Look, it’s 2015. How’d that happen?

Blogging has been pretty much nonexistent this year, apart from a public service announcement about the Heartbleed bug and a public statement about boring encryption stuff.  (Which, if you’re actually interested in that sort of thing: I did finally get the requisite number of signatures and replaced my key in Debian just in time to avoid the Great Key Purge of 2014.)

It’s a new world.  Social media has made blogs obsolete, supposedly, except that they’re now too busy competing with each other (and, sometimes, their own fans) to be terribly useful.  I’ve tried to write a blog post about that a few times, only to delete it out of frustration and long-windedness.

So there’s a resolution for 2015: get past these social media issues and get back to regular communication.  Maybe what I need is a good social media rant.  I’m sure you’re all waiting on pins and needles for that one.

Lots has been going on.  I’m an empty-nester now; the youngest kid started college this fall.  I’ve been busy at work and busy at skill freshening, including getting on this funky Haskell bandwagon that seems to be all the rage among the cool kids.  And plenty of other things going on, some of which probably deserve their own blog posts.

Maybe those will get written in 2015.  Plan: write.  Journey of a thousand miles starting with single steps, and all that.

One of the big news stories of the week has been “the Heartbleed bug“.  If you know a techie person, you might have noticed that person looking a bit more stressed and tired than usual since Monday (that was certainly true of me).  Some of the discussion might seem a bit confusing and/or scary; what’s worse, the non-tech press has started getting some of the details wrong and scare-mongering for readers.

So here’s my non-techie guide to what all the fuss is about.  If you’re a techie, this advice isn’t for you; chances are, you already know what you should be doing to help fix this.

(If you’re a techie and you don’t know, ask!  You might just need a little education on what needs to happen, and there’s nothing wrong with that, but you’ll be better off asking and possibly looking foolish than you will be if you get hacked.)

If you’re not inclined to read the whole thing, here are the important points:

• Don’t panic!  There are reports of people cleaning out their bank accounts, cutting off their Internet service, buying new computers, etc.  If you’re thinking about doing anything drastic because you’re scared of Heartbleed, don’t.
• You’ll probably need to change a lot of your passwords on various sites, but wait until each site you use tells you to.
• This is mostly a problem for site servers, not PCs or phones or tablets.  Unless you’re doing something unusual (and you’d know if you were), you’re fine as long as you update your devices like you usually do.  (You do update your devices, right?)

So what happened?

There’s a notion called a “heartbeat signal”, where two computers talking to each other say “Hey, you there?” every so often. This is usually done by computer #1 sending some bit of data to computer #2, and computer #2 sending it back. In this particular situation, the two computers actually send both a bit of data and the length of that bit of data.

Some of you might be asking “so what happens if computer #1 sends a little bit of data, but lies and says the data is a lot longer than that?” In a perfect world, computer #2 would scold computer #1 for lying, and that’s what happens now with the bug fix. But before early this week, computer #2 would just trust computer #1 in one very specific case.

Now, computers use memory to keep track of stuff they’re working on, and they’re constantly asking for memory and then giving it back when they’re done, so it can be used by something else.  So, when you ask for memory, the bit of memory you get might have the results of what the program was doing just a moment ago–things like decrypting a credit card using a crypto key, or checking a password.

This isn’t normally a problem, since it’s the same program getting its own memory back.  But if it’s using this memory to keep track of these heartbeats, and it’s been tricked into thinking it needs to send back “the word HAT, which is 500 characters long“, then character 4 and following is likely to be memory used for something just a moment ago.

Most of that “recycled memory” would be undecipherable  junk. But credit cards, crypto keys, and passwords tend to be fairly easy to pick out, unfortunately.

And that, by the way, is where the name comes from: the heartbeat signal bleeds data, so “Heartbleed”.  There’s been some fascinating commentary on how well this bug has been marketed, by the way; hopefully, we in the techie community will learn something about how to explain problems like this for future incidents.

Does this affect every site?

No.  Only sites using certain newer versions of crypographic software called “OpenSSL” are affected by this.  OpenSSL is very popular; I’ve seen estimates that anywhere from a third to a half of all secure Internet sites use it.  But not all of those sites will have the bug, since it was only introduced in the last two years.

How do we know this?  OpenSSL is open source, and is developed “in public”.  Because of that, we know the exact moment when the bug was introduced, when it was released to the world, and when it was fixed.

(And, just for the record, it was an honest mistake.  Don’t go and slam on the poor guy who wrote the code with the bug.  It should have been caught by a number of different people, and none of them noticed it, so it’s a lot more complicated than “it’s his fault!  pitchforks and torches!”)

What should I do?

Nothing, yet.  Right now, this is mostly a techie problem.

Remember that bit about crypto keys?  That’s the part which puts the little lock icon next to the URL in your browser when you go to your bank’s Web site, or to Amazon to buy things, or whatever.  The crypto keys make sure that your conversation with your bank about your balance is just between you and your bank.

That’s also the part which is making techies the world over a little more stressed and tired.  You see, we know that the people who found the bug were “good guys” and helped to get the bug fixed, but we don’t know if any “bad guys” found the bug before this week.  And if a “bad guy” used the bug to extract crypto keys, they would still have those crypto keys, and could still use them even though the original bug is fixed.  That would mean that a “bad guy” could intercept your conversation with your bank / Amazon / whoever.

Since we don’t know, we have to do the safe thing, and assume that all our keys were in fact stolen,  That means we have to redo all our crypto keys.  That’s a lot of work.

And because your password is likely protected with those same crypto keys, if a “bad guy” has Amazon’s key, they’d be able to watch you change your password at Amazon.  Maybe they didn’t even have your old password, but now they have your new one.  Oops.  You’re now less secure than you were.

Now, it’s important to make sure we’re clear: we don’t know that this has happened.  There’s really no way of knowing, short of actually catching a “bad guy” in the act, and we haven’t caught anyone–yet.  So, this is a safety measure.

Thus, the best thing to do is: don’t panic.  Continue to live life as usual.  It might be prudent to put off doing some things for a few days, but I wouldn’t even worry so much about that.  If you pay your bills online, for example, don’t risk paying a bill late out of fear.  Remember: so far, we have no evidence yet that anyone’s actually doing anything malicious with this bug.

At some point, a lot of sites are going to post a notice that looks a lot like this:

We highly recommend our users change the password on their Linux Foundation ID—which is used for the logins on most Linux Foundation sites, including our community site, Linux.com—for your own security and as part of your own comprehensive effort to update and secure as many of your online credentials as you can.

(That’s the notice my employer posted once we had our site in order.)

That will be your cue that they’ve done the work to redo their crypto keys, and that it’s now safe to change your password.

A lot of sites will make statements saying, essentially, “we don’t have a problem”.  They’re probably right.  Don’t second-guess them; just exhale, slowly, and tick that site off your list of things to worry about.

Other sites might not say anything.  That’s the most worrying part, because it’s hard to tell if they’re OK or not.  If it’s an important site to you, the best course of action might be to just ask, or search on Google / Bing / DuckDuckGo / wherever for some kind of statement.

What about your site?

Yup, I use OpenSSL, and I was vulnerable.  But I’m the only person who actually logs in to anything on this site.  I’ve got the bugfix, but I’m still in the process of creating new keys.

Part of the problem is that everyone else is out there creating new keys at the same time, which creates a bit of a traffic jam.

So yeah, if you were thinking of posting your credit card number in a comment, and wanted to make sure you did it securely… well, don’t do that.  EVER.  And not because of Heartbleed.

Encryption is in the news a lot these days for some reason.  I’ve been doing encryption using the PGP family of encryption systems for quite a while now, but hadn’t been paying close attention until a recent reminder landed in my inbox from the Debian project.  They warn about “1024D” GnuPG keys being weak, which is a fancy way of saying “the way all the cool kids created keys back in the late ’90s”.  Including yours truly.  Oops!

So, it’s time to replace my key.  I’ve uploaded the new one to the key servers and created a transition statement per the guidelines in this fine document, with some changes inspired by others doing the same.  The details are in the transition statement, so I won’t bore you with long strings of hexadecimal numbers here.

The next step is to get signatures for the new key.  I’ll be at the Linux Foundation Collaboration Summit next week, and would greatly appreciate meeting with people in person to do key signings.  If there are any key signing parties happening, please invite!

Sorry for everyone who’s wondering what I’m talking about.  We all have secrets to keep, and conversations we wouldn’t want spread around; encryption gives you a little more control over that.  Plus, encryption lets you “authenticate” people, which is a fancy way of saying “is that you, George?” when you get messages from people, and letting them say “is that you, Jeff?” when you send messages back.  If you want to learn more about taking control of your communication, post a comment, email me, or search for “PGP”, “GnuPG”, or “encryption” in your favorite search engine.

Online tech news site Ars Technica (which I recommend, by the way) recently reviewed the Dell XPS 13 Developer Edition.  Its unique feature: it ships with Ubuntu Linux as the default operating system.  This preload deal had a few unique properties:

• It’s from a major system vendor, not a no-name or third-party integrator.
• It’s a desktop-oriented product, not a server.
• Most notably, the vendor actually put effort into making it work well.

That last point deserves some explanation.  A few vendors have grabbed a Windows computer they sell and allowed the option to preload Linux on it, but without support; you’re on your own if it doesn’t work in some way, which is likely.  Essentially, they save you the time of wiping Windows off the box and doing a fresh install, but not much more.  But this laptop comes out of Dell’s Project Sputnik, a project to put out Linux machines for developers with a “DevOps” flavor, and they felt the machine had to work as well as their regular products.  So they actually put effort and testing into getting the laptop to run Ubuntu well, with all the drivers configured properly and tweaked to support the machine’s quirks, just like they do for Windows.

And so, the review is surprised to learn that Ubuntu on the XPS 13, well, just works!  It’s even in the title of the review.  Here’s reviewer Lee Hutchinson’s observations:

I’ve struggled before with using Linux as my full-time operating environment both at work and at home. I did it for years at work, but it was never quite as easy as I wanted it to be—on an older Dell laptop, keeping dual monitor support working correctly across updates required endless fiddling with xorg.conf, and whether or not it was Nvidia’s fault was totally irrelevant to swearing, cursing Past Lee, trying desperately to get his monitors to display images so he could make his 10am conference call without having to resort to running the meeting on the small laptop screen.

And thence comes the astonishment: on this Linux laptop, everything just works.  Most of the review is spent on the kinds of hardware features that distinguish this from other laptops: the keyboard is like this, the screen is that resolution, it has this CPU and this much RAM and so on.  Some space is devoted to impressions of the default Ubuntu 12.04 install, and some space is given to the special “DevOps” software, which helps the developer reproduce the software environment on the laptop when deploying apps.

But before all that, Hutchinson has to put in a dig:

It’s an impressive achievement, and it’s also a sad comment on the overall viability of Linux as a consumer-facing operating system for normal people. I don’t think anyone is arguing that Linux hasn’t earned its place in the data center—it most certainly has—but there’s no way I’d feel comfy installing even newbie-friendly Ubuntu or Mint on my parents’ computers. The XPS 13 DE shows the level of functionality and polish possible with extra effort, and that effort and polish together means this kind of Linux integration is something we won’t see very often outside of boutique OEMs.

Of course, Windows is actually worse than Linux on the hardware front–when you don’t get it pre-installed.  Imagine if more vendors put as much effort into preinstalled Linux as they did into preinstalled Windows.  In that alternate reality, I imagine people would react more like this:

“Isn’t that what you’re looking for in a mainstream product?” Rick chided. “In 1996 it was: ‘Wow look at this, I got Linux running on xxxxxxxx.’ Even in 2006 that was at times an accomplishment… When was the last time you turned on an Apple or Windows machine and marveled that it ‘just worked?’ It should be boring.”

Which was, of course, the reaction Hutchinson got when discussing the review with a Linux-using friend.

With Microsoft being less of a friend to the hardware vendors every day, here’s a case study more of them should be paying attention to.

18 years ago, I carried a baby out of a delivery room. MY baby.  What a rush.

Looking down on him in the baby warmer, amazement and fear dominated my thoughts, clamoring for my attention. I was a father. What would I do now? My life was REALLY not just my own anymore; I had this little one that was counting on me.  Was I up to the challenge?

And what about when he wasn’t a little one anymore? What would he be like as an adult? Would he be a good person? What would he care about? When he turned 18, what would we do, and what would his plans be for the future?

That day was something I thought about often in that nursery all those years ago.  And now, that day has arrived.

Jon is now a young adult.  And looking at the ultimate result of the last 18 years of worry, I feel immeasurably proud.  He has made his mistakes, and no doubt will make more mistakes in the future.  But he has not let those mistakes dampen his confident optimism, or drag down his sense of what’s right.  More importantly, he has a heart for others that expresses itself with everyone he’s around.  Often, the topics of our disagreements center around his fierce protective instinct, and on more than one occasion, he’s challenged me to improve myself.

I have not been a perfect father.  At times, I’ve been far from perfect.  But I am grateful that I’ve been a part of raising a young man I can admire and, yes, even learn from.

Happy 18th birthday, Jon.  Have an excellent life.  I’ll cherish the rest of the time you’re still at home, miss you when the time comes for you to leave, and always be there for you as long as I live.

Your mom and I are your biggest fans; never forget that.

I’ve been busy tonight spamming mailing lists and otherwise getting the word out: the LSB workgroup is preparing to update the FHS.  This update has been a long time in coming; FHS 2.3 (the current version) was released back in 2004.  Since then, a lot has happened, and it’s starting to look like the FHS is holding things back due to the lack of updates.

For the longest time, the FHS was cared for by its original editors: Dan Quinlan, Rusty Russell, and Chris Yeoh.  We should all be grateful that they created a useful and well-written standard–one that has been resilient enough to remain useful for six years without changes.  Even though it’s time to move on, we should not forget that we are building on a strong foundation they laid for us.

So, you may be asking: how can I help?  Glad you asked!

• First of all, get the word out!  If you know people who might be interested (developers for Linux distributions, standards people, etc.), point them to this post or to the LSB announcement linked earlier.
• We have set up the usual open-source project infrastructure: a bug tracker, version control (using Bazaar), a mailing list, and a wiki (of sorts; it’s actually a page on the LSB wiki).  Come and join in!  Subscribe to the mailing list, post comments on the wiki, check out the source and submit patches.
• The bug tracker deserves special mention.  We hosted it for the old FHS project, and so we’re continuing to use it.  In particular, we’ll be doing triage on the old bugs there, as well as any new bugs filed.  So go ahead and file bugs, or add comments to old bugs; we’ll be taking those into account for the new update.  If you file new bugs, please file them against the “FHS” product.

We’re tentatively shooting for a goal of releasing FHS 3.0 before July, though that’s not written in stone.  But we don’t want to wait much longer than we’ve already had to.

Some of you may remember that my wife has a genetic condition called Marfan syndrome.  If you do, you might remember that the syndrome can cause serious problems with the eyes and heart.  Both are treatable with surgery; in an ideal world, you’d deal with each problem as it comes up, and spread the surgeries over at least a period of several years.

Unfortunately, Tami didn’t get to experience that ideal world.

About this time last year, she experienced sudden vision loss in one eye while working, which didn’t clear up on its own.  We went in, and found that her eyes had deteriorated to the point that she needed surgery to preserve her vision.  Although only one eye was not working right, the other was on the verge of failing in the same way.

Then came the normally routine pre-surgery checkups.  This time, however, was anything but routine; the cardiologist declared that she had entered the “danger zone” for heart complications.  This would require open-heart surgery to fix.

All ended well.  Five surgeries later (three on the heart, plus one each per eye), she’s back to normal, and even has the best vision she’s ever experienced.  But I don’t recommend doing so much so quickly (four months from the first to the last).

“When you donâ€t update a blog, it gets stale fast.” — Tim Bray

Of course, I didn’t intend to violate this basic rule of blogging.  It just happened–one thing leads to another, and pretty soon you notice just how little your front page has changed in the past two-and-a-half years.  So, I shall begin again.

Quite a bit has changed:

• It’s especially ironic, given the previous post, that our family has given in and replaced the main television with a HDTV.  Not that I’ve changed pmy mind much; it’s just that I’ve decided to live with the limitations of the technology, and have figured out how to work around some of them.
• Although my suspicion of the cloud remains, my participation has greatly increased.  I’m now on Twitter, Facebook, LinkedIn, and piles of Google services.
• There’s been a major health scare in the family, which is now behind us.

All of these will get their own posts in the very near future.  In the meantime, enjoy the new look.  (Especially on mobile!)

So you put off buying a high-def TV for years, because you weren’t sure they had gotten all the standards right.  You recently gave in, thinking that the coming shut-off of analog broadcast TV in February meant that they had to have their technology figured out by now.

Of course, you were wrong:

CableCARD devices have generally supported only one-way access to cable systems, but their long, winding journey toward full two-way communications is finally coming to an end. Panasonic has announced that it is at last shipping new HDTVs enabled with tru2way technology to the two US markets where they can actually be used.

So what’s the main thing you’re supposed to get with tru2way?

This means that you can walk out of a retail store with a tru2way-enabled HDTV, plug it in at home, and have immediate access to basic features like an on-screen guide and on-demand content.

In other words, we are just now starting to see HDTVs that can just plug into the cable jack and work, without an add-on cable box and all the limitations that implies, right?

Well, not really.

All tru2way-compatible devices will have a CableCARD slot built into them to facilitate the decryption of protected content, though details are still sketchy as to how this system will work with devices like PVRs. Physical CableCARDs will apparently not be needed to access basic two-way services and non-encrypted channels.

Meaning that, in order to get anything you can’t get already with broadcast TV (“non-encrypted”), you still need a cable company tech to come out and install the CableCARD.  And they don’t know how all of this will integrate with the new video recorders like TiVo.

Why is this so hard?  It’s producer paranoia.  If they don’t play these games, you might watch some show for free, or share it so others can watch it for free, instead of… well, watching it for free live.  And you might cut the commercials out, instead of… cutting the commercials out by getting up for more chips during the commercial breaks.  (But that’s stealing, so you shouldn’t do that either.)

Our family keeps edging closer to deciding to get a HDTV.  But then I see stuff like this, and notice that the old tube TV still works fine…

Ubuntu is now being forced to show a EULA before letting users run Firefox, on pain of losing the rights to the Firefox trademark.  (You know, End User License Agreements: those pop-ups Windows and Mac users have to put up with all the time, with the big “I Accept” button at the bottom.)  Mark Shuttleworth, Ubuntu top dog, weighs in on the bug:

Please feel free to make constructive suggestions as to how we can meet Mozilla’s requirements while improving the user experience. It’s not constructive to say “WTF?”, nor is it constructive to rant and rave in allcaps. Your software freedoms are built on legal grounds, as are Mozilla’s rights in the Firefox trademark. To act as though your rights are being infringed misses the point of free software by a mile.

This is a bit surprising, and a bit disappointing.  Both the decision itself, and Mark’s take on it, are quite wrong.

One of the most important benefits of free software is the legal agreement you work in.  You don’t have to agree to some long contract every time you need to do something new on your system, or sometimes even when you get a “critical update” to something you’re already doing.  You don’t have to read pages of legalese, or go through some long process with your company’s legal department, or just click the “make it go away” button with this vague unease that you’ve just signed your first-born child away to the Devil.

Most importantly, you feel like you actually own your computer when you run free software on it.  When you enter a situation where you always have to ask permission to do things, and have to be constantly reminded of the rules, you don’t feel comfortable.  Clearly, the thing in front of you is not yours, whatever your credit card bill might say; if it were, there wouldn’t be all this stress over you doing something the real owners don’t like.  Free software returns your computer to you, by guaranteeing that you don’t have to enter into all these contracts before you can use it.

Well, unless that “free” software is Firefox 3.0.2 or later, it seems.

It’s “free” by a technical definition (you can strip the Firefox trademark rather easily, and get rid of the EULA as well).  But when users fire up Ubuntu, and decide to do some browsing, and get confronted with pages of legal garbage and ALL CAPS, they will ask: “What’s so different about this open source stuff?  I thought I was getting rid of all this legal crap.”  And, suddenly, they’re slogging through the same drudgery they had to endure with every Windows service pack, and they wonder what they’ve gained.

Perhaps there is a price we should be willing to pay to help Mozilla preserve their trademarks, but this price is too great.  Mozilla should never have asked this of us, and Ubuntu should never have decided, on our behalf, that this price was acceptable.

Debian has already turned its back on Firefox, and I have yet to have a problem with Iceweasel (the branding Debian chose for its Firefox-alike) that was caused by the branding change.  But I’m tempted to bring it back, in Debian’s “non-free” software repository.  Perhaps we could provide Firefox, complete with nasty EULA, but launch Iceweasel instead of Firefox if the user clicks “No”.  There are probably all kinds of reasons why this is a bad idea, but I’m still drawn to the idea of illustrating how silly and useless click-through EULAs are.

But it would be much more productive for Mozilla to back down, and not ask us to sacrifice such a large part of our identity on the altar of their sacred mark.

UPDATE: First, I notice I was remiss in not giving a hat tip to Slashdot.

Second, Mark has posted another comment on the bug.  I encourage people to read the whole comment, but here’s a telling part:

For example, at the moment, we’re in detailed negotiations with a
company that makes a lot of popular hardware to release their drivers as
free software – they are currently proprietary. It would not be possible
to hold those negotiations if every step of the way turned into a public
discussion. And yet, engaging with that company both to make sure Ubuntu
works with its hardware and also to move them towards open source
drivers would seem to be precisely in keeping with our community values.

In this case, we have been holding extensive, sensitive and complex
conversations with Mozilla. We strongly want to support their brand
(don’t forget this is one of the few companies that has successfully
taken free software to the dragons lair) and come to a reasonable
agreement. We want to do that in a way which is aligned with Ubuntu’s
values, and we have senior representatives of the project participating
in the dialogue and examining options for the implementation of those
agreements. Me. Matt Zimmerman. Colin Watson. Those people have earned
our trust.

On the one hand, yes, I believe that the Canonical people have earned our trust, and I do appreciate the utility of quiet persuasion with a proprietary software company that doesn’t understand our community.  On the other hand, I had been under the impression that Mozilla was not a proprietary software company, and didn’t need persuasion and secret negotiations to see our point of view.

Is Mozilla still a free software company, or not?

UPDATE 2: Cautious optimism is appropriate, I think.  Mitchell Baker, Mozilla chair:

We (meaning Mozilla) have shot ourselves in the foot here given the old, wrong content.  So I hope we can have a discussion on this point, but I doubt weâ€ll have a good one until we fix the other problems.

The actual changes aren’t available yet, and I wonder how much of this had been communicated to Canonical beforehand.  Still, it’s a good sign.