Bobulate


Archive for the ‘Bla Bla’ Category

What price Freedom?

Thursday, November 26th, 2009

Graphics drivers (for X11 under whatever Free Software operating system you care to use) are one area where Free Software has plenty of room for improvement. My laptop has an nVidia GeForce 9600M in it, which means that there are two drivers I can use for it: the Free Software nv driver, or the proprietary nvidia one. There are qualitative differences (based on what’s available in Kubuntu 9.04 in this case): the proprietary one has the technical advantage that suspend works, compositing works and that logout is faster (because there’s a screen capture thing happening that is used to grey out the display). But there’s also an interesting quantitative difference: power use. This is one I hadn’t thought about at all — the laptop simply gets very warm under normal usage, to the point that my hands get uncomfortable resting on the keyboard. After switching video drivers, though, I thought the laptop felt a lot cooler in normal use. So, measurements. I used a watt-meter that sits between the wall socket and the power brick of the laptop to measure the following:

  • System idle, display on, nvidia driver: 40W
  • System idle, display blanked, nvidia driver: 33W
  • System idle, display on, nv driver: 42W
  • System idle, display blanked, nv driver: 35W

Non-idle the machine draws just as much: clearly regular end-user activities (writing email, writing letters, writing blog entries, but no compiling) don’t exactly stress the machine or draw extra power. Given the numbers, I don’t understand the perceived difference in temperature or comfort of working on the machine. But it does help me put a price on Freedom: two watts.

Privacy and metrics

Friday, November 20th, 2009

On Wednesday the Washington Post’s “Security Fix” blog had a small item on privacy issues with the smart grid. It was most interesting for me because of the graph that was included: by looking at a simple metric (power draw in the house) one could reach conclusions on what was happening inside. Breakfast, lunch and dinner can be spotted. This isn’t much of an issue if the data is available only to the power company, stored securely, and applied only to the intended purpose for which it is collected. Presumably that’s to optimize power delivery.

But when the information is used outside of that context, then bad things can happen.

This kind of concern applies to all kinds of metrics that indirectly show what is happening inside a closed box. Consider an active developer on a software project where the source repository is available publicly. This applies to lots of them — and CIA.vc makes relevant stats for many even more public. By looking at time stamps you can find out roughly when the developer is active. How accurate this is depends on the style of development, but I know I’m a commit-early, commit-often guy so you can (or used to be able to) find out when I’m awake by watching commits. No commits? I must be elsewhere. Commits skewed by three hours? I must be in Brasil, hacking.

Even that information isn’t all that bad, although it’s a derived piece of information that possibly wasn’t intended to be public. But you can use it for nefarious purposes (e.g. housebreaking). Power consumption of an encryption chip was once used to determine whether it was doing a multiply cycle or an add — and knowing that revealed bits of the key being used, and so extracted the key from the chip. That’s the kind of ancillary information leakage that we can also worry about.

All in all I think it comes down to: data collection technology isn’t bad per se, but the safeguards around the collected data and the purposes to which the data is put might be. Privacy then is a matter of trust in the people that hold the data to do the right thing (regrettably humans are susceptible to temptation).
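The key leak through power consumption mentioned above, as an added example that is not part of the original post: a toy exponentiation whose sequence of operations mirrors the secret bits, next to a Montgomery ladder that performs the same operations for every bit. The post does not name the algorithm, so left-to-right square-and-multiply is assumed here; the operation trace stands in for a measured power trace, and all names and values are constructed.

```python
# Added illustration: an operation trace stands in for a measured power trace.
# Assumption: square-and-multiply exponentiation; all values are constructed.

def square_and_multiply(base, exponent, modulus):
    """Left-to-right binary exponentiation; returns (result, operation trace)."""
    result, trace = 1, []
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus
        trace.append("S")                  # a square happens for every bit
        if bit == "1":
            result = (result * base) % modulus
            trace.append("M")              # a multiply happens only for 1-bits
    return result, "".join(trace)

def bits_from_trace(trace):
    """What an observer learns: 'SM' marks a 1-bit, a lone 'S' marks a 0-bit."""
    bits, i = [], 0
    while i < len(trace):
        if trace[i:i + 2] == "SM":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)

def montgomery_ladder(base, exponent, modulus):
    """Same result, but every bit costs exactly one multiply and one square."""
    r0, r1, trace = 1, base % modulus, []
    for bit in bin(exponent)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r1, r0 = (r0 * r1) % modulus, (r0 * r0) % modulus
        trace.append("MS")                 # identical operations for 0 and 1
    return r0, "".join(trace)

SECRET = 0b1011001110001011    # constructed 16-bit secret exponent
MODULUS = 1000003              # constructed modulus
BASE = 42                      # constructed base

if __name__ == "__main__":
    value, leaky = square_and_multiply(BASE, SECRET, MODULUS)
    print("leaky trace:     ", leaky)
    print("recovered secret:", bin(bits_from_trace(leaky)))
    value2, flat = montgomery_ladder(BASE, SECRET, MODULUS)
    print("ladder trace:    ", flat, "| same result:", value == value2)
```

The ladder in this toy still branches on the secret bit; production code replaces that branch with a constant-time conditional swap and uses a vetted cryptographic library rather than hand-written arithmetic.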

The Science of Innovation

Wednesday, November 18th, 2009

A somewhat odd article that touches on patents and science crossed my desk last week in the weekend science section of my newspaper, the NRC. It’s about an experiment used to detect dark matter, the DAMA experiment undertaken under the Gran Sasso mountain. Science is largely about reproducibility, at least in the physical sciences: an experiment must be repeatable for it to have any weight as a data point. The reporting might be a little sketchy here, but it claims that the experiment is not repeatable (by researchers elsewhere) because there’s a *patent* on some parts of the original experiment and no-one can deliver the parts to another group of researchers without violating the patent license. The patent holders in this case are the research group who did the experiment in the first place.

Now, this might simply come down to a basic patent licensing dispute (which might be resolved either by granting special permission by the patent holder to another research group, or by re-using some of the original equipment, or by working around the experiment design entirely), but it’s certainly an illustration of how patents can stand in the way of even basic science questions asking “is this true?”

A Day at FSCONS

Saturday, November 14th, 2009

FSCONS day one is nearly done. The FSFE track in the morning was fairly well attended. Both technical topics (like the Fellowship GPG smartcard) and legal. I’ve attended a few other talks, talked to lots of people about licensing issues, eaten scrumptious cookies (the catering is both vegetarian and excellent), and now I’m ready for a nap. After that, I have a few new software licenses to read and think about, because I’ve been asked to comment on several from a Free Software perspective. Not that I’m authoritative on that topic, but I can do the rough work.

North by North-West

Thursday, November 12th, 2009

Right. Got that heading? Now turn 90 degrees to your right, because Gothenburg is that way. It’s time for FSCONS, the Free Society Conference and Nordic Summit, so off we go. I’ll be talking about licensing, best practices in governance and trying to learn about Swedish copyright law for a few days. Looking forward to it, including taking advantage of Henrik.

Bitlbee FTW!

Tuesday, November 10th, 2009

I’m old-school. No, really. Even in this day and age of graphical desktops (and, hey, I could hot-desk X11 sessions at home with my smartcard if I really wanted to) I keep an ssh tunnel open to a friendly server, with GNU screen and irssi in there. And that’s my Instant Messaging setup. Kopete is nice (er .. usually, although I haven’t managed to get it to do anything useful in Solaris yet), but misses the always-on functionality of screen.

But irssi is an IRC client, and the FSFE uses Jabber for much of its communication. There’s #fsfeurope on Freenode, but other than that .. the Fellowship page on communications channels is a good resource. I briefly mucked about with irssi-xmpp plugin on FreeBSD, but couldn’t get any useful functionality out of it. It also seemed quite complicated to set up right.

Enter BitlBee, which bridges some other IM clients to IRC, by acting as an IRC server locally. This is one of the rare times that I’ve rushed up to one of the developers of an application and gushed “I love your app! It improves my life!” Well, I’ve met Jelmer enough times at various conferences, I think I can take liberties like that 🙂 The FreeBSD port installs flawlessly, has a few issues when running in jails and segfaults on OTR requests, but those are technicalities: the functionality and the level of guidance given by BitlBee (the in-channel help is excellent) makes it dead simple to set up and use. And as a consequence, I now have 4 IRC channels (#ebn and #kde4-solaris among them) and 3 Jabber groupchats open (including the Fellowship channel), in screen, on my server, where I can enjoy years of uptime and uninterrupted conversation.

Thanks Jelmer, Maurits and Wilmer.

Encouraging Sharing

Sunday, November 8th, 2009

Whenever I say “it’s immoral to prevent people from sharing knowledge” it brings a smile to the lips of whomever I’m talking to. That’s nice, it’s a good emotional line — also one that needs a little nuance in order to work. But once you’ve got a smile, the rest of the conversation is easier.

In academia and education, dissemination and sharing of knowledge is what it’s all about — there the prevention of knowledge sharing really is at odds with hundreds of years of academic tradition, and the “immoral” argument gains strength. It’s always seemed odd to me how closed academic publication is (although to be honest the actual published papers by me are insignificant). One of the projects I’ve done is CodeYard, which tried to get Dutch students to build Free Software as part of the curriculum at high-school — in the open, as a way of sharing and demonstrating knowledge.

For educational materials as such for the Dutch computer science (informatica) classes in high school, there was the “Turing” method, which I thought had moved into an open contribution model — but I can’t find any indications of that quickly. One of the best sources for HS-CS information in the Netherlands is InformaticaVO, which also encourages sharing of information between teachers. I’m also happy to see Poland adding incentives for sharing to the creation of educational materials. Once learning materials are created (by teachers, on the public dime) there’s no economic reason to stop dissemination, and indeed a moral obligation (smile!) to share widely.

At an academic level, we have Open Access; there was even an Open Access Week (in Dutch) three weeks ago. I must say it passed largely unnoticed by me, but I might have been traveling. The University of Nijmegen had an event related to that week too, with a press release. There’s some push towards a semi-open-access repository called the “Radboud Repository”, but ironically it has CS papers only up to 2008 and every one I looked at there was closed, in the sense of no actual content, no link to the paper, no reference to where the content could be obtained; one paper was published in an NLUUG bundle, so I know that that one isn’t strongly protected by the publisher, and the one article that I spotted that is published by the university (R08007, on Size Analysis of ADTs) has no content link but does have a “related link” attached that doesn’t work.

By a roundabout way, suffice to say that the Radboud University might want to support Open Access, but it still has a lot of work to do on the “making it work” side of things. But sharing is, on the whole, doing well. I wonder if anyone has baked the peanut-butter cookies for which I shared a recipe during my Latinoware talk?

Now all the Trolls will want one

Saturday, November 7th, 2009

Oh goodness, it’s only taken until the first beta of Qt 4.6 (spoiler: it’s really Thiago!) for commercial jewelry to catch on to the fact. Especially because it’s next generation.

Private Silos

Friday, November 6th, 2009

Attached to LinuxWorld is the InfoSecurity trade show (or the other way around, since LW is about a fifth of the size of IS). It’s a nice opportunity to find out about networking, crypto, and other things going on in that part of the world. Security isn’t exactly my thing, although when I was running CodeYard I was located across the hall from the security research group at the University of Nijmegen — and of course I’m never without my Fellowship of FSFE GPG-card.

At the NLUUG conference last week I heard of the Yubikey — unfortunately I missed the actual talk by Henk, so I’m still a little confused as to what you can actually achieve with such a device that acts as a USB keyboard and spits out 16 fixed characters followed by 32 random ones. One-time passwords, sure, but I’m just not creative enough to come up with what to do then.

The FSFE is an enthusiastic user of GPG encryption and digital certificates (from CAcert) because we feel that Freedom and Privacy (through the use of strong encryption) go hand in hand. So I was happy to meet some folks from a company called Legid who are pushing certificates (S/MIME and otherwise) as means for digital signing, and have a hardware-software combination that uses a smartcard with a neat wifi-and-usb (?) enabled terminal to handle them. The terminal also apparently supports something that looks like OpenID, sending authentication requests and authorization requests (e.g. when trying to pass a doorway) to different parties for permission. The long term goal is to have everyone with a smartcard and a collection of personal (i.e. bound to your real identity) certificates for legally sound document signing; naturally you’ll want more certificates to handle the different online identities you have.

Going from there to the “but email clients are too difficult” end of the spectrum, I chatted with a company that does secure document silos — to which I largely responded “why on earth would I want a new, locked-down, non-interoperable web-based silo for document exchange?” This might signal a difference in workflows — I have different client apps for different activities (but because it’s KDE4 they integrate really well) and don’t see much value in having to go to a website to retrieve a document when encrypted attachments (S/MIME or otherwise) have been part of email for tupping ages. The company (DigiNotar) claims that that’s too complicated, and I suppose for people who have a web-browser based workflow anyway, that kind of makes sense. Especially if the silo combines document management with security — the idea behind the silo is partly that you can keep better logs of document access and document reading. Again, a move towards being able to say “I know you read the document, because you were logged in (with your client certificate) and downloaded the encrypted version offered by the portal and then sent back a signature on the document.”

For such a silo my concerns quickly turn to interoperability; I have a bank that communicates with me through such a closed secure silo — or rather, it doesn’t communicate with me because their silo doesn’t work with my choices of browsers (and the one they do support doesn’t run on my hardware).

All in all, good to see work on privacy going on; in so far as it’s possible to get a good idea of what’s going on from a chat at a trade fair.

Unfit for a particular purpose

Monday, November 2nd, 2009

THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.

That’s a really popular line in Free Software licenses (I copied this one out of the FreeBSD license, which is a 2-clause, permissive, non-copyleft Free Software license, but something similar can be found elsewhere, e.g. in the GPLv3). It can be the thing to hide behind in a cop-out (as in “well, it works for me, don’t bother me with bug reports”) and it can be a powerful tool to avoid liability when bugs show up that a small group of developers didn’t foresee or missed in testing — liability that might bear no relation whatsoever to the rest of the economics of the situation. It is therefore vaguely amusing to see a local council suing over software unfit for a purpose — found on the Register. Since it’s very light on details, I’ll just put up a late night comment that it’s important to pick someone negotiating a software purchase contract who is fit for that purpose; that might ease some of the pain there.