Advogato blog for adulau

2008-07-21 Killing Usenet Is A Bad Idea

Mon, 21 Jul 2008 11:14:17 GMT

In a recent news from the EFF, there is an increase to limit the use or block access to Usenet by some ISPs. But NNTP and Usenet can be still useful for new technologies, a nice example of a NNTP server plug-in in a wiki. In such case, you can benefit of Usenet threading using a standard Usenet client or distributing RecentChanges RSS feed in a more efficient way than regularly fetching RSS feeds via HTTP. Old is new and new is old… don't kill the Usenet infrastructure that could support the next interactive business.

Tags: internet freedom wiki usenet

2008-06-23 Hardware Random Number Generator Useful

Mon, 23 Jun 2008 15:09:12 GMT

If you have a system machine generating various cryptographic keys, you really need a non predictable state in your entropy pool. To reach a satisfied level of unpredictability, the Linux kernel gathers environmental information in order to feed this famous entropy pool. Of course gathering enough unpredictable information from a deterministic system, it's not a trivial task.

In such condition having an independent random source is very useful to improve unpredictability of the random pool by feeding it continuously. That's also avoid to have your favourite cryptographic software stopping because lacking of entropy (it's often better to stop than generating guessable keys). In the graph below you can clearly see the improvement of the entropy availability. On an idle system, it is difficult for the kernel random generator to gather noise environment as the system is going in a deterministic way while doing "near" nothing. Here the hardware-based random generator is feeding regularly the entropy pool (starting end of Week 24) independently of the system load/use.

If you are the lucky owner of a decent Intel motherboard, you should have the famous Intel FWH 82802AB/AC including a hardware random generator (based on thermal noise). You can use tool like rngd to feed in secure way the Linux kernel entropy pool. In a secure way, I mean really feeding the pool with "unpredictable" data by continuously testing the data with the existing FIPS tests.

That's the bright side of life but I would close this quick post with something from the FAQ from OpenSSL :

1. Why do I get a "PRNG not seeded" error message?
... [some confusing information]
All OpenSSL versions try to use /dev/urandom by default; 
starting with version 0.9.7, OpenSSL also tries /dev/random 
if /dev/urandom is not available.
... [more confusing information]

If I understood the FAQ, by default OpenSSL is using /dev/urandom and not /dev/random first? If your entropy pool is empty or your hardware random generator is not active, OpenSSL will use the unlimited /dev/urandom version and could use information that could be predictable. Something to remember if your software is still relying on OpenSSL.

Update on 03/08/2008 :

Following a comment on news.ycombinator.com, I tend to agree with him that my statement "/dev/urandom is predictable" is wrong but that was a shortcut to urge people to use their hardware random generator. But for key generation (OpenSSL is often used for that purpose), the authors of the random generator (as stated in section "Exported interfaces —- output") also recommend to use /dev/random (and not urandom) when high randomness is required.

That's true when you are running out of entropy, you are only depending of the SHA algorithm strength but if you are continuously feeding the one-way hashing function with a "regular pattern" (another shortcut). You could start to find problem like the one in the linear congruential generator when the seed is one character… But that's true the SHA algorithm is still pretty secure. So why taking an additional (additional because maybe the hardware random generator is already broken ;-) risk to use /dev/urandom if you have already a high-speed hardware random generator that could feed nicely /dev/random?

Tags: kernel linux security random prng hrng

2008-06-15 Internet Liberties Still In Danger

Sun, 15 Jun 2008 18:03:52 GMT

Everything started when government tried to limit the liberties on Internet, the first major case was the Communications Decency Act. The famous blue ribbon campaign of the EFF started due to that legal non-sense in 1996. We thought that we were safe from such stupid regulation in the cyberspace when the US supreme court admitted that the Communications Decency Act was mainly unconstitutional. But the history proven the opposite, governments are continuously trying to limit civil liberties on Internet (and not only in China). It's a fact and seeing such intensity from government to limit our rights in a space where freedom is there by nature, I really have a confirmation (by repeating so many times so many legal trick to achieve a complete on control on Internet) that's an intended purpose to limit our freedom space.

Hopefully there are still an active (from scientific to citizen) community where interesting paper came such as : Cassell, Justine, and Meg Cramer. “High Tech or High Risk: Moral Panics about Girls Online." Digital Youth, Innovation, and the Unexpected. An interesting part is the comparison with telegraph and telephone. The conclusion of the paper also showed the danger of the "moral panic" for women :

And in each case that we have examined, from the telegraph to today, the result of the 
moral panic has been a restriction on girls’ use of technology. As we have described above, 
the telegraph, the telephone, and then the internet were all touted for how easy they were for 
young women to use, and how appropriate it was for young women to use them. Ineluctably, 
in each case, that ease of use and appropriateness became forgotten in a panic about how 
inappropriate the young women’s use of these technologies was, and how dangerous the 
women’s use was to the societal order as a whole. 
In the current case, the panic over girls’ use of technology has taken the form of believing 
in an increased presence of child predators online. But, as we have shown, there has been 
no such increase in predatory behavior; on the contrary, the number of young women who 
have been preyed on by strangers has decreased, both in the online and ofﬂine worlds.

Finally, as with uses of communication technologies by women in the past, it is clear 
that participation in social networking sites can fulﬁll some key developmental imperatives 
for young women, such as forming their own social networks outside of the family, and 
exploring alternate identities. Girls in particular may thrive online where they may be more 
likely to rise to positions of authority than in the physical world, more likely to be able 
to explore alternate identities without the dangers associated with venturing outside of their 
homes alone, more likely to be able to safely explore their budding sexuality, and more likely 
to openly demonstrate technological prowess, without the social dangers associated with the 
term “geek.” And yet, when moral panics about potential predators take up all the available 
airtime, the importance of the online world for girls is likely to be obscured, as are other 
inequalities equally important to contemplate.

But obviously, I'm still very affected by the continuous flow of bad law (like the recent one from France) or action like blocking Usenet. Do they want to turn Internet into an useless medium where free speech is banned ? and an Internet where so many technical restriction implemented, it becomes impossible to use it.

Tags : freedom internet

2008-05-24 My Git To-Do Process

Sun, 25 May 2008 15:10:00 GMT

Until very recently, I was using a mixture of text files to maintain a to-do list across my various activities. The problem is some of my to-do and activities are linked and I needed a kind of permanent access to those lists while at work, home or travelling/moving. I also needed to update the list off-line and with the ability to merge them easily. That was working but not perfect and sometime messy.

I found an updated version of the famous todo.txt (a bash script to maintain plain text to-do list) called git-todo.py hosted at (gitorious.org). After a simple test, I decided to move all my to-do lists, idea lists or n lists to git-todo.py. The major work was to recreate all the lists using the simple format of todo.txt but that was straightforward.

So I "centralized" (a big word for a distributed SCM ;-) everything around the to-do master git repository accessible via Internet, nothing really exotic. I have some basic script to always merge the master when I'm starting to work to be sure that the local branch is up to date.

My daily process is roughly described in the diagram but the idea is there. I mixed all my various lists and used the format of todo.txt to tag the entries. That permits me to recover some old ideas lost in my previous messy format. Another big advantage of todo.txt is the ability to change child/parent for each entry. Very handy when you see that a project is going nowhere without making other tasks before.

I have also included the daily idea list where I'm just listing crazy idea coming in my mind or after discussions with a friend or a colleague. That's a way for me to keep a kind of imaginative playground along with more raw task to be done. When an idea is becoming a task (that's often a good news), I just add a tag to link the idea with the current project to work on.

Tags : gtd git todo scm idea

2008-05-12 Wiki Creativity Metric An Experiment

Tue, 13 May 2008 00:05:47 GMT

Following my past blog entry why creativity metrics are needed , I quickly made an experiment called Wiki Creativity Metric to monitor the activities of some well-known Wiki talking about Wiki (from technology to the use of them). The idea is to have a more positive approach to metrics where we can have more influence. Let's imagine that you have seen that the WCI was down yesterday, that's maybe the time to contribute more to CommunityWiki. If our world is overflowed with today's metrics, indices of all kind, why not inventing our metrics to make the world more free and better. I updated the graph following the excellent feedback from Jean-Etienne Poirrier.

Tags: metrics creativity positivism wiki freedom

2008-05-11 GPL is not always the GNU General Public License

Mon, 12 May 2008 02:05:52 GMT

GPL is not always standing for the GNU General Public License… as this seen on a flower label. It's a company doing "plant novelty rights" called GPL international (http://www.gpl.dk/). They are clearly going into the opposite direction compared to the freedom defined in the well known free software license called GNU General Public License.

By the way, if those osteospermum flowers are not F1 hybrid we will be able to keep some good seeds and copy (doing multiplication) of the plant. It's the right to nature to reproduce itself. It's the first time I see a company trying to disallow the gardener (as described on their labels, check the photo below) the multiplication of the plant purchased.

Tags: freedom biology gpl gnu license nature gardening seeds biodiversity

2008-05-03 IPv6 Multicast Forwarding Finally In Linux Kernel

Sat, 3 May 2008 16:07:49 GMT

Finally, the Linux kernel is now supporting IPv6 multicast forwarding with the recent commit of Hideaki Yoshifuji (Thanks for his great work around IPv6 support in recent Linux kernel). That's a great news and we could expect it in the next 2.6 release (of course, you can compile the current master branch). FreeBSD was natively supporting IPv6 multicast forwarding since end of 2002 as the KAME project used FreeBSD for the reference IPv6 implementation.

Before you were forced to use various tricks in order to make IPv6 multicast forwarding/routing under GNU/Linux. One of the trick is to gather the MLD (the IGMP-like protocol for IPv6) messages on each interface and do forwarding based on the messages received (the system x wants to receive group y). The system works quite well in very common tree structure where a lot of systems are connected to an aggregated infrastructure like an ISP. There is a free software implementation for Linux (if you are not running the master branch and cannot wait forwarding IPv6 multicast ;-) called ecmh doing this. The concept of "multicast forwarding based on MLD learning" is also described in the RFC 4605. Beside the new IPv6 multicast forwarding in the Linux kernel, the other approach is still applicable for old kernel or devices not able to run a recent kernel.

So I just hope that the RFC 5058 (Xcast) won't take so many years to be implemented by default in the Linux kernel… ;-)

Tags: multicast ipv6 linux kernel xcast

2008-05-02 Linkfingerprint MachineTag

Fri, 2 May 2008 10:13:20 GMT

In my continuous MachineTag dementia (but at least useful with the license Machine Tag), I experimented an implementation of an interesting expired Internet-Draft called Link Fingerprints into MachineTag. The idea of the Link Fingerprints is to fingerprint the information reference to be sure that the content of the retrieved object is matching the initially reference object (you can replace object by file). In other words, to be sure that the file downloaded is the one initially provided by the author. This is very handy when distributing free software over Internet to limit the risks of downloading compromised software. The background idea of Link Fingerprints is really good but implementing it in the URI is introducing various issues (discussed in the WG during the introduction of the Internet Draft).

Why not reimplementing the idea into MachineTag ? Here comes the Machine Tag Link Fingerprint with a specific namespace called : linkfingerprint. How does this work ? That's pretty easy if you know already what a MachineTag is.

URL : http://www.foo.be/gnupg-adulau.txt
Tags : adulau linkfingerprint linkfingerprint:hash=md5:cbd9f12c32adec490b23061edb61f5fe

The tags are stored in del.icio.us for the tests url. The reduced security risks are not really coming from the use of the MachineTag themself but more from the collaborative tagging approach of users. Collaborative tagging application (like del.icio.us) often introduces network of users and that can be used to gain a certain level of trust for a tag. This is helping to give a kind of certainty for the object or file to be downloaded. That's not perfect but better than storing the hash or fingerprint in the same directory where are hosted the files. I have also updated the MachineTagLinkFingerprint to add the support for OpenPGP detached signature.

Tags: fingerprint hash security machinetag linkfingerprint openpgp

2008-04-02 Royalty Free versus Reasonable and Non Discriminatory Licensing: When you are in a standardization process (in other words, around the table with different people trying to make a "standard"/document), there are . . .

Wed, 2 Apr 2008 09:05:53 GMT

When you are in a standardization process (in other words, around the table with different people trying to make a "standard"/document), there are two major ways regarding the licensing of the "patented technologies" required for the standard. Either you use the Royalty Free licensing model or the (un/fair) Reasonable and Non Discriminatory licensing model.

Obviously, if you want a real open standard, you have to go for the royalty free licensing model. To better understand the difference, an example is better than theory.There is nice example of a Royalty Free license around ATOM (RFC 5023 and RFC 4287) made by Google at the IETF (you are required to disclose any patent claims around a (proposed) standard) :

Subject to the terms and conditions of this License, Google hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this License) patent license for patents necessarily infringe d by implementation (in whole or in part) of this specification. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the implementation of the specification constitutes direct or contributory patent infringement, then any patent licenses for the specification granted to You under this License shall terminate as of the date such litigation is filed.

The wording is clear, there is no real ambiguity and the license is compatible (be careful, I'm not a lawyer) with free software implementation. I think that's fine for the promotion and the use of open standard. The license is valid for everyone and you don't need additional interaction with Google to have the license.

Now, here an example of a RAND (Reasonable And Non Discriminatory) licensing model, this one has been made by Cisco about VRRP :

Cisco is the owner of US patent No. 5 473 599, relating to the subject matter of "Virtual Router Redundancy Protocol for IPv6 <draft-ietf-vrrp-ipv6-spec-04.txt>. If technology in this document is included in a standard adopted by IETF and any claims of this or any other Cisco patent are necessary for practicing the standard, any party will be able to obtain a license from Cisco to use any such patent claims under reasonable, non-discriminatory terms to implement and fully comply with the standard.

First you need to contact Cisco to have a license but the terms are unknown. "Non-discriminatory" is vague and could be an issue for any free software implementation. I know that we cannot make from an example a general case but I'm still trying to find a RAND license where it is clear and without ambiguity. When you are around a table at the a standard body, please go for a real Royalty Free licensing model. That would ease adoption of the standard (by promoting free and non-free use of the standard) without the administration burden required with a RAND licensing.

Tags: patent licensing copyright ietf standard lincese

2008-03-13 Usenix Good News: Today was a bad day for me but today has been slightly improved by the excellent announce of the [http://www.usenix.org/ USENIX] organization to . . .

Thu, 13 Mar 2008 21:05:11 GMT

Today was a bad day for me but today has been slightly improved by the excellent announce of the USENIX organization to open up their conference proceedings to everyone.

This is an excellent news. Of course, this is including a small subset of the USENIX publication and this is not including other publication like ";login:" but this already a good step to a real open access approach. I hope that will trigger the other big players in the scientific public area like ACM or IEEE.

I'm (again) dreaming of reading publication without paying a fee and without limitation.

usenix openarchive copyright freeinformation publication

photo by Carlos Johnson CC licensed.