Overheard at Google CT Policy Day…

Jacob Hoffman-Andrews (of Let’s Encrypt): “I tried signing up for certspotter alerts for a domain and got a timeout on the signup page.”
Andrew Ayer (of CertSpotter): “Oh, dear. Which domain?”
Jacob Hoffman-Andrews: “hoffman-andrews.com
Andrew Ayer: “Do you have a lot of certs for that domain?”
Jacob Hoffman-Andrews: “Oh yeah, I totally do!”
Andrew Ayer: “How many?”
Jacob Hoffman-Andrews: “A couple of hundred thousand.”
Andrew Ayer: “Yeah, that would do it…”

Technology Is More Like Magic Than Like Science

So said Peter Kreeft, commenting on three very deep sentences from C.S. Lewis on the problems and solutions of the human condition.

Suppose you are asked to classify four things –

  • religion,
  • science,
  • magic, and
  • technology.

– and put them into two categories. Most people would choose “religion and magic” and “science and technology”. Read Justin Taylor’s short article to see why the deeper commonalities are between “religion and science” and “magic and technology”.

FOSDEM Talk: Video Available

I spoke on Sunday at the FOSDEM conference in the Policy devroom about the Mozilla Root Program, and about the various CA-related incidents of the past 5 years. Here’s the video (48 minutes, WebM):

Given that this only happened two days ago, I should give kudos to the FOSDEM people for their high quality and efficient video processing operation.

Speaking at FOSDEM on the Mozilla Root Program

Like every year for the past ten or more (except for a couple of years when my wife was due to have a baby), I’ll be going to FOSDEM, the premier European grass-roots FLOSS conference. This year, I’m speaking on the Policy and Legal Issues track, with the title “Reflections on Adjusting Trust: Tales of running an open and transparent Certificate Authority Program“. The talk is on Sunday at 12.40pm in the Legal and Policy Issues devroom (H.1301), and I’ll be talking about how we use the Mozilla root program to improve the state of security and encryption on the Internet, and the various CA misdemeanours we have found along the way. Hope to see you there :-)

Note that the Legal and Policy Issues devroom is usually scarily popular; arrive early if you want to get inside.

Security Audit Finds Nothing: News At 11

Secure Open Source is a project, stewarded by Mozilla, which provides manual source code audits for key pieces of open source software. Recently, we had a trusted firm of auditors, Cure53, examine the dovecot IMAP server software, which runs something like two thirds of all IMAP servers worldwide. (IMAP is the preferred modern protocol for accessing an email store.)

The big news is that they found… nothing. Well, nearly nothing. They managed to scrape up 3 “vulnerabilities” of Low severity.

Cure53 write:

Despite much effort and thoroughly all-encompassing approach, the Cure53 testers only managed to assert the excellent security-standing of Dovecot. More specifically, only three minor security issues have been found in the codebase, thus translating to an exceptionally good outcome for Dovecot, and a true testament to the fact that keeping security promises is at the core of the Dovecot development and operations.

Now, if we didn’t trust our auditors and they came back empty handed, we might suspect them of napping on the job. But we do, and so this sort of result, while seemingly a “failure” or a “waste of money”, is the sort of thing we’d like to see more of! We will know Secure Open Source, and other programs to improve the security of FLOSS code, are having an impact when more and more security audits come back with this sort of result. So well done to the dovecot maintainers; may they be the first of many.

Modern Communications

I just sent something very like the following to someone buying a house from me:

This text is to tell you that I just emailed you a PDF copy of the fax my solicitor just sent your solicitor, containing the email he originally sent last week which your solicitor claimed he didn’t get, plus the confirmation that the fax was received.

Support the Software Freedom Conservancy

The Software Freedom Conservancy is an organization which provides two useful services.

Firstly, they provide “fiscal sponsor” services for free software projects which wish to benefit from being a non-profit but which do not have the resources to set up their own Foundation. They have over 35 member projects which they support. If you use WINE, Samba, Mercurial, Inkscape, Git or any of the others, you can thank and support those projects by supporting SFC.

Secondly, if you believe that copyleft has a role (and it doesn’t even have to be an exclusive role) to play in the free software licensing ecosystem, you have an interest in making sure that copyleft licenses do not de facto become the same as permissive ones. That requires working with companies to help them understand their quid pro quo obligations to share and, rarely, taking them to court when flagrant violations are not corrected after significant time. The SFC is basically the only organization which does this valuable work, and that fact makes companies (sadly) less likely to support it.

This means that SFC greatly relies on support from individuals. I have just re-committed as a supporter for 2017 and I hope many of my readers will do the same.

Religions Their Parents Don’t Belong To

More from the excellent “Stuff White People Like“:

2. Religions Their Parents Don’t Belong To. White people will often say they are “spiritual” but not religious. This usually means they will believe in any religion which doesn’t involve Jesus. The most popular choices include Buddhism, Hinduism, Kabbalah and, to a lesser extent, Scientology. A few even dip into Islam, but that’s much rarer, since you have to make real sacrifices and actually go to a mosque.

For the most part, white people prefer religions that produce artifacts and furniture that fit into their home or wardrobe. They are also particularly drawn to religions that do not require a lot of commitment or donations.

Making Good Decisions

Mitchell has been focussed for a while on how Mozilla can make good decisions which are made quickly rather than getting bogged down, but which do not bypass the important step of getting the opinions of a diverse cross-section of interested and knowledgeable members of our community.

In relation to that, I’d like to re-draw everyone’s attention to Productive Discussion, a document which came out of a session at the Summit in Brussels in 2013, and which explains how best to hold a community consultation in a way which invites positive, useful input and avoids the paralysis of assuming that consensus is required before one can move forward.

If there’s a decision you are responsible for making and want to make it using best practice within our community, it’s a recommended read.

Awareness

I’ve been reading the excellent “Stuff White People Like“, billed as “The Definitive Guide to the Unique Taste of Millions”. It’s based on a well-read (although now seemingly dormant) satirical blog. Here’s an entry which particularly hit home:

18. Awareness. An interesting fact about white people is that they firmly believe all the world’s problems can be solved through “awareness” – meaning the process of making other people aware of problems, magically causing someone else, like the government, to fix it. This belief allows them to feel that sweet self-satisfaction without actually having to solve anything or face any difficult challenges, because the only challenge of raising awareness is getting the attention of people who are currently unaware.

What make this even more appealing for white people is that you can raise “awareness” through expensive dinners, parties, marathons, T-shirts, fashion shows, concerts and bracelets. In other words, white people just have to keep doing stuff they like, except that now they can feel better about making a difference.

Raising awareness is also awesome because once you raise awareness to an acceptable though arbitrary level, you can just back off and say, “Bam! Did my part. Now it’s your turn. Fix it.”

So, to summarise: you get all the benefits of helping (self-satisfaction, telling other people) but no need for difficult decisions or the ensuing criticism. (How do you criticise awareness?) Once again, white people find a way to score that sweet double victory.

Popular things to be aware of: the environment, diseases like cancer and AIDS, Africa, poverty, anorexia, homophobia, middle school field hockey/lacrosse teams, drug rehab, and political prisoners.

Top 50 DOS Problems Solved: Can I Have A Single Drive?

Q: I intend to upgrade from MS-DOS v3.3 to either DR DOS 6 or MS-DOS 5, both of which will allow me to have my 40MB hard disk configured as a single drive instead of being partitioned into twin 20MB drives. Am I right in thinking that to do this I will re-format my hard disk, and that I must first back up all the data? I dread doing this since I have almost 30MB on there.

A: First the bad news: yes, you will need to re-format your disk to take advantage of the ability to work with partitions greater than 32MB. However, backing up needn’t be as nasty a job as you think. But your question does beg another[0]: since backing up is going to be such a large job, it sounds as though you haven’t done it before.

… The most basic approach … would be to copy important data to a floppy disk, perhaps with the aid of a file compression utility such as LHA. If the worst happens, you simply reinstall applications from their original disks (or, much better still, back-ups of them) and copy your data back from floppy. [Or, you could use] a dedicated backup utility. My current favourite is Fastbak Plus (£110)[1].

32Mb ought to be enough for everyone? How did that work out – 512 byte sectors and a 16-bit index?

[0] No, it doesn’t – Ed.
[1] £210 in today’s money. For a backup program!

Christmas Carols Words Booklet

Morland, the village in Cumbria where I grew up, recently formed a Community Choir, and every Christmas they have a carolling session at the local pub, the Crown Inn. Most of the carols they sing come from the venerable “Carols For Choirs, Book 1“, generally known as the Green Book (other books in the series are orange, blue, and the lesser-known red). There aren’t enough of those to go round, and many participants in the sing-song don’t read music, so in order that everyone might be able to see the words, they used to use some old carol sheets.

However, this were problematic because the sheets didn’t contain all the carols that they wanted to sing and, when they did, the words were sometimes different to those in the Green Book, leading to confusion.

Hence, I have created and typeset “Carols at the Crown“, a 28-page booklet of the words to some of our language’s most famous and God-honouring carols, together with brief explanations and context for each one, and a paragraph on the importance of Christmas on the back. For those carols with multiple translations, adaptions or updatings, the version of words chosen follows the Green Book for those which are in there. Feel free to use and adapt it for your church, community choir or other group.

To the extent that I have a copyright interest in it, this booklet is available under Creative Commons CC-0, which means you can do what you like with it without needing to do anything in return, including crediting me. Note that some of the words in the book are still under copyright, and so you will need to make whatever arrangements are necessary (e.g. for churches, putting your CCLI number on the back page) to make sure that’s OK.

If you are printing it, you may find my booklet printing page order calculator useful. :-)

The Blunt Spoon of Austerity

How many billion pounds did George Osborne cut government spending by in the “age of austerity” from 2010 to 2016? Have a guess.

How many billion pounds did George Osborne cut the welfare budget by during the same time? Thought of a figure, or even a percentage? Good.

When you adjust the figures for inflation, it turns out that he cut government spending by a whopping £1.2 billion over 6 years. That’s about £200m a year – as the Taxpayer’s Alliance points out, the cost of one Boaty McBoatface. Another way to put it would be just under 0.03% of the total budget, per year. Basically, he didn’t cut government spending at all, in purchasing power terms. (In terms of numerical pounds, of course, it went up. It’s only about even when adjusted for inflation.)

But what about welfare? OK, so he didn’t get overall spending down, but surely he’s been savagely cutting the welfare budget, in order to pay for more tanks, guns, bombs, duck houses and other pointless stuff the government fritters its money away on. Right? Well, again after adjusting for inflation, it turns out he reduced the welfare bill by… <drum roll> minus £1.2 billion a year. That’s right, it went up. There were reductions on welfare spending for those of working age and children, but these were more than offset by the increases in benefits paid to pensioners.

Given that the government is still spending £67 billion more each year than it takes in taxes, and has just decided to abandon its commitment to balance the books by 2020, it seems likely that the new administration is going to be just as bad. Our national debt is currently around £1,782 billion – which will already be a burden borne by our children, either in repayments or interest payments. And it seems like our current intention is, scandalously, to keep adding to that burden. Where’s the intergenerational justice here?

A good person leaves an inheritance for their children’s children… — Proverbs 13:22a