpd mtd openvpn opkg qos-scripts strongswan4 strongswan4-app-charon strongswan4-app-pluto strongswan4-mod-aes strongswan4-mod-attr strongswan4-mod-des strongswan4-mod-dnskey strongswan4-mod-fips-prf strongswan4-mod-gmp strongswan4-mod-hmac strongswan4-mod-kernel-netlink strongswan4-mod-md5 strongswan4-mod-pem strongswan4-mod-pgp strongswan4-mod-pkcs1 strongswan4-mod-pubkey strongswan4-mod-random strongswan4-mod-resolve strongswan4-mod-sha1 strongswan4-mod-sha2 strongswan4-mod-stroke strongswan4-mod-updown strongswan4-mod-x509 strongswan4-mod-xcbc strongswan4-utils tc uci udevtrigger -vsc7385-ucode-ap83 -vsc7385-ucode-pb44 -vsc7395-ucode-ap83 -vsc7395-ucode-pb44 zlib -kmod-ath9k -wpad-mini”

This will install Strongswan and OpenVPN, but, due to only have 4MB of flash storage to work with, will not install the web interface, so we will be doing everything from the command line. After the command above gives you your image, you will need to choose the appropriate one to flash your router. If you are going from the factory firmware, you need to use the recovery image, which, when I build it, is called “openwrt-ar71xx-generic-tew-632brp-recovery-squashfs-factory.bin.”

You can then flash your firmware by unplugging it, holding down the reset button, plugging it in while the reset button is held down for about 10 seconds, then setting your computer’s IP address to and browsing to Upload the file and flash away. The router will eventually reboot and have an IP address of

You can then set your computer’s IP address to and telnet into The router will allow you in with no password. You can issue the “passwd” command to set the root password, which I recommend. Once you do this, however, you will have to use SSH to log into the router, as telnet is disabled when the root password is set.

OpenVPN Setup

OpenVPN is a very easy to configure, cross-platform, open source VPN, and it now has wide support on third party firmwares such as OpenWRT, DD-WRT, and Tomato (but you will need either TomatoVPN or TomatoUSB). IPSec has the advantage of being a standard which can interoperate with a variety of devices and operating systems where OpenVPN is not available. I figure why not do both? We are going to use certificates to authenticate both of them, so with a bit of care, we can use the exact same certifcates and keys on our router for both services, saving us a little bit of storage. I did my certificate generation on Ubuntu 10.10, but you could use anything which runs OpenVPN and OpenSSL. On Ubuntu, run

sudo apt-get install openvpn

After the installation completes, copy the entire /usr/share/doc/openvpn/examples/easy-rsa/2.0 directory into your home directory with

cp -r /usr/share/doc/openvpn/examples/easy-rsa/2.0 $HOME/

This will give you a “2.0” directory in your home directory. Cd into that directory, and edit the vars file so that it has your organization and personalized information (this is optional). Then edit the openssl.cnf file. You will modify it so that the certificates it generates will be suitable for both OpenVPN and Windows 7’s implementation of IPSec. Go to line 196 in the file, the extendedKeyUsage line. You will also add a new line after this one. Together, they read:

extendedKeyUsage=clientAuth, serverAuth,

In place of Your.Internet.DNS.Hostname, put your computer’s hostname. If you are on a home Internet connection, you should use one of the dynamic DNS providers such as These lines will enable the Windows 7 IKEv2 VPN client to work with StrongSwan. Be sure to follow the directions here. You can then run the following commands.

. ./vars
mkdir keys
./build-key-server Your.Internet.DNS.Hostname
./build-key-pkcs12 client1

As before, replace the Your.Internet.DNS.Hostname with your Internet hostname. One of the good things about the build-key-pkcs12 script is that it generates everything you will need for OpenVPN clients on both Windows and Linux. You will find client1.key, client1.csr, client1.crt, and client1.p12 under the keys directory after running the last command. You will also see files with the same extensions (except the p12 file) prefixed by your Internet hostname. Those files will be installed on your OpenWRT VPN endpoint. The client1 files will be installed on your laptop (or whatever will be connecting into your VPN endpoint). First, we need to copy the server keys we generated into the appropriate places. We will use the default paths for StrongSwan, but OpenVPN will also use them. Run:

scp keys/Your.Internet.DNS.Hostname.crt root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt

scp keys/Your.Internet.DNS.Hostname.key root@:/etc/ipsec.d/certs/Your.Internet.DNS.Hostname.key

scp keys/ca.crt root@:/etc/ipsec.d/cacerts/ca.crt

scp keys/dh1024.pem root@:/etc/openvpn/

SSH into your OpenWRT router and run:

vi /etc/openvpn/my-vpn.conf

This will create the configuration file you will use, which you will fill with something like this:

proto udp
port 1194
dev tun0
comp-lzo adaptive
keepalive 15 60
verb 2
push “route”
ca /etc/ipsec.d/cacerts/ca.crt
dh /etc/openvpn/dh1024.pem
cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
tls-auth /etc/openvpn/ta.key 0

You should customize the route to reflect the IP scheme of your internal network. You can also alter the server line to any arbitrary private network. Finally, you can change your port to something other than 1194. Notice that the last line refers to a file, ta.key, which we have not yet created. We can do that on the router itself with the command:

openvpn –genkey –secret /etc/openvpn/ta.key

Adding this to your OpenVPN configuration will defend against port scanning and DOS attacks. You will need to copy this file to your laptop as well. Your laptop’s OpenVPN configuration will contain something like this:

dev tun
proto udp
remote Your.Internet.DNS.Hostname 1194
resolv-retry infinite
ca /etc/ipsec.d/cacerts/ca.crt
dh /etc/openvpn/dh1024.pem
cert /etc/ipsec.d/certs/Your.Internet.DNS.Hostname.crt
key /etc/ipsec.d/private/Your.Internet.DNS.Hostname.key
tls-auth ta.key 1
verb 3

You now have a working OpenVPN configuration, but you still need to modify your firewall rules to allow traffic through. Run

vi /etc/config/firewall

Add the following lines to the end:

config ‘rule’

option ‘src’ ‘wan’
option ‘target’ ‘ACCEPT’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘1194’

Save the file. This will configure your firewall to accept inbound OpenVPN traffic. In order to pass the tunneled packets through, we edit the firewall.user file:

vi /etc/firewall.user

Add the following lines to that file:

/usr/sbin/iptables -I INPUT -i tun+ -j ACCEPT
/usr/sbin/iptables -I FORWARD -i tun+ -j ACCEPT

This will allow your VPN to work. Just reboot the router and OpenVPN should work. Now, let’s get to IPSec.

IPSec Setup

IPSec is actually more difficult to configure than OpenVPN, but, being a cross-platform standard, and enjoying kernel-level support, is still a nice feature to have on an Internet gateway. The crypto files have already been put in place, so we just need to edit the configuration. Run:

vi /etc/ipsec.conf

Modify the files so that it contains:

config setup


conn %default


conn nat-t


Edit your /etc/ipsec.secrets file and fill it with:

: RSA Your.Internet.DNS.Hostname.key

Now, we allow the appropriate connections to the firewall. Edit the /etc/config/firewall file and add:

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘esp’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘500’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘udp’
option ‘dest_port’ ‘4500’
option ‘target’ ‘ACCEPT’

config ‘rule’

option ‘src’ ‘wan’
option ‘proto’ ‘ah’
option ‘target’ ‘ACCEPT’

Finally, add the following to /etc/firewall.user to enable all the traffic to pass, even to the OpenWRT router itself:

/usr/sbin/iptables -I INPUT  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD  -m policy –dir in –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD  -m policy –dir out –pol ipsec –proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT   -m policy –dir out –pol ipsec –proto esp -j ACCEPT

This gives full access to all the tunneled traffic. On a Windows 7 client, you can follow this guide. Note that you will have to manually add the route for your home network on Windows 7, due to the limitations of the Agile VPN client. I run a command prompt as administrator and run

route add mask

after I connect. Traffic then passes. Things are much easier if you are using StrongSwan as the client. Just edit the /etc/ipsec.conf file on your Linux laptop client to contain the following:

config setup


conn roadwarrior


As you can see, you will be copying your router cert (and only the cert, not the private key) to your client. You will also copy your client1 key and cert. In a similar manner to the router, your /etc/ipsec.secrets file will contain

: RSA client1.key

You can read more on the Strongswan client configuration here. Once you have Strongswan configured, you can start ipsec, then issue

ipsec up roadwarrior

to start the tunnel.

Final Notes and Tips

You can actually replace the rightcert line with “rightid=%any” which is a better practice, from what I gather from the StrongSwan mailing list. That is how I have modified my own setup. Also, note that the Ubuntu package is actually broken, because it does not use socket-raw. To fix this, remove /usr/lib/ipsec/plugins/libstrongswan-socket-d* and restart the daemon. Or, you can do what I did and build the latest StrongSwan from source.

Be sure to look at the various documentation pages for OpenWRT, OpenVPN, and Strongswan. They have a lot of very useful information. One of the nice things you can do when you have your VPN setup working fully is completely disable all other remote access to your network. You can make your router invisible on the Internet, yet still allow full access to your home resources. With more powerful routers, especially ones with more storage, you can add useful packages to allow full SNMP support, traffic monitoring, the GUI interface, or port knocking.

If you have any questions, please post them in the comments or email me.

November 6, 2010

Noscript And Zimbra Problem

Filed under: computing, security — Tags: , , , , , — Robert Wicks @ 8:23 am

I log into a Zimbra server for email. I may be logged in on the local network, from outside, over the Internet, or across a VPN. The hostname is always the same. I found that I would have to actually quit Firefox in order to log back into Zimbra if I initiated a session over the Internet, and later made a VPN connection. I would see a white screen with a link in the upper left corner which said [Sign Out]. Clicking it did nothing. I actually had to restart Firefox. I discovered that this happened because of Noscript’s ABE protection. I did not wish to disable this, as it is a useful security feature. The solution is to go into the NoScript options, under ABE, and edit the SYSTEM settings. It normally says

# Prevent Internet sites from requesting LAN resources.
Accept from LOCAL

I added this line after the Accept lin:

Accept ALL from *.<mydomainname>

That fixed the issue. It might be advisable for people who use Noscript in a corporate environment with VPN access to add this to their ABE settings in order to prevent web application failures.

October 13, 2010

Sexuality, the State, and the Death of Black Manhood

Filed under: blacks, liberarianism, political correctness, race, war on drugs, welfare — Robert Wicks @ 8:22 pm

Recently, my college friends and myself were discussing a recent article in Vibe magazine on the experiences of a flamboyantly gay man at Morehouse College, and the response of the school’s president. I shared the two articles with family and friends, and the inevitable question “what has happened to black men?” came up. It seems clear to me that the main things which have happened are the reasons I despise Lyndon B. Johnson and Ronald Reagan. The war on poverty brought us welfare, which pushed a lot of black men from homes in the name of easy (or easier) money. That was Johnson. Reagan escalated the war on drugs, which further devastated the black family, especially the black males. Can anyone really claim that it is better for a black guy to be locked up for smoking or selling weed, rather than going to a community college and getting himself a job some day? Is controlling what someone does with his own body so very important? Is promoting the creation of drug gangs, then promoting the increase in the intrusiveness and violence of policing something we can really describe as “good?”

Because of these two factors, black men have fewer male role models. Many men emulate their mothers, unsurprising, as so many men are reared without fathers. Some of those mothers are educated, so that is fine as far as education goes. These men will pursue education. But they do not act like men. This is true even of many heterosexual men. Among any sufficiently large population, a number of gay people is to be expected. I do not find it surprising that a segment of the gay population would take emulating their mothers to an extreme that the straight men would not.

I predicted years ago that black higher education would become increasingly gay, and specifically, effeminately so. The war on drugs has devastated the ranks of black men in black communities to such an extent that female role models are, all too often, the best role models for success that black boys have. The testosterone has been depleted from the segments of black society most in need of it. This is one of the many tragedies brought to neighborhoods across the nation by the desire to force moral choices on others “for their own good.” And, while I targeted those two presidents for specific criticism, we can hardly “blame whitey” for this one. There are lots of people who are black drug warriors. Pretty much every black politician, including Obama, is a drug warrior. Eric Holder, his pick for Attorney General, is an especially fervent drug warrior. As far as I am concerned, we should treat blacks who support the war on drugs the same as we would treat a black guy doing a minstrel show in full blackface at an NAACP meeting. They deserve nothing but derision for being essentially black slave overseers. They profit from promoting oppression.

(Crossposted at The Libertarian Standard)

October 12, 2010

Twitter’s Pro-Freedom Terms of Service

Filed under: Intellectual Property — Robert Wicks @ 5:37 pm

Over at the online photography magazine, Photofocus, Scott Bourne warns photographers of the terms of service they may unwittingly agree to by posting a picture on Twitter. From the article:

Ask a real lawyer (not some guy named Larry who plays one on your local camera club forum) what this means. I did. My lawyer says it means that Twitter can do pretty much anything it wants with my photos (other than claim actual Copyright to them) and there’s nothing I can do about that. Is that an issue for you personally? Maybe not. It’s unlikely it will impact you if you aren’t trying to sell your photos. But if you are, read on.

As a professional photographer, I can’t sell “exclusive” rights to any image I decide to publish on Twitter. The reason is that once it is published on Twitter, there is no exclusivity left. That could be expensive. As professionals, we need to decide whether the exposure we get via Twitter is worth that trade off. For some of us the answer is yes – for others the answer is no. The purpose of this post is to get you to understand that you will have to make some hard choices. I am hoping they are informed choices, no matter what you decide.

In the case of the Twitter TOS, it seems that the terms Twitter stipulates are exactly the pro-freedom position: you can do whatever you want with the stuff you own (stuff, not ideas) unless you have contracted some other arrangement. Twitter owns the servers. You own the photo, sure, but you still have the photo after you uploaded it. What the uploader is actually doing is using Twitter’s stuff to create a copy on Twitter’s servers. For the photographer to then claim that he has the right to determine what Twitter does with it is like going to someone’s house and using a dollar bill left on a counter to make origami, then demanding the right to determine what happens to it as a result of your pattern rearrangement. It is nonsense from the start.

(crossposted at The Libertarian Standard)

July 19, 2010

Automounting Truecrypt in Linux

Filed under: computing, encryption, linux, Truecrypt, ubuntu — Tags: , , — Robert Wicks @ 12:35 am

I have a dual boot system with Windows 7 and Ubuntu 10.04. In order to secure the system, I have system encryption with Truecrypt and encrypted LVM in Ubuntu. I need to access my Windows files from within Ubuntu. After a bit of searching around the Internet, I pieced together this command line, which I put in /etc/rc.local. Since my system is fully encrypted and used by only me, I’m not concerned about the password being in /etc/rc.local. I installed the Truecrypt console version.

I added the following line to /etc/rc.local:

echo “MyTruecryptPassPhrase” | /usr/local/bin/truecrypt -t -m system -k “” -p ”” –protect-hidden=no –fs-options=rw,noatime,umask=000 –filesystem=ntfs-3g /dev/<windows partition> /<local mount point>

By echoing the passphrase and piping it to the Truecrypt command, we avoid having it show up in the ‘ps -ef’ command. The filesystem will be mounted with 0777 permissions.

I have found that it is even possible to mount outer partitions (with hidden partitions inside) using this method, and protecting the hidden partition. The command is as follows:

echo “HiddenPartitionPassphrase\n\nOuterPartitionPassphrase” | /usr/bin/truecrypt -t -k “” -p “”  –protect-hidden=yes –fs-options=rw,noatime,umask=000  /dev/sda2 /windows

By using the hidden OS feature in Truecrypt, it is possible to triple boot your computer, with all data on the drive except for the /boot partition in Linux being encrypted. Since no secret information is stored in /boot, this is not a problem.

April 22, 2010

Ubuntu thumb drive

Filed under: linux — Tags: , , , , , — Robert Wicks @ 9:44 pm

I recently installed Ubuntu 10.04 beta 2 (Lucid Lynx) on an Imation 4GB thumb drive. Ubuntu has a feature to install the live CD onto a thumb drive, but I have always found that solution a bit unsatisfying. I wanted an installation which could be updated and modified as I see fit. So, I wanted to use the thumb drive like a hard drive. Most of what I do allows me to forgo persistent local storage, but I did want that option, so I encrypted my home directory, which is an install option. One of the potential problems with that plan is the fact that flash storage, especially cheap flash storage, like the kind in a thumb drive, has a limited number of writes before it fails.

installing Ubuntu onto a thumb drive, using it like a hard drive, is simple. Just run the normal install, clicking on the “Advanced” tab on the screen prior to the beginning of the actual install. The subsequent screen allows you to choose the location for the boot sector. Simply change the boot sector to the thumb device, and you are done there. For further details, go here.

After the install, you can update your Ubuntu install as normal. Now, the next step is to do things which will extend the life of your thumb drive. Obviously, you do not want to have a swap file. I formatted the swap partition which Ubuntu automatically created and mounted that partition as /home. I also made use of tmpfs to mount some of the more heavily written areas in RAM, discarding them on each reboot. Here is what I did in /etc/fstab:

tmpfs /var/tmp tmpfs noatime,rw,mode=1777 0 0
tmpfs /tmp tmpfs noatime,rw,mode=1777 0 0
tmpfs /var/cache/apt tmpfs noatime,rw 0 0
tmpfs /var/log tmpfs noatime,rw 0 0

Additionally, I added this to /etc/rc.local:

mkdir -p /var/cache/apt/archives/partial
mkdir /var/log/apt

This means that the heavily written stuff, like logs, and the update cache for software, are written to RAM and discarded. The /etc/rc.local line is needed because apt-get requires both the archives and archives/partial directories to function correctly.

Once I had the system up and running, I found Firefox performance to be bad. Using the ever-trusty lsof, I found that Firefox uses multiple sqlite databases to hold stuff like preferences. The solution I decided on was to move my home directory onto a ramdisk. Since I had a small /home partition, I added the following things to my /etc/fstab:

UUID=f39t7wj8-v872-4dc9-ik47-nve73hv923nbsw1 /home2           ext4    rw,noatime        0       2
tmpfs /home tmpfs noatime,rw 0 0

Your uuid will differ, but the idea is to mount your original /home partition on /home2 instead, and mount /home as a ramdisk. I also added the following to /etc/rc.local:

rsync -a /home2/ /home/

This syncs the contents of /home2 (which is on the flash) with /home (which is in ram, and discarded at every boot). If I make an important change to my home directory, I log out of my GUI session, open another virtual terminal (by pressing ctrl-alt-F1), log in as root (you will need to set your root password to allow this), and run:

rsync -a /home/ /home2/

This will sync the changes you made back to the flash card. You should only rarely have to do this. One useful way to save files is to use the free Ubuntu One service which is included with Lucid. That makes it easy to save small files and sync them to the cloud, which ends the worry associated with having your home directory in RAM. Save any files you want to the Ubuntu One directory, and they will be saved offsite.

If you have any issues with doing any of this, feel free to contact me at Also, I would greatly appreciate corrections and suggestions. I may experiment with AUFS in the future. That may be a good alternative to tmpfs alone on some of the filesystems.

April 1, 2010

The Libertarian Standard

Filed under: Uncategorized — Robert Wicks @ 8:41 am

Check out The Libertarian Standard, a new blog for which I will occasionally write. We will cover government, technology, and anything else which interests the motley crew of contributors.

January 29, 2010

What I’d Like to See Google Do in Response to the iPad

Filed under: computing — Tags: , , , — Robert Wicks @ 11:03 pm

Apple recently unveiled the iPad, a device with which I am more impressed than I expected. It is less expensive than I thought it would be, and it has the kind of functionality it needs to have. It has the potential to be a wonderful book, magazine, and newspaper reader. It is not without its flaws, but it absolutely has the potential to revolutionize how we read, and how we access information. It is not difficult to visualize iPads in use in doctors’ offices, libraries, and various businesses for any number of purposes, both obvious and innovative.

Google is heavily invested in Android, an iPhone OS competitor in the smartphone market. Since the iPad uses the iPhone OS, it is only natural that Android competitors to the iPad emerge. And they have. Indeed, There were Android tablets already on the market before the iPad debuted, such as the Archos 7. None of the Android tablets I have investigated so far have the appealing form factor of Apple’s however.

Google sells the Nexus One directly to customers. It essentially competes head to head with Apple in the phone market, though “compete” is taking a bit of literary license when we consider the relative sales of the two phones. Still, Android phones are increasing in popularity, and the platform is evolving rapidly. I think Google could make a real play to compete head to head with the iPad as a portable reader. Google has poured huge sums of money into digitizing books and now has a considerable library of classic works. It should leverage this by developing an Android book reader optimized for a 10 inch tablet. Then, Google should practically give them away to libraries and schools across the world. Discount them heavily, just get them out. Google should make it a corporate mission to get every middle school, high school, and college student reading books and using textbooks on an Android device.

By getting students and readers used to reading on Android devices,, Google can fuel demand for its web services and get young people accustomed to using Android as their preferred platform for accessing information. Tools are difficult things to change. Get a young person used to your tool, and you probably have a customer for life. One of the major advantage Android could offer to libraries and schools is low cost. Since Android is an open platform, other manufacturers would naturally make competing devices and compete with Google in this push into the youth market. This would drive up quality and drive down costs. A few shortcomings in the iPad which could be immediately addressed are:

  • Lack of a front facing camera. With a front facing camera, an Android tablet could be a nice Skype/IM machine.
  • Multitasking. This is an easy one, and is already present in all Android devices. Being able to use streaming audio while reading email or surfing the web is an advantage over the iPhone.
  • Flash support. Being able to use services such as Hulu and various Flash gaming sites would provide a further advantage to an Android tablet.

Make no mistake. None of these things would “kill the iPad.” Just as in the case of the iPhone, I don’t want to see them die. They are innovative products which have forced others to respond to customer demand and improve the customer experience. Even if Google did all these things, and was successful with them, I’d love to see Apple come back to outdo them, point by point. You and I are would be the biggest winners.


Friends have pointed out that this plan could be prohibitively expensive.  Looking back over it, I have to agree. The educational models should ditch the camera and Google should sell the devices at cost. Later manufacturers can come along with faster processors and additional features. And Google might actually be able to get Adobe to help defer some of the cost in exchange for promotional considerations. Adobe is desperate to have Flash on mobile devices since Apple is consistently snubbing them.

« Newer PostsOlder Posts »

Create a free website or blog at

%d bloggers like this: