Wireless spectrum versus the Internet

Last month, The Register reported on a new OpenWRT release. OpenWRT is a Linux distribution designed to be installed on embedded devices like routers. It, along with other third-party firmware projects like Tomato and DD-WRT, offers users more flexibility than the original firmware. They often get updates long after the first-party firmware, and can provide a more stable system. For example, I had a Linksys WRT-54G that was starting to get flaky, to the point where I had to power cycle it every day or so. After installing OpenWRT, it became much more reliable.

I lay out the benefits of third-party firmware, because the El Reg article brought to my attention a document published by the Federal Communications Commission (FCC). The guidelines, last updated in March of this year, outline the security questions device manufacturers should answer in their Part 15 application. Part 15 refers to the section of U.S. regulations that deals with unlicensed radio frequency (RF) transmission (including WiFi). The document says, in part:

An applicant must describe the overall security measures and systems that ensure that:

1. only properly authenticated software is loaded and operating the device; and
2. the device is not easily modified to operate with RF parameters outside of the authorization.

These requirements are antithetical to the ideals of open source and the user freedom it is committed to promote. As an amateur radio operator, I am sensitive to the concerns regarding spectrum pollution. Part 15 devices can be a pain for licensed portions of the RF spectrum anyway, and allowing devices to be easily modified to transmit outside their intended band presents a real threat to licensed radio services, including public safety and aviation.

Essentially, it comes down to protecting wireless spectrum (by preventing unlicensed transmission) versus protecting Internet users (by allowing for more security updates and external auditing of the code running on routers). These are both legitimate concerns, and I’d advocate for either of them independently. When they’re pitted against each other, though, I have to side with free software.

Regardless of the technological restrictions put in place to prevent unlicensed transmission, they can be circumvented. The entire history of technology is a history of restrictions and circumventions. Additionally, the ability to (responsibly) modify and experiment with hardware is an important part of innovation. The updates and configuration flexibility of third-party firmware provide a real benefit (though I naively assume that a non-trivial portion of devices will get such firmware) against everyday threats. Given the choice, my choice is clear. I hope the FCC will come to agree with me.

The ad-supported web

The history of the public Internet is a story of arms races. Spammers versus spam blockers. “Pirates” versus DRM. Websites against their visitors.

That last one might come as a surprise, but it’s an accurate-if-cynical description. Websites have content that visitors want, but the visitors (often) don’t want to pay and the website owners and contributors (often) want to make money for their work. Advertisements have become more and more obtrusive and visitors have worked harder and harder to keep those ads out of the way.

Fundamentally, the problem is that the Internet has changed the economics of information. It used to be that the value (economically-speaking) in reporting and commentary was the scarcity and the medium. As the Internet has democratized communication, the cost of an individual article gets much smaller.

Of course, the ability to get an individual article makes a difference, too. With a newspaper or magazine, you generally have to buy the whole thing. That’s not the case with websites. And advertisers in a newspaper or magazine can only do so much to get in your way. Perhaps technology just allows them to behave like they always wanted to.

In any case, Apple’s recent announcement that it would allow ad blockers on iOS has caused no shortage of consternation among content producers, especially on smaller sites and sites that depend solely or mostly on ad revenue. “Dear Apple: I may rob your store” is a fine example.

Everything is free! is probably not a sustainable model in the long term. By the same token, subscriptions for everything won’t work either. Micropayments are nice in theory, but I haven’t seen any evidence that they actually work. I don’t have an answer, since this isn’t really my area. I’ve made about four cents from my ads on Funnel Fiasco in the past 10 years, which is probably commensurate with the value I’ve provided.

The sky is not falling, but the landscape is changing. Old business models won’t continue to be viable. Some people will lose their jobs, some will find new niches to fill. I’ll continue to not use an ad blocker because I understand it’s the tradeoff for free content, but I’ll also continue to avoid websites that abuse my tolerance.

Book review: AWS System Administration

In his forthcoming book, Mike Ryan aims to introduce Amazon Web Services (AWS) to developers and systems administrators. Correctly creating and managing an AWS environment is a cross between development and administration, so anyone coming from a straight admin or dev background would probably miss key components.

Unfortunately, in aiming for two audiences, he produces a book that doesn’t seem to quite satisfy either. The book goes into a lot of unnecessary detail, for example a lot of PostgreSQL detail in the backup chapter, and a lot of Puppet specifics scattered throughout.

My biggest complaint is the way the book is organized. Basic AWS concepts like regions aren’t introduced in the beginning. Several concepts appear in passing before they are explained. EC2 security groups are lumped into the chapter on IAM roles, but it makes more sense to separate those.

Much of the book focuses on a single example, without a lot of discussion of other use cases. However, the use of auto scaling and Elastic Load Balancers in various cases is very well explained. The coverage of the use and limitations of IAM roles is excellent as well.

This book could benefit from some reorganization and a more focused audience. With more information about AWS and less on implementation details for specific environments, the second edition could be a valuable resource.

AWS System Administration is scheduled to be released on July 25. It is published by O’Reilly Media.

Introducing the “Permissive 3000” license

Software licenses aren’t necessarily the easiest texts to understand. This issue is compounded when the person trying to understand the license is in a different jurisdiction or is a non-native speaker of English. A recent thread on the OSI’s license-discuss list brought this issue to light. According to the original poster, a project using the BSD 3-Clause license was used without attribution in a proprietary product. The developer lost the court case because the judge did not understand English well. The poster brought an attempt at a rewrite to the list, but it had some contradictions and other meaningful differences. So I thought I’d give it a try myself.

This weekend, I started from the original BSD 3-Clause license and excised all of the words not on the Oxford 3000™ word list (or reasonably close modifications, e.g. verb tense conjugations). I did make an exception for the word “copyright”, since it seems indispensable to a software license. In all other cases, I used synonyms and circumlocution in order to preserve the meaning while remaining within the constrained word list. This was challenging at times, since circumlocution can end up making the document more difficult to understand than an unknown word might. The difficulty is further compounded by the fact that many words have a distinct legal meaning and a synonym might not have the same weight.

I consoled myself with the fact that software warranties (where most of the real challenge was) are probably not that useful anyway. Furthermore, just because a word has a distinct meaning in American courts, that doesn’t mean that foreign legal systems have the same definitions. Trying to use largely U.S.-centric licenses written in English is a challenge for a global society, but I don’t know that a system of jurisdiction/language-specific licenses would be any better.

In any case, without further ado, I present the Permissive 3000 license. It’s highly experimental and totally unvetted by legal professionals, so nobody should use it for anything except a learning exercise. I’m looking forward to some constructive feedback and hopefully it sparks a discussion about how licenses can be simplified so that they’re more easily understood by judges, developers, and users alike.

A lesson in ISO weeks

Last week, users of the Twitter client for Android experienced authentication problems. It was a long and lonely Sunday night for me without my Tweeps. When the issue was fixed, word on the street was that it was due to time travel, in a sense. Sunday started the first week of 2015 if you’re using ISO week numbering.

The next morning, I got my regular weekly email from our time tracking system at work, except it showed I had recorded zero hours in the previous week. Late December tends to be a quiet time, but not that quiet. Then I looked a little closer and noticed that the email was for week 2015-52. Oops!

I thought I’d take a look at the code for the report generator, and my hunch that it was also an ISO week issue was quickly confirmed. In the code, the current date was recorded and split into year and week values. Then the week value was decremented. This seemed silly to me. I changed it to first subtract a week before splitting into the year and week values. This seemed to fix…the glitch.

So what’s the lesson in all of this? First, make sure you do the math at the right time. Second, make sure you understand how time works. The year of the ISO week being ahead of the calendar year only happens on rare occasions. It’s not a scenario that one would think to test (though I expect a lot more tests will include it now).
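As an added illustration of the bug and the fix described above (example code written for this page, not the report generator’s actual code), the two functions below take the same date and compute “last week” two ways: splitting into ISO year and week first and then decrementing the week, versus stepping back seven days on the calendar and only then splitting. The sample dates are constructed; 2014-12-29 is the Monday after the Sunday in the post and already belongs to ISO week 2015-W01. The post does not say how the original system turned its bad result into “2015-52”, so the buggy path here simply returns the invalid week 0, and a small validity check shows how such a key could be caught before a report is sent.

```python
from __future__ import annotations

from datetime import date, timedelta

# Constructed sample dates (not from the post's system):
REPORT_DATE = date(2014, 12, 29)   # Monday; ISO 2015-W01 although the calendar year is 2014
NEW_YEAR_2016 = date(2016, 1, 4)   # Monday; ISO 2016-W01, and the week before it is 2015-W53
MIDYEAR = date(2015, 6, 15)        # Monday; ISO 2015-W25, no year boundary involved


def last_week_buggy(today: date) -> tuple[int, int]:
    """Split today into ISO year/week first, then decrement the week.

    This mirrors the defect described in the post. Around the year boundary the
    ISO year has already rolled over, so decrementing only the week number
    yields a (year, week) pair that does not exist.
    """
    iso_year, iso_week, _ = today.isocalendar()
    return iso_year, iso_week - 1


def last_week_fixed(today: date) -> tuple[int, int]:
    """Step back seven calendar days first, then split into ISO year/week.

    Letting the date library handle the boundary means the ISO year and the
    week number roll over together.
    """
    previous = today - timedelta(days=7)
    iso_year, iso_week, _ = previous.isocalendar()
    return iso_year, iso_week


def weeks_in_iso_year(iso_year: int) -> int:
    """ISO years have 52 or 53 weeks; 28 December always falls in the last one."""
    return date(iso_year, 12, 28).isocalendar()[1]


def is_valid_iso_week(iso_year: int, iso_week: int) -> bool:
    """Sanity check for a report key before a report is generated for it."""
    return 1 <= iso_week <= weeks_in_iso_year(iso_year)


def report_window(iso_year: int, iso_week: int) -> tuple[date, date]:
    """Monday and Sunday covered by a (year, week) report key (Python 3.8+)."""
    monday = date.fromisocalendar(iso_year, iso_week, 1)
    return monday, monday + timedelta(days=6)


if __name__ == "__main__":
    for today in (REPORT_DATE, NEW_YEAR_2016, MIDYEAR):
        bad = last_week_buggy(today)
        good = last_week_fixed(today)
        year, week, _ = today.isocalendar()
        print(f"{today} (ISO {year}-W{week:02d}): buggy={bad} "
              f"valid={is_valid_iso_week(*bad)} fixed={good} "
              f"window={report_window(*good)}")
```

Mid-year both paths agree, which is why the defect survives casual testing; only a date in the first ISO week of a year, or the first calendar days of a year that still belong to the previous ISO year, separates them. Any test suite for code that keys on ISO weeks should include at least one date from each of those situations.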

Another great SysAdvent

Once again, a group of volunteer writers and editors came together to produce 25 posts related to systems administration for the SysAdvent blog. Although I have contributed several articles over the years, I much prefer editing. All of this year’s posts are great, but I’m very proud of the posts that I had a hand in editing. As usual, the writers did most of the work; my suggestions were always minor.

Mozilla’s new ad feature

Edited to remove erroneous statements about what gets sent to Mozilla based on Matthew Miller’s comment below.

Mozilla’s release last week of in-browser ads has caused quite the discussion on the Fedora development mailing list. Firefox now will show sponsored “tiles” on the default home screen when a new or cleared profile is used. Although Mozilla claims to collect data in such a way that it’s not personally identifiable, there are reasons to be concerned. Sure, this can be disabled, but the default behavior is the only thing most users will experience.

The reactions on Fedora-devel spanned the gamut from indifference to insistence that Firefox be removed from the repository entirely. My own take (which was already represented on the mailing list, so I refrained from “me too”-ing) is that the right answer is to disable this feature in the Firefox build that ships in Fedora, effectively making it opt-in instead of opt-out. Mozilla has a history of being a good actor and I don’t begrudge them trying to make some money. However, I’d prefer that the user have to consciously enable such tracking.

Though I disapprove of the implementation, I find it hard to get very worked up about this. The Internet is awash in tracking. Google and Facebook probably know more about me than I do about myself. But that’s because I decided the value I get from those sites (well, not so much Facebook) is worth the data I give them. I respect the right of others to come to their own decision, which is why opt-in is preferred.

I appreciate the opinion of those who think the only appropriate response is to remove Firefox entirely, but I find that to be a wholly impractical solution. If Fedora wants casual desktop users (and I see no reason to not court that use case), having Firefox is an important part of a welcoming environment. A great deal of casual computing is done in the browser these days and Firefox is a well-known browser (even if some people call it “Foxfire”). Sure, there are other FLOSS browsers (including IceWeasel), but few of them work as well for casual users as Firefox and none of them have the familiarity and name recognition. Given the good Mozilla has done for free software over the years, this hardly seems like a bridge worth burning.

Another reason to disable what you’re not using

A common and wise security suggestion is to turn off what you’re not using. That may be a service running on a computer or the bluetooth radio on a phone. This reduces the potential attack surface of your device and in the case of phones, tablets, and laptops helps to preserve battery life. On the way to a family gathering over the weekend, I discovered another, less intriguing reason.

As I exited the interstate, I passed a Comfort Inn. Having stayed at Comfort Inns in the past, my phone remembered the Wi-Fi network and apparently it tried to connect. The signal was just strong enough that my phone switched from 4G to Wi-Fi, and since the Comfort Inn had a registration portal, this messed up the navigation in the maps app. Oops.

I turned the Wi-Fi antenna off for the rest of the trip. It was a good reminder to shut off what I’m not using.

Cloud detente

Evident.io founder and CEO Tim Prendergast wondered on Twitter why other cloud service providers aren’t taking marketing advantage of the Xen vulnerability that led Amazon and Rackspace to reboot a large number of cloud instances over a few-day period. Digital Ocean, Azure, and Google Compute Engine all use other hypervisors, so isn’t this an opportunity for them to brag about their security? Amazon is the clear market leader, so pointing out this vulnerability is a great differentiator.

Except that it isn’t. It’s a matter of chance that Xen is the hypervisor facing an apparently serious and soon-to-be-public exploit. Next week it could be Microsoft’s Hyper-V. Imagine the PR nightmare if Microsoft bragged about how much more secure Azure is only to see a major exploit strike Hyper-V next week. It would be even worse if the exploit was active in the wild before patches could be applied.

“Choose us because of this Xen issue” is the cloud service provider equivalent of an airline running a “don’t fly those guys, they just had a plane crash” ad campaign. Just because your competition was unlucky this time, there’s no guarantee that you won’t be the loser next time.

I’m all for companies touting legitimate security features. Amazon’s handling of this incident seems pretty good, and I think they generally do a good job of giving users the ability to secure their environment. That doesn’t mean someone can’t come along and do it better. If there’s anything 2014 has taught us, it’s that we have a long road ahead of us when it comes to the security of computing.

It’s to the credit of Amazon’s competition that they’ve remained silent. It shows a great degree of professionalism. Digital Ocean’s Chief Technology Evangelist John Edgar had the best explanation for the silence: “because we’re not assholes mostly.”