Starbeamrainbowlabs

Stardust
Blog


Archive


Mailing List Articles Atom Feed Comments Atom Feed Twitter Reddit Facebook

Tag Cloud

 3d 3d printing account algorithms android announcement architecture archives arduino artificial intelligence artix assembly async audio automation backups bash batch blender blog bookmarklet booting bug hunting c sharp c++ challenge chrome os cluster code codepen coding conundrums coding conundrums evolved command line compilers compiling compression conference conferences containerisation css dailyprogrammer data analysis debugging defining ai demystification distributed computing dns docker documentation downtime electronics email embedded systems encryption es6 features ethics event experiment external first impressions freeside future game github github gist gitlab graphics guide hardware hardware meetup holiday holidays html html5 html5 canvas infrastructure interfaces internet interoperability io.js jabber jam javascript js bin labs latex learning library linux lora low level lua maintenance manjaro minetest network networking nibriboard node.js open source operating systems optimisation outreach own your code pepperminty wiki performance phd photos php pixelbot portable privacy problem solving programming problems project projects prolog protocol protocols pseudo 3d python reddit redis reference release releases rendering research resource review rust searching secrets security series list server software sorting source code control statistics storage svg systemquery talks technical terminal textures thoughts three thing game three.js tool tutorial twitter ubuntu university update updates upgrade version control virtual reality virtualisation visual web website windows windows 10 worldeditadditions xmpp xslt

The Spaceship | Why open-source is important

It was a day like any other: Captain Ralph of the small cargo ship SS carryalot was taking a shipment of bavarian noodles to Epsilon V in time for their annual noodle festival with his partner, Egbert the Engineer.

Unfortunately though, he was having some FTL drive trouble. An hour or two previously, he docked with the layover station Alpha 9 to refuel, but yet the FTL drive suddenly abruptly cut out - leaving them stranded in space - and showed an ominous-looking triangle logo on the maintenance screen.

After trying the steps in the troubleshooting guide, he and his engineer were no further forward, so they called the official Shade Co helpline, the manufacturer of his engine and explained the problem. The Shade Co representative offered to organise a tow to the nearest official Shade Co. repair station to investigate the issue, but noted that they would charge a fee for this service.

Grumbling about delays, Ralph accepted the offer. Once they reached the repair station, a Shade Co engineer investigated the issue. A quick fix was not to be found though, as the Shade Co engineer said that there wasn't anything wrong with the engine mechanically, and that Ralph must have installed some unofficial firmware.

Ralph and Egbert had not installed unofficial firmware in fact, as a Shade Co software developer later verified. After a number of days of debugging and testing by an official Shade Co software developer (who had to be flown in all the way from Delta IV), it was discovered that the engine had actually been infected with ransomware that had encrypted taken over and encrypted all the engine's hyperparameters through a bug in the firmware that was introduce 5 years prior - yet nobody had noticed the issue previously.

Since the Shade Co engine was configured to only accept official firmware signed with the Shade Co firmware signing key, the software developer had to get the engineer to extract the engine, and send it back to HQ for analysis.

Fed up with the situation with Shade Co, Ralph got a new Teklacki engine fitted on the double. The new engine had the open-source light-rider firmware installed, and he took out a support contract with Teklacki - just in case anything went wrong.

Thankfully, Ralph and Egbert were able to deliver their cargo of bavarian noodles a few days late, but in time for the finale of the noodle festival.

5 copies of a pixel art spaceship launching from a launch pad, activing as a horizontal rule. Artwork by me - ask for permission before reproducing

It sounds like a problem straight out of a science-fiction novel, but Ralph's issue is one that is unfortunately all too common. I can't remember who said it, but I'll always remember this quote I heard while doing my undergraduate Computer Science course:

All software that is sufficiently complex to be useful, will contain bugs

This is true - but in the case of closed-source software (as in the fictional Shade Co's FTL drive firmware), nobody else is able to audit the software and check it for security issues - or any other kinds of bugs, for that matter. Open software (and open hardware) is a critically important problem and something I'm rather passionate about.

Of course, open-source software can contain bugs too (e.g. the heartbleed bug in OpenSSL), but the difference is both in the probability that such bugs will be found, and in the choice and control that users have over how they use and configure such software.

Support contracts that are popular with commercial close-source software are essential to businesses. These don't have to be exclusive to closed-source software: Indeed, Canonical for example provide a commercial support contract for Ubuntu (a distribution of Linux) called landscape.

Another example of this problem are the recent issues with the Intel Management Engine. For those not in the know, Intel CPUs run a complex piece of close-source firmware called the Intel Management Engine. Bugs in this mean that a clever attacker can access everything running on your computer at all times - yet for all the security audits I'm sure they will have done, nobody else (such as independent security researchers) can see the source code. This leaves it in a race between malicious entities and security researchers doing black-box testing to see who finds a flaw first.

The same goes with hardware as well as software. If the design of the hardware is open, then it makes it possible for others to analyse it, find and fix bugs, and contribute new features.

These are just some of the reasons that I really believe that open-source is the answer to a number of key issues with software and hardware today. It's not a perfect silver-bullet - unmaintained open-source projects can be a nightmare (just not as much of a nightmare as an abandoned closed-source program), and governance of an open-source project can be really challenging (thanks so much to @waldyrious to teaching me about this while I've been a maintainer for tldr-pages!).

All things considered though, I believe it's a better approach than locking software behind paywalls and hoping that nobody will discover a flaw in it. After all, security through obscurity is never a good idea.

Pixel art by me: Ask before copying or reproducing.

Responding to "the Internet is disintegrating"

The following post is my opinion on an article I've recently read and the issues it raises.

This isn't really my typical sort of post, but after I read this article on BBC Future recently I felt I had to post to set a few things straight.

The article talks about how authoritarian governments are increasingly controlling Internet traffic that's flowing through their countries. This part is true - China has their "great firewall", and several countries have controversial "off-switches" that they occasionally flip.

Internet protocols specify how all information must be addressed by your computer, in order to be transmitted and routed across the global wires; it’s a bit like how a Windows machine knows it can’t boot up an Apple operating system.

This is where it starts to derail. While Internet protocols such as HTTP and DNS do specify how different machines should talk to each other, it bears no resemblance to how a computer boots into it's operating system. In fact, it's perfectly possible to boot into macOS on a PC running Windows. It's important to distinguish between the hardware and the software running on it.

It also talks about "digital decider countries" being "scared" of an "open Internet".

“Nations like Zimbabwe and Djibouti, and Uganda, they don’t want to join an internet that’s just a gateway for Google and Facebook” to colonise their digital spaces, she says. Neither do these countries want to welcome this “openness” offered by the Western internet only to see their governments undermined by espionage.

Again, with this theme of not distinguishing between the hardware or network, and the software that's running on it.

An open Internet is not a space in which the likes of Facebook and Google hold total control. An open Internet is one in which people like you and me have choice. Choice of social network. Choice of email provider. Choice of news outlet.

An open Internet is defined by the choices we, as consumers, make. If everyone decides to use Facebook, then the Internet will then be subsequently dominated by Facebook. However, decentralised options do exist (also this) - and are increasing in popularity. Under a decentralised system, no 1 company has control over everyone's data, how it's processed, and who sees what.

While the obvious solution here is to simply 'block' misinformation and illegal content, it's not an easy one to implement, and it certainly comes with serious moral and ethical implications. How do we decide what is 'illegal' and what is 'legal'? How do we tell if a news article is 'real', or 'fake'? With over 10 million requests / second to CloudFlare alone, that's certainly far too much data flying around the Internet to handle manually.

Let's say we built an AI to detect what was legitimate, or implemented a set of rules (say, like a blacklist). What about satire? How do you decide out of the 1.3 billion web servers (not to mention that a single web server is likely to host several websites) which is legitimate, without potentially damaging vital competition to bigger businesses?

No algorithm is going to ever be 100% accurate. With this in mind, utilising such an algorithm would carry the terrible cost of limiting freedom of speech and communication. How can a government, which to my understanding is there to serve and represent the people, in good faith control and limit the freedom of expression of the people it is supposed to represent? There's a huge scope for abuse here, as has been clearly demonstrated by multiple countries around the world.

If blocking doesn't work, then how can we deal with misinformation online? Well, Mozilla seems to have some ideas. The solution is a collective effort: Everything from cross-verification of facts to linking to sources. When writing an article, it's imperative to link to appropriate sources to back up what you're saying. Cross-checking something you read in 1 article with another on a different website helps to ensure you have more sides of the story.

Although governments may claim that internet sovereignty protects its citizens from malware, many fear losing the freedom of the "open internet"

Malware is indeed another serious problem. Again the solution here is not "blocking" content, as malware authors will always find another way (also exhibits b, and c) to deliver their payload.

Again, the solution is in the hands of the people. Keeping systems up-to-date and making use of good password practices all help. Ensuring that device, networks, and software are all secure-by-design is great too (the website I was reading the article on doesn't even implement HTTPS correctly).

The article feels very one-sided. It makes no mention of the other alternative ways I've touched on above, or those tackling the challenges the article talks about in ways that don't harm freedom of expression. In fact, I'd say that it's more of an opinion piece (much like this post), but since it doesn't mention that it is as such, I feel it's rather deceptive.

...one thing is clear – the open internet that its early creators dreamed of is already gone.

Indeed, the early vision of the Internet has changed drastically as it's grown. However, your personal data belongs to you, so you've got the power to choose who processes it.

Sources and Further Reading

Art by Mythdael