2013-01-31

Why I love the Hallway Track, or instigating a junk OpenStack cloud

I just had an experience that reminds me why I find physically going to open source conferences valuable and rewarding.

I am here at the last day of Linux.conf.au 2013 in Canberra.  Earlier today, Tim Berners-Lee delivered his keynote.  Afterwards, we all moved over to the main public hall for afternoon tea.

I happened to overhear a trio of young university students talking about the huge presence of the OpenStack project at this LCA, and expressing some misconceptions about the project.  Two of them had never even heard of OpenStack before seeing it presented here at the conference.

As one may do in the "hallway track" of conferences like this, I jumped in, and introduced myself, and gave them a better overview of what OpenStack is and what it tries to do, while handing out business cards

"You mean with this OpenStack, I can run my own cloud?"

"Yes.  You do have to supply the hardware."

"Well, our department is throwing out heaps of old PCs.  We could gather them up, haul them down to our student computer club, and install it on them..."

I encouraged this line of thought, and pointed out that having ops experience and dev experience with OpenStack is right now really good for getting a job.

THAT got their attention.

"I could get a job with HP if I do this?"

"You could get a job at lots of places.  Lots of companies are getting into OpenStack, and they are hiring."

When I left them for the next talk, they were talking about getting in touch with all the other Australian university computer student clubs, each club installing OpenStack on recovered junked PCs, and joining them all together as availability zones.

I like to hope I've instigated something fun here.  Or at least made some people's lives more interesting.

2013-01-18

Thoughts on Google, YubiCo, and "The War on Passwords"


There are a lot of articles going around the blogosphere today about Google "Declaring War on the Password", and showing picturers of a YubiKey.

While I am a fan and proponent of improved trustworthyness of authentication, especially with using 2 factor protocols like HOTP and TOTP and devices like the YubiKey, I am curious as to what all the hubub is about today.

What keeps Google Authenticator and YubiKey from easily working together right now is the fact that Google uses TOTP and YubiKey implements HOTP.  They are almost the same protocol, with one important difference.  TOTP is time based.  That's what the T stands for.  Every fixed internal (usually 30 seconds) a TOTP token generates a new password, which means that token needs to know what time it is, which means it needs a clock.  While a HOTP device like a YubiKey just needs to keep a counter, and generates a new password every time it's button is pressed.

So the Google and Yubi partnership means one of three things.

  1. Google is going to support HOTP on the Google Two Factor Login service, or
  2. Google and YubiCo have figured how to to put an extremely low power clock and extremely small battery into a new version of the YubiKey, or
  3. Google and YubiCo have written a USB device driver that speaks to the YubiKey when it's plugged in and tells it what time it is to generate the correct password (which means that driver needs to be installed on every Windows/Linux/MacOS/ChromeOS device you want to use the token on)
I look forward to seeing which one it is.  My money is on option #3, with the added guess that it will probably only be supported, at least initially, only on machines running Chrome or ChromeOS.