Archive for September, 2010

Linux Security Myths: OLF talk by Mackenzie Morgan (maco)


[Linux] people will say “there are no viruses!” – and normal users will hear “nothing bad can happen!”
…and they’re wrong.
–Mackenzie “Maco” Morgan, OLF 2010

I’m liveblogging from Maco’s talk at the 2010 Ohio Linux Fest (OLF) titled “Linux Security Myths,” where she’s going through the security exploits that “normal” Linux users can get hit by. Just because the Linux virus record is practically spotless compared to that of Windows doesn’t mean we FOSS users get off scot-free – we’ve still got to exercise common sense. As Maco said during her slide on phishing, “there’s no patch for gullibility.”

The talk started with an overview of a few common types of attacks, explaining terminology for newcomers in the audience: viruses, social engineering, trojans, worms, botnets, rootkits. Maco’s slides (which will be available on her blog soon) and Wikipedia explain these better than I can, so I’ll let them do that. She also talked about browser-based attacks, which are big and will be even bigger as we become more reliant on webservices – sure, Internet Explorer (and its legions of vulnerabilities) isn’t a problem on Linux, but Firefox and Opera and Chrom{e,ium} are cross-platform, so the same dangers apply here.

The second half of the talk was recommendations for protecting your system (as a basic desktop enduser). Again, Maco’s slides explain these in more detail – they’re the sorts of things that seasoned Linux users and sysadmins know automatically, and therefore sometimes forget to tell our friends when we first introduce them to “that Linux thing.” I’ll expand on a couple below.
  • When installing software, use the repositories provided by your distribution! Don’t just click around the internet and randomly download and install things; software that makes it into a distribution’s repo has been vetted and tested by that distribution and can be trusted (inasmuch as you trust code and content coming from that distribution – but in my opinion, I’d rather trust Fedora’s multiple levels of sanity-checks than some random third-party developer I don’t know).
  • Many package managers (the software your distribution provides to help you find and install new applications – for instance, PackageKit) will tell you if the signatures of the software you’re about to install seem “off” in some way. These (digital) signatures are ways for a program to say “I am the code you think you’re downloading, and I was made by the people you think actually made me,” so if you get an alert that something’s funny about a signature, that’s a warning to pay attention to.
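An added example, not part of the liveblog or Maco’s slides, of what that signature check looks like when you run it yourself on a Fedora system with `rpm -K`. It assumes the output format of rpm 4.14 and later (“digests signatures OK”); the package filename in the comments is a constructed placeholder.

```shell
#!/bin/bash
# Added example: checking a downloaded .rpm against the GPG keys your
# distribution has imported, before you install it. Assumes rpm 4.14+ output.

# Classify one line of `rpm -K` output. Prints one of:
#   trusted  - digests and signatures verified against an imported key
#   unsigned - digests fine, but the package carries no signature at all
#   bad      - a digest or signature failed, or the signing key is not imported
# Constructed sample lines (rpm 4.14+ format):
#   foo-1.0-1.fc13.noarch.rpm: digests signatures OK        -> trusted
#   foo-1.0-1.fc13.noarch.rpm: digests OK                   -> unsigned
#   foo-1.0-1.fc13.noarch.rpm: DIGESTS SIGNATURES NOT OK    -> bad
classify_sig_line() {
  case "$1" in
    *"NOT OK"*)        echo bad ;;
    *"signatures OK"*) echo trusted ;;
    *"digests OK"*)    echo unsigned ;;
    *)                 echo bad ;;
  esac
}

# Verify one package file. Exit status is 0 only when the signature checks
# out against a key already in the RPM keyring; anything else is the
# "something's funny about the signature" warning the post talks about.
check_package() {
  local pkg="$1" verdict
  verdict=$(classify_sig_line "$(rpm -K "$pkg" 2>&1)")
  case "$verdict" in
    trusted)  echo "$pkg: signed by a key your distribution trusts"; return 0 ;;
    unsigned) echo "$pkg: WARNING: unsigned package, its origin is unverified"; return 2 ;;
    *)        echo "$pkg: SIGNATURE CHECK FAILED, do not install"
              rpm -Kv "$pkg"   # verbose output names the failing digest/key
              return 1 ;;
  esac
}

# Each public key rpm has imported is stored as a "gpg-pubkey" package, so
# this lists exactly which signers rpm will accept.
list_trusted_keys() {
  rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Usage: ./checksig.sh some-package.rpm (runs only when rpm is available).
if [ -n "${1:-}" ] && command -v rpm >/dev/null 2>&1; then
  list_trusted_keys
  check_package "$1"
fi
```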

Actually, the sorts of points made in this talk are the ones I’d love to see turned into a one-page “Your Linux System: what you need to learn about security” guide (more cleverly named, of course) for newcomers to the Linux community – for instance, as a handout at installfests to take home with your shiny new system.

What don’t new users know about security that you wish they did? What did you not know about security as a new Linux user that you later discovered and wished someone had told you from the start?


Student project opportunity: MeeGo-based Fedora Spin (Marketing and Design help needed)



Image CC-BY based on graphic by Melanie Kim for the Fedora 13 Moblin Spin homepage.

Crossposting to the Teaching Open Source planet in order to see if any marketing/branding students might be interested in this as a fascinating capstone/case-study. From an email by Paul Frields to the Fedora Marketing list (italics) with my annotations for students inline.

Peter Robinson, a Fedora contributor in the Mini SIG, has worked previously on the Moblin based Fedora spin, and has been working on a spin that includes MeeGo software. He has been talking to some of the folks involved in MeeGo about their compliance testing, which is a requirement for us to use the MeeGo marks.[1][2]

[1] http://meego.com/about/trademark
and http://www.linuxfoundation.org/about/linux-foundation-trademark-usage-guidelines

[2] Using the mark is also subject to other restrictions such as when juxtaposing it with another product name like Fedora. Fedora already has agreement with the Linux Foundation on a suitable name and permission to use it, but that’s contingent on passing the compliance testing.

This paragraph contains a lot of assumptions about your background knowledge, so I’ll try to break out why this is so exciting. MeeGo is an open source software development stack for portable devices – basically, it lets people make and remix cool stuff for netbooks, phones, and things of that sort – not just the individual applications like on an Android or iPhone, but all the software on the entire device.

Fedora is an open source operating system that has something called “spins,” which let people create remixed versions of the OS for specific use-cases – to make a clumsy analogy for those of you from the proprietary software world, imagine if you could, say, download “Windows: the engineering student version!” pre-loaded with Matlab, Eagle, and all the applications that an engineering student might want, or “Windows: for graphic designers!” with Photoshop and Illustrator… except that with Fedora Spins, everything – the operating system and the applications – is open source, meaning it’s both openly modifiable and shareable (libre) as well as not costing any money (gratis).

What Peter and the Mini SIG (Special Interest Group) have been working on – for fun, because they think it’d be a nifty thing to have – is a spin with MeeGo on it, so people can use a Fedora-based stack (and all the other tools and applications that are part of the Fedora ecosystem, plus the support and infrastructure of the global Fedora community) to develop and play with things on their mobile devices. They’re free to do anything they want with the code, because the code is open source; however, in order to use the trademarks – to use the name “Fedora Spin” or “MeeGo” to market what they’re making (as opposed to having to call it “Peter’s Software Thing For Small Devices” and avoid the words “Fedora” and “MeeGo” entirely) they need permission from the trademark holders. So they’ve been talking with those people to try and get permission, because “Fedora MeeGo Spin” (or similar) sounds better – and means more to people who’ve heard of MeeGo and Fedora before – than “Peter’s Software Thing.”

Unfortunately what we’ve heard about the compliance requirements (which have yet to be published AFAIK) is that we’d be required to ship and use ConnMan, a nonstandard userspace network control stack that is not compatible with NetworkManager. This is not in Fedora for several reasons, one of the most obvious among them being it would be very confusing to maintain two entirely separate and incompatible network control stacks of this type.

The Fedora Board granted the team permission to use the “Fedora Spin” name because the spin fit all the requirements from the Fedora side to use that mark (all packages come from the Fedora repositories, etc). However, the spin did not fit MeeGo’s requirements for use of the MeeGo mark. MeeGo requires a specific piece of software (ConnMan, or “Connection Manager”) to be part of the software stack you’re shipping – if you don’t have that piece of software, you can’t call your thing “MeeGo.” (Kind of like how you can’t call something a grilled cheese sandwich if it doesn’t have cheese in it.)

The problem here is that ConnMan is not in the Fedora repositories (the selection of software we can say is “part of Fedora” because it fits Fedora’s requirements for open licensing and has been packaged to be easily installed and deployed on Fedora-based systems), so Peter can’t include ConnMan (to fulfill MeeGo’s trademark usage requirements) without going against the trademark usage requirements for Fedora.

This doesn’t mean we won’t have this particular spin, but it will affect our use of the MeeGo name and trademark. The spin will probably need to be renamed in some way. We can say the spin contains some MeeGo software, which is fair use because it is a true statement. The MeeGo name would need to be marked with proper trademark attribution.

It’s one or the other – so Peter chose, in this case, to meet the Fedora requirements. He is now making a Fedora Spin that uses the Fedora code and trademark, deploying the MeeGo code but not their trademark, and finding a way to market the resulting product without using the MeeGo name.

Peter is considering options for renaming the spin accordingly, and swapping out any required artwork, which he believes is not a substantial amount of work. If anyone is interested in helping Peter, please get in touch with him via the Spins SIG.

Peter is an amazing engineer – and this project also needs marketing and design help, which is outside Peter’s area of expertise. He’s looking for people to help him figure out naming, branding, and marketing/publicity for this spin (while adhering to trademark usage guidelines for the various pieces of software that make up the spin) and also people to look at the design work for the entire project (UI, icons, and artwork for marketing collateral) so that the software is beautiful and usable (it’s already more or less technically functional) and gets conveyed as such in the materials we put out to spread the word about it.

I’ve told you everything I know about the issue here — I’m letting Marketing know about the issue so that the team can keep in touch with Peter to make sure F14 talking points and any other F14 material like the one-page, “shiny” release notes are kept in sync. I told Peter I would send on this message on his behalf, because he’s quite busy at work but he wanted other involved teams to know what was going on.

Since efforts in Fedora are grassroots-driven and decentralized (there’s no Big Boss that declares “this product shall happen!” or “it will be marketed this way!” or “this person is in charge of doing that until I say otherwise!”), Paul is relaying a message on behalf of (the very busy) Peter in an attempt to find interested people that might want to step up and help him.

Are you interested? Maybe you’re a marketing student looking for a project so you can try out some of the things you’ve been learning about brand positioning, or someone with an interest in learning about trademark issues, or you have an interest in design and usability and have started to play around with graphics in your spare time. If you’re keen, email Peter or drop me a line (leaving a comment to this blog post will work great!) and we’ll get you started.


Flight


Wrote this on the plane to Ohio, transcribing it later in the evening before I sleep.

I love the feeling of a plane taking off – the rushes and dips as it wobbles and climbs its way above the gauzy layer of cloud that wraps the world below, pads it into a gift box. I like seeing cities splayed out below me, breathing, bustling and sleeping beneath me, playing a game of find-the-familiar-landmark as my perspective pulls out, broadens, peels away from the tangle of urbanity.

When the cloud curtain draws over that, it’s just you and the hum of the engines and the sun. And then calm seas of white, for hours, as off you go to somewhere wonderful.

I like the sky. And I am hungry for the world it brings me to.


Teaching Open Source: a mental model of the TOS community


I sat down for a while yesterday (okay, stood up while scribbling on a whiteboard) trying to get down my current understanding of the TOS community and what it is and where it could go. Looking for feedback, especially from folks who disagree – this is a braindump meant to spark conversation, coming from an individual in the community trying to express her own mental context of it.

This video is licensed CC-BY.

High-level summary:

TOS is a community of practice of people who teach open source community participation in an academic context. It’s not a teaching or research institution, a company or nonprofit, a software project, or a professional society, though many of its members belong to one or more of these, and we make use of their structures in order to accomplish our goals.

Our primary deliverable as a community is academic source (this term feels a bit awkward to me – perhaps there’s a better existing one from the teaching world?) – artifacts that assist the transfer of the ability to teach open source community participation in an academic context. Things like workshops, syllabi, curricular materials, handouts, etc. are tools to accomplish our goal, which is a human-to-human transmission of teaching, rather than the end-all-be-all themselves.

Several parts fit into this:

  • Conferences and events in both the FOSS and academic worlds as public spaces, gatherings where we can swap this knowledge. Individual institutions, to some extent, will always be black-boxes and more private spaces; that’s okay.
  • POSSE as an on-ramp into the community; you don’t have to attend POSSE to join the TOS community by any means, but if you’re interested yet don’t know how to start, it’s a good way to get up to speed.
  • Infrastructure to support digital communication within and between institutions, both hosting and maintaining it within the institution-neutral space of TOS, and helping those who want to set it up within their own institutions.
  • Grants to assist with all three of the above.

Open question: what value does the TOS community create for each of its participants? (In other words, why are you here, and what does your school/company/project gain from your participation?)

That’s it – I’d love feedback and thoughts on this.


Research Day


It’s the little things in life that drive me nuts. The tiny, mundane life-maintenance tasks that pop up and interrupt you… bills, health insurance, dishes to wash, laundry to fold, bathrooms to clean, renter’s insurance and correcting a car rental bill and convincing a company that yes, my address is in Raleigh, please ship me my computer stuff. I try to minimize and streamline and automate it as much as I can, but things still slip through – particularly since I have no steady-state, no constant shipping address, none of the steadiness and settling-down most of the world assumes.

So today I said okay, screw that. I’d been craving maker time – research time, thinking time, long unbroken hours for my mind to focus on one problem. One hard problem. No interruptions for cooking food (I’d preemptively batch-cooked over the weekend and filled the freezer with homemade instant meals) or washing dishes (later) or folding laundry (later) or dealing with the mail (okay, I slipped and did this after dinner, but it’s done now).

Today I went to the office, disregarded everything else, and thought about the POSSE curriculum. That and only that. And it felt so good. All the scattered, disconnected pieces that had been building up in my brain all summer flew onto the whiteboard and gradually merged into coherence – a picture I could understand, a system I can work with. I laid it out in color on a whiteboard in a meeting room, looked at it with the calm sense of assurance and quiet pride of someone who knows – somehow – they’ve done well, took a few deep breaths, and waved Max over. He looked at it in silence for a few moments, then looked at me. “Wow. This… is really good. I don’t know what you had to do to get your brain in a state to produce this stuff, but this is amazing.”

I’m going to try this again next week – next Wednesday is going to be another Research Day, my deep-thinking day, where I do nothing but work on one problem, one hard problem that requires mental focus and attention, all day. I won’t get anything else done. Emergency email check in the morning and report-back at night, but I’m unavailable for meetings, off chat, unable to be pinged… it’s my time to work. My time to solve the problems that I want to solve.

That’s not to say I’m just going to force myself to work on that and burn through it no matter what. I took breaks, I ate bananas, walked around the building… when I needed to relax, I did, but POSSE was gently turning in my mind, and I did not worry about any other work, did not do any other work, did not stress about my backlog. Listened to music, walked on the office treadmill, drank some soup. After the relaxation came the sprints – 30 minutes of walking and then suddenly I could just write things and they made sense.

I came back from that tonight and felt a rising sense of frustration because – well, laundry pile, dirty dishes, envelopes on the table… I took care of some of it, but shouldn’t have – I’m still finishing up my Research Day. I’m going to write up my results (which I am proud of), post them, share them, and then I shall call the day a wrap, and then I shall become available for other things (I do have to wash my dishes if I ever plan to eat from them again). It’s still my day and my time and I’m entitled to do uninterrupted work that I am proud of for the day until I’m done.

It feels ridiculously satisfying, just tackling your priorities and dropping all the tiny unimportant things. Now all I have to do is get rid of the guilt.


Dear Metabrain: choosing an academic name


I’d like to use “Mel Chua” as my academic name [0] – that is, the nom de plume I publish under for academic papers, conferences, and whatnot. How do I check to make sure there aren’t any collisions of other people publishing under that name, aside from the obvious IEEE/ACM/Google searches (which haven’t found anything yet)?

Mel isn’t my legal name, but it’s what my friends and colleagues call me, and the name I prefer to be addressed by – and the academic world is ultimately where I want to end up, so I want to make a conscious decision to be called what I want to be called in a community that is important to me (and will likely get more important as time goes on). Whatever name I start publishing under is what I’m likely to continue publishing under for the remainder of my academic life (that is to say, “the remainder of my life”).

Is there a way people are supposed to do this?

[0] I might not be using the correct terminology for this.


Fedora Classroom, Tuesday Sep 14 at 1600 UTC – Working with people who aren’t there: basic distributed collaboration tools


I was explaining to Red Hat’s Mike Paquin, who runs the Technical College within the internal Red Hat University (training for Red Hat employees) why I spend a lot of time hanging out in the Fedora community, though that’s not the bulk of my dayjob. I’m here because I love the mission and the community and because it’s fun, but I also hang out in Fedora because I learn an amazing amount of stuff here. Fedora lets me overhear other people doing their work. It’s like being able to overhear conversations at lunch, except thanks to logs you can overhear lunch conversations that happened last week between Singapore and Arizona.

It’s harder to build up this sort of distributed community for a school or a company with offices and classroom buildings; if you’re co-located, you don’t need to have these side conversations online, and remotees don’t have enough common work to pool together and create the momentum needed to have a sustained conversation going.


original image by Francesco Crippa, licensed CC-BY

In the interests of “solving problems in your own house” and “scratching your own itch” first, I’m going to be running a Fedora Classroom on tools we use in Fedora for remote collaboration next week, and specifically inviting Red Hatters (though as with all Fedora Classroom sessions, anyone interested is more than welcome to join!). A lot of Red Hatters seem awed when we show them the tools that we folks in Fedora-land take for granted because we use them on a day-to-day basis, so I figure it’s high time we shared more of our best practices with the rest of the world.

All this is to announce I’ll be running a Fedora Classroom on basic distributed communication tools and practices on Tuesday, September 14, at 1600 UTC in #fedora-classroom on irc.freenode.net. These (open source, of course) tools aren’t coding-specific – in fact, our design, marketing, etc. teams use them as well – so anyone interested in distributed communities

I’m going to assume basic knowledge of IRC, because that’s how the session is going to be taught, but if you’re interested in this and new to IRC let me know ahead of time and I’d be happy to help you get set up prior to the session.

Topics covered:

  1. Fedora Classroom – we have a channel (#fedora-classroom on freenode) set aside for learning experiences, so if someone needs to teach somebody else something in a structured way, they go there, and other people can then overhear it. This is where I will be teaching the session.
  2. Running realtime meetings and synchronous conversations on IRC with zodbot – we have a logging bot that sits in the classroom channel (and in other channels for meetings). Using inline conversation tags like “#action” or “#topic” or “#agreed”, it produces meeting notes and full logs. Never take meeting notes again! Side note: log archives make for educational reading sometimes, because they’re the times in the channel that others deemed interesting enough to log.
  3. Collaborative text editing with gobby and Etherpad – we’ll be using this to take notes on the classroom session being held in IRC. I like getting hands-on as early as possible when I’m teaching. :)
  4. Sharing what you’ve done (asynchronously) afterwards: For Fedora, this is a mailing list; you say things like “I’ll be teaching a packaging class on Tuesday” or “I taught packaging class on Tuesday, here are the logs.” Individual participants in that class (especially if it’s a multi-class experience) tend to blog their reflections to Planet. All these things promote accidental learning – the chances of someone who’s not already involved stumbling across these people thinking out loud about what they’re doing are very high, so learning groups tend to snowball into functionality very quickly, and people generally have a high degree of peripheral awareness as to what’s going on.

Please add suggestions and questions and whatnot here, and I’ll see you folks in #fedora-classroom next Tuesday!


Henry Sy’s tuna fish


“I have a surprise for you,” my Ama, my father’s mother, told me. “Very special surprise.”
I nodded.
“I brought you some tuna fish!”
I blinked. “Er… thank you. Tuna fish?”
“Special tuna fish. From Henry Sy.”[0]
“Why… do you have Henry Sy’s tuna fish?”
“It is very special. They make it just for him. And we are good friends, so he gave some to me. And I bring it to the States. I give a can for Jason, a can for Michael, a can for Mark, and one for you.” She pulled out a blue can and presented it to me with great pride. “See? Specially prepared for Henry Sy Sr. and Family.”

I read the can, still puzzled. “‘The true choice of gourmets.’ Do they do anything special to the tuna fish? I mean, is it…”
“This is premium tuna fish. Made from prime cuts.” My grandmother points to the can’s label, which does indeed say “…made from the prime cuts of rare young Yellowfin Tuna. Delicate, smooth and tasty…” I have a sudden urge to grab a pen and add the missing comma.
“What do I do with it?”
My grandmother laughed, as if this were the most obvious thing in the world. “You eat it!”

Well, okay. That was obvious.

I brought the can to Boston with me and recounted the story to my aunt Lynne May. Then I cooked some spaghetti and poured the oil-packed fish over it; it was packed as an actual whole filet (not ragged clumps), beautifully cooked, perfectly seasoned. The fish flaked beautifully over the pasta, and the oil was subtly spiced. It was a perfect dinner.

I didn’t feel right just recycling the can, so I photographed it in commemoration first. (And then I recycled it.) Thank you, Ama.

[0] Henry Sy is a Chinese-Filipino tycoon who owns the mega-mall brand SM (Shoe Mart, which is what they originally sold). I guess the American equivalent would be something like “I have Sam Walton’s tuna fish!” and your grandmother being friends with the fellow who founded Wal-Mart, or… yeah. Honestly, I’m also a bit confused.


Audacity


Sometimes I pause, look at exactly what I’m working on, and am stunned by the sheer audacity of it all. Oftentimes when people ask me what I do for a living or what I learned in school, I’ll reply “hacking the universe,” and… well, it’s true. I learned it from many people who are far better at it than I am, alongside many friends who are also becoming skilled at it in different ways, places, and disciplines than I. And it’s not that we suddenly (or even gradually) gained superhuman powers… we’re still ordinary people doing ordinary things.

But the ways and the places and the tiny shifts of intonation and timing with which we do these things – somehow, they add up to nudge and nudge and roll the world into a position where it might, might sometimes tip over into being a better place than it was before, a cascade of thousands and millions of little acts over time that sink in, sink deep, and make that transformation last. Everybody does these tiny things, but one of the qualities I value most about my friends and colleagues is that they’re conscious of it. They live their lives with deliberate intent, so that these small actions they make do add up to make the change they’d like to see in the world.

I am so unbelievably lucky.


Happy discoveries of the day


  1. I live down the street from an Indian supermarket.
  2. And a kung fu school!
  3. And a 24/7 Harris Teeter (supermarket) with a good selection of stuff!
  4. People in Raleigh are very friendly! While eating BBQ at Ole Time, I struck up a conversation with the family behind me, and got a bunch of suggestions on things to check out in the area. (Unfortunately, I’m not into sports so much, so half the recommendations aren’t that interesting to me, but… still!) I should explore this area more.

On that latter note, I’m going to see if I can make it to the Durham farmers’ market tomorrow morning. If I wake up in time, that is. I’m still slowly unpacking my things into my apartment and trying to get rest and pace myself through work, because I’m still wiped out from August and this summer in general, and October’s travel is going to be brutal (yet awesome!) so… taking a breather is… a good idea, possibly, right now.

Feeling good. Today I got a bunch of work done, a bunch of not-work done, and whipped the apartment into far better shape. I hate cleaning, so I bribed myself – one of my high school teachers, Doc Nok (Dr. Nokkentved), gave our class his sage parting advice of “make sure you have one nice dinner per week, at minimum.” So I decided, all right, I will make that dinner day be the same as cleaning day, so I have something to look forward to. And that’s why I went to Ole Time tonight. Raleigh BBQ is… mmm.

I also looked at the contents of my fridge and decided that (1) the hardneck garlic was more perishable than I would like, (2) peeling and chopping garlic every time I cooked was a messy pain, and (3) batch-processing was awesome. I spent much of the evening peeling every single head of garlic I had purchased and placing them in an olive-oil-filled container. I originally had started chopping then, but realized I could do that while cooking because I’d probably be chopping other things too (and besides, sometimes I might want larger pieces of garlic, etc). So now I have a container absolutely stuffed with peeled garlic, some of which is chopped, and olive oil that’s going to taste magnificently of garlic when I use it. Life has gotten more convenient. WIN!

This plus the cleaning made me feel incredibly domesticated, so I continued plugging through Project: Make My Car Suck Less by researching how to fix my side mirror. Looks like fun – need to unpack my tools first, though, and order the mirror. My current fix is very much a kludge.

But hey. It cost $6 (for the mirror – I already had the duct tape). It’s just… yeah. Car needs fixin’. Also needs new wiper blades. The battery already gave out in Boston – got a new one – and then both brake lines started leaking, also in Boston… got new ones, and… I’m just going to start paying much closer attention to this car now. It’s 17 and I’m not sure how much longer it will last. Ah well. I should learn things by fixing it, and when I take it to the shop I’ll ask if I can watch and learn from what they’re doing, and… it’ll be all right.

Life’s good and I’m having fun and am considerably more relaxed than usual, given the circumstances. Getting rest. In fact, getting rest now. I am sleepy and it’s bedtime.

*thud*