The Mac Trojan, the solution, and what I think about the millions of dollars it represents

A few weeks ago it came out that the Mac had a real trojan horse in the wild. (Here’s my archive.)

As I understand it, it was the result of a simple vulnerability, by happenstance a major beef I have with Ubuntu as well: some source — a website, a piece of software you install however you do it, or whatever, introduces a simple pop-up that says “Your machine has been compromised! Click here to remove it!” The dutiful lamb, er user, clicks “Ok”, then — and here’s the clincher — the downloaded “cleaning” software, which is actually the trojan horse, needs administrator access to install (or “root” access in unix parlance, the base of the Mac, and effectively the same thing with any linux distro), and the user obliges with their password. They do this of course understanding that it’s important to keep their machine safe from malware, and that when they’re doing certain things, they have to enter their password. “Trust me, I’m reputable computer software trying to protect you, I know what I’m doing. Professionals programmed me.” Then of course they get the user to hand out money for “licences” to keep their computer “protected” — as in, they get the “licence” money, and they send a command to the trojan to lie dormant and not do any harm to the system. (In some commercial districts, especially with small Mom & Pop style shops, it’s called “Protection” money; the cops call it “Extortion”.)

For the non-technically inclined, this works through a simple process:

– Under any Mac / unix / linux system, there is one all-powerful account called root.
– Switching to root to install software is occasionally a pain, so Macs (and Ubuntu) rely heavily on a command that is so heavily integrated into the system that it lets certain users transparently, when called upon, install any kind of software, good or bad, by simply entering their own password, on the presumption that this select group, which are listed in a special group, are trusted with system administration.

Here’s a bit more on root:

– This account literally is, within the limits of what that instance of the OS can do on the installed piece of hardware, the top god. For the purpose of this conversation, it’s Zeus, the chief god who is the most powerful god in Greek mythology, above all other gods.
– In such a system, the normal user — including the principal user of a computer with only 1 to 5 users (the typical home computer) — usually isn’t even a lesser god. They’re mere mortals, with limitations and unable to affect much beyond their own account.
– On the other hand, the root user, noticing that user X is consuming too many resources, can decide to put further limits on that user, or any other, but not vice-versa per se nor one mere mortal upon another. I have such a principal “mere mortal” account on all my computers, and I of course know the root passwords, so I can become root on those computers and do whatever I like on them; usual practice, of course, dictates that one temporarily logs into root to do whatever is necessary as root, then to log out back into the “mere mortal” account to do day-to-day stuff. Such as write this piece.
– One command in Mac / unix / linux is the “sudo” command. This allows defined “mere-mortal” users to elevate their privileges to that of the root user on a generally one-time and contextual basis which ceases when the task is complete, and which has to be re-invoked any time that they want or need to use said root privileges again. This overall makes them lesser gods: While they indeed do have Zeus’ powers, these powers are limited to the task at hand and only the moment at hand, and allows people to maintain their systems while avoiding carelessly doing damage, all in a convenient package. Therefore, the user can do necessary changes, adjustments, updates, and the like, but, since they are doing it as themselves with the necessary privileges only when the situation calls for it, they usually, under normal, routine circumstances — acting in the capacity of a mere-mortal — avoid doing system-wide damage, because, well, they aren’t root. Normally a simple command line command would either only affect their own account, but no one else’s, or, depending on the command, the system would (or should) say “you need to be root to do that”. The problem I see here is that on a Mac / Ubuntu / other similar system, as I explain below, sudo is so tightly integrated into the system that it’s normally presumed that since the user in question is typing in the command, they actually are fully aware of what the command does, and that they really want to do it, so the system automatically asks for their password, invoking Zeus’ — root’s — powers. (BTW, this is why it’s also dangerous to do day to day stuff as root — the system presumes that root knows what they’re doing. Hence why, as mentioned above, you only log into root to do rooty stuff, then you log out again to do day to day routine stuff.)
– Further, there is a certain security element to it: the system logs who invoked the privileges in this fashion, so that Zeus, er, root, can check up on his underlings. Incidentally, anyone on the system can be in a list of people with “sudo-er” privileges, and how they get it, when they get it, why they get it, for what purpose(s), and just about any other condition, can be set by root.
– Mac OSX, Ubuntu and its derivatives, and other similar systems, depend on sudo; in fact, the root user on both systems are disabled by default, and sudo is heavily integrated into the system: The principal user by default is the defacto root user, since their password is all that’s needed to do rooty things when such things are required — unless a savvy admin principal user makes another user a sudoer, which can be done quite easily, as explained above. To be fair, on any unix / linux system you can extremely limit access to the root user, and set it up such that the only way to use root privileges is by sudo; it’s just an active choice made by Ubuntu and MacOSX. Don’t despair, on an Ubuntu system, it is also trivially easy to reenable the root user, and remove the principal user’s (and other users’) sudo privileges; I have no clue regarding Mac OSX but I imagine that it can be done. And, no doubt, break your warranty and support privileges at the same time.

So, back to the subject at hand:

What happened with this trojan horse is that the wolf (the trojan’s programmer(s)), knowing that Little Red Riding Hood (the users) have been trained to protect their system from attacks and keep them updated and to trust the computer when it says “you’ve been attacked”, dressed up as Grandma and said, “Trust me. I’m trying to protect you.” Said LRRH users obliged. And, as I mentioned earlier, those who control the trojans get the “licence” money, send a command to the trojan to lie dormant, and as long as the money keeps on coming, no harm comes to the system. (In some commercial districts, especially with small Mom & Pop style shops, it’s called “Protection” money; the cops call it “Extortion”.)

Can you blame the users?

For the purpose of this piece, I am forced to say “No.” At least to the extent that the culture that the systems that they are using is blinding them. (Even under linux you’re expected to keep your system up to date to avoid such difficulties.) “Oooh, we’re easier to use. Oooh, we’re pretty. Oooh, you want to use your computer, not maintain its innards, just like you don’t need to be a mechanic to drive your car or ride your bicycle.”

Of course it’s a two way street: The fact is, computers these days are complicated, because the things we ask them to do are complicated. Which means that, when it comes to computers at least, a quote by Admiral James T. Kirk, to the young and inexperienced Lieutenant Saavik, after taking control of the bad guy’s ship by essentially using the ship’s root password (the ship’s “prefix number”), taking down defences, and causing critical damage, comes to mind: “You have to learn why things work on a starship.”

sudo is not evil, much as I might think or want you to believe it is. However, as I’ve said earlier, it likely could be — and here’s the proof of concept — the downfall of any system that depends on it. The main reasons it isn’t evil is that next year, someone will find another weakness to exploit, and it is quite convenient to use. Maybe in a fashion directly in line with my “holier than thou” approach to commoners’ computing (r).

And in other corners …

This trojan resulted in the proposition — so I’ve heard, so this is pure speculation at this point — that the App Store concept could be applied real hard, to the Mac. As it is, the App Store already exists for the Mac; I actually think that the App Store for the Mac is a good idea: It’s a repository of trusted software that will work — and knowing Apple, spectacularly well — on the Mac, instead of downloading it willy-nilly from anywhere on the internet. However, the idea here is that it would be to the exclusion of all other sources. And here I thought that Apple was pioneering in the Mac world the repository system, hopefully to be followed by others, just like in linux.

The upside:

– You can get all your software from one place, and it would be (presumably) safe.
– Apple would digitally sign each piece in a couple of ways such that you could only get usable, safe software from there.
– Presumably, Apple will run all software through thorough testing so that the chances of it being infected with a virus or it being or rendering your computer vulnerable to compromise would be remarkably low. (When was the last time you heard of an iPod Touch / iPhone / iPad virus or trojan?)

The downside:

– You won’t even be able to compile your own software to run on your own machine (oh sure, I imagine in a virtual testing platform at least conceptually similar to the platform used develop iPod Touch and iPad apps).
– Like with the iPod Touch, I imagine that you’ll never know whether you’ll ever be able to run your software — of which I imagine many apps will be important to a good number of developers, if only internally, and not just be yet another tip calculator or yet another Tetris reimplementation — until it shows up in the App Store. Apple isn’t stupid, though; I’m sure that with the current App Store money talks many languages, and that many commercially-backed apps get through a little more easily and assuredly when the developers pay a fee guaranteeing its appearance in the App Store, or a higher-than-average commission per download/sale.
– Of course, you will have to fork over the source code to Apple. And, only Apple will ever truly have full access to the source code of the final product, so you won’t know whether they’ll modified it (admittedly, sometimes no doubt for the better), how they’ve modified it, whether they’ve introduced bugs or vulnerabilities, or back doors. So far, nothing different from the way the App Store for the iPod Touch or the iPad work.

But here’s what really gets to me:

So you want to develop some internal software that will give you a competitive edge over your competitors? Say, a different, possibly revolutionary analysis scheme for the metrics in your industry? And, you use Macs because you consider them to be either superior to other platforms, or their use otherwise adds some inherent value to your operations?

I see a money stream for Apple here. No, a cash cow. “OK, you *must* submit the source code to us. We’ll compile and digitally sign it, and make sure it works properly on your machines. We’ll review the code, identify and remove bugs, and even suggest better code and functionality. And only your operation’s computers can install the software; we’ll password protect access to the software. For a fee, of course. Oh, you don’t trust us? OK, here’s a Mac server that you can have in your server room. You’ll get a control panel. Of course, the server will ultimately still be controlled by us only, the code will still have to be reviewed by our engineering team, and your “submit” button will merely inform our team to start looking at things, and we’ll still control what goes into the final, compiled code, including back doors and all sorts of unknown blobs. Possibly some critical functions of the “revolutionary analysis scheme” being disabled, removed, or massively modified, or replaced with inferior substitutions. For a massive fee, of course.

Sort of adds an ironic twist to the notion of “proprietary software”, doesn’t it?

Seems to me that the only thing that will keep Apple clean on this one is that it’s actually in Apple’s interest to be a clean and legitimate player. Apple has successfully built a business based not on being the biggest, the greatest, the cheapest or having quite the latest or greatest technology (sometimes things are slightly a step behind). Or even making the biggest profits. They’ve built a business on delivering a clearly superior user-experience and tightly integrating the software and technology; for instance, there’s actually something to the iPad’s function of closing instances of web browsers above a certain number, since allowing too many instances to remain open (sometimes as Orphan Annies or Captain Dunsels) they may not be performing any useful function to the user, yet would be consuming system resources such as memory, processor time, or battery power that could deprive other processes of necessary resources, and ultimately diminish the user experience. This idea has merit; every once in a while I have to make a point of closing down some windows simply because there are too many open and they’re slowing down my system.

Of course, such a value-added division — that of reviewing software over a diverse cross-section of industries and making them work really well on a given platform — would mean that they would develop lots of expertise. And, it would naturally make Apple quite the intellectual powerhouse. Imagine, Apple Medical Consulting Services. Apple Financial Expertise. Apple Engineering Software. Apple Human Resources Management. They actually would accumulate this expertise.

But what if the software that, in keeping with their business practices and policies, is necessarily in their care proves to be less then optimal, not because of the submitted source code, but because of Apple’s actions? Of course these are concerns that any company worries about every day; the issue here is the monopoly that they would be creating.

Now let’s not blow things out of proportion: Macs are remarkably secure. So is Ubuntu, and by and large any typical linux distro, certainly any of the mainstream distros and any other that is “properly” designed and maintained (I bet that you could take a dot-com era distro and actively administer it, and it will be relatively secure.)

But it seems that Apple has brought and will be bringing the repository model, which flourishes under linux, to a logical extreme, and will generally make billions more than Red Hat ever will or even could. And, will no doubt exploit the model for even more billions. But at what cost?

What — jumping the fence for a moment here — do only evil, maniacal control freaks have a monopoly on knowing know how to build safe, high-quality software?

Or maybe, just maybe, is it a matter of what makes the likes of Apple, MS, and Red Hat so successful the fact that they are able to command the sales revenues required to attract highly talented teams of programmers and other experts?

And — now coming back to the other side of the fence — what about the added value that volunteer programmer and other volunteer contributors bring to their software?

Realize that in a linux distro, the distributor leverages open-source software — with varying amounts of both paid-professional and volunteer (both otherwise professional) contributor content — to make their distro. The underlying OS part of OSX is based on Darwin, which is a direct derivative of FreeBSD, which again has varying amounts of both paid-professional and volunteer (both otherwise professional) contributor content. And even MS has a certain amount of BSD-derived code in it, for things such as the networking code, and probably elsewhere.

So, all this makes me wonder a bunch of things:

On trojans, malware, spyware, viruses, and social engineering:

I hate ’em all. I hate that there is an industry out there whose basis for legitimacy lies somewhere between software that is not optimal because it’s real brick-a-brack, and users who don’t use a bit of common sense. There will always be people trying to get the better of you; it’s that people fall for the charms of charlatans, who have little defence against common sense, that bugs me, be it the trojan authors or the software writers who figure that people won’t know better regarding what they buy.

On sudo:

Well, the problem there really lies somewhere between the keyboard and the chair; using sudo has its advantages and disadvantages, just like logging straight into root does. That tightly integrating sudo can arguably aggravate things by hiding things and make them “easier” for the user doesn’t change the fact that if an user just always logs in as root, they can do whatever they want, including wiping the whole directory tree. People have to understand *why* the computer works and does what it does, and why it is asking for a password, whether it’s their own (for sudo) or it’s the root password.

On repositories and safer, better software:

How is the repository system going to benefit the Mac? Organized and even better quality software (presumably). It’s about time that Apple used the repository system. It’s about time that Windows adopted it too. It’s about time that a few people set up repositories, possibly competing, for Windows; imagine the lineups for software of all kinds found in a single location that has been reviewed, works, is relatively safe and relatively virus free? You could use the iPod App Store model with prices ranging for $0.00 to $1,000,000.00 or more, or a NetFlix approach of a flat fee per month for unlimited access, or advertiser sponsorship, or some other revenue stream you dream up, or any combination of the above.

On monopolization and evil software empires:

Is Apple really all that evil? They don’t have *that* much of the desktop market share. Plenty more people buy MS — in the consumer market, either you buy a Mac, or you buy a computer, that has MS by default. A few of us, up to roughly comparable in numbers to the Mac crowd, depending on who you believe, use another OS sporting penguin stickers.

So I’m just having a knee-jerk reaction to the idea that Apple will probably become a monopoly over a really large cross-section of the economy.

Gnome 3 in Fedora 15 Freezes up in Fallback Mode

I have been going through some reformats over the past month or so: About five times on my then F14 desktop — three times until I finally ditched the hard drive which was obviously dying, and the fourth time on the “new” hard drive, and the fifth to explore the following problem as well as remove a poor choice of keyboard selection. The French in France must really be confused when using computers in North America (I was in Paris back in 2005), their keyboard layout is so weird. You have to realize that a French Canadian keyboard is not so different from a standard US keyboard, certainly compared to the French from France keyboard.

I have what would be considered an older computer; I’ve seen a date of about 2003 on the mother board. As such, the video card on it is too old to use Gnome Shell in Fedora 15 and uses the Fallback Mode. So I figured that when the computer appeared to freeze after a couple of hourse — no response to the keyboard or mouse and the like — that I might have a memory card problem causing the freeze, something I’ve seen before. However, two things are nagging at me:

1) During the install process, the computer would be sitting around idle while I either slept or was at work all day, the computer wouldn’t freeze up, and I just picked up where I would have were I to have babysitting the computer during the install;
2) After it froze up yesterday evening at what appeared to be a normal screensaver cycle, I did a hard reboot using the power button, and on a whim I turned the “lock” (the desktop) option in the screensaver settings screen to OFF. This morning after the computer was on the whole night, all I did was turn on the screen, and what do you know, I can use the computer like normal, with no freeze up.

As a control, my laptop, sitting beside my desktop — the former of which is recent enough to take advantage of Gnome Shell — does not lock up with the “lock” option to “on”.

I wonder what the deal is? A bad video card? Bad code? An incompatibility with the code — presumably the screensaver code, but I suppose any other — and my particular hardware?

I was doing some looking around last night on the subject, before I saw the results of the little “off” switch. Now that I’ve done an experiment and have some results, I can perhaps do one or two more and determine whether a bug report is warranted.

Canada Day and my beer

I’m just about finished cleaning and sorting all the beer bottles from yesterday’s big Canada Day festivities in Montreal West, Quebec.

For the past 14 years I’ve held what I believe to be the most critical job — certainly when it comes to efficiency, productivity, and morale — to the success of the event. Hence, with all due respect to the following people, as well as Paula and Joan and all the other critical volunteers without whom I wouldn’t be able hold such a prestigious position:

It’s more important that the Parade Marshall’s job. They just have to dress up, wave a big stick, and walk at the front of the parade.

It’s more important than the Mayor’s job. They just have to make a speech and lead everyone in singing “O Canada”.

It’s more important than the job of the nice guys who set up and light the fireworks. Hey, it’s the fireworks themselves that do the real job there, anyway.

It’s certainly on par with the fantastic people who run the beer tent (Hi Wayne and Sam!)

With this last we’re getting into the critical area: The fantastic people who run the barbecues cooking all the food for the public to come and consume. I’m one of this group. But, my job is more important that cooking burgers, hot dogs, buns, or cutting up all the tomatoes and onions and the like in preparation of the evening.

I serve the beer to, and only to, this fine crew of people who run the barbecues. Heck, I even get to serve the Mayor. (Glad you liked my beer, Mr. Masella!)

Every year for the past 22 years, with about five exceptions, I’ve been involved one way or another at the Montreal West Canada celebrations volunteering to make the event happen. For the past 18 years (plus the first year), I’ve been involved with the barbecues. For the past 14 years, I’ve held the above-mentioned prestigious position.

I love it. I love serving people. I love the accolades. I love the attention. I love bragging in the admittedly deluded way that I am right now that I hold the most important position of the day. And, for the past four years, I love all the extra compliments I get about supplying my own beer. The best part? This year I had three varieties of beer, instead of one variety the first year, and two in the intervening years. And, it seems from the roughly equal distribution of how much beer I have left from each variety, that all three were roughly as popular as each other.

This year I had 33 x 1.14L bottles of my beer, plus of course the corresponding extra regular sized bottles to go along with it. Overall I made about 75L of beer with Canada Day in mind, knowing that I’d have plenty left over of course. That I served the 33 bottles plus another 24 regular bottles says something about how large and thirsty my group is, considering that I also serve wine, water, soft drinks and the like.

One of the things I also found out last night, contrary to my experience last year with only about 20 such bottles, serving out of these 1.1L bottles is a charm instead of having to bottle that amount of beer in regular bottles and then cap them all, and then serve them individually. Although admittedly this last part is actually not necessarily the hardest part. But serving 3-4 beers out of a single bottle proved to be easy and convenient. And keeping track was easy: The big cooler had bottles that either had no elastic around the neck, or did. The third cooler had the third kind of beer. Keeping track, in practice, was quite easy.

And here’s the other part of what has me hyped about this post: The numbers.

33 x 1.14L bottles of beer served — about 37.6L
34 x 341mL bottles of beer served — about 8.2L more served
total of 45.8L of beer served just to the BBQ crew

This is the equivalent of about 130 beers served, if you take out the one 1.14L bottle that didn’t carbonate and was served to the grass. This is pretty strong — if there’s a downpour, I usually serve in the area of 80 beers. If it’s nice like it was yesterday, I usually serve about 100 to 120 beers; one year, I figure I served as much as 160 beers.

Now of that, I had made, as I said earlier, about 75L of beer for the event. So that’s about 61% of the beer I made for the occasion.

And more numbers:

After having collected all sorts of beer bottles off the side of the road, in bushes, and just about anywhere else that my travels take me, today I’ll be returning about 161 SURPLUS empty beer bottles that I’ve collected over the past year. That doesn’t include the 90 that are still full, but then again last year at this time I made a similar bottle return and kept to the order of 80 to 90 such bottles that were either full or empty — in order, of course, to be able to have enough bottles for the following batch of beer.

And of course, the above-mentioned 33 x 1.14L bottles won’t be returned; I’ll be keeping them for next year’s Canada Day beer!

My participation at FUDCon Tempe 2011

(I know, I’m a month late on this.)

I went to FUDCon for the first time this year; it was the first large gathering of Linux / Fedora /Computer people I’d attended, and I’m glad I went. I was also pleased to finally see so many Fedora desktops — over time I’ve become mildly frustrated being the only Fedora / Red Hat person in the room, often in a sea of Ubuntu.

One of the more difficult things was figuring out in advance how the nuances of how things would work: Not ever having been to a BarCamp style event, I had no clue how or whether a presentation I had prepared would be accepted, let alone inserted into the schedule.

My participation:

Friday

After a day of touristy stuff in downtown Phoenix, I showed up about 5:30pm ish to the courtesy room at the Courtyard in Tempe. After helping stuff nametags into plastic nametag holders on neckstraps, I actually managed to regale people with my stories about crossing the Canada/US border and get plenty of belly laughs. Harish and I managed to exchange a quip to the order of “Oooh, I get to meet the myth!” — first by my stating amazement at finally meeting someone who had once actually installed SLS Linux, and in turn being on the receiving end from Harish when I confirmed that I’m one of the Trekkie myths. In between, the two of us held court on the subject of rotary phones, much to the amazement of Ryan — a university student under 20 — at the anachronism. In the meantime, opensource.com was celebrating its first birthday and supplied pizza, beer and cake.

Saturday:

BarCamp pitches, voting, and State of Fedora Address

The pitches were an interesting experience — Of the 170 or so actual participants, it seemed as though at least a third if not half the room got up to pitch their presentation! During the voting process, near the end, I was quite pleased to note that approximately 30-40 people had voted for my presentation. Afterwards, Jared from Red Hat give his “State of Fedora” address, the audio of which can be found here (here’s my archive). His main messages dealt with growth and working together; Fedora is strong, not just because of the bits on the CD but because of the people. His ultimate message was that “Fedora will be stronger tomorrow because of the work today.”

Presentations:

Open Source Anthropology / Diana Harrelson

This was one of the more interesting presentations I attended. Diana did some research for her master’s degree on online communities, and chose the Fedora community as her test subjects. Some of the things that we as linux users — both Fedora and the greater Linux community — know about ourselves were confirmed. One such point that she underlined was the

Future Fedora and Reducing Bureaucracy / Max Spevack and the Fedora Board

This was an “interesting” session — perhaps not the best for me. What I found most interesting was how bureaucratic the meeting felt, and not just because of the subject being discussed. Of course it discussed how frustrated people are with how to get others involved in the Fedora project.

Fedora Security Lab and Securing Linux / Joerg Simon and Donald Buchan

Joerg’s presentation was interesting — he talked about one of Fedora’s spins, tailored to include a bunch of tools on how to test system security by measuring all sorts of parameters — open ports, security holes, and the like. I’ve downloaded it and plan on taking a look at how it operates.

My presentation worked out ok; people seemed (at least politely) receptive to my talk, the subject, and my suggestions. The most contentious issues? Root access, root passwords vs. keys, and su vs. sudo.

Juicy Software Repo Management with Pulp / Jason Connor and Jay Dobies

Even though it would have gone over my head as much as software repo management did, I wish I had have gone to Jeff Darcy’s Cloud Filesystem presentation since he’d been telling me about it on Friday evening. Unfortunately I don’t think I got anything out of this presentation, however well it was presented.

I Want to Keep on Hacking but my Hands Hurt / Mel Chua and Sebastian Dziallas

This was a fun presentation — Mel and Sebastien brought a bunch of ergonomic toys related to relieving and avoiding stresses related to using a computer. There were a lot of defacto visual gags as a result of people using the toys or assuming less harmful positions and ways to use your computer better.

FUDPub

Well as usual I showed off how horrible I am at games by agreeing to be beaten by, er play against Clint at ping pong. Food was great; burrito night! There also was plenty of liquid refreshment. I got to meet a computer science professor from Seneca College in Toronto, and thank him for the wiki he’d put up for his students’ participation in FUDCon, which can be found here (here’s my archive). Although I only found it the day before I left home, this was invaluable for framing and gelling all the little details about my participation.

Sunday

Designing UI mockups in Inkscape / Máirín Duffy

This presentation was a bit more amusing for me; at least it wasn’t over my head. 🙂 Máirín proved to be a true mistress when it comes to Inkscape, even though I suspect that for her and most Inkscape users what she was doing was basic stuff to be expected by anyone in graphic design. The coolest thing about her presentation? Her hot dog wallpaper! hotdog here too

IP Law for Hackers / Pam Chestek and Richard Fontana

This was an interesting, two hour session on how Red Hat lawyers have to deal with open licenses such as the GPL, and trademark issues related to the Fedora project. One of the main things I remember is to “keep the name of your project simple, memorable, and generic, ie. unrelated to your product.”

Lightning Talks!

Covered in another area, the lightning talks were apparently a new entry into the FUDCon format. I think that there should be a couple of such sessions, given a sufficient number of presentations. The most interesting talk? Mel talking about baking (here’s my archive). Seriously.

I did not attend the hackfests per se but I spoke with Simon about OLPC. I found his recounting of the successes of the OLPC in Bolivia (?) interestubg: The response to “we should be sending food and textbooks, not computers” criticisms is “Getting textbooks out is hard, but teachers can easily distribute educational resources with OLPC. And, the kids’ parents come back to the school in the evening to use the internet, and learn reading skills while also finding out the true price of their crops instead of being taken advantage of by unscrupulous purchasers hoping that uneducated, uninformed farmers won’t know any better.” As for having a static base (such as Fedora 7) creating a security risk, Simon reminded me that the likelier security risk is to the order of “Give me your computer, you little (censored)!”

I helped with clean up; after that I made an impromptu organization for a group of us to go to Gordon Biersch’s, a local brewpub. The whitbeer was good, and the chicken parmesan was good too. And a bunch of us organized a road trip for the next morning.

Monday

During the little road trip and on the topic of Fedora and Red Hat, I remember Brian (thank you for the driving!), a Red Hat employee, telling me about working at Red Hat and the RHEL sales model. It felt like tactics similar to a competing product.

After returning from the road trip, the hackfests on Monday were what I would consider “boring” — definitely not my thing.

The bright light for me was unfortunately at the expense of people who were stranded in Phoenix due to winter storms keeping their flights from leaving Phoenix — the Monday night party in the hotel lobby was quite a lot of fun, and even on Tuesday evening there were a few people still waiting around. I on the other hand had planned to stay sveral days later, so of course I was supposed to be there.

My thanks go to Jared, Robyn, Ryan, Southern Gentleman, Simon, Harish, Joerg, Ian, Clint, Chris, Máirín, Mel, and everyone else.

FUDCon 2011 — lightning talks

Today at the lightning talks at FUDCon 2011, the one that caught my attention was called “The Dreyfus Model: how do novices think differently from experts?” The subtitle was along the lines of “Why won’t anyone help me, I have documentation!”  Here is a pdf archive of her talk I made at the time since as of at least 2020 or earlier, it disappeared.  20210425 update:  I have found a new link to Mel’s lightning talk at https://melchua.com/blog/2011/02/02/ive-followed-your-instructions-and-i-still-cant-bake-croissants/

The gist of how Mel presented the subject was that someone is looking for a bread recipe on the internet and comes up with:

Croissants

flour
butter
other stuff
bake

She explained the various cryptic parts of this “recipe” and how obvious it may seem to an experienced baker, but to a newbie, even figuring out that Croissants is a type of bread, let alone what the “other stuff” is can be difficult to grasp, or the concepts of “oh you have to buy those ingredients first — how much? And what’s this? You need an oven? Now, when they say bake, how long? And how will I know it’s ready? Oh yeah, you need to let the bread rise first …

She went on to say how installing certain bits of software and using them may seem trivial to an experienced user, but knowing how to draw in a tarball, extract it, get all the dependencies, compile it, and all the various steps required was not easy for a newbie, especially in a culture that takes several things for granted and literally may skip steps between major milestones.

Ultimately her message lay in the importance of clear, concise, complete documentation.

When I started learning linux, I had to relearn things too, and found things challenging. I quickly learned that things were not as obvious to myself and that when someone said “oh just do this” what they were really saying was “do this 10-15 item list as root under the following circumstances using the proper switches” — not always an obvious task when you say “install package X” while omitting all the necessary parts before and after.

FUDCon Friend Finders

On the FUDCon 2011 Wiki page, suggested optional equipment is a Fedora Friend Finder (here’s my archive, since as of 2020 the link has long since been abandoned and bought by someone else), which is an extension cord with multiple sockets. I brought one, which has a 30′ extension cord, and it has typically had 2 to 3 plugs, including my own. Right now, I’m in the Lightning Talks, and I’m impressed: My FFF is plugged into another full FFF, and mine is full. Further, I’ve had two plug-in requests to which I’ve had to say, “sorry, I’m filled up”.

Now, I’m just looking for my profits. 🙂

On another note, today I went to get an extra-large pizza at Slice’s Pizzeria around the corner. I made friends quick. 🙂 One person who joined us after the pizza ran out was a local community college professor who saw my security presentation yesterday, and enjoyed it. So much so that he asked if I’d grant permission for him to use it in one of his classes, which I happily granted.

FUDCon 2011 — after my presentation

So I’ve just given my presentation at FUDCon on some basic security strategies to install on your system.

People seemed receptive. A couple of the ideas that came up was the use of denyhosts before I mentioned it, and a bit of controversy over the root user. People were suggesting the use of keys instead of passwords for the root user, and using sudo instead of allowing direct access to root.

The pairing with someone else worked ok for me — I started at 14:30 and got through all my slides in 20 minutes, including a few questions and comments; I did have to go a mile a minute though. The other person, who did an exposé on the Fedora Security Labs spin, however, had to skip a few of the things he wanted to do and talk about. His presentation was nonetheless interesting.

As I said people were generally receptive and respectful, and people generally recognized that my presentation covers basic security that anyone and everyone should do, and that it’s not necessarily intended to cover all cases or massive networks.

FUDCon 2011

Here I am at FUDCon in Tempe, Arizona.

First off, on a side note, I knew that Arizona was warm. But I left late January and came to early September. I’m blown away that I don’t even need a light jacket let alone a parka. This is the kind of weather that would be nice all year long, but I hear that Phoenix is a bit too warm, certainly for me, in the summer … 🙂

Currently I’m in a Fedora Board Meeting or whatever where things along the line of discussing the future of Fedora and how people can get more involved. Jared, the current Fedora leader, has 15 “short list” goals up on the screen, basically discussing general lines of how people can contribute and how the project can get the right people to the right job, as well as “how to get there”.

This morning I attended a talk given by an anthropologist who studied the Fedora community, such as through a previous FUDCon, and discussed her findings and how people were involved, why, and all sorts of interesting stats.

During the next session I’ll be giving my presentation on Strategies to Secure a linux system, but given the number of talks, the BarCamp style voting, and the available time & rooms, I’ve been paired with another presenter who will be discussing general security practices; his presentation is supposed to be general in nature, while mine is technical and a specific list of things to do, so perhaps this will work out nicely since he’ll presumably talk about “you should allow this and disallow that” while I discuss “go here and do this, and here are the menus to click or the command line how”. The person seems quite nice and we’ve agreed to speed up our presentation speeds and divide the time more or less equally amongst ourselves.

To be followed.

FUDCon 2011: Almost here!

So I’m quite excited about my upcoming attendance at FUDCon.

I also have some (sort of, depending on your perspective) answers to my questions, gleaned from a couple of discussions on IRC:

– People are available on IRC — Freenode at #fedora-fudcon. However, over the past week it has seemed quiet, but people are there and do answer questions and will chat.
– A list of the available restaurants was provided to me. It includes restaurants, take out (I’ve heard of Five Guys, Burgers and Fries, I’ll have to try them out), delivery places (heavy on pizza — let’s hope they can make it right, pizza outside of Quebec is a strange beast, even the good stuff), and at least one brewpub, which is in walking distance of the conference. The list will be provided in the information package given out to everyone upon registration/check in. Which means that, as I pretty much expected, people are on their own for food the whole time, just as I will be during the rest of my vacation in the area. Nice to know, though. Hopefully any further information different from that will be communicated, as I’m sure it will be.
– Yes, a projector will be available.
– And for the fun part, the presentations will be judged/refereed along the lines of “On Saturday morning, there will be sign up sheets for the various presentations. Those with the fewest sign-ups will be dropped or combined with other similar presentations according to the number of presentations and the available space.”

Also, I still have to figure out how to either not freeze on the way to the airport in Montreal, and then back home, or not boil to death with my parka when I arrive in Phoenix. Around here in Montreal this time of the year, “warm” is about -10C to -25C, without the wind chill. Phoenix area, “cool” is around +4C; “warm” is about +17C. Sheesh, to me that sounds like mid to late September, not late January. 🙂

FUDCon, Tempe, Phoenix, and the Grand Canyon, watch out, here I come. I’m a LUzer bay-bai, so why don’t you flame me? 🙂

FUDCon 2011 — Tempe, Arizona

Well, here I am, I finally did it. I’m going to FUDCon 2011 in Tempe, Arizona.

After months of saying to myself and friends “Oh I think I’d like to go do this” and asking my brother if he’s interested, and telling all sorts of people “Yep I’m doing it, I’m thinking about doing it, I’m still in the talking about it stage; I just haven’t committed to it yet”, I bought my airline tickets a couple of weeks ago to go to Phoenix, Arizona, and made reservations at the hotel. (Yes, the nice people at the hotel, months after the block was “closed”, graciously gave me the Red Hat Group rate for 6 out of 7 nights — quite the savings!)

So I’ve been working for the past few weeks at translating, updating, revising, rationalizing, etc. a presentation on System Security I presented at my local LUG a couple of years ago. (Of course it’s not in English, silly, why do you think I’ve had to work on translating it?) I’ve also been following the wiki page for the event (here’s my archive of the page).  I even have my Fedora Friend Finder (here’s my archive of the page, since the webpage disappeared) ready to bring with me.

But … apart from a few blog posts here and there, and of course the availability of the administrative notices / minutes from the planning meetings, I haven’t found what appears to be, let’s say, an online forum where FUDCon is being discussed. (Yes, I know, there’s Planet Fedora — however, it seems to discuss pretty much everything under the Red Hat sun.) The kind of place where people discuss what they’re doing outside of the formal event structure, when they’re arriving, asking questions of participants of previous such events, and so on. Basically, chatter.

I’m wondering a few things, and hope that perhaps this post will help me out in at least finding a nudge in the right direction:

– Is there a forum where people are virtually gathering and discussing the plans and attendance and logistics and so on surrounding going to FUDCon? You know, chatter?
– Assuming that my presentation isn’t tossed for being too long, too technical, too boring, out in left field, or targeted to the wrong audience (it’s sysadmin stuff, not development), will there be a projector available? Will I need my laptop — which I’ll of course have anyway — or just a USB memory stick with the presentation on it? (OO.o format, or PDF? Of course I’ll be ready for all of these circumstances.)
– Regarding my presentation, will someone be wanting it to be submitted in advance for the part about “Refereeing for technical sessions”? Or will “in advance”, in keeping with the “so do not worry about competition” part, mean half an hour before the “Orientation, BarCamp pitches and scheduling” at 9:00am Saturday?
– I signed up after the 140 cut-off mark for food and swag. I don’t have a problem with the basic concept per se: you snooze, you lose, you should have signed up earlier. However, I’m just wondering what the real implications to this are — to what food is being referred? Breakfast, lunch, and supper throughout all the event? Snacks in the hospitality suite — no green stamp on your name tag, no food? A few chits for free meals, given to the first 140 people, at the Student Union cafeteria where a lot of people presumably will eat during the breaks? Food during the FUDPub, at which Red Hat “will be treating everyone to food”? (Or just the first 140 — everyone else with a differently-marked name tag will have to pull out their wallets?) I’m just trying to figure out logistics, that’s all; I’m trying to find the ad for the advertised food, so that I know what’s being discussed. Money isn’t the issue; I’m just looking for some kind of indication, that’s all.

Well, that’s off my chest.

In other directions, I guess I now have to prepare my laptop for going through customs:
– set up an automatic login (a warning against which is in my presentation);
– do a bit of a system cleanup (a suggestion about which is in my presentation);
– remove some privileged information and make sure that it’s really wiped;
– realize that US Customs probably won’t care about my computer, and that the only people who might will be the airline — and hopefully only be amused at the XRay area when they see the square, plastic bucket I carry it in (but hopefully not say that’s it’s oversized, which it shouldn’t be. The primary airline’s limits are 23 cm x 40 cm x 55 cm; the secondary airline’s limits are 23cm x 35cm x 56 cm. I’ve just checked, and it fits.)