16 December 2011

Semester in review

You have successfully logged in. Please do NOT close this page, or you will lose access. Open a new tab or window to connect to Internet sites. Please notice that you will only have LIMITED network access until you upgrade your system.
I've been pretty quiet online these past few months. My first term at George Mason has been a blast; but I've been super busy.

In that time I've joined Student Government as the Undersecretary for Information Technology, where I've worked on improving our campus residential and wireless network along with the really awesome people at ITU TSD.

I became a UTA for the Computer Science I class at my university, and helped organise several late-night extended tutoring sessions in the days before project deadlines.

I also took over part of the maintenance responsibilities for the Computer Science department's faculty supercomputing cluster, and began work on developing a cluster for student use.

During this winter break it looks like I'll  be in Cambridge for a couple weeks during IAP. Among other things, I'm running an event with SIPB.

Next semester, I'll be participating in the Undergraduate Research Scholars Program extending my work on mobile device approval-based authentication with Dr. Robert Simon. Here's to the future!

14 December 2011

Making Message-ID useful in Thunderbird

In Thunderbird, if you read a message on a mailing list and want to reference a post in a blog or elsewhere, you may often want to access a copy of the mailing list posting on the web. While you can often accomplish this by searching for the subject or manually finding it in the specific archives of that list, if you're using full mail headers, there's a built-in way to find a message on the web.

Each email or Usenet message has a unique Message-ID. These are indexed at various providers which archive mailing lists, with Gmane being the most notable in the Free Software community.

If you right-click on the Message-ID of a message in Thunderbird, you can choose to "Open Browser with Message-ID". By default this menu item opens sensible-browser with a Google Groups page, which, while indexing of Usenet, remains  ignorant about most mailing lists. Most people reading this will probably find that Gmane carries their favourite mailing lists, while Google does not.

This is configurable, but sadly you have to choose one or another. In Thunderbird, go to Edit → Preferences → Advanced → Config Editor, and set the "mailnews.messageid_browser.url" property to http://mid.gmane.org/%mid. (default of http://groups.google.com/groups?selm=%mid&rnum=1)

28 June 2011

Last night in Arlington

(photo credit Arlington County)

This is my last night in Arlington for two months. I'm leaving for a brief vacation, and next week I'm off to Cambridge for my summer job with Ksplice, Inc.

After that, I'll be here for 3 days packing for college, and then I'll be off again.

Its been a fun 12 years. To all the friends I've made here, stay in touch.

02 May 2011

"Your release sucks."

I look forward to Ubuntu's semiannual release day, because it's the completion of 6ish months of work by Ubuntu (and by extension Debian) developers.

I also loathe it, because every single time we get people saying "This Ubuntu release is the worst release ever!".

Ubuntu releases are always rocky around release time, because the first time Ubuntu gets widespread testing is on or after release day.

We ship software to 12 Million Ubuntu Users with only 150 MOTUs who work directly on the platform. That's a little less than 1 developer with upload rights to the archive for every 60,000 users. ((This number, like all other usage data, is dated, and probably wasn't even accurate when it was first calculated)) Compared to Debian, which (at last estimate in 2010) had 1.5 million uniques on security.debian.org, yet has around 1000 Debian Developers.

Debian has a strong testing culture; someone once estimated that around ¾ of Debian users are running unstable or testing. In Ubuntu, we don't have good metrics on how many people are using the development release that I'm aware of (pointers welcome), but I'd guess that it's a very very small percentage. A common thread in bug reports, if we get a response at all, goes on as follows:
Triager: ((Developer, bugcontrol member, etc. Somebody who is not experiencing the problem but wants to help.)) "Is this a problem in $devel?"
User: "I'll let you know when it hits final"
Triager: "It's too late then. Then we'll want you to test in the next release. We have to fix it BEFORE its final"
User: "Ok, I'll test at beta."
Triager: "That's 2 weeks before release, which will be too late. Please test ASAP if you want us to have time to fix it"

Of course, there are really important bugs with hardware support which keep on cropping up. But if they're just getting reported on or around release day, there are limits to what can be done about them this cycle.

We need to make it easier for people to run early development versions, and encourage more people to use them (as long as they're willing to deal with breakage). I'm not sure whether unstable/testing is appropriate for Ubuntu, and I'm fairly confident that we don't want to move to a rolling release (currently being discussed in Debian, summary). But we badly need more developers, and equally importantly, more testers to try it out earlier in the release process.

To users: please, please try out the development versions. Download a LiveCD and run a smoketest, or check if bugs you reported are in fact fixed in the later versions. And do it early and often.

27 March 2011

Comodo "SSL certificate" incident and what it means for you

For those of you who missed all the news coverage, here's a quick (and hopefully straightforward) explanation of the issue.

What is this?

Executive summary: The way secure communications is handled on the internet is broken, and a recent attack higlighted that. People running the latest version of their browsers are protected.

Whenever you visit a web site, your're either accessing that site through HTTP, the Hypertext Transfer Protocol, or via HTTP inside TLS (Transport Layer Security), aka HTTPS.

With HTTP, anything you do can be watched, recorded, etc by any entity between you and the site you are trying to visit. These entities include your ISP, various internet providers your ISP has peering agreements with, or anybody who is on the same Wifi (or sometimes wired) connection as you.

HTTPS encrypts your traffic to prevent such "man in the middle" attacks. Because the entire connection is private, it can be harder for organizations to filter out specific HTTPS sites.

My personal website is available via HTTPS, and your browser accepts that it is connecting to me and not an impostor because GeoTrust / RapidSSL checked the domain records to find my contact information, and called me up to make sure I am who I say I am.

To ensure that when you connect to a site, you are actually connecting to that site and not a malicious attacker, your web browser relies on Certificate Authorities, which vouch for a site's identity. Any CA can vouch for any domain, and there are almost 50 such entities which Mozilla Firefox fully trusts. Microsoft trusts hundreds, including a variety of governments ranging from France to South Korea to  Hong Kong.

What happened?

Recently one of these CAs, Comodo, was compromised, insofar as somebody was able to get a signed certificate for a domain they did not own. From what I understand, the attacker gained control of a reseller account at Comodo, and there were inadequate checks to prevent the now compromised account from issuing fraudulent certificates.

In this case, they were able to obtain certificates for the log in pages of Google, Yahoo, Windows Live, and Skype, as well as the Mozilla Addons site. Full details are in their incident report. Based on their initial analysis, the attack appears to be sourced from within Iran, and Comodo has concluded that the breach was orchestrated by the state.

Since Comodo's certificates are trusted by all major browsers, these sites can be impersonated by others, even though none of the targeted sites used Comodo.

Why should I care?

The Iranian government or another organization controlling those certificates can intercept usernames and passwords, and access private information. This is of primary concern to Iranian dissidents, but could be used by the government there to target anybody they don't like, given the right circumstances.

What can I do about it?

Well, this breach has shown that the process for revoking a certificate is horribly broken, since most browsers do not check to see if a certificate is still valid. Fortunately, the major browser vendors (Mozilla, Google, and Microsoft) have all issued updates, so if you are running the most updated version of your browser (which you should be doing anyway!) then you are protected against this specific attack. ((Well, Apple hasn't as of this writing, but you can work around it via this  method))

However, the incident shines light on the wider issue of the way our internet trust model works: allowing hundreds of unrelated organizations to vouch authoritatively that somebody else is who they say they are. This is a hard problem in information security to solve, and most of the proposed alternatives (cough DNSSEC) also suffer from having a trusted issuer. It will be interesting to see if any decentralized alternatives to CAs gain traction because of the Comodo affair.

01 March 2011

Trip to SCOTUS, Camreta v. Greene (09-1454) or: "Justices just want tohave fun"

I usually write about technical topics in this space, so pardon my digression. </metablogging>

Today my AP Gov't class took a trip to the Supreme Court of the United States (SCOTUS). We were fortunate to get reserved seating thanks to one of my classmates, so we skipped the line and were able to sit for an entire argument. We didn't get to choose which of the two arguments we saw, since half our group was randomly sent to each. I didn't get the one I had hoped for. Camreta v. Greene (the one I attended), however, proved to be much more entertaining than Schindler Elevator v. US ex rel. Kirk, at least based on the people I talked to. A quick search of the transcripts for each confirms this:
Argument    # of instances of "(Laughter)"

Facts of the case

The Huffington Post has a detailed overview of the circumstances surrounding the case, which didn't gloss over any details or strike me as overly biased; they certainly did a better job than I did. The whole story is rather sad, but what came before the court was this: whether a child can be questioned by the police, Child Protective Services, or other governmental agencies without parental consent, probable cause, or "extingent circumstances". If so, on what grounds can such questioning occur?

04 January 2011

Google Cr-48 first impressions

On a lark, I signed up for the pilot program of the Google Cr-48 about a week ago. To my surprise, I found the distinctive box on my doorstep a week later. After initially mistaking it for an overpacked, late-model OLPC XO-1 I would have to repair,  I sort of did a double-take as I realized what I had received.

Using Chrome OS

Wow, they weren't kidding about the boot time. Chrome OS responds (to suspend / resume and boot / power-off) very quickly.  Responsiveness elsewhere in the OS of course varies on system load and other factors. On the "terms" page, there is a "system security setting" which tells me I have a Trusted Platform Module, and that my TPM has a randomly generated password. The dialog could use some rewording; I'm pretty familiar with the idea of a TPM, but I'm still not sure what I'm to do with that information.

Cloud print is really a problem for me, right now. I use school printers for the majority of my work, which I was previously able to use by adding them by IP address. Unless there's some magic I'm missing here, I can't do that with Chrome OS, and such a feature will not be supported. (except by "connectors" on Windows and Mac computers)

General thoughts

I can't imagine using a system running Chrome OS as a primary computer. The biggest missing feature is PGP (or any sort of encryption) support for email. This is probably not terribly difficult to implement as an extension, but the idea of my cryptographic software being automatically updated is rather unsettling. I think I'll have to agree with Paul Buchheit that ChromeOS will have to merge with Android; there is a utility for local apps, even if they're becoming less and less critical.