Happy Birthday, April!

Yesterday, the Vienna Fellowship group had its monthly meeting at the Metalab. One of the agenda points was this week’s 18th birthday of France’s leading Free Software association, April. Although FSFE as a whole had already congratulated them, we wanted to send April our personal congratulations. This is why we created something analogue with a personal touch (and with our own hands :-)).

Congratulations for April from Vienna

Happy Birthday!


I really hope we got it right, but those of us who once learned French haven’t spoken it for some time. So in case it can’t be understood, it is supposed to mean “Happy Birthday from Vienna, dear April!”.

A new phase of life

Today was the beginning of a new stage in my life. After two and a half years as a part-time software tester, I started working full-time as an Operations Engineer at Sipwise, a small Austrian company doing 100% Free Software (or Open Source, as they call it; see [1] for a summary of the terminology of Software Freedom). Although I’m actually studying chemistry, I have been dreaming about earning my money with Free Software for years. So this new job is nothing less than a dream come true.
Unfortunately, working full-time leaves less free time for my family and also for my voluntary work at FSFE, but I will try my best to keep both of these up as well. :-) In addition, I will try to report about my work at Sipwise from time to time on my blog. In the meantime, if you’re interested in cutting-edge Free Software in the VoIP field and cool things like watching TV over WebRTC [2], you might want to check out the Sipwise blog [3].

[1] http://fsfe.org/freesoftware/basics/comparison.html
[2] http://www.sipwise.com/news/technical/tv-over-webrt/
[3] http://www.sipwise.com/category/news/

What the Heartbleed bug revealed to me

Today, I had a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL’s reputation because it reveals that they value money much higher than security. Security, however, should be a CA’s primary concern. So, what happened?

It all started when I checked which of the certificates that were issued to me by StartSSL were potentially compromised by the OpenSSL Heartbleed bug. Fortunately, there were only a few of them and those that were possibly affected were all private ones (i.e. no FSFE certificates were affected). Since Hanno Böck stated in an article [1] that he was able to revoke a StartSSL Class 2 certificate for free and a friend of mine confirmed this [2], I immediately went ahead and sent revocation requests for the affected certificates. The first thing I realised was that the StartSSL website was under heavy load, which was not surprising given the severity of the Heartbleed bug and the number of certificates that StartSSL has probably issued. Nonetheless, I managed to send the revocation requests and received confirmation e-mails about them. Of course I stated the CVE number of the Heartbleed bug as the reason for the revocation. Not much later, I was informed that one of the revocation requests had succeeded and I was able to create a new certificate. So far, so good. The trouble started when I – after not having heard back from StartSSL about the other revocation requests for more than a day – contacted StartSSL to ask why those requests had not succeeded. I was advised to check the e-mail address behind the account I had formerly used for paying my fees to StartSSL. I followed the advice, and there they were: three requests for USD 24.90 each with the note “revocation fee”. Quite a surprise for me after what I had read and heard. So I asked back why I had to pay and others didn’t have to. Eddy Nigg’s answer came promptly:

First revocation is not charged in the Class 2 level – successive
revocations carry the fee as usual.

It’s obviously an unfortunate situation, but the revocation fee is
clearly part of the business model otherwise we couldn’t provide the
certificates as freely as we did and would have to charge for every
certificate a fee as all other issuers do.

This was rather shocking for me. This statement clearly reveals that StartSSL only cares about money, not security. A responsible CA would try to revoke as many compromised certificates as possible. It definitely doesn’t help a CA’s reputation if they do not support their customers in a situation where the customer did not make a mistake and was affected by something I’d call “higher power”. The problem I see is the following: there are most probably many people like me who also care about security in their private life, but also want everything to be convenient. Unfortunately, CAcert has not managed to become part of the major browsers so far [3] and thus StartSSL is pretty much the only way to get cheap certificates for things like a private blog if you are not particularly rich – which is true both for me and for FSFE, for whose certificates I am responsible too. So my gut feeling is that many people who also saw StartSSL as their logical choice will think like me and rather not pay an amount of money that is higher than the fee you have to pay to become Class 2 validated just to revoke a certificate. They will rather stop using the compromised certificate and simply create a new one with a different CN field (which doesn’t cost them extra). The logical result is that there will be loads of possibly compromised certificates out there that are not on StartSSL’s certificate revocation list. Would *you* trust a CA that doesn’t care about such an issue? Well, I don’t.

So what should I make of all this? First of all, it seems that all the people who distrust commercial CAs have a good point. Second, CAcert becomes more important than ever. I have been a CAcert assurer for years, but made the mistake of going the convenient way for my private blog and such. Knowing quite a few things about CAcert, I can assure you that they *do* care about security. They care about it quite a bit. I will definitely have to increase my participation in this organisation – the problem is that my involvement in FSFE, my job and my family do not leave me with a particularly big amount of spare time. Maybe those of you who read this will also jump on the train for a Free (as in Freedom and free beer) and secure CA. But even with CAcert in the major browsers, the whole CA system should actually be questioned. For the whole certificate chain, they will always be a single point of failure, no matter if they are called CAcert, StartSSL, VeriSign or you name it. Maybe it’s time for something new to replace or complement what we have now. For example, I have been pointed to TACK [4] by Hanno, which really sounds interesting.

Ah, and of course the rumors that StartSSL is part of Mozilla’s products solely because they paid for it sound much more reasonable to me than a week ago.

For now, I will stop using StartSSL certificates and will recommend the same to FSFE. I will also remove StartSSL from the trust store in my browser. It seems that others agree with me [5-6]. And of course, I will stop recommending StartSSL immediately.

[1] http://www.golem.de/news/openssl-wichtige-fragen-und-antworten-zu-heartbleed-1404-105740.html
[2] StartSSL usually charges USD 24.90 for certificate revocations, which is understandable because it normally only becomes necessary when the certificate owner makes a mistake and StartSSL certificates are really cheap.
[3] Even the opposite: Debian dropped them from their ca-certificates package, a choice I am still not sure what to think about.
[4] http://tack.io/
[5] https://www.mirbsd.org/permalinks/wlog-10_e20140409-tg.htm#e20140409-tg_wlog-10
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=994033
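One practical check that belongs next to the revocation story above: after a key-compromise event like Heartbleed, revoking a certificate and requesting a new one only helps if the replacement actually carries a new key pair. A reissued certificate that still contains the old public key is as exposed as the one it replaced. The following script is an added example (not from the original post, and not StartSSL’s or CAcert’s tooling) that compares the SubjectPublicKeyInfo fingerprints of an old and a new certificate. It assumes the openssl command-line tool is installed; the certificates are self-signed throw-aways constructed locally in a temporary directory (real ones would be CA-issued), and the CN blog.example is made up.

```shell
#!/bin/sh
# Added example: verify that a replacement certificate really carries a NEW
# key after a revocation. All certificates are constructed locally for the
# demonstration; the CN "blog.example" is a placeholder.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed certificate with a freshly generated key.
# $1 = key file to write, $2 = certificate file to write, $3 = CN
new_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# Self-signed certificate that REUSES an existing key (the mistake to avoid).
# $1 = existing key file, $2 = certificate file to write, $3 = CN
reissue_same_key() {
    openssl req -x509 -new -key "$1" -sha256 -days 30 \
        -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate ($1).
# This value changes only when the key pair changes, not when the certificate
# is merely re-signed, so it is the right thing to compare.
spki_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Exit status 0 if both certificates ($1, $2) contain the same public key.
same_key() {
    [ "$(spki_fingerprint "$1")" = "$(spki_fingerprint "$2")" ]
}

# Report whether the replacement ($2) for an old certificate ($1) is useful.
# Exit status 1 when the key was reused.
check_replacement() {
    if same_key "$1" "$2"; then
        echo "KEY REUSED: $2 still carries the key of $1; revoking $1 bought nothing"
        return 1
    fi
    echo "OK: $2 has a new key (SPKI $(spki_fingerprint "$2"))"
}

# Constructed scenario: one old certificate, one wrong and one right replacement.
new_selfsigned   "$WORK/old.key" "$WORK/old.pem"  "blog.example"
reissue_same_key "$WORK/old.key" "$WORK/bad.pem"  "blog.example"   # same key, new cert
new_selfsigned   "$WORK/new.key" "$WORK/good.pem" "blog.example"   # new key, new cert

check_replacement "$WORK/old.pem" "$WORK/bad.pem" || true   # prints KEY REUSED
check_replacement "$WORK/old.pem" "$WORK/good.pem"          # prints OK
```

Run it with any POSIX shell; to audit real certificates, call check_replacement with the PEM files of the certificate you revoked and the one you deployed afterwards. The fingerprint is taken over the public key rather than the whole certificate on purpose: serial number, validity and signature all change on reissue, so comparing those would report "different" even when the compromised key was kept.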

“Tracking for Freedom”: Longest trip so far

Today, I went for my longest trip so far this season, which was about 75 km. Once more, I was with a group of people from TriTeam Chaos. The track itself was already well-known to me, so there’s nothing interesting to report, except maybe for the fact that my bike computer is now working again and it even shows my cadence.
Once more, I’m asking you to think about supporting my little fundraising project. I’d also be very happy if you asked anybody you know who might support this. Some companies also have so-called matching gift programs that double their employees’ donations to charities :-)

The usual numbers:

Total distance 75.2 km
Average speed 26.0 km/h
Maximum speed 51.8 km/h
Total climb 307 m
Average heart rate 152 bpm
Maximum heart rate 202 bpm
Average cadence 61 rpm
Time active 02:53:19
Time resting 00:16:57
Energy consumed 1604 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded during this trip can be found here.

Read more about the “Tracking for Freedom” project here. All blog posts about the project are tagged Tracking for Freedom.

“Tracking for Freedom”: Systems integration test, partly failed

Yesterday, I did my first ride after installing my new €5 cadence sensor and connecting it to my bike computer. I wanted to go for a short trip and when I left home, I assumed that I’d be alone. I was wrong. After about one kilometre, I met one of the triathletes from TriTeam Chaos, who told me that he’d meet two other guys for a training trip. I went with them as far as Greifenstein, but then I returned because joining people whose stamina is about 100% higher than your own is rather exhausting :-)
In general, the trip was pleasant because I returned before it started to rain. The only negative thing was that this trip was meant to show that the cadence sensor and the bike computer work together. They did so for the first four kilometres, but then all of a sudden, the bike computer failed to display the speed (the cadence was still shown). Today, I disassembled everything and found the reason: the cable connecting the bike computer to the speed sensor was torn. Since I couldn’t find a replacement part, I tried to fix it myself. Those who know me a bit better know I’m not a very handy person, but nonetheless, I managed to reconnect the cable! The funny thing is that I explicitly bought a wired bike computer because I feared that the sensor’s battery could fail at any time without warning. Now I know that something similar can also happen with a wired sensor :-(
Because of this hardware problem, the data below comes from my Forerunner 405 (which I’m about to replace with a Forerunner 910XT with a wireless cadence sensor!).

The usual numbers:

Total distance 48.4 km
Average speed 26.5 km/h
Maximum speed 43.9 km/h
Total climb 237 m (I doubt this, I think it was less)
Average heart rate 165 bpm
Maximum heart rate 202 bpm
Time active 01:49:27
Time resting 00:23:33
Energy consumed 1939 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my eTrex can be found here.

Read more about the “Tracking for Freedom” project here. All blog posts about the project are tagged Tracking for Freedom.

“Tracking for Freedom”: Climbing the hills from the other side

Yesterday, I went for another trip. My original plan was to go along a similar route as on my last trip with TriTeam Chaos, but from the other direction and with a slightly shorter distance of about 53 km. Instead of climbing Exelbergstraße in the 17th district, I went for a route via Sievering, which is part of the 19th district. Once more, the climb (see the elevation profile below) was extremely exhausting and I almost gave up. However, when I reached the highest point of my planned route, I decided to change the route a little bit so I would actually go back a longer way. In the end, I even went around the block once more to reach exactly 60 km. I was extremely tired by then, and I’m not sure if I can make another trip that long in the near future. If you want to help raise my motivation and support my health and Free Software all at once, please donate to FSFE using “Tracking for Freedom” as the payment reference. If you are new to the whole project of “T4F”, read more about it here.

Elevation profile

The trip's elevation profile

Note: At the very left, the altitude is definitely wrong. It seems the barometer delivered incorrect data during the first 15 minutes or so. This might also influence the total climb measured.


The usual numbers:

Total distance 60.0 km
Average speed 24.5 km/h
Maximum speed 66.5 km/h
Total climb 535 m
Average heart rate 157 bpm
Maximum heart rate 192 bpm
Time active 02:32:00
Time resting 00:05:27
Energy consumed 2477 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my eTrex can be found here.

“Tracking for Freedom”: Close to the fine line

Most of you probably know that there is a fine line between genius and insanity. I think there’s probably no place that reflects this fact better than the small village of Maria Gugging, right outside of Vienna. Today, I did a very light climbing training and passed this town, which used to be the home of a mental hospital; today, the Institute of Science and Technology, an institute of basic research (sometimes referred to as an “elite university” by the Austrians) that tries to hire the best scientists from all over the world, is located at the very same place. Unfortunately, my eTrex ran out of battery almost exactly at the point of maximum altitude of this tour. This is why the GPX file of this trip was recorded with my Forerunner. Before I started, I added another centimetre of height to my saddle’s position, following Alex Kolar‘s advice. I didn’t feel much difference, but since he’s the expert, it was probably a good decision. Maybe I’ll have to do more adjustments in the future. When I went out on the street with my bike, the first thing I noticed was a pretty heavy wind. Also, the sky was rather cloudy and everything felt like an upcoming shower. At first I wasn’t sure if I should start at all, but then, what’s the price of freedom? So I went for the trip nonetheless, and I actually enjoyed it very much because the temperature was quite comfortable and even when the wind became extremely strong from time to time, it was not as bad as I had feared. I returned home rather late and I was quite thankful for my decision to fit basic lights to my bike.

The usual numbers:

Total distance 49.0 km
Average speed 25.8 km/h
Maximum speed 54.4 km/h
Total climb n/a (eTrex failed)
Average heart rate 163 bpm
Maximum heart rate 191 bpm
Time active 01:53:55
Time resting 00:11:05
Energy consumed 1940 kcal

Note: The amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my Forerunner can be found here.

p.s. If you don’t have an offline GPX viewer, you can view the file here. Caution: The tool used on this site is not 100% free because using it on commercial sites requires the author’s permission (see here (German) for the legal details). Unfortunately, it also defaults to use Google Maps, but you can switch to OSM, which I recommend.

“Tracking for Freedom”: Survived the hills

Today, I finally managed to go for another trip for the “Tracking for Freedom” project. I was once again with the guys from TriTeam Chaos, but this time we were even eight people. The beginning of the trip was very nice; I even had the energy to chat with some of the other participants. Later, we went up to the hills of the Wienerwald and I painfully realised that I am not (or at least not yet) a climber. I was definitely the slowest member of the group and others even had time to go up the hills twice while I was still struggling. I’m proud that I never had to stop and push my bike. I have attached the elevation profile of the trip to this post.

Elevation profile

The trip's elevation profile


The usual numbers:

Total distance 61.0 km
Average speed 22.7 km/h
Maximum speed 54.8 km/h
Total climb 539 m
Average heart rate 155 bpm
Maximum heart rate 197 bpm
Time active 02:41:30
Time resting 00:33:29
Energy consumed 2451 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my eTrex can be found here.

“Tracking for Freedom”: Cycling with the pros

Today, I did another trip for the “Tracking for Freedom” project and for the first time, I was not alone. Three triathletes from TriTeam Chaos allowed me to join them on their bicycle tour. They taught me slipstreaming and I owe them a big thank you for taking me with them. I think I have never had a higher average speed on one of my tours. The track was already familiar to me, but I had never followed it that far in the past. Of course I’m not in the shape to go for a whole tour with professional triathletes, so I had to return earlier than the others.

The usual numbers:

Total distance 67.7 km
Average speed 27.7 km/h
Maximum speed 40.8 km/h
Total climb 213 m
Average heart rate 167 bpm
Maximum heart rate 194 bpm
Time active 02:20:12
Time resting 00:26:34
Energy consumed 2532 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my eTrex can be found here.

“Tracking for Freedom”: Not the best route chosen

Today, I finally managed to do my second cycling trip for the “Tracking for Freedom” project. While I originally wanted to follow the Danube southbound and return the same way, I managed to take the wrong path at some point and so I improvised the remaining route. Instead of returning via the Donauinsel, I crossed the Danube at the Freudenau power plant and rode across Simmering and past the central cemetery. Afterwards, I chose the “Zweierlinie” from Karlsplatz to Vienna’s Landesgericht. This last part, however, proved to be a rather bad decision. There were lots of rather slow cyclists on the bike lane and so my average speed went down quite fast. Of course I could have chosen the car lane, but I’m not tired of life.

Some figures:

Total distance 46.6 km
Average speed 22.8 km/h
Maximum speed 40.4 km/h
Total climb 251 m
Average heart rate 153 bpm
Maximum heart rate 183 bpm
Time active 02:00:43
Time resting 00:18:52
Energy consumed 1985 kcal

Note: The climb was measured using a non-calibrated barometric altimeter; the amount of energy consumed was calculated from the measured heart rate and physiological parameters.

The GPX file recorded with my eTrex can be found here.