Category Archives: standards

all about standards

The Enormous Empowering of Free and Open Source Software Ecosystem


It is quite disappointing to see the escalation of bad behaviour on the part of some of the partners in the technology industry legally pushed on by US politicians who have no idea what they are doing.

Many people have asked me what Google's withdrawal of Huawei's access to the Android code would mean.

Simple. Nothing. It is just another day, another bad decision.

Why?

The Android ecosystem is driven not only by the business arrangements Google has with the various OEMs, but also by the existence of the Android Open Source Project.

The AOSP is the basis of the various replacement code that runs on millions of Android phones already in the market. You have all of the functionality one expects from an Android smart phone but without access to some of the “special sauce” (proprietary) that Google provides to the OEMs. If you think about it for a moment, not having access to the proprietary secret sauce/source is actually a Good Thing.

The special code that Google provides to their OEMs is, among other things, the ability to track users. I know lots of users would say, “but how else can I use the phone”? You do not have to give up your privacy to use the Android device. And for all those who say “privacy is dead, just get on with it”, I would like to ask “why do you close the door when you use the restroom”?

I have 3 Android phones – two Nexus and one Pixel. On the Nexus I am running AOSP and the Pixel is still running stock Android OS from Google. On all three, I use, to the extent I can, mostly all open source applications – FreeOTP, Signal, Telegram, Firefox, Firefox Focus, Tor, Torbrowser, Jitsi, DuckDuckGo, OpenStreetMap, AntennaPod, Keybase, Nextcloud, MIT AI2 Companion, VLC and Feedly. I don’t use Chromium (or Chrome).

About the only Google application I use is Gmail client and Google Maps if I did not download the OSM map for the city I am travelling to. And in case it is not already obvious, I don’t use Google for search. It is DDG for me, everywhere.

I do have ParkingSG, DBS’ apps, NEA, SGBuses and some others. By and large, the phones running AOSP have pretty much the same (minus Gmail) but that is fine.

But let’s return to the issue that is annoying the tech world right now. Since Google, Intel, Qualcomm and others have been arm twisted by the USG to stop providing to Huawei, what do you think will happen? Huawei will turn to others – for the hardware components – and will also potentially spur other Chinese companies to step into the void. Thanks to a braindead move, the rest of the world has been energized to remove the Single Point of Failure situation we are all collectively facing.

Don’t get me wrong in assuming that I think Huawei is above board on all things. They probably are not. But neither are the likes of Cisco, Apple etc (just search for the Snowden revelations). But, the major difference between Huawei and the US companies accused of similar bad behaviour is that Huawei has a strong link with the CCP via their CEO (if you are reading this in China, the Wikipedia page is blocked I am sure).

It is all about optics. He might indeed be a fine and honourable person. But the CCP link (and their Great Firewall of China and the slow train wreck that is their Social Credit experiment) does not bestow confidence. Compound that with the removal of the term limits on the presidency of China which essentially means one person will rule for his lifetime, does bring into sharper focus, the entire Chinese technology ecosystem in their lack of independence.

How could this be resolved? Partially, perhaps, by the CEO stepping down and having a very transparent management that we can all check for links to the CCP. This applies to the other Chinese companies as well – ZTE, Ali, Tencent, Baidu, QQ, WeChat, Didi etc. The opacity and the central control of thought by the CCP is a root cause of these troubles.

The accusations that Huawei “stole” “intellectual property” from the US are potentially provable, if we are talking about hardware. If it is about software, the code that is used to run on their systems is all essentially FOSS and GPLed code (most likely). There are no archaic 20th century style restrictions on the code and this is where Free and Open Source Code’s power is shining through. No amount of sanctions can stop the open sharing and collaboration that is already there.

Let’s make one thing clear. When you are looking at the code running on your devices (any), you have the opportunity to examine them, fix them, update them and do what you please, so long as you have access to the code. If the code is proprietary, discovering issues is really hard, not impossible, but hard.

The less informed would say that since the code is open, anyone can put in malicious code to do stuff. Of course that can happen. And precisely because the code is open, you can go in and take out the malicious code, and even publicly shame the perpetrators.

The similar statement of openness in hardware is slightly harder to make. This is because one will have to have access to the entire supply chain all the way to the chip foundry to ensure that there’s nothing that is not supposed to be in there in the first place. The issue with Supermicro boards having some malicious components is a case in point. The manufacturer might actually be telling the truth that they were not aware of the issue. This is a failure of the supply chain into which sophisticated (perhaps state actors) work is done to incorporate malicious components.

Can this issue be fixed?

Potentially by having DLT (distributed ledger technologies like Hyperledger, or HashGraph, or Blockchain) in the supply chain to authenticate and verify the hardware from design to delivery. We do not yet have such a system.

To summarise, the technology world will continue to move on. Free and Open Source Software is the bedrock of all of these technologies and no one can stop it from continuing to conquer the world.

 


Electronic voting and trust


There was a series of letters published in one of the daily papers here in Singapore about the apparent anomaly that we do lots of stuff electronically, but voting is not one of them. There was a reply from the Singapore elections department (which reports to the Prime Minister, ie, not an independent commission), that there are issues of trust still unresolved.

This thread was triggered by an article on 23rd November that headlined “Faster ballot counting, e-registration at next GE” (the MSM that it appeared in has a habit of locking up the contents so I have the PDF of the article linked below).

That led to the first letter by a Mr Lee Kwok Weng on 1st December asking why the voting is not done electronically. That prompted a reply by the Elections Department on 4th December “Online voting still not fool-proof”. There was another reply from Mr Cheng Choon Fei on 6th December “Electronic voting open to errors and fraud”.

Understandably, the not entirely pleased Mr Lee, on 8th December, wrote back and the letter was headlined as “If online banking is acceptable, electronic voting should be too”.

Having not seen the previous letters and article, I thought that I could add to the discussion and wrote in to the MSM. Here’s what I wrote on 8th December and sent to STForum@sph.com.sg:

I would like to respond to a letter published in your forum authored by Mr Lee Kwok Weng about his being surprised about the replies by the Elections Department on providing online elections in Singapore. [0]

Mr Lee correctly notes that we do banking transactions and many other types of online transfer of value.

There is a simple reason as to why that works: you can verify it. You can check if monies were sent, or emails were delivered, or digitally encrypted and/or signed documents are decrypted/read only by the intended etc. If the electronic transaction was tampered with you will know.

That is a solved problem.

With election systems, however, the part about tampering is not fully solved. Most voting systems have as their cornerstone, the secrecy of the vote. You know what you voted for, but you cannot check that the eventual accounting of the votes was not tampered with – because, in the simple case, you would be revealing your vote. I have always told people what I voted for because I feel voting secrecy encourages the possibilities of fraud, but I can also understand the real threat if someone is compelled to vote in a particular way under duress and threat.

Tamper-resistance and anonymous validation are active areas of research and some of the thought leaders like David Chaum (www.davidchaum.com) have some practical ideas that could address them, but issues of trust still remain.

I’d invite Mr Lee to consider attending and engaging with the local tech and cyber security community under the auspices of the Singapore Computer Society. The criticality of the source code of the electronic voting systems being open source, verifiable, rebuildable and repeatable, is but a small step in the direction of trust.

The MSM’s forum editor wrote back saying that they will publish my letter with some edits.

Here’s what was published today, 13th December.

[Image: letter-photo.jpg]

 

My updated GPG keys: 0x61AFA27B


I have just updated my GPG keys.

The fingerprint is: 0x61AFA27B

And my public key is:


You can check my keys at any of the key servers. Here are two:

a) https://keys.fedoraproject.org

b) https://pgp.mit.edu

I am updating my keys to 4096 bits and that is the reason for doing it now.

You can also use keybase.io if you prefer – this still has my previous key, and it will be updated to the new one.
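The identifier 0x61AFA27B quoted above is eight hex digits, the length of an OpenPGP short key ID (the low 32 bits of the fingerprint), whereas a version 4 fingerprint is 40 hex digits. The following is an added example, not the author's code: it shows how the v4 fingerprint and key IDs are derived from a public-key packet (RFC 4880, section 12.2) and how much of the key each kind of identifier actually checks. It assumes a v4 RSA key; the key material is constructed, not a real key, and the function names are illustrative.

```python
import hashlib
import struct

# Constructed sample values: NOT a real key, only well-formed enough to hash.
CONSTRUCTED_CREATED = 1500000000
CONSTRUCTED_N = int.from_bytes(hashlib.sha256(b"constructed").digest() * 16, "big") | (1 << 4095)
CONSTRUCTED_E = 65537


def mpi(n: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then big-endian bytes."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_v4_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body (160 bits)."""
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def normalise(ident: str) -> str:
    """Strip spaces and an optional 0x prefix, upper-case the hex digits."""
    ident = ident.replace(" ", "").upper()
    return ident[2:] if ident.startswith("0X") else ident


def check_pin(body: bytes, pinned: str) -> str:
    """Compare a fetched key against the identifier its owner published."""
    fp = v4_fingerprint(body)
    pin = normalise(pinned)
    if len(pin) == 40:                       # full fingerprint: all 160 bits compared
        return "match" if pin == fp else "mismatch"
    if len(pin) in (8, 16) and fp.endswith(pin):
        return "weak-match"                  # short/long key ID: only 32 or 64 bits compared
    return "mismatch"


if __name__ == "__main__":
    body = rsa_v4_packet_body(CONSTRUCTED_CREATED, CONSTRUCTED_N, CONSTRUCTED_E)
    fp = v4_fingerprint(body)
    print("fingerprint :", fp)
    print("long key ID :", fp[-16:])
    print("short key ID:", fp[-8:])
    print("pin = fingerprint ->", check_pin(body, fp))
    print("pin = short ID    ->", check_pin(body, "0x" + fp[-8:]))
```

A "weak-match" means the fetched key agrees with the published value only in its last 32 or 64 bits, so a key pulled from a key server is best compared against the full fingerprint obtained from the owner over a separate channel.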

Seeking a board seat at OpenSource.org


I’ve stepped up to be considered for a seat on the Board of the Open Source Initiative.

Why would I want to do this? Simple: most of my technology-based career has been made possible because of the existence of FOSS technologies. It goes all the way back to graduate school (Oregon State University, 1988) where I was able to work on a technology called TCP/IP which I was able to build for the OS/2 operating system as part of my MSEE thesis. The existence of newsgroups such as comp.os.unix, comp.os.tcpip and many others on usenet gave me a chance to be able to learn, craft and make happen networking code that was globally useable. If I did not have access to the code that was available on the newsgroups I would have been hard-pressed to complete my thesis work. The licensing of the code then was uncertain and arbitrary and, thinking back, not much evidence that one could actually repurpose the code for anything one wants to.

My subsequent involvement in many things back in Singapore – the formation of the Linux Users’ Group (Singapore) in 1993 and many others since then, was only doable because source code was available for anyone to do as they pleased and to contribute back to.

Suffice to say, when Open Source Initiative was set up twenty years ago in 1998, it was a watershed event as it meant that the Free Software movement now had an accompanying, marketing-grade branding. This branding has helped spread the value and benefits of Free/Libre/Open Source Software for one and all.

Twenty years of OSI has helped spread the virtue of what it means to license code in a manner that enables the recipient, participants and developers in a win-win-win manner. This idea of openly licensing software was the inspiration in the formation of the Creative Commons movement which serves to provide Free Software-like rights, obligations and responsibilities to non-software creations.

I feel that we are now at a very critical time to make sure that there is increased awareness of open source and we need to build and partner with people and groups within Asia and Africa around licensing issues of FOSS. The collective us need to ensure that the up and coming societies and economies stand to gain from the benefits of collaborative creation/adoption/use of FOSS technologies for the betterment of all.

As an individual living in Singapore (and Asia by extension) and being in the technology industry and given that extensive engagement I have with various entities:

I feel that contributing to OSI would be the next logical step for me. I want to push for a wider adoption and use of critical technology for all to benefit from regardless of their economic standing. We have much more compelling things to consider: open algorithms, artificial intelligence, machine learning etc. These are going to be crucial for societies around the world and open source has to be the foundation that helps build them from an ethical, open and non-discriminatory angle.

With that, I seek your vote for this important role.  Voting ends 16th March 2018.

I’ll be happy to take questions and considerations via twitter or here.

This is quite a nice tool – magic-wormhole


I was catching up on the various talks at PyCon 2016 held in the wonderful city of Portland, Oregon last month.

There is lots of good content available from PyCon 2016 on youtube. What particularly struck me was, what one could say is a mundane tool for file transfer.

This tool, called magic-wormhole, allows for any two systems, anywhere to be able to send files (via an intermediary), fully encrypted and secured.

This beats doing a scp from system to system, especially if the receiving system is behind a NAT and/or firewall.

I manage lots of systems for myself as well as part of the work I do at Red Hat. Over the years, I’ve managed a good workflow when I need to send files around but all of it involved having to use some of the techniques like using http, or using scp and even miredo.

But to me, magic-wormhole is easy enough to set up, uses webrtc and encryption, that I think deserves to get a much higher profile and wider use.

On the Fedora 24 systems I have, I had to ensure that the following were all set up and installed (assuming you already have gcc installed):

a) dnf install libffi-devel python-devel redhat-rpm-config

b) pip install --upgrade pip

c) pip install magic-wormhole

That’s it.

Now I would want to run a server to provide the intermediary function instead of depending on the goodwill of Brian Warner.

 

FUDCon Kuala Lumpur 2012


It is wonderful to see the Fedora Users and Developers Conference kick off in Kuala Lumpur today, May 18 2012. The plan was for me to attend, do a keynote and also pitch a talk for the barcamp. But, Murphy was watching how everything was coming together and pulled the rug from under me on Wednesday. I experienced what I found out later to be “tennis calf”.

The symptoms were 100% spot on; felt something hit my calf followed by a pull. Quickly arranged to visit a sports doctor and he advised me about what needs to be done and recommended that perhaps I should not travel for the next two to three days. Bummer. I was so looking forward to being among the Fedora community flying in from Europe, Australia, Vietnam, India, Sri Lanka, Bangladesh etc.

Among the things I wanted to talk about at FUDCon KL was the following:

  1. A demo of the plugable USB2.0 docking station that turns a Fedora 17 machine (server, desktop, laptop – does not matter) into a multi-seat Linux environment. I bought a pair from Amazon. I received it on Wednesday (shipped to Singapore via vpost.com.sg) and it worked exactly as stated – plug the USB to the laptop’s USB port, have a VGA monitor, USB keyboard and mouse plugged into the docking station, and voilà, a fresh GNOME login screen. Amazing. You can even do an audio chat and watch streaming video via this setup. Really good stuff and kudos to the developers for mainstreaming the code into the Linux kernel and working with the Fedora devs to make this workable out of the box on Fedora 17. What was really amazing from my point of view was that this works even when a machine is booted from a Fedora 17 LiveCD/USB. While this would suggest that the idea of the K12LTSP project is no longer needed, I think there are clear areas where they complement.
  2. My journey in OpenShift.redhat.com. I wanted to share my learnings about OpenShift and Git and all the associated stuff. More importantly, the fact that OpenShift is a technology that is being used for a 24-hour programming contest in Singapore called code::XtremeApps was important to share as well to encourage international participation in the contest. I am hopeful that this blog post will trigger interest.

I guess all is not lost. The show has to go on and I am glad to have facilitated a lot of it.  But the main kudos has to go to the Malaysian Fedora Ambassadors who managed to pull this off in the 8 weeks when they were awarded the hosting rights!

Microsoft’s “open technology” spinoff


While I would like to stand up and cheer Microsoft on them setting up the “Microsoft Open Technologies, Inc”, I am not convinced that they are doing this in good faith.

Microsoft’s founder, Bill Gates, said in 1991 – 21 years ago – that

“If people had understood how patents would be granted when most of today’s ideas were invented, and had taken out patents, the industry would be at a complete standstill today.”

only to have all of that conveniently forgotten years later when they themselves started patenting software and suing people all over. These are the kinds of actions taken by a company who cannot innovate or create anything that is new and valuable. It is also the same company whose CEO goes around saying things like:

“Linux violates over 228 patents, and somebody will come and look for money owing to the rights for that intellectual property,”

Too many of these statements and blatant lies from a company that has lost its ethical compass. This is the same company that is now pro-CISPA even after backing down from being pro-SOPA. Do read this statement from EFF about what’s wrong with CISPA.

Never mind all that. Clearly, Microsoft sees money in FOSS. It is business as usual for them in creating their new subsidiary.

If they are really serious about FOSS being part of their long-term future, I am sure they will be reaching out to many people in the FOSS world to join them. Thus far, all I have seen is a redeployment of their internal, dyed-in-the-wool MSFTies.

I think Simon’s commentary on the plausible reasons for Microsoft setting this new entity up is a good set of conspiracy theories, but I think Simon gives Microsoft too much credit.