Mycroft Mark 1 Extendable for sale

I’m selling a Mycroft Mark 1 Extendable. In a fit of enthusiasm back in 2015 I ordered a 3-pack and, now they’ve arrived, I realise that’s rather overkill, and I just need one to start developing. So I’m selling one of my spares. It’s totally as-new, never been opened except to take the listing photos. It’s the Extendable version, so it has all the ports on the back, unlike the Basic.

Please spread the word to anyone you think might have fun with one :-)

Firefox Secure Travel Addon

In these troubled times, business travellers occasionally have to cross borders where the border guards have significant powers to seize your electronic devices, and even compel you to unlock them or provide passwords. You have the difficult choice between refusing, and perhaps not getting into the country, or complying, and having sensitive data put at risk.

It is possible to avoid storing confidential data on your device if it’s all in the cloud, but then your browser is logged into (or has stored passwords for) various important systems which have lots of sensitive data, so anyone who has access to your machine has access to that data. And simply deleting all these passwords and cookies is a) a pain, and b) hard to recover from.

What might be very cool is a Firefox Secure Travel addon where you press a “Travelling Now” button and it:

  • Disconnects you from Sync
  • Deletes all cookies for a defined list of domains
  • Deletes all stored passwords for the same defined list of domains

Then when you arrive, you can log back in to Sync and get your passwords back (assuming it doesn’t propagate the deletions!), and log back in to the services.

I guess the border authorities can always ask for your Sync password but there’s a good chance they might not think to do that. A super-paranoid version of the above would also:

  • Generate a random password
  • Submit it securely to a company-run web service
  • On receiving acknowledgement of receipt, change your Sync password to the random password

Then, on arrival, you just need to call your IT department (who would ID you e.g. by voice or in person) to get the random password from them, and you are up and running. In the mean time, your data is genuinely out of your reach. You can unlock your device and tell them any passwords you know, and they won’t get your data.

Worth doing?

Overheard at Google CT Policy Day…

Jacob Hoffman-Andrews (of Let’s Encrypt): “I tried signing up for certspotter alerts for a domain and got a timeout on the signup page.”
Andrew Ayer (of CertSpotter): “Oh, dear. Which domain?”
Jacob Hoffman-Andrews: “hoffman-andrews.com”
Andrew Ayer: “Do you have a lot of certs for that domain?”
Jacob Hoffman-Andrews: “Oh yeah, I totally do!”
Andrew Ayer: “How many?”
Jacob Hoffman-Andrews: “A couple of hundred thousand.”
Andrew Ayer: “Yeah, that would do it…”

Technology Is More Like Magic Than Like Science

So said Peter Kreeft, commenting on three very deep sentences from C.S. Lewis on the problems and solutions of the human condition.

Suppose you are asked to classify four things –

  • religion,
  • science,
  • magic, and
  • technology.

– and put them into two categories. Most people would choose “religion and magic” and “science and technology”. Read Justin Taylor’s short article to see why the deeper commonalities are between “religion and science” and “magic and technology”.

Speaking at FOSDEM on the Mozilla Root Program

Like every year for the past ten or more (except for a couple of years when my wife was due to have a baby), I’ll be going to FOSDEM, the premier European grass-roots FLOSS conference. This year, I’m speaking on the Policy and Legal Issues track, with the title “Reflections on Adjusting Trust: Tales of running an open and transparent Certificate Authority Program”. The talk is on Sunday at 12.40pm in the Legal and Policy Issues devroom (H.1301), and I’ll be talking about how we use the Mozilla root program to improve the state of security and encryption on the Internet, and the various CA misdemeanours we have found along the way. Hope to see you there :-)

Note that the Legal and Policy Issues devroom is usually scarily popular; arrive early if you want to get inside.

Support the Software Freedom Conservancy

The Software Freedom Conservancy is an organization which provides two useful services.

Firstly, they provide “fiscal sponsor” services for free software projects which wish to benefit from being a non-profit but which do not have the resources to set up their own Foundation. They have over 35 member projects which they support. If you use WINE, Samba, Mercurial, Inkscape, Git or any of the others, you can thank and support those projects by supporting SFC.

Secondly, if you believe that copyleft has a role (and it doesn’t even have to be an exclusive role) to play in the free software licensing ecosystem, you have an interest in making sure that copyleft licenses do not de facto become the same as permissive ones. That requires working with companies to help them understand their quid pro quo obligations to share and, rarely, taking them to court when flagrant violations are not corrected after significant time. The SFC is basically the only organization which does this valuable work, and that fact makes companies (sadly) less likely to support it.

This means that SFC greatly relies on support from individuals. I have just re-committed as a supporter for 2017 and I hope many of my readers will do the same.

Booklet Printing Calculator

Ever wanted to print a booklet in software which doesn’t directly support it? You can fake it by printing the pages in exactly the right order, but it’s a pain to work out by hand.

I found a JS booklet page order calculator on Github, enhanced it to support duplex printers, cleaned it up, and it’s now on my website.
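As an added example (not the calculator on the website or the Github original), here is the page-ordering rule itself: the page count is padded to a multiple of 4, and sheet s (counting from 0) carries pages N-2s and 2s+1 on its front and 2s+2 and N-2s-1 on its back. The single-sided feed behaviour (all fronts, reload, all backs in the same sheet order) is an assumption that varies by printer.

```javascript
// Added example, not the page's calculator: sheet-side order for folding a
// stack of sheets into a booklet. Each side carries two pages; a page number
// above the real count is padding and comes out as null (blank).
function bookletOrder(pageCount, duplex) {
  if (!Number.isInteger(pageCount) || pageCount < 1) {
    throw new RangeError("pageCount must be a positive integer");
  }
  const total = Math.ceil(pageCount / 4) * 4;        // pad to a multiple of 4
  const sheets = total / 4;
  const page = (p) => (p <= pageCount ? p : null);   // null = blank padding
  // Outermost sheet first: its front holds the back cover and front cover.
  const front = (s) => ({ sheet: s + 1, face: "front",
    left: page(total - 2 * s), right: page(2 * s + 1) });
  const back = (s) => ({ sheet: s + 1, face: "back",
    left: page(2 * s + 2), right: page(total - 2 * s - 1) });
  const order = [];
  if (duplex) {
    // Duplex printer: both faces of a sheet are printed in one pass.
    for (let s = 0; s < sheets; s++) order.push(front(s), back(s));
  } else {
    // Single-sided (assumed feed): all fronts, reload the stack, all backs.
    for (let s = 0; s < sheets; s++) order.push(front(s));
    for (let s = 0; s < sheets; s++) order.push(back(s));
  }
  return order;
}

// Flatten into the comma-separated page list a print dialog accepts.
function toPrintList(order) {
  return order
    .reduce((acc, side) => acc.concat([side.left, side.right]), [])
    .map((p) => (p === null ? "blank" : String(p)))
    .join(",");
}
```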

No Default Passwords

One of the big problems with IoT devices is default passwords – here’s the list coded into the malware that attacked Brian Krebs. But without a default password, you have to make each device unique and then give the randomly-generated password to the user, perhaps by putting it on a sticky label. Again, my IoT vision post suggests a better solution. If the device’s public key and a password are in an RFID tag on it, and you just swipe that over your hub, the hub can find and connect securely to the device over SSL, and then authenticate itself to the device (using the password) as the user’s real hub, with zero configuration on the part of the user. And all of this works without the need for any UI or printed label which needs to be localized. Better usability, better security, better for the internet.

Samsung’s L-ish Model Numbers

[Update 2016-09-02: the poster of the original info has updated this post, and this post therefore turns out to be mostly untrue. Apologies to Samsung.]

A slow hand clap for Samsung, who have managed to create versions of the S4 Mini phone with model numbers (among others):

  • GT-i9195
  • GT-i9195L (big-ell)
  • GT-i9195i (small-eye)
  • GT-i9195l (small-ell)

And of course, the small-ell variant, as well as being case-confusable with the big-ell variant and visually confusable with the small-eye variant if it’s written with a capital I as, say, here, is in fact an entirely different phone with a different CPU and doesn’t support the same aftermarket firmware images that all of the other variants do.

See this post for the terrible details.

Eurovision Bingo (again)

Some people say that all Eurovision songs are the same. (And some say all blog posts on this topic are the same…) That’s probably not quite true, but there is perhaps a hint of truth in the suggestion that some themes tend to recur from year to year. Hence, I thought, Eurovision Bingo.

I wrote some code to analyse a directory full of lyrics, normally those from the previous year of the competition, and work out the frequency of occurrence of each word. It will then generate Bingo cards, with sets of words of different levels of commonness. You can then use them to play Bingo while watching this year’s competition (which is on Saturday).

There’s a Github repo, or if you want to go straight to pre-generated cards for this year, they are here.

Here’s a sample card from the 2014 lyrics:

fell cause rising gonna rain
world believe dancing hold once
every mean LOVE something chance
hey show or passed say
because light hard home heart
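The two steps described above (word-frequency analysis, then cards built from bands of commonness), as an added example that is not the code in the Github repo. It takes an in-memory array of songs instead of a directory; the lyrics are constructed sample lines, not real Eurovision lyrics, and the rng parameter is an assumption that makes card generation testable.

```javascript
// Added example, not the repo's code: frequency analysis of a set of lyrics
// and Bingo card generation from commonness bands. SAMPLE_LYRICS are
// constructed sample lines (one string per song), not real lyrics.
const SAMPLE_LYRICS = [
  "love love love, my heart is burning tonight",
  "rise up and shine, the world will see the light tonight",
  "dance with me, hold me, never let me go",
  "my heart my heart, we rise together into the light",
];

// Lower-case, strip punctuation, and count each word across all songs.
function wordFrequencies(songs) {
  const counts = new Map();
  for (const song of songs) {
    for (const w of song.toLowerCase().split(/[^a-z']+/)) {
      if (w) counts.set(w, (counts.get(w) || 0) + 1);
    }
  }
  return counts;
}

// Words sorted most common first; ties alphabetical so the order is stable.
function rankedWords(counts) {
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .map(([w]) => w);
}

// Split the ranked list into `rows` commonness bands; each card row is a
// random draw of `cols` distinct words from its own band, so the top row is
// full of words almost certain to be sung and the bottom row of rarer ones.
// `rng` (assumed parameter) returns a float in [0, 1); defaults to Math.random.
function makeCard(ranked, rows = 5, cols = 5, rng = Math.random) {
  const bandSize = Math.floor(ranked.length / rows);
  if (bandSize < cols) throw new RangeError("not enough distinct words");
  return Array.from({ length: rows }, (_, r) => {
    const end = r === rows - 1 ? ranked.length : (r + 1) * bandSize;
    const band = ranked.slice(r * bandSize, end);
    for (let i = band.length - 1; i > 0; i--) {        // Fisher-Yates shuffle
      const j = Math.floor(rng() * (i + 1));
      [band[i], band[j]] = [band[j], band[i]];
    }
    return band.slice(0, cols);
  });
}
```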

Have fun :-)

DNSSEC on gerv.net

My ISP, the excellent Mythic Beasts, has started offering a managed DNSSEC service for domains they control – just click one button, and you’ve got DNSSEC on your domain. I’ve just enabled it on gerv.net (which, incidentally, as of a couple of weeks ago, is also available over a secure channel thanks to MB and Let’s Encrypt).

If you have any problems accessing any resources on gerv.net, please let me know by email – gerv at mozilla dot org should be unaffected by any problems.

MOSS Applications Still Open

I am currently running the MOSS (Mozilla Open Source Support) program, which is Mozilla’s program for assisting other projects in the open source ecosystem. We announced the first 7 awardees in December, giving away a total of US$533,000.

The application assessment process has been on hiatus while we focussed on getting the original 7 awardees paid, and while the committee were on holiday for Christmas and New Year. However, it has now restarted. So if you know of a software project that could do with some money and that Mozilla uses or relies on (note: that list is not exhaustive), now is the time to encourage them to apply. :-)

Hi, I’m Bill

Hi, I’m Bill. As Tim Chevalier has written about me (at least a little bit) in an article series entitled “The Christians and the Pagans” (1, 2, 3), I hope I may be permitted a short response. (Yes, it’s taken a while. Sorry about that.)

What first struck me as I read Tim’s three articles is the number of things we agree on. Firstly, I entirely agree that there is no such thing as being apolitical or non-ideological – as Tim says, being (supposedly) apolitical is a political view. In fact, I would also go on to say that there’s no such thing as being areligious – being an atheist or agnostic is a religious view. People sometimes find this assertion more palatable if I use the term ‘worldview’ instead of religion, but the point is the same – everyone has a highest point of reference, an ultimate real from which everything else flows. It may be God, matter, reason or something else, but everyone has it. Similarly, everyone has a basis on which they relate to others and a view of what would be ideal in society – everyone is political.

I also agree that it’s foolish to push away people who want to contribute. When Tim writes:

“[T]o build the best thing you can you have to include everybody who wants to and can work together on it and contribute. Pushing away people who have something to contribute is an exercise in purity-based morality, not a sound business or technical strategy.”

all I can say is a hearty (and perhaps slightly cheeky) “Amen!”.

However, when I agree with Tim on this, I can’t help remembering the following quote from the Github issue which prompted ESR’s article:

“Reading the links you posted I only have one thing to say to you:reevaluate your actions,you are becoming a toxic individual who is harming the Python and Django communities and haven’t even realized it yet. You are a member of the Django Software Foundation and are supposed to be setting the example. I will be forwarding the content of this issue to the Chair to evaluate your continued presence in the DSF. best regards.”

And I can’t help remembering what happened to Brendan Eich. There seemed to be a whole lot of pushing away, and purity-based morality, going on in both these situations. And if the response is “it’s not about his code; we didn’t like his politics”, surely that’s taking precisely the view that Tim is arguing against? Tim objects to people focussing on his politics and ignoring his code, and wishes it were different; would he grant Brendan the same grace?

Where we diverge is in Tim’s assertion that Christianity is a part of the dominant culture, an “unmarked ideology” in tech. This assertion would be within some distance of plausibility if by “Christianity” he meant the moralistic therapeutic Deism of American (and British) civil religion which is called “Christianity” in some quarters. Even then, it would be a big stretch – I think most people in tech don’t follow that; instead they see it for the hypocrisy it is. The dominant culture of tech is secular humanism. To demonstrate this point, of these pairs of opposing views, which one is dominant in tech? Which one would go unmarked if it were expressed in conversation at a tech gathering, and which would be challenged?

Christianity | Secular Humanism
Marriage should be between one man and one woman | Anyone should be allowed to get married to anyone else
Hell exists | When we die, that’s the end
God created the universe | Science explains the existence of the universe
Jesus is divine | Jesus is irrelevant
Elective abortion is murder | Women can do anything with what’s in their bodies
Sex should be for marriage only | All (or most) forms of sex should be accepted and celebrated

As someone who has occasionally been on the sharp end of Christianity being very much a marked ideology in tech, I do find it hard to see how Tim can have come to the conclusion that it’s the mainstream. Over 1000 people come to Mozilla all-hands meetings; the prayer meetings we hold there have never attracted more than 5 people. This doesn’t bother us, because Jesus is Lord of all. But it’s hardly what one would call popular.

An additional trouble with Tim’s article is that it was prompted by an article by ESR, but Tim seems to have seriously misread him. Tim claims a pollution of agency attack – that is, people are denigrating the code of “SJWs” because of their politics. I agree his (ESR’s) headline (“Why Hackers Must Eject the SJWs”) is unhelpful at this point, but the body of his article seems clear that:

“We must cast [SJWs] out – refuse to admit them on any level *except by evaluating on pure technical merit whatever code patches they submit*.”

As we can see, ESR is urging precisely the opposite of what Tim says he is. ESR wants the hacker culture to stick to meritocracy, which he defines as focussing on the code contribution and not the person. His article is a call for a rejection by projects of a particular political stance and its ramifications, not of contributions. Just as, in a project run as perhaps Tim would have it run, other political stances and their ramifications would also be rejected by the leadership.

For myself, I unashamedly agree with this principle of operating open source projects. I don’t care if you call it meritocracy or something else. This is not to say some people don’t need more help on the contribution pathway than others – “to each according to his need”. But when it comes to looking at the code, we look at the code. If sometimes that principle is drifted from, and people start evaluating contributions based on the person who made them (a system which, for example, was being encouraged by djangoconcardiff) the solution is not to throw away the principle, but to recommit to it.

With Tim, I assert that this principle is *not* apolitical or non-ideological. Against Tim, I assert that instead, it is fundamentally based in justice. And I think this is where the heart of the disagreement is between “SJWs” and some (at least) who oppose them – it is not that one side says “we are pro-justice” and the other side says they aren’t, or says that something other principle is even more important. It’s that they don’t agree on what justice is. And perhaps one reason that “SJW” has taken on negative connotations in some circles (as Bradley discusses) is that people look at the form of justice espoused by this group and see it as no justice at all. Hence the ironic title.

More on the nature of true justice later, I hope. In the mean time, Merry Christmas to all :-)

What Does A Simple Phone for Old People Look Like? A Tablet

Ahmed Nefzaoui’s blog post about RTL languages introduced me to this awesome video, which is funny, charming, poignant and incidentally makes great points about phone usability:

It got me thinking: what would a phone for someone like Dotty look like? The more I thought about it, the more I realised the answer is “a tablet”.

Imagine a 7″ tablet with 4G phone hardware, so it has an always-on, fast, low-latency Internet connection. It is nice and big, and so easily held and viewed, and the screen controls can be made bigger for those with poor eyesight. It has no fiddly close-together hardware buttons to push. It can be unlocked with a simple swipe. You don’t have to know which is the menu button, which is *, or deal with T9 predictive text input. It has twin directional mics and speakers, with echo cancellation, so it doesn’t need to be held to the ear and the speaker positioned accurately. It has a built-in stand, so it can be placed at a good angle for calls on any flat surface. It has a camera for video calls, which (given sufficient bandwidth and frame rate) also allows for lip reading. It can record, and then email or MMS, short voice clips, which are much easier to create than text messages. It has wireless charging (or perhaps a dock) to avoid having to connect fiddly micro USB cables. One day, it might have voice recognition and speech-to-text, but perhaps not today. And it’s still small enough to fit in a handbag on the rare occasions it needs to go somewhere.

Thinking of all the advantages… why would anyone build a phone for old people in a mobile phone form factor?

10 Reasons Not To Use Open Source

I was browsing the Serena website today, and came across a white paper: “Time to harden the SDLC. Open Source: does it still make sense? (10 reasons enterprises are changing their policies)”. You are required to supply personal information to download a copy, and they force this by only providing the link by email. However, intrigued, I requested one.

Apparently, enterprises are questioning their use of Open Source software (presumably in the specific area of software development) because:

  1. Terrorists
  2. Chinese hackers stealing things
  3. Chinese hackers changing things
  4. There is no support
  5. Ransomware
  6. Man-in-the-middle attacks
  7. Local copies of source code are easy to steal
  8. Edward Snowden
  9. 0-days
  10. Git is hard to use (I’ll give them this one)

The list ends with this wonderfully inconsistent paragraph:

All of this seems very alarmist: what is the true situation? The truth is no one really knows because no one is talking about it. There is a clear, present and obvious danger from using open source solutions in support of your technology stack. You have to decide if the risk is worth it.

No-one really knows, but there’s a clear, present and obvious danger? I see. The only clear, present and obvious danger demonstrated here is the one that git is posing to Serena’s business…