not all change is progress
August 23, 2015
Direct download links: MP3 & Ogg
0:01:02 Behind the Headlines
0:33:47 Feedback
0:48:49 Semplice 7
When something many of us still think of as a presentation medium becomes a genuinely serious attack vector, you’ve got to ask whether maybe things have gone too far. And we kick off our look Behind the Headlines with a bunch of stories about how web technologies are increasingly proving a danger to our privacy and security. We also talk about Oracle, and a report that claims that commercial software is more secure than Open Source.
After your Feedback, Jesse does his level best to convince the team that Semplice 7 lives up to the standards set by its previous incarnation. On this, there was some disagreement…
0:01:02 Behind the Headlines
How your phone’s battery life can be used to invade your privacy
Websites that ID you by how you type: Great when you’ve forgotten a password, but…
DRAM “Bitflipping” exploit for attacking PCs: Just add JavaScript
EFF, AdBlock and Others Launch New Do Not Track Standard
Privacy Badger 1.0 Is Here To Stop Online Tracking!
It’s official: Samsungs are for old people
Big, ugly, heavy laptops are surprise PC sales sweet spot
UK.gov issues internal ‘ditch Oracle NOW’ edict to end pricey addiction
Oracle security chief to customers: Stop checking our code for vulnerabilities
Commercial software more secure than open source, finds report
Linux Foundation’s CII Donates $50k+ To OpenBSD
0:33:47 Feedback
A huge thank you to marmai and an anonymous donor for the Flattrs, Robert Forster for the PayPal donation, and to Charlie Ebert, Eoghann Walker, Christopher Atkins and Siniša Vidović for becoming Monthly Supporters – we really do appreciate knowing how much you guys value the show.
Ivor O’Connor, Nathan D. Smith and Campbell Barton all got in touch with some thoughts about GitLab, but – like Campbell – we’d still be interested in hearing a first-hand account of moving a large, active project onto that platform. Anyone?
Thanks to Richard for pointing out that the Android-x86 4.4r3 files are now available via SourceForge, rather than just on a personal Drive account; to Alex for his feedback about our Ubuntu community Over a Pint; and to Rob Landley for flagging up some thought-provoking articles that he wrote a few years back.
@AlJahom tried to sell us on the benefits of the Asus Transformer Book TF103C, and Tim Hamilton is similarly impressed with his Dell XPS 13. However, Charles Stell detailed some of the problems that he’s experienced with exactly that same machine. And thanks also to Brian Hall and Kelly Price for their thoughts on the topic.
0:48:49 Semplice 7
Way back in our second ever show, Joe brought us a gushing First Impression of Semplice 6. With version 7 now long released, and hopefully well-bedded in, we were looking forward to hearing a similarly glowing report from Jesse – which we duly did. Sadly, your other two Luddites felt the need to pour some cold water on proceedings, and pointed out just some of the myriad flaws that the distro currently suffers from. We can only hope that these issues are just a temporary blip, and that Semplice 8 will return the distro to the fine form seen previously.
JavaScript too powerful?
What about WebAssembly then? :D
http://arstechnica.com/information-technology/2015/06/the-web-is-getting-its-bytecode-webassembly/
OK, another thing then: So a gov is supposed to spend money on the thing that (the marketing folks claim) gets the job done instead of doing something for the public good and contracting s/o to write Free software to solve this problem for everyone?
And then the freaking government isn’t allowed to poke the software for any issues?? Especially with those gigantic Oracle databases with financial and HR data??
Well, the various govs then clearly have to get some regulations in place to allow them to audit the proprietary crap they paid for…
[add some sarcastic statements about free markets and cyberpunk predicting happiness for all in the corporate owned world]
In addition to disagreeing with Joe for the sake of it (see children comment from Charles below) I was trying to poorly make the point that there is only so much time and money available to Gov IT departments. This means they often have to stick to tried and tested (you could say legacy) software as they can’t spend money on exploring and implementing the alternatives. So while it would be brilliant if they could pick up free software and implement it as readily as the proprietary alternative, this isn’t always possible due to difference in the available feature set, the difficulty in installing/implementing it, the lack of a single responsible company (who do you call to ask about much of the free software we use?) and as you said the need for development in some instances. This all takes someone not only with the drive to implement FLOSS but the knowledge and budget to see it through. And I’m afraid that in my opinion if you can halve the IT department costs by carrying on with MS/Oracle products which then prevents you having to cut money from other core services, I see it as an easy decision.
Oh, right, all the really big $$$ for IT-research and development goes to the NSA, GCHQ and their likes ;P
I’m pretty sure you could easily find some company willing to provide FLOSS support. If you don’t jump the deep end of the pool and start with one department you wouldn’t even need to rely on a big player like RedHat. A nice, steady revenue stream from a 5 year gov contract would nurture growth of said company and make sure they stay in business.
And, of course, the contract would contain some service level agreement so they’re bound with more than the FLOSS license.
Plus the resulting code has to be freely available like research data. “Public good” and so on.
And I still think you shouldn’t get money from a gov when you’re not willing to have your stuff audited or at least thoroughly poked with static code analysis and fuzzers.
The problem is often the cost and inertia of the bureaucracy required to make any sort of change in government departments. Often staying with the current solution, provided it isn’t completely broken, is less expensive.
To give a non IT example our local council wanted to run a drain from an affordable housing site under one of our fields into a ditch. They commissioned a report from some consultants, which cost something like £45,000 to assess the site and come up with a plan. Putting a six inch drain over a distance of a couple of hundred yards and clearing the ditch was going to cost something like £25,000. We had laid a similar drain at the other end of the field a couple of years before, which cost around £1,000.
Never underestimate the ability of government departments to waste money working out how to do the bleeding obvious.
Just wanted to say that I am really enjoying the new format. I think my image of the show was changed forever when Paddy told Joe and Jesse to stop squabbling. From now on, whenever I hear the show I will be imagining Paddy sitting in the front of the car driving, with Joe and Jesse (the Luddite children) sitting in the back fighting. Family dynamic revealed! :)
That’s exactly how we record Charles – just drive about the rolling hills of ol’ Blighty for a couple of hours a fortnight ;)
I knew it! ;)
Congrats on your 50th episode guys!! Looking forward to another 50 episodes of excellent Linux talks and discussions. Thanks for everything you guys do and taking the time to better the Linux community.
Great episode again, especially the discussion about the security news and software licenses.
I think in the government software debate, I side with Joe on this one. I agree with Jesse that it would be time-consuming to get dozens or hundreds of computer workstations set up and configured, but I don’t think it’d be difficult, especially with things like the Linux Terminal Service Project (http://www.ltsp.org/), and a good linux sysadmin, who could get trained with the new courses offered by the Linux Foundation at edX.org. Many big organizations have already done it (a list of Debian servers is here: https://www.debian.org/users/).
That article you link to about the Linux Foundation’s donation to OpenBSD seems highly speculative to me regarding LibreSSL. The core initiative’s purpose is to help fund projects that are central to Linux’s usage in various contexts. OpenSSH fits these criteria for being supported by the Linux Foundation. The only way to donate to OpenSSH development is by donating to the OpenBSD foundation. I don’t think LibreSSL really factored into the decision either way.
Regarding Paddy’s question, I think Privacy Badger started with the AdBlock Plus code, ripped out the filter list functionality, and then added in its algorithmic filtering based on what third party code is loaded as you browse different sites. PrivacyBadger also has some extra bits added in like trying to prevent browser fingerprinting that may or may not be in other add-ons. I think the algorithmic filtering is the main differentiation. If you mainly use an ad blocker because you are uncomfortable with how much online advertisers track your behavior but also feel bad about denying revenue to the sites you visit, you might feel better using PrivacyBadger since it blocks based on behavior that looks like tracking rather than blocking based on a list of content that someone has decided is an advertisement. In my limited experience, PrivacyBadger seems to end up blocking most ads anyway. The other major point of differentiation is the licensing and motivation of the different add-ons. PrivacyBadger is produced by the EFF without a monetization plan. Some of the other popular add-ons are made by companies that try to monetize anonymized usage data (Ghostery), ad whitelisting (AdBlock Plus), or premium services (Disconnect). Some of these alternatives, like Ghostery, have proprietary licenses.
Jesse makes some good points about the practical barriers to wider adoption of free software by governments. Free software in general is kind of a difficult concept to convey to the general public, so I’m not sure how far away we are from the public appreciating its value at a governmental level. There have been some steps taken in this direction. For instance, over the past few years in the US there has been a push to make academic researchers publish all of the data obtained during work done under public research grants. It doesn’t seem too far of a stretch to go from that to requiring all vendors publish the source code of any software written to fulfill a government contract. It would be interesting to try to measure how much of the software currently used by various disciplines is supported by government grants. I think a number of open source projects (at least in the field of data science) started as tools that people wrote to use in government funded research (either in academia or a government program like NASA). Linux itself has its roots in academic research and early adoption by NASA. Sometimes I analyze and plot data for fun using the Python suite of tools (numpy, scipy, matplotlib, etc.) and I wonder what I would do if these projects that were started by academic researchers were not available and the only alternatives were things like MATLAB, Mathematica, etc. which have steep licensing fees for non-students.
Grr, yes, I wrote this twice because it seemed to be eaten the first time….
Have you seen any more written about the relationship between the Linux Foundation’s donation and LibreSSL? The only way to donate to OpenSSH is by donating to OpenBSD. I would think that supporting OpenSSH was the motivation for that donation and that LibreSSL had nothing to do with it.
Regarding Paddy’s question, I think the EFF started with AdBlock Plus to create PrivacyBadger so the basic functionality is similar. The main difference is that PrivacyBadger blocks based on an algorithm while most of the other blockers use various blacklists. For people who feel uncomfortable blocking ads and denying web sites revenue but still use an ad blocker because they don’t like the amount of tracking used on most web sites, PrivacyBadger might be a good choice since it blocks based on tracking-like behavior rather than on a blacklist. In principle, you could use blacklists that only block trackers and not all ads with the other blockers as well. The other major differentiation is the motivation of the maintainers of the different projects. PrivacyBadger is supported by the EFF whereas some of the other major blockers are supported by companies that try to monetize some aspect of the blocker (Ghostery — anonymized usage data, AdBlock Plus — ad whitelisting, Disconnect — premium features). Ghostery also uses a proprietary license, though others like AdBlock Plus and Disconnect use MPLv2 and GPLv3.
In recent years in the US, the government has been working towards requiring that the results obtained through any government funded research be published to the general public within a year of publication in a subscription journal. I wonder how far off we are from the government imposing a similar requirement on companies that write software to fulfill a government contract. It would be interesting to try to quantify how much important software began or was supported by government funding. In data science at least, a lot of projects started as tools written by graduate students and professors or by researchers at government institutions like NASA. Linux also started in a research setting and was adopted early on by NASA. In the coverage of governments adopting open source software, I have only seen discussions about the costs of the transition and the costs of licenses. I wonder if there are instances of governments paying developers to add features to a project and then getting those features merged upstream.
I really like the EU and its member states starting to require “Open Access” to results of research they funded, too (http://ec.europa.eu/digital-agenda/en/open-access-scientific-information).
I guess most Freely available software one could call “gov funded” is the result of research. I hope we’ll see such a requirement on more generic code contributions in the (not too far) future.
Btw: Gov sponsored FLOSS contribution makes me think of the FBI’s attempt to get a backdoor into OpenBSD years ago ^^
Oracle security chief is and was wrong in her blog. Oracle does not live in a vacuum. A purchaser of their product also has rights. The comment to “love it or lump it” is plain WRONG. A business can’t survive with the attitude that they don’t want to hear complaints. Once I buy the product I have a RIGHT to look “under the hood”. The “no, no you can’t” attitude is crazy. It is NOT an ALL or nothing situation. Mary Ann Davidson is and was wrong.
Enrique – I’m afraid that you’re confusing how you’d like the world to be, and how it is. You’re right that Oracle doesn’t live in a vacuum, and that businesses that don’t respect their customers don’t tend to prosper (unless they are actual or quasi-monopolies). But no, if you buy a closed-source product, I can’t think of any jurisdiction where you are legally entitled to look “under the hood”. That’s the law, and a state of affairs that you, as the purchaser, explicitly agree to when you make the purchase. And the situation is compounded because frequently you don’t ‘buy’ the software anyway – all your money pays for is a limited right of use; the product never actually becomes ‘yours’.
Like you, I’m not happy with this state of affairs. But it’s the one we have. And in this context, Mary Ann had a fair point. All we can do is lobby our governments to (a) change laws and (b) move away from using closed source software; and the latter is what we on the show try to demonstrate is possible.
Patrick,
I guess we will have to agree to disagree on this one. Oracle is the one who confused what should be to what is – and thus is the reason they backed off on this issue and removed the blog post. That being said, I do very much love your podcast and the opportunity to put in my two cents.
Pat – I guess we will have to agree to disagree on this one. Clearly Oracle confused their policy to the reality of what is. And thus, they backed off on their policy and pulled the blog post. Maybe I will have to cross the pond and share a pint with you over this issue.
Well on a more positive note, I love your podcast and am glad you give us a chance to put in our two cents worth. Keep up the good work.
What a wave of new monthly supporters! The best Linux podcast deserves the cash. The way I see it, $8 a month buys two of you a pint. You say it doesn’t pay for pints, but I wouldn’t mind if it did.
Your discussion this week of Java and HTML 5 and privacy reminded me that Java and HTML 3 celebrate 20 years this summer (approximately). The Java debate has always interested me, even as a non-developer. It made so many of today’s mobile devices practical. But the Java critics seem to gain some ground in the debate every 5 years or so, both in terms of Java’s “inherent” vulnerability, and in terms of how powerful JavaScript is.
I also have to agree with Paddy’s critique of the ASUS entry-level 11″, 13″, and 15″ laptops (usually called the X or ee series). They are fairly disposable and flimsy. But like Joe, my little ASUS (http://smile.amazon.com/gp/product/B00F0RDY2O?ref_=cm_cr-mr-title) has proven to be more durable and reliable than a MacBook….so far.
You mentioned a few times that “you get what you pay for” giving me the impression you would expect everything to work with a high-end PC. Unfortunately that’s not the case with DELL. For instance the m6800 which has been out for a few years and is their top of the line flagship model. I have one that is upgraded with most of the top end upgrades but:
1) Only boots up properly maybe 98% of the time. Sometimes requiring a restart.
2) About 40% of the time it hangs while shutting down.
3) After a few days without a boot it will hang.
4) Sound doesn’t work properly with all applications and will hang the system.
5) Bluetooth connects but making actual use of it is something I have yet to figure out.
6) Reconnecting to wifi repeatedly will sometimes require a reboot.
7) The touchpad is so jumpy it can only be used for emergencies.
This is with Linux Mint 17.2 XFCE. One of the nice features is the pop out disk. Like the old 3.5 floppies of old you can pop out a SSD. This way I can have a disk for each OS I want to try while keeping my data on the other SSDs. (It can supposedly hold four disks but I only have three in it.) I’ve got two SSDs with XFCE on them as the boot and both give me the above problems. I suspect everything works with windows though I have never tried it. Of course I have upgraded to the latest bios and such. So the point is there are problems you have to work around even on the best. To be honest lower end DELLs have worked flawlessly for me. I’m suspecting that the new Lenovo P70 when it becomes available will have many problems just like the m6800.
Some years ago we bought what was supposed to be one of Dell’s high end business models. We bought it from a UK company that sells laptops that have been repossessed for various reasons. It came with two and a half years of a three year on site maintenance warranty. One of the keys on the keyboard was broken. Dell’s idea of on site maintenance was to ship me a keyboard and a pdf file on how to fit it. Luckily I am used to taking computers to bits. However, I was less than impressed with the quality of this supposed business laptop, which was obviously not designed to be taken to bits – cheap plastic self tapping screws, etc.
After that experience I would never buy anything made by Dell again.
That’s a new one but believable. I’m almost inclined to stick in the windows 8 disk that came with my laptop, figure out how to use windows 8, and see if I have the same problems that I do with Mint. Only thing stopping me besides the time is having to tear out my other disks. I don’t want W8 destroying anything.
While I don’t use Semplice, I do use Openbox on my systems as I find it fast and very stable compared to the other major environments. I find that configuring Openbox to have a 1 pixel margin on the left hand side of the screen and the top of the screen works well for accessing the right click menu. I just slam the mouse to the left or top of the screen and right click to fire up a new application or open a file from the menu.
The content of this website, and that of the podcasts produced by the website owners, is licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.