How they talk when they think nobody can hear them, or, did I do the Right Thing or not?

Over a decade ago, in the mid 1990s, I had a subcontract gig to fix a broken backup for an early web message board. The users were mainly from the northeastern US.  And they were all cops.

The owner of the site would check the credentials of all the users, to make sure they were actually real police officers. He then outsourced the technical operation of the site to technical contractors. To people like the sysadmin who subcontracted to me to fix the broken backup system.

The operating sysadmin picked me for the gig in part because he thought I would find the site content illuminating, and encouraged me to read it. I read all the message board posts via the database. Post after post of cops chattering among themselves, thinking they were "safe", thinking only "brother officers" would read their words, telling each other on-the-job stories, expressing stomach-churning levels of bigotry and hatred, and sharing tips and tricks for all sorts of ways of engaging in small and medium scale corruption, thuggishness, theft from the public, fraud on the court, techniques for abusing the people they were detaining and arresting, and why it was ok that they do all these things.

One of the more interesting regrets in my life is that I didn't make a copy of that database, and anonymously send a copy to every investigative reporter, defense attorney law firm, and social justice org in New England.

To this day, I cannot say if I did the Right Thing or not.

I've been hearing about a modern site called "officer.com", which sounds like a nationwide successor to that small regional web bbs. And from what I can tell from what leaks from it, it sounds like the kind of outlook and conversation has not improved any.


The DOJ vs Aaron Swartz. Rank cowards, who hide in the shadows they themselves cast

The US DOJ has admitted that they started investigating Aaron Swartz not because of the 2011 JSTOR incident, but instead in 2008 because Aaron published a manifesto for open access to scientific information.

This decision to start hounding a non-violent, non-dangerous speaker and writer for writing a published article was made by a person.  A human being.  Someone with a face, and a name.  It was some aspiring political appointee, some grey-headed civil servant with a desk and a pension, or some "sworn LEO" with a crewcut, a badge, and a gun.

I want to know who this person is. Whoever they are, I deeply doubt that they have the courage of their convictions, to be willing to come out, and stand up, and say what they did.

I doubt they will. These people are all utter rank cowards, who hide in the shadows they themselves cast.


On big technical meetings, or why the end of the UDS is a bad idea

Canonical has just announced that the Ubuntu Developer Summit will no longer be face to face and every six months. Instead it will be entirely online and virtual, using Google Hangouts. (Here is the announcement.)

On the surface, this seems like a good idea: It's cheaper monetarily, it appears to open things up to people who are unable to travel, and it makes it easier to make complete records.

However, I think it's a bad idea, for several interrelated reasons.

Some decision making needs face-time to happen. For whatever reasons, internet-only communication is not enough for a good enough "meeting of the minds" for sticky or subtle engineering and design decision making.

The IETF, who probably have the longest history of any organization ever of online internet-enabled collaboration, worked out long ago that while day to day collaboration can be done over email and text chat, some technical decision-making HAS to be done face to face. Thus, the IETF meets every 6 months.

Likewise, at the old MySQL AB, even though the entire company was famously completely distributed, we also figured out that despite being on email and IRC with each other every day, we had to meet every 6 months for face-time decision making. Thus, the whole company met every year, and then each team or group met together at least one other time over the year.

And then, as most anyone who actually attends a technical conference to work (as opposed to just helicoptering in to give an executive keynote, or being whisked off to a secured conference room to have a private upper executive meeting) knows, most of the ACTUAL work at a conference or at a technical design summit happens in the hallways, over dinner, in serendipitous meetings, in people introducing people to each other, and in impromptu engineering meetings.

These are the reasons that the OpenStack community meets together every 6 months, for our own design summit. The keynotes, the vendor booths with their signboards and handouts, and the standard podium-and-rows-of-seats are, at best, a sideshow. The real work, the reason for the summit, gets done elsewhere: in the circles (not rows) of seats of the design summit meetings, and in the hallways, informal dinners, and social mixers, where all the individual meetings and necessary social processing happen.

I started to make a list of all the times I personally was part of such unstructured un-"planned" events at conferences that had significant impact, and the list grew too long, so I cut it from this post.

Email and IRC and etherpad are awesome tools, and I commend Ubuntu, as well as most other large collaborative open source projects, such as OpenStack, for using them.  Likewise, Google Hangouts seem to be pretty awesome, and I'm glad that Canonical is trying them.

However, they do not replace face to face large group meetings, and cannot solve the problems that such gatherings can.

I wish Canonical and Ubuntu well, but this is a mistake that I hope does not damage them too much.


Maven's role...

Maven is a great tool to make sure that your expensive and critical application servers are running an independent copy of every single version of every single 2nd and 3rd party Java library ever written.


Why I love the Hallway Track, or instigating a junk OpenStack cloud

I just had an experience that reminds me why I find physically going to open source conferences valuable and rewarding.

I am here at the last day of Linux.conf.au 2013 in Canberra.  Earlier today, Tim Berners-Lee delivered his keynote.  Afterwards, we all moved over to the main public hall for afternoon tea.

I happened to overhear a trio of young university students talking about the huge presence of the OpenStack project at this LCA, and expressing some misconceptions about the project.  Two of them had never even heard of OpenStack before seeing it presented here at the conference.

As one may do in the "hallway track" of conferences like this, I jumped in, introduced myself, and gave them a better overview of what OpenStack is and what it tries to do, while handing out business cards.

"You mean with this OpenStack, I can run my own cloud?"

"Yes.  You do have to supply the hardware."

"Well, our department is throwing out heaps of old PCs.  We could gather them up, haul them down to our student computer club, and install it on them..."

I encouraged this line of thought, and pointed out that having ops experience and dev experience with OpenStack is right now really good for getting a job.

THAT got their attention.

"I could get a job with HP if I do this?"

"You could get a job at lots of places.  Lots of companies are getting into OpenStack, and they are hiring."

When I left them for the next talk, they were talking about getting in touch with all the other Australian university computer student clubs, each club installing OpenStack on recovered junked PCs, and joining them all together as availability zones.

I like to hope I've instigated something fun here.  Or at least made some people's lives more interesting.


Thoughts on Google, YubiCo, and "The War on Passwords"

There are a lot of articles going around the blogosphere today about Google "Declaring War on the Password", and showing pictures of a YubiKey.

While I am a fan and proponent of improved trustworthiness of authentication, especially using two-factor protocols like HOTP and TOTP and devices like the YubiKey, I am curious as to what all the hubbub is about today.

What keeps Google Authenticator and YubiKey from easily working together right now is the fact that Google uses TOTP and YubiKey implements HOTP.  They are almost the same protocol, with one important difference.  TOTP is time based.  That's what the T stands for.  Every fixed interval (usually 30 seconds) a TOTP token generates a new password, which means that the token needs to know what time it is, which means it needs a clock.  A HOTP device like a YubiKey, by contrast, just needs to keep a counter, and generates a new password every time its button is pressed.

So the Google and Yubi partnership means one of three things.

  1. Google is going to support HOTP on the Google Two Factor Login service, or
  2. Google and YubiCo have figured out how to put an extremely low power clock and extremely small battery into a new version of the YubiKey, or
  3. Google and YubiCo have written a USB device driver that speaks to the YubiKey when it's plugged in and tells it what time it is to generate the correct password (which means that driver needs to be installed on every Windows/Linux/MacOS/ChromeOS device you want to use the token on)
I look forward to seeing which one it is.  My money is on option #3, with the added guess that, at least initially, it will probably only be supported on machines running Chrome or ChromeOS.