Why Open Standards and Open Source Matters in Government


I have offered to the powers that be (TPTB) running the various Town Councils in Singapore an opportunity for the open source community to help build an application to manage their respective towns following the unfolding fiasco around their current software solution which is nearing end of life.

I am not surprised to hear comments and even SMS texts from friends who say that I am silly to want to offer to create a solution using open source tools. I can only attribute that to their relative lack of understanding of how this whole thing works and how we can collectively build fantastic solutions for the common good of society not only in Singapore but around the world.

I work for a company called Red Hat. Red Hat is a publicly traded company (RHT on NYSE) and is a 100% pure play open source company. What Red Hat does is to bring together open source software and make it consumable for enterprises. Doing that is not an easy thing. A lot of additional engineering and qualifications have to go into it before corporates and enterprises feel confident to deploy it. Red Hat has been successful in doing all of that because of the ethos of the company in engaging with open source developers (and hiring them as full time employees where appropriate) so that we can help the world gain and use better and higher quality software for everything.

That means that in taking open source software, Red Hat has to ensure that improvements and enhancements done are put back out as well to benefit everyone else and at the same time, at a price, provide a service to enterprises that want to use these tools but also want accountability, support, continued innovation etc. That is the Red Hat business model. We are the corporate entity that enterprises deploying open source tools look to for sanity.

Naturally, everything we create is available to anyone else, including our competition, and, yes, we can be beaten at our own game. That’s the best part. The fact that we can be challenged by others with what we helped create is a fantastic situation to be in as it forces us to constantly innovate (and in the open) and show how we are a responsible open source community member while giving tremendous value to enterprises.

It is in that spirit that I made the offer to help form a team of open source developers in Singapore to create the management system software for the town councils.  Certainly, when the software is built and deployed, the town councils would need to have competent support and there is nothing stopping any of the IT SMEs in Singapore picking up that opportunity. This gives the Town Councils significant advantage in choosing vendors to support their needs while keeping the innovation forthcoming because the code is open.

Here’s an article in an IT publication in which I was interviewed about open source and CIOs – yeah, self promotion :-). But, here’s a better article about how open source is so prevalent in the US government as well (yes, Gunnar is a colleague of mine).

So, the offer to build an open source solution is genuine and sincere. It is not for me to make money out of it per se, but to foster a situation that will create even more opportunities for others to actively participate in creating fantastic open source solutions not only for the Singapore public sector, but the world.

I hope this offer is taken up seriously by TPTB including parts of IDA and MND. And for the record, this offer has nothing to do with Red Hat.


My Conscience Is Bugging Me


I cannot let the media statement put out by the “Coordinating Chairman of the PAP Town Councils” regarding the sale of the town council management software system to an ex-PAP MP-owned company be left alone without it being shredded apart. The media statement appeared on January 2, 2013 on the PAP website.

I have italicised and indented the paragraphs from the media statement and my response follows each italicised segment.

Statement by Teo Ho Pin on AIM Transaction

On 28 December 2012, I issued a press release in response to Ms Sylvia Lim’s statement on the website of the Aljunied-Hougang Town Council. Ms Lim had made various assertions in her statement. However, her statement was made without citing the relevant facts. I now make this further statement to set out fully the relevant facts.

I am the co-ordinating Chairman of all the PAP-run Town Councils (“the TCs”). The PAP TCs meet regularly and work closely with one another. This allows the TCs to derive economies of scale and to share best practices among themselves. This improves the overall efficiency of the TCs, and ensures that all the PAP TCs can serve their residents better.

In 2003, the TCs wanted to harmonise their computer systems. Hence, in 2003, all the TCs jointly called an open tender for a vendor to provide a computer system based on a common platform. NCS was chosen to provide this system. The term of the NCS contract (“NCS contract”) was from 1 August 2003 to 31 October 2010. There was an option to further extend the contract for one year, until 31 October 2011.

In 2010, the NCS contract was going to expire. The TCs got together and jointly appointed Deloitte and Touche Enterprise Risk Services Pte Ltd (“D&T”) to advise on the review of the computer system for all the TCs. Several meetings were held with D&T.

After a comprehensive review, D&T identified various deficiencies and gaps in the system. The main issue, however, was that the system was becoming obsolete and unmaintainable. It had been built in 2003, on Microsoft Windows XP and Oracle Financial 11 platforms. By 2010, Windows XP had been superseded by Windows Vista as well as Windows 7, and Oracle would soon phase out and discontinue support to its Financial 11 platform.

From what is mentioned above, D&T noted deficiencies and gaps in the system, which it seems was only about parts of the application infrastructure becoming obsolete and unmaintainable. It would be good to know what other gaps and deficiencies were reported.

It is now clear that the application that was developed ran on the system from Oracle Corporation, called “Oracle Financials 11”. It also is clear that, possibly both the server and client OS was Microsoft Windows XP. I do wonder how that original application was spec’ed out?

We have here a classic case of all of the component systems needed to run an application reaching end of life or becoming unsupported even as the application could still be used.

That, in itself, is not a big deal. Forced obsolescence is the norm in the IT industry. It is not the best state of affairs, but it is what it is.

The TCs were aware of and concerned about the serious risks of system obsolescence identified by D&T, and wanted to pre-empt the problem. In addition, as the NCS Contract was about to expire, they sought a solution which would provide the best redevelopment option to the TCs, and in the interim would allow them to continue enjoying the prevailing maintenance and other services.

Fair enough.

As Coordinating Chairman of the TCs, I had to oversee the redevelopment of the existing computer system for all TCs. It was clear to me that the existing computer software was already dated. The NCS contract would end by 31 October 2011 (if the one year extension option was exercised). However, assessing new software and actually developing a replacement system that would meet our new requirements would take time, maybe 18-24 months or even longer. We thus needed to ensure that we could get a further extension (beyond October 2011) from NCS, while working on redevelopment options.

Not sure why the preceding was needed, for it is a restatement of the first discussion.

D&T also raised with the TCs the option of having a third party own the computer system, including the software, instead, with the TCs paying a service fee for regular maintenance. This structure was not uncommon.

It is stated that D&T said it is a common method to have a “third party own the computer system”, but it is not clear how that would help with a rapidly aging computer system. It sounds incredible for D&T to suggest that.

We decided to seriously consider this option. Having each of the 14 individual TCs hold the Intellectual Property (IP) rights to the software was cumbersome and inefficient. The vendor would have to deal with all 14 TCs when reviewing or revising the system. It would be better for the 14 TCs to consolidate their software rights in a single party which would manage them on behalf of all the TCs, and also source vendors to improve the system and address the deficiencies.

This paragraph contains the biggest amount of doublespeak and warped sense of value if there ever was one. What does it mean that each of the TCs holds the “Intellectual Property”?

It was stated that the reason for creating the application was (from above) “(t)his allows the TCs to derive economies of scale and to share best practices among themselves. This improves the overall efficiency of the TCs, and ensures that all the PAP TCs can serve their residents better.” which puts to lie “(t)he vendor would have to deal with all 14 TCs when reviewing or revising the system”.

It would seem that whatever that was built, ended up being 14 versions of the application and not one. How does reviewing and revising the system become any more efficient by “consolidat(ing) their software rights in a single party”? Humbug.

If that indeed was a valid reason, all the TCs could have done was to agree to trust one TC to be the custodian and decision maker. How is each giving up their ownership to an external party any better?

I suspect the Coordinating Chairman is pulling a fast one here.

The TCs thus decided to call a tender to meet the following requirements:

1. To purchase the software developed in 2003, and lease it back to the TCs for a monthly fee, until the software was changed;

2. To undertake to secure extensions of the NCS contract at no extra cost i.e. take on the obligation to get an extension on the existing rates, until the TCs obtained new or enhanced software. This was put in to protect the financial position of the TCs; and

3. To work with the TCs to understand their enhancement and redevelopment needs and look for a suitable vendor to provide these upgrades.

If you look at the actual tender notice, all it states is that they are selling a “developed application software” and that the tenderer should be “experienced and reputable company with relevant track record”.

The devil is in the details which is only available if you fork out $214.
So, the PAP TCs wanted to sell out to someone else who fits their criteria of an experienced and reputable company with RELEVANT track record. The tender advertisement sounds very thin and vague.

Under the tender, the TCs sold only the IP in the old software. The ownership of the physical computer systems remained with the individual TCs. We wanted to sell the IP rights in the old software because it had limited value and was depreciating quickly. Had we waited until the new system was in place, the IP to the superseded old software would have become completely valueless.

Ah huh! They wanted to monetize their “IP” as it were. Time was running out. Not sure who else on the planet would want their “IP”, but they must monetize it.

The TCs advertised the tender in the Straits Times on 30 June 2010. Five companies collected the tender documents. These were CSC Technologies Services Pte Ltd, Hutcabb Consulting Pte Ltd, NCS, NEC Asia Pte Ltd and Action Information Management Pte Ltd (“AIM”).

I am sure four of the companies listed above, after wasting the $214, are run by level-headed management who realized that this tender was a huge scam and wanted no part in it and so decided not to respond.

I am aware that NCS considered bidding but in the end, decided not to do so as it was of the view that the IP rights to software developed in 2003 on soon to be replaced platforms were not valuable at all.

Another company withdrew after it checked and confirmed that it was required to ensure renewal of the NCS contract without an increase in rates. The company did not want to take on that obligation. The others may also have decided not to bid for similar reasons.

In the end, only AIM submitted a bid on 20 July 2010.

Does the Coordinating Chairman really think that NCS would have fallen into the scam as well? They would have known that there really is nothing in the application that they could “salvage”, having built it in the first place, let alone helping their customer monetize it.

We evaluated AIM’s bid in detail. First, AIM’s proposal to buy over the software IP would achieve our objective of centralising the ownership of the software, consistent with the model suggested by D&T.

This is circular logic which needs no further response.

AIM was willing to purchase our existing software IP for S$140,000, and lease it back at S$785 per month from November 2010 to October 2011. The lease payments to AIM would end by October 2011, with the expiration of the original NCS contract. Thus after October 2011, the TCs would be allowed to use the existing software without any additional lease payments to AIM, until the new software was developed.

Let’s do the math:

                              14 PAP Town Councils                    AIM
Contract Award                $140,000 (perhaps each TC got $10K)     ($140,000)
Lease (Nov 2010 – Oct 2011)   ($785*14*12 => $131,880)                $131,880
Nett                          $8,120

This meant that the TCs expected to gain a modest amount (about S$8,000) from the disposal of IP in the existing software.

So, the so called “Intellectual Property” is really only worth $8,120.

Second, AIM was willing to undertake the risks of getting an extension of the NCS contract with no increase in rates. This was the most important consideration for us, as it protected the TCs from an increase in fees.

And AIM will have the needed clout to negotiate with NCS – because they own the software – but the 14 PAP Town Councils being the original customer of NCS could not garner? Is that really true, Mr Coordinating Chairman? You are saying that you cannot do better than AIM against NCS? Say it ain’t so, Mr Coordinating Chairman.

Third, we were confident that AIM, backed by the PAP, would honour its commitments.

Wow, the PAP link. That’s the magic bullet.  Cronyism at its best. “Backed by the PAP” because the three directors are former PAP MPs or because the company is funded by the PAP?  Perhaps the other companies who picked up the tender document realized that they are not a PAP-{owned, funded} entity and would therefore not win.

That statement alone reeks of contempt of the free market, the principles of transparency, meritocracy and everything we hold dear in this country.
Are you, Mr Coordinating Chairman, also saying that AIM has deep pockets that they can withstand the possibility of NCS not agreeing? The directors of AIM have been reported not to be taking in director fees. That’s noble of them. It does look like the PAP Town Councils found their shining white knight in AIM.

Given the above considerations, AIM had met the requirements of the tender on its own merits. We assessed that the proposal by AIM was in the best interests of the TCs, and thus awarded the tender to AIM.

Of course! AIM has to be trustworthy and reputable given their PAP pedigree. Of course! D’oh!

Under the contract with AIM, the TCs could terminate the arrangements by giving one month’s notice if the TCs were not satisfied with AIM’s performance. Similarly, AIM could terminate by giving one month’s notice in the event of material changes to the membership of a TC, or to the scope and duties of a TC, like changes to its boundaries. This is reasonable as the contractor has agreed to provide services on the basis of the existing TC- and town-boundaries, and priced this assumption into the tender. Should this change materially, the contractor could end up providing services to a TC which comprises a much larger area and more residents, but at the same price.

What a lot of nonsense is this? It is unbelievable that the Coordinating Chairman can include a poison pill clause in the contract if the “boundaries of the Town Councils change”. I believe the boundaries of the West Coast Town Council changed after the May 2011 elections. I don’t see AIM doing anything about terminating the contract (correct me if I am wrong Mr Coordinating Chairman).

How do changes in the “larger area and more residents” materially change the way the software works? Is Mr Coordinating Chairman taking the tax payers and constituents of the PAP Town Councils to be daft? Wait a minute, a former PAP prime minister says we are (search for daft in that link)!

Since winning the tender, AIM has negotiated two extensions of the NCS contract until April 2013, at no increase in rates. The first extension was from November 2011 to October 2012, and the second from November 2012 to April 2013. The TCs received a substantial benefit in terms of getting the extensions from NCS beyond the original contract period, without any increase in prices.

Now, this is confusing. But I shall hold back for more juicy parts following.

What is not known now is the maintenance charges NCS charged as part of their original contract with the PAP Town Councils.

AIM has also been actively working with several vendors to explore new software options and enhancements for the TCs. AIM has identified software from a number of possible vendors, and has invited them to make presentations to the TCs in order for a suitable option to be chosen.

Are any of these open source solutions? Or is this going to be another closed, proprietary system that will face the same issues as the older one? Why are the Town Councils (via AIM) not looking at maximizing the tax dollars that goes into this by using open source solutions?

My offer to help build a fully open source solution remains.

Following the expiry of the initial lease arrangement for the software from AIM on 31 October 2011, no further lease payments for the software were made to AIM. During the period of its contract extension from November 2011 to April 2013, the management fee payable to AIM for the whole suite of services it provided was S$33,150, apart from what was payable to NCS for maintenance. In the end, inclusive of GST, each TC paid slightly more than $140 per month for AIM to ensure continuity of the existing system, secure the maintenance of this system at no increased costs, and identify options for a new system to which the TCs could migrate.

We entered into the transaction with AIM with the objective of benefitting the TCs. Over the last two years, the intended benefits have been realised. There is thus no basis to suggest that the AIM transaction did not serve the public interest, or was disadvantageous to residents in the TCs.

Bingo! The smoking gun perhaps?

So, AIM is not charitable and is asking the TCs to pay from November 2011 till April 2013. This is what the math looks like:

                              14 PAP Town Councils                    AIM
Contract Award                $140,000 (perhaps each TC got $10K)     ($140,000)
Lease (Nov 2010 – Oct 2011)   ($785*14*12 => $131,880)                $131,880
Nett                          $8,120
Nov 2011 – Apr 2013           ($33,150)                               $33,150
Nett                          ($25,030)

So, contrary to the rationale of “monetizing the IP” (a load of crap), the 14 PAP Town Councils will incur a loss of $25,030 in this deal.

This amount is on top of the cost of the D&T report and the “apart from what was payable to NCS for maintenance.”

It does seem that the PAP, having been in power for over 50 years, has found many creative means to “misdirect” tax monies.

I am saddened to have done this analysis.


Please, Mr Coordinating Chairman, please, come clean. You made a mistake. You thought you got a good deal. But that was not what it was. You have been drinking from the PAP water fountain for too long that you cannot see what is right and what is wrong. Your “media statement” is so full of holes that we can drive the Airbus A380 through it with room to spare.

Again, my offer to form a team of open source developers to build a solution that can benefit not only the town councils but anyone else remains.

Software for Public Sector Applications


The ongoing egg-in-the-face of the PAP over the “tender” (thanks to Alex for posting it via an anonymous source) awarded to AIM over the acquisition of a piece of software created for the use of the Town Councils is really disappointing.

Looking at the Today Online story, it would seem that Mr Teo and Mr Das have a lot of explaining to do.

Here’s an example of how proprietary software companies abuse their customers.  If you happen to have acquired a new laptop and it came with Windows 7 Starter Kit installed, when you set it up, you will be presented with a set of terms and conditions. Most people will just click OK and accept the terms and conditions without reading a word. But in this case, if you did not read anything you’d have missed out a juicy bit of restriction.

Section 8 on Page 7 of the Software License Terms says:

8. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the features included in the software edition you licensed. The manufacturer or installer and Microsoft reserve all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
· work around any technical limitations in the software;
· customize the desktop background;
· …;

Isn’t it amazing that even though you thought you bought that piece of software (according to their rules, it is not sold, only licensed), you are NOT allowed to change the desktop background. Changing it will be breaking the terms and conditions of Windows 7 Starter Kit. Wow.

It sure sounds like our friends at the PAP-run Town Councils and AIM took a chunk out of the proprietary software “let’s screw and milk the customer” book. Only this time, the customer is the tax-paying Singapore public.

My offer to the Town Councils, especially Aljunied Hougang Town Council, to help them build a fully open source solution remains.

A helper note for family and friends about your connectivity to the Internet from July 9 2012


This is a note targeted at family and friends who might find that they are not able to connect to the Internet from July 9, 2012 onwards.

This only affects those whose machines are running Windows or Mac OSX and have a piece of software called DNSChanger installed.  DNSChanger modifies a key part of the way a computer discovers other machines on the internet (called the Domain Name Server or DNS).

Quick introduction to DNS:

For example, you want to visit the website, http://www.cnn.com. You type this in your browser and magically, the CNN website appears in a few seconds. The way your browser figured out to reach the http://www.cnn.com server was to do the following:

a) The browser took the www.cnn.com domain name and did what is called a DNS lookup.

b) What it would have received in the DNS lookup is a mapping of www.cnn.com to a bunch of numbers.  In this case, it would have received something like:

www.cnn.com.        60    IN    A    157.166.255.18
www.cnn.com.        60    IN    A    157.166.255.19
www.cnn.com.        60    IN    A    157.166.226.25
www.cnn.com.        60    IN    A    157.166.226.26

c) The numbers you see in the lines above (157.166.255.18 for example) are the Internet Protocol (IP) numbers of the servers on which www.cnn.com resides. You notice that there is more than one IP number.  That is for managing requests from millions of systems and not having to depend only on one machine to reply.  This is good network architecture. For fun, let’s look at www.google.com:

www.google.com.      59    IN    CNAME    www.l.google.com.
www.l.google.com.    59    IN    A    173.194.38.147
www.l.google.com.    59    IN    A    173.194.38.148
www.l.google.com.    59    IN    A    173.194.38.144
www.l.google.com.    59    IN    A    173.194.38.145
www.l.google.com.    59    IN    A    173.194.38.146

www.google.com has 5 IP #s associated to it but you notice that there is something that says CNAME (stands for Canonical Name) in the first line. What that means is that www.google.com is also the same as www.l.google.com which in turn has 5 IP #s associated with it.

d) The beauty of this is that in a few seconds, you got to the website that you wanted to without remembering the IP # that is needed.

Why is this important? If you have a cell phone, how do you dial the numbers of your family and friends?  Do you remember by heart their respective phone numbers? Not really, or at least not anymore. You probably know your own number and those of a small close group (your home, your work, your children, spouse, siblings).  Even then, their names are in your contact book and when you want to call (or text) them, you just punch in their names and your phone will look up the number and send out.

The difference between your cell phone directory and the DNS is that, you control what is in your phone directory.  So, a name like “Wife” in your phone could point to a phone number that is very different from a similar name in your friend’s phone directory.  That is all well and good.

But on the global Internet, we cannot have name clashes and that is why domain names are such hot things and people have snapped up pretty much a very large chunk of names during the dot.com rush in the late 1990s.

Now on to the issue at hand

So, what’s that got to do with this alarmist issue of connecting to the Internet from July 9, 2012?

Well, it has to do with the fact that there was a piece of software – malware in this case – that got added to machines running Windows and Mac OSX.  In all computers, the magic to do the DNS lookup is maintained by a file which contains information about which Domain Name Server to query when presented with a domain name like www.cnn.com.

For example, on my laptop (which runs Fedora), the file that directs DNS lookups is called /etc/resolv.conf.  This is the same file on Mac OSX and I think there is something similar in the Windows world as well. Fedora and Mac OSX share a common Unix heritage and so many files are in common.

The contents of my /etc/resolv.conf file are:

# Generated by NetworkManager
domain temasek.net
search temasek.net lan
nameserver 192.168.10.1

The file is automatically generated when I connect to the network and the crucial line is the line that reads “nameserver”. In this case, it points to 192.168.10.1 which happens to be my FonSpot wireless access point. But what is interesting is that my FonSpot access point is not a DNS server per se.  In the setup of the FonSpot, I’ve got it to look up domain names to Google’s public DNS server whose IP #s are 8.8.8.8 and 8.8.4.4.

Huh? What does this mean?  Simply put, when I type in http://www.cnn.com on my browser, that name’s IP# is looked up first by my browser asking the nameserver 192.168.10.1, which is the FonSpot, which will then return to my browser that it should go ask 8.8.8.8 for an answer. If 8.8.8.8 does not know, hopefully 8.8.8.8 will give an IP # to my browser to ask next.  Eventually, when an IP # is found, my browser will use that IP # and send a connection request to that site. All of this happens in milliseconds and when it all works, it looks like magic.

What if you don’t get to the site?  What if the entry in the /etc/resolv.conf file pointed to some IP # that belonged to a malicious entity that wanted to “hijack” your web surfing?  There is also a legitimate use of this kind of redirection. For example, when you connect to a public wifi access point (like Wireless@SG for example), you will initially get a DNS nameserver entry that belongs to the wifi access provider. Once you have successfully logged into that access point, your DNS lookups will be properly directed. This technique is called “captive portal”. My FonSpot is a captive portal btw.

The issue here is that those machines which have the DNSChanger malware have their DNS lookups hijacked and directed elsewhere.  See this note by the US Federal Bureau of Investigation about it.

It appears that the DNSChanger malware had set up a bunch of IP# to redirect maliciously all access to the Internet. If your /etc/resolv.conf file has nameserver entries that contain numbers in the following range:

85.255.112.0 to 85.255.127.255

67.210.0.0 to 67.210.15.255

93.188.160.0 to 93.188.167.255

77.67.83.0 to 77.67.83.255

213.109.64.0 to 213.109.79.255

67.28.176.0 to 67.28.191.255

you are vulnerable.
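
A check of the kind described above, as an added example that is not part of the original note: it reads the nameserver lines of a resolv.conf-style file and tests each one against the ranges exactly as they are listed here. The function names and the second sample file are constructed for illustration.

```python
"""Check resolv.conf nameserver entries against the ranges listed in this note."""
import ipaddress
import sys

# Ranges copied exactly as listed in the note above: (first, last) address.
LISTED_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("67.28.176.0", "67.28.191.255"),
]
BOUNDS = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
          for lo, hi in LISTED_RANGES]

# The resolv.conf shown earlier on this page (points at a local router).
CLEAN_SAMPLE = """\
# Generated by NetworkManager
domain temasek.net
search temasek.net lan
nameserver 192.168.10.1
"""

# Constructed sample, not taken from a real machine.
INFECTED_SAMPLE = """\
; constructed example
search lan
nameserver 85.255.112.36
nameserver ::ffff:213.109.64.5
nameserver 8.8.8.8
nameserver not-an-address
"""


def parse_nameservers(text):
    """Return the address field of every 'nameserver' line, in file order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def in_listed_range(address):
    """True if the address falls inside one of LISTED_RANGES.

    IPv4-mapped IPv6 addresses are unwrapped first; other IPv6 addresses
    and strings that are not IP addresses return False.
    """
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # drop zone id
    except ValueError:
        return False
    if ip.version == 6:
        ip = ip.ipv4_mapped
        if ip is None:
            return False
    return any(lo <= ip <= hi for lo, hi in BOUNDS)


def check_resolv_conf(text):
    """Return [(nameserver, is_in_listed_range), ...] for the given file text."""
    return [(ns, in_listed_range(ns)) for ns in parse_nameservers(text)]


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        results = check_resolv_conf(fh.read())
    for ns, bad in results:
        print(f"{ns:40} {'IN LISTED RANGE' if bad else 'ok'}")
    sys.exit(1 if any(bad for _, bad in results) else 0)
```

As the FonSpot setup described earlier shows, /etc/resolv.conf may only name the home router, so the DNS servers configured on the router itself need the same check.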

Here’s a test I did with the 1st of those IP#s on my fedora machine:

[harish@vostro ~]$ dig @85.255.112.0 www.google.com

; <<>> DiG 9.9.1-P1-RedHat-9.9.1-2.P1.fc17 <<>> @85.255.112.0 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34883
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        464951    IN    CNAME    www.l.google.com.
www.l.google.com.    241    IN    CNAME    www-infected.l.google.com.
www-infected.l.google.com. 252    IN    A    216.239.32.6

;; AUTHORITY SECTION:
google.com.        32951    IN    NS    ns2.google.com.
google.com.        32951    IN    NS    ns4.google.com.
google.com.        32951    IN    NS    ns3.google.com.
google.com.        32951    IN    NS    ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.        33061    IN    A    216.239.32.10
ns2.google.com.        33061    IN    A    216.239.34.10
ns3.google.com.        317943    IN    A    216.239.36.10
ns4.google.com.        33297    IN    A    216.239.38.10

;; Query time: 305 msec
;; SERVER: 85.255.112.0#53(85.255.112.0)
;; WHEN: Sun Jul  8 21:40:07 2012
;; MSG SIZE  rcvd: 242

Some explanation of what is shown above. “dig” (“domain internet groper”) is a command that allows me, from the command line, to see what a domain’s IP address is. With the extra “@85.255.112.0”, I am telling the dig command to use 85.255.112.0 as my domain name server and get the IP for the domain www.google.com. Currently 85.255.112.0 is being run as a “clean” DNS server by those who’ve been asked to by the FBI.

Hence, what will happen on July 9th 2012 is that the FBI’s request to give a reply when 85.255.112.0 is used will expire. Therefore the command I executed above on July 8th 2012 will not return a valid IP number from July 9th 2012. While the Internet will work, people whose systems have been compromised to point to the bad-but-made-to-work-OK DNS servers will find that they can’t seem to get to any site easily by using domain names. If they instead used IP#s, they can get to the site with no issue.

A quick way to check if your system needs fixing is to go to http://www.dns-ok.us/ NOW to check. If it is OK, your system’s /etc/resolv.conf (or the equivalent for those still running Windows) is not affected.

See the announcement from Singapore’s CERT on this issue.

And it’s live now – SCO Open Server 5.0.5 running in a RHEL 6 KVM


As promised earlier, the final bits of getting an application that runs on the old hardware on to the VM is now all done.  I tried to install the app but, I really did not want to spend too much time trying to figure out all the nuances about it.  Since this is really an effort that would eventually see the app being replaced at some future date, I wanted to get it done easily.

So, over the last long weekend, I did the following:

a) Created a brand new VM running SCO Open Server 5.0.5 on the RHEL 6.2 machine. The specs of the VM are: 2GB RAM, 8GB disk, qemu (not kvm), i686, set the network card to be PC-Net and Video as VGA. These are the best settings to complete the installation of SCO in the VM.

b) Meanwhile on the old machine, I did a tar of the whole system – “tar cvf wholesystem.tar /”. This is probably not the best way to do it, but hey, I did not want to spend time just picking what I wanted and what I did not need from the old machine. The resulting “wholesystem.tar” file was about 2G in size.

c) Ftp’ed the wholesystem.tar file to the VM and did an untar of it on to the VM – “cd /; tar xvf /tmp/wholesystem.tar “. This resulted in a VM that could boot, but needed some tweaks.

d) The tweaks were:

  1. Changing the network card to reflect the VM’s settings
  2. Changing the IP#
  3. Disabling the mouse on the VM

e) SCO is msft-ish (or maybe msft learned it from SCO) in that the tool that is used to do the changes, “scoadmin”, will, after changes are done, need the kernel to be rebuilt, which then necessitates the rebooting of the VM to pick up the new values.

f) Edited the /etc/hosts file to reflect the new IPs and added in /etc/rc.d/8/userdef file a line to set the default route on the VM: route add default 192.1.2.5

The VM’s IP is 192.1.2.100 and in the /etc/resolv.conf file, the nameserver was set to 8.8.8.8 and 8.8.4.4 (Google’s public DNS)

Printing:

a) The old machine had two printers – an 80 column and a 132-column dot matrix printer – connected to its serial and parallel ports.  I did not want to deal with this issue for the VM and got hold of two TP Link PS110P print servers. What’s nice about these is that they are trivial to work with (they are running Linux anyway) and by plugging them into the printers (even the serial printer had a parallel port), both printers were on the network and so printing from the SCO VM was now trivial.

b) Configuring the SCO VM to print to the network printer was done using the rlpconf command. The TP Link print server has an amazing array of options and I picked the LPR option and the LPT0 and LPT1 device queue on the two TP Link print servers. While the scoadmin has a printer settings section, for some reason the remote printers set up by it never quite worked.  In any case, the rlpconf edits the /etc/printcap file to reflect the remote printers and that is all that is needed.  Here’s what the /etc/printcap looked like after the rlpconf command was run:

cat /etc/printcap
# Remote Line Printer (BSD format)
#rhel6-pdf:\
#       :lp=:rm=rhel6:rp=rhel6-pdf:sd=/usr/spool/lpd/rhel6-pdf:
LPT0:\
:lp=:rm=192.1.2.51:rp=LPT0:sd=/usr/spool/lpd/LPT0:
LPT1:\
:lp=:rm=192.1.2.52:rp=LPT1:sd=/usr/spool/lpd/LPT1:

The IP #s were set in the TP Link print servers and their respective print spools.

c) So, once that was done, running lpstat -o all on the VM shows the remote printer status:

#lpstat -o all
LPT0:
lp1 is available ! (06,05,02,000000|01|448044|443364|04,02,02|8.2,8.3)
LPT1:
lp1 is available ! (03,02,03,000000|01|450384|445932|04,02,01|8.2,8.3)

Networking issues:

Initially, I had set up the VMs using the default networking setting for KVM.  The standard networking in KVM assumes that the VM is going to go out to the network and not run as a server per se. But this VM was going to be accessed by other machines (not the RHEL6 host) on the office LAN, so the right thing to do is to set up a bridged network instead of a NATed network. RHEL 6.2 does not, by default, have bridging set up and I think that needs to change. NATing is fine, but in order for the VM to be accessed from systems other than the host, there have to be additional firewall rules set up if it is to be NATed, but only a one-liner iptables rule, “iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT”, if it is on a bridge.

I think the dialog box that sets up the VM via virt-manager should add an option to ask if you need a bridged network. The option is there, but not obvious. So following these instructions carefully – they work.

Well, that was it. The SCO Open Server 5.0.5 with the application that was needed is now running happily in a VM on a RHEL 6.2 machine and the printing is via the network to a couple of print servers.

I must, once again, take my hat off to the awesome open source developers of KVM, QEMU, BOCHS etc for the wonderful way all the technologies have come together in a Linux kernel as fully supported by Red Hat in Red Hat Enterprise Linux. There is an enormous amount of value in all of this, that even a premium subscription of this RHEL installation is a fraction of the true value derived. The mere fact that a 20th century SCO Open Server can now be made to run in perpetuity on a KVM instance is mind-boggling (even if Red Hat does not officially support this particular setup).

QED.

Fedora 17 before it is released


I decided to take the plunge and run Fedora 17 before it’s officially launched in May.  My system has been running Fedora 16 x86-64 since the launch last November and I must say that it has been solid – including the GNOME 3.x stuff.

What I did was the following:

a) Updated the system fully – “yum update -y”

b) Ensure that “preupgrade” is installed – “yum install preupgrade -y”

c) Run the “preupgrade” command and let it set the system up.  This last step could take a few hours depending on your Internet speed. This was exactly what I did in November as well when I went from Fedora 15 to Fedora 16.

When it finally completed the preupgrade, I rebooted the machine, then it went through the final install and, voilà, all was good. The key apps I need to use on a daily basis – mutt, msmtp, Firefox, Chromium, x-chat, Thunderbird, vlc, twinkle, calibre, virt-manager – all worked as before. Or so I thought.

For what it’s worth, all of them work with the exception of vlc which will play ogg, mp3 but fails to play flv and mp4 (complains that it needs h264 codecs). I thought it should be there, but I guess something might not have been properly updated.  Oh well. Not the end of the world really. Everything else works.

The version of the kernel right now is:

[harish@vostro ~]$ uname -a
Linux vostro.sin.redhat.com 3.3.4-1.fc17.x86_64 #1 SMP Fri Apr 27 18:39:03 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

I did, however, encounter an interesting problem when I rebooted the machine to the newest kernel – my wifi did not come on. For a moment I thought something broke. I rebooted the machine from a liveUSB running Fedora 16 and the wifi worked, so it is not a hardware issue.  What I had to do was to use the “Fn + F7” key combination (to turn on and off the wireless in the machine) and bingo, the wifi came back on.  My machine is a Dell Vostro v13.

[harish@vostro ~]$ lspci
00:00.0 Host bridge: Intel Corporation Mobile 4 Series Chipset Memory Controller Hub (rev 07)
00:02.0 VGA compatible controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:02.1 Display controller: Intel Corporation Mobile 4 Series Chipset Integrated Graphics Controller (rev 07)
00:1a.0 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #5 (rev 03)
00:1a.2 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #6 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801I (ICH9 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 1 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801I (ICH9 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801I (ICH9 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801I (ICH9 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev 93)
00:1f.0 ISA bridge: Intel Corporation ICH9M-E LPC Interface Controller (rev 03)
00:1f.2 SATA controller: Intel Corporation ICH9M/M-E SATA AHCI Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801I (ICH9 Family) SMBus Controller (rev 03)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 03)
07:00.0 Network controller: Intel Corporation WiFi Link 5100

and

[harish@vostro ~]$ lsusb
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 003: ID 10f1:1a1e Importek Laptop Integrated Webcam 1.3M
Bus 003 Device 006: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)
Bus 003 Device 007: ID 413c:8161 Dell Computer Corp. Integrated Keyboard
Bus 003 Device 008: ID 413c:8162 Dell Computer Corp. Integrated Touchpad [Synaptics]
Bus 003 Device 009: ID 413c:8160 Dell Computer Corp. Wireless 365 Bluetooth

Let’s hope that by the time Fedora 17 is Generally Available, this little toggle is long gone.

Microsoft’s “open technology” spinoff


While I would like to stand up and cheer Microsoft on for setting up the “Microsoft Open Technologies, Inc”, I am not convinced that they are doing this in good faith.

Microsoft’s founder, Bill Gates, said in 1991 – 21 years ago – that

“If people had understood how patents would be granted when most of today’s ideas were invented, and had taken out patents, the industry would be at a complete standstill today.”

only to have all of that conveniently forgotten years later when they themselves started patenting software and suing people all over. These are the kinds of actions taken by a company that cannot innovate or create anything that is new and valuable.  It is also the same company whose CEO goes around saying things like:

“Linux violates over 228 patents, and somebody will come and look for money owing to the rights for that intellectual property,”

Too many of these statements and blatant lies from a company that has lost its ethical compass. This is the same company that is now pro-CISPA even after backing down from being pro-SOPA. Do read this statement from EFF about what’s wrong with CISPA.

Never mind all that. Clearly, Microsoft sees money in FOSS. It is business as usual for them in creating their new subsidiary.

If they are really serious about FOSS being part of their long-term future, I am sure they will be reaching out to many people in the FOSS world to join them. Thus far, all I have seen is a redeployment of their internal, dyed-in-the-wool MSFTies.

I think Simon’s commentary on the plausible reasons for Microsoft setting this new entity up is a good set of conspiracy theories, but I think Simon gives Microsoft too much credit.

Exposing localhost via a tunnel


I came across this tool, localtunnel, that offers a way to expose a localhost-based webserver (for example) to the internet. It is a reverse proxy that brings you to your machine way behind a firewall by bouncing off of an externally reachable host running localtunnel.

I tested it out on my Fedora 16 laptop (all I had to do was to run “gem install localtunnel” as I had ruby already installed).

I like the idea, but am not entirely convinced about the security exposure.

What does it take?


I am an organizer of a programming contest that will be using some really cool technologies (HTML5, Python, OpenShift, just to name three). This will be a contest open to anyone but we would need whoever takes part to be in Singapore for the duration of the contest.

This contest will also involve children 12-years and below (in their own category using Scratch as the tool) as well as an open category covering everyone else.

This contest covers the entire gamut of users – children (the next generation coders), cool technologies, innovation, solving society’s problems.

What I would like to do is to find a way to have the President of the Republic of Singapore be the guest of honour to present prizes to the winners when the contest is all over. President Tony Tan, in his earlier career, was a champion of education (as Minister of Education), headed up the National Research Foundation (as champion of innovation and entrepreneurship) and is the current patron of the Singapore Computer Society.

My challenge is that everyone I talk to says that “inviting the president is hard; too much protocol; too many security related issues etc”. Really? Is it so hard to invite the head of state to be the chief guest of an event focusing on things that he had championed earlier in his career?

Please tell me how I can cut to the chase and get him as the Chief Guest. Anyone? I will send an email to him directly, but I shall put this request out in public now.