Information visualization is not an end in itself but a step towards improving our understanding of data. Following a short discussion on the train about the visualisation of open data, I did a small experiment analysing the statistics about waste collection in my region. The result of this experiment is available along with some random notes. But the main question came from someone else looking at the visualization, who basically told me: "I don't get it". He is right: the experiment is just there to trigger more analysis (and sometimes more visualization) with the objective of improving our understanding. Initially, the source data usually sits there unanalysed, waiting to be understood. Coming back to the waste collection data, the initial discussion about its understanding or interpretation wouldn't have been triggered if the first visualization step hadn't been done.
So in that scope, I tried a similar approach with a dataset I built from my cve-search tool. My idea was to look at the terms used in the descriptions of Common Vulnerabilities and Exposures (CVE) entries. I did a first CVE terms visualization experiment and then tweeted about it. This triggered various explanations, like why some terms predominate, as commented by Steve Christey.
It clearly showed that this is an iterative process, especially to better understand the data. It's also an interactive process to improve both the visualization and the data source. Following good advice from Joshua J. Drake, I added a lemmatizer to keep only the root of each term and also excluded the standard English stopwords. With the visualization, we saw from some occurrences (e.g. "unknown" or "unspecified") that many CVEs are based on incomplete information.
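The counting step can be sketched in a few lines of Python. This is a minimal, self-contained illustration, not the actual cve-search code: the toy `naive_stem` function and the tiny stopword set stand in for a real lemmatizer and stopword list (NLTK's, for instance), and the sample descriptions are made up.

```python
from collections import Counter

# Toy stand-in for a real lemmatizer: strip a few common suffixes.
def naive_stem(word):
    for suffix in ("ies", "s", "ing", "ed"):
        if word.endswith(suffix) and len(word) > len(suffix) + 2:
            return word[:-len(suffix)]
    return word

# A tiny stopword set; a real run would use a full English stopword list.
STOPWORDS = {"a", "an", "the", "in", "of", "to", "and", "via", "is"}

def term_frequencies(descriptions):
    counter = Counter()
    for text in descriptions:
        for token in text.lower().split():
            token = token.strip(".,()\"'")
            if token and token not in STOPWORDS:
                counter[naive_stem(token)] += 1
    return counter

descs = [
    "Unspecified vulnerability in the kernel allows remote attackers ...",
    "Unknown vulnerability allows attackers to execute arbitrary code.",
]
print(term_frequencies(descs).most_common(3))
```

Feeding the real CVE descriptions into something like this produces the term/frequency pairs that the visualization renders.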
I'm quite sure this is not finished and is just the beginning of more work and experiments in visualization. I have read various books about information visualization, but the results shown are often very static and you don't really see the iterative process the authors went through to reach their visualization goals. Sometimes you just see a result without the process and the tools used to make the visualization happen.
At least with free software like D3.js, we now have a set of tools to understand how a visualization was built and maybe improve or discuss it. So if you want to play with or improve the visualization of the terms used in software vulnerability descriptions, let me know.
"You want an open mind, but not an empty head. Just because something is a new or fashionable alternative, doesn't mean we need to get stupid when judging it." – Edward Tufte
An approximation is a representation of something that is not exact. To be extremely exact, vulnerability management is not even a mathematical approximation as we know it for the value of Pi. But where does this utterly huge approximation come from? The first origin is the very definition of "vulnerability management". If you look at various definitions, like the one from Wikipedia or from some information security standards, you get something like "it's a process of identifying → classifying → remediating → mitigating software vulnerabilities". Many information security vendors might tell you that this is an easy problem, but then you can ask yourself: if it is so easy, why are so many organizations still compromised through software vulnerabilities?
In my pragmatic eyes, it's very broad, so broad that a first reaction is to split the problem into parts that you can solve. So let's just look at the initial step: identifying software vulnerabilities.
To solve this problem, the first part is to discover, know and understand the software vulnerabilities. Everyone discovers vulnerabilities every day (just look at how many bug reports go into the Linux kernel bug tracker), and very often when you report a bug you don't even know whether it is a software vulnerability. The worst part is that an organization (or an individual) doesn't exactly know what software they are running. If someone tells you that their "software vulnerability management" product is able to detect all the software running on a system, it's a lie. If such software existed, you would have the perfect software able to solve the virus detection problem while solving Turing's halting problem. Just look at a simple software appliance and the set of software required to run it.
Discovering vulnerabilities might be easy, but it's difficult to be exhaustive. Even when a vulnerability is found, there is a market that limits its publication (like the zero-day vulnerability market). For any given software, there may be a large set of unknown vulnerabilities (I'm tempted to single out Java, but I think every software might fall into that category). Does this mean that you should give up? I don't think so. You must work on your vulnerability management, but don't blindly trust solutions that claim to solve the issue.
Finally, this is not a bashing post; it was an opportunity for me to talk about a side project I'm working on to ease collecting and classifying Common Vulnerabilities and Exposures (CVE). The project is called cve-search and it's not a complete vulnerability management solution, just a small tool that partially solves the identification and classification parts.
"When the time comes to leave, just walk away quietly and don't make any fuss." – Banksy
One more time, some lobbyists are trying to regulate the Internet with some of the stupidest laws or rules. SOPA (in the US) is yet another attempt to break down the freedom of citizens worldwide in order to preserve an archaic business model. As I have a preference for concrete actions leading to a direct social improvement, I'll explain how to make soap (it's better than SOPA and more useful; please note the clever inversion of the letters). My soap recipe is released under the public domain dedication (CC0).
Making soap is a chemical process that requires your brain to be fully operational, especially since you'll be using sodium hydroxide, which is a corrosive substance. So respect the proportions and the process, and read the whole procedure multiple times before starting. Wearing protective gloves and goggles is highly recommended. Avoid kitchen instruments made of aluminium, as it will be attacked by the sodium hydroxide.
Making soap is one of the first chemical processes discovered by humanity. The process is called saponification: a base is used to hydrolyze the triglycerides contained in fats (vegetable or animal). This process yields a fatty acid salt along with glycerol (the greasy touch of the soap). Each fat has a specific saponification value (usually called SAP in saponification tables), expressed as the amount of base (usually sodium hydroxide) required to saponify 1 gram of fat. The saponification value is reduced to keep the resulting soap a bit fatty (what is called the "excess fat"). I also find this convenient as a safety margin to ensure that the hydrolysis is complete and the whole amount of sodium hydroxide has been consumed.
So that's the basis if you want to make your own soap; there are other rules to consider, but for this recipe this is enough. In my case, I use olive oil as the fat. It is easy to find, and I have a preference for organic olive oil (to ensure that the oil producer takes care of the environment), but you can use non-organic olive oil too (it's usually cheaper).
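The arithmetic described above (SAP value, reduced by the excess-fat discount) can be written down as a tiny calculation. The figures here are illustrative assumptions, not the recipe itself: ~0.134 g of NaOH per gram of olive oil is a commonly quoted SAP value, and 5% is a typical excess-fat margin. Always double-check against a saponification table before actually making soap.

```python
# Assumed figures -- check a real saponification table before use.
SAP_NAOH_OLIVE = 0.134   # g of NaOH to saponify 1 g of olive oil
EXCESS_FAT = 0.05        # keep 5% of the fat unsaponified

def naoh_grams(fat_grams, sap=SAP_NAOH_OLIVE, excess_fat=EXCESS_FAT):
    """Grams of sodium hydroxide for a given mass of fat:
    base = fat * SAP * (1 - excess fat)."""
    return fat_grams * sap * (1.0 - excess_fat)

print(round(naoh_grams(1000), 1))  # NaOH for 1 kg of olive oil
```

The excess-fat discount does double duty: it keeps the soap slightly fatty and acts as the safety margin ensuring all the sodium hydroxide is consumed.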
I'm automatically fetching the certificate revocation lists (CRLs) of all known public CAs. As of today (17th December 2011), I compiled the reasons for certificate revocation. It's pretty interesting to see the revocation processes within CAs, and the CRL is usually the only public information we have. As the reason is a non-critical CRL entry extension (section 5.3.1 in RFC 3280 - RFC 5280), the situation is even worse, because the majority of certificate revocations come without any reason. In this blog entry, only certificate revocations with a reason entry set are considered.
So having a reason at all is already a good step towards a CA being transparent about its operations. But if we take a deeper look at the revocation reasons, you will see that they are not always enough to understand the context of the revocation, and especially what has really been revoked.
678039  Cessation Of Operation (code 5)
172888  Unspecified (code 0)
 89823  Certificate Hold (code 6)
 88788  Superseded (code 4)
 76445  Key Compromise (code 1)
 43482  Affiliation Changed (code 3)
  3910  Privilege Withdrawn (code 9)
   230  CA Compromise (code 2)
     1  AA Compromise (code 10)
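The numeric codes above come from the CRLReason enumeration in RFC 5280 (section 5.3.1); as a quick reference, the full mapping in Python:

```python
# CRLReason values from RFC 5280, section 5.3.1.
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}
# Note: value 7 is unused in the enumeration.
print(CRL_REASONS[5])  # cessationOfOperation
```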
The reason "Unspecified" should not be used as recommended in the RFC "however, the reason code CRL entry extension SHOULD be absent instead of using the unspecified (0) reasonCode value." but as you can see it's still largely used. That's probably the behaviour of a software largely used in PKI 1.
The reason "Certificate Hold" is still largely used but its use "is strongly deprecated for the Internet PKI." as mentioned in section 5.3.2 of RFC 5280.
On the security side, the reason "Key Compromise" is regularly used, showing the reality of compromised private keys. That reality is also visible in all the different malware (e.g. SpyEye or banker trojans) capturing private keys on infected machines.
Issuer: /C=DE/O=T-Systems International GmbH/OU=Trust Center Services/CN=TeleSec ServerPass CA 1
...
Serial Number: 43ADFDBE62CB0820
Revocation Date: Dec 14 13:00:51 2011 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: 10
What can we say about that one? That the certificate with the serial number 43ADFDBE62CB0820 was recently revoked with the reason code 10 (aACompromise). I couldn't find a clear definition of that reason in the standard. If you have any ideas, let me know.
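Entries like the one above can be pulled out of a textual CRL dump with a small parser. A sketch, assuming the field labels match the dumps shown in this post (the regular expression and the sample string are for illustration only):

```python
import re

# Matches "Serial Number: <hex> ... Revocation Date: <date> GMT"
# as they appear in the flattened CRL text dumps.
ENTRY_RE = re.compile(
    r"Serial Number:\s*(?P<serial>[0-9A-F]+)\s*"
    r"Revocation Date:\s*(?P<date>\w+\s+\d+\s+[\d:]+\s+\d{4}\s+GMT)"
)

def parse_entries(text):
    """Return a list of {'serial': ..., 'date': ...} dicts."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

sample = ("Serial Number: 43ADFDBE62CB0820 "
          "Revocation Date: Dec 14 13:00:51 2011 GMT")
print(parse_entries(sample))
```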
With the recent incidents at different CAs (from Comodo to DigiNotar), everyone should be interested in reason code 2, used when a CA is compromised. In those cases, it's usually intermediate CAs, as the standard is not very clear about the revocation process for self-signed/root CAs. But that's again a matter of interpretation of the processes…
Here is a list of the entries found in CRLs with the reason "CA Compromise" (you'll see some matching publicly disclosed incidents, but for some others, questions remain open):
Some might be duplicates, as the same CRL can be published at multiple URLs. In that scope, I generated a list of CRL URLs with an MD5 hash of their output, to detect the different CRL URLs providing the same revocation list: http://www.foo.be/crl/crl-synonyms.txt
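The de-duplication step amounts to hashing each CRL's raw bytes so that different URLs serving byte-identical lists collapse to one entry. A minimal sketch (the URLs and payloads below are hypothetical placeholders, and fetching is left out):

```python
import hashlib

def fingerprint(crl_bytes):
    """MD5 of the raw CRL bytes, used purely as a duplicate detector."""
    return hashlib.md5(crl_bytes).hexdigest()

def group_by_content(crls):
    """Map fingerprint -> list of URLs serving that exact CRL."""
    groups = {}
    for url, data in crls.items():
        groups.setdefault(fingerprint(data), []).append(url)
    return groups

# Two hypothetical URLs serving a byte-identical CRL, plus one distinct.
crls = {
    "http://ca.example/a.crl": b"crl-payload-1",
    "http://mirror.example/a.crl": b"crl-payload-1",
    "http://ca.example/b.crl": b"crl-payload-2",
}
for digest, urls in sorted(group_by_content(crls).items()):
    print(digest, urls)
```

MD5 is fine here because the hash only detects identical downloads; it is not used for any security decision.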
Issuer: /C=IT/O=Actalis S.p.A./OU=Certification Service Provider/CN=Actalis Server Authentication CA
...
Serial Number: 031DFC
Revocation Date: Feb 25 10:29:27 2011 GMT
CRL entry extensions:
    Invalidity Date: Feb 25 08:29:25 2011 GMT
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 0329A2
Revocation Date: Mar 30 12:29:32 2011 GMT
CRL entry extensions:
    Invalidity Date: Mar 30 11:29:31 2011 GMT
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=DE/O=T-Systems Enterprise Services GmbH/OU=Trust Center Deutsche Telekom/CN=NetPass CA 3
...
Serial Number: 42BD
Revocation Date: Apr 6 10:37:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 42BE
Revocation Date: Apr 6 10:52:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 4284
Revocation Date: Mar 19 21:52:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 42BF
Revocation Date: Apr 11 13:27:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 41B4
Revocation Date: Feb 19 12:18:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 4592
Revocation Date: Aug 26 11:13:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 4218
Revocation Date: Mar 4 10:37:00 2009 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=CH/O=WISeKey/OU=Copyright (c) 2006 WISeKey SA/OU=International/CN=WISeKey CertifyID Advanced Services CA 1
...
Serial Number: 24F1FD29000000000E9A
Revocation Date: Jan 19 13:35:08 2011 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Serial Number: 2996F242000000000E2B
Revocation Date: Dec 28 12:07:34 2010 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=BE/O=KBC Group/CN=KBC Group Server CA
...
Serial Number: 27
Revocation Date: Apr 25 11:35:55 2008 GMT
CRL entry extensions:
    Invalidity Date: Apr 24 23:35:00 2008 GMT
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Overheid CA
...
Serial Number: 013169B0
Revocation Date: Sep 28 09:58:26 2011 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=CL/ST=Region Metropolitana/L=Santiago/O=E-CERTCHILE/OU=Autoridad Certificadora/CN=E-CERT CA/emailAddress=sclientes@ccs.cl
...
Serial Number: 1A7E8043000100000009
Revocation Date: Sep 11 16:52:24 2008 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Issuer: /C=US/O=SAIC/OU=PKI/CN=SAIC Public Issuing CA 01
...
Serial Number: 4E9AC5F6000000000013
Revocation Date: Mar 30 22:42:59 2005 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
Issuer: /DC=com/DC=telstra/DC=dir/DC=core/CN=Telstra RSS Issuing CA1
...
Serial Number: 368D72CB000000000331
Revocation Date: Sep 5 02:12:49 2011 GMT
CRL entry extensions:
    X509v3 CRL Reason Code: CA Compromise
The ones from DigiNotar. As you can see, the extended attributes with the Invalidity Date seem to be incorrect for DigiNotar, as the breach was discovered to be much earlier. As explained in RFC 5280 (section 5.3.2), "The invalidity date is a non-critical CRL entry extension that provides the date on which it is known or suspected that the private key was compromised or that the certificate otherwise became invalid". I hope there isn't any malicious software signed with those revoked keys…
Issuer: /C=NL/O=DigiNotar/CN=DigiNotar Extended Validation CA/emailAddress=info@diginotar.nl ... Serial Number: 022E35B1ACD40F040C444DF32A7B8DE6 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 028CF7556F8BE27026800448FA6AA527 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 03124C25849D9E49BC2A2FAD3E10C8A4 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0370390E48A7F26AA62188A79E612DC3 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 03894A069EA682581E47A295BF0C2F0F Revocation Date: Nov 1 11:22:57 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:22:57 2011 GMT Serial Number: 044297A4F4E21750B9CC70A72CE9EBEB Revocation Date: Jul 14 09:53:45 2010 GMT CRL entry extensions: Invalidity Date: Jul 14 09:53:45 2010 GMT Serial Number: 04841B82A9D81E44CB4F2D98CFE7C374 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 04ED97B8E5DEC80B4DE778E86F18FBB7 Revocation Date: Nov 1 11:23:05 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:23:05 2011 GMT Serial Number: 0590B310AEFC7A3EDC03ECA2A6F6624F Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 05E2E6A4CD09EA54D665B075FE22A256 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 06A0E8BCC4F603D5C3C440DCBFF23089 Revocation Date: Nov 1 11:27:24 2011 GMT CRL entry 
extensions: Invalidity Date: Nov 1 11:27:24 2011 GMT Serial Number: 06D960B14B3F464EC71C8FA8D076F459 Revocation Date: Nov 1 11:34:08 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:34:08 2011 GMT Serial Number: 071FAE720C8354F1DC28057383BE191D Revocation Date: May 6 07:46:50 2011 GMT CRL entry extensions: Invalidity Date: May 6 07:46:50 2011 GMT Serial Number: 07B546E8E002FC5854651BE31802F96D Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 07BC72A463D4DE33B2BE733D6FAC991D Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 09369288E36D7AFFEE94EA81998FA316 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0954E1AB9141ED7E8B640FE681046451 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0A6DFACFDEAE74A816031534BE90B75A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0B41ABEE6F4168D3CDE5A7D223B58BC1 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0DEBD87C3BC2A924DFC80FA7AEF366D3 Revocation Date: Nov 1 11:13:05 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:13:05 2011 GMT Serial Number: 0E0886EEAA119CF14F1C54387060929A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 0FF4031F07818A304ADF704B72B03EDA Revocation Date: Jul 18 08:17:02 2011 GMT CRL entry extensions: Invalidity Date: Jul 18 08:17:02 
2011 GMT Serial Number: 11661878CCE9DC337CEEBB16E30F9A3A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 121378A6DE0A13DDB295106E912A4E14 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 12E6AFD41A145754D1115068B869CEE8 Revocation Date: May 12 10:18:03 2010 GMT CRL entry extensions: Invalidity Date: May 12 10:18:03 2010 GMT Serial Number: 1348E0D85921963F7AD11A23E7FF6E32 Revocation Date: Nov 1 11:28:55 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:28:55 2011 GMT Serial Number: 13548FC160BC5C9F315AE28CDB490E36 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 13A757022817C0514A5C142FE9BF143A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 13B0368A65AAE03134DACB69F7E01067 Revocation Date: Jul 20 14:46:30 2010 GMT CRL entry extensions: Invalidity Date: Jul 20 14:46:30 2010 GMT Serial Number: 168195E124D2776EC95DE48093C908F8 Revocation Date: Apr 11 11:31:21 2011 GMT CRL entry extensions: Invalidity Date: Apr 11 11:31:21 2011 GMT Serial Number: 170370B60D515F164119BE54FD55E1ED Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 171A8599EDE711A3315BC7D694CEBEC6 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 17CF5474D5A8B4E735E69E017CEC2F37 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 
1836289F75F74A0BA5E769561DE3E7CD Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 1890BAD2FAE1E593FB013F708CBB7A7E Revocation Date: Dec 2 15:01:18 2009 GMT CRL entry extensions: Invalidity Date: Dec 2 15:01:16 2009 GMT Serial Number: 192EFE2CFB1F3EB3731B7335518B3EF8 Revocation Date: Nov 1 11:30:13 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:30:13 2011 GMT Serial Number: 1A89324D6D3E6DE6726C688BFF225DDD Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 1C6EA2DA6ECED5C5C761BCA9CA4C5308 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 1D064DDBD7F8C8C86115CFE7D9CFFB02 Revocation Date: Jun 5 09:36:17 2009 GMT CRL entry extensions: Invalidity Date: Jun 5 09:36:17 2009 GMT Serial Number: 1DCF02113D01BAE855A83A46BFB12DB5 Revocation Date: Nov 1 11:22:03 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:22:03 2011 GMT Serial Number: 209920C169512D3EB4A1ED7CAD17D033 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 226F7B79306DD674708A06A6355E700A Revocation Date: Jul 14 09:56:39 2010 GMT CRL entry extensions: Invalidity Date: Jul 14 09:56:39 2010 GMT Serial Number: 26C4B88E803C3C1592F09FE5468140BA Revocation Date: Oct 20 10:23:38 2011 GMT CRL entry extensions: Invalidity Date: Oct 20 10:23:38 2011 GMT Serial Number: 271293D4BF3AAACF1B4B5926B8548DE6 Revocation Date: Nov 1 11:33:54 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:33:54 2011 GMT Serial Number: 2734EA4F3C1908BDA1F899230CFDA7D1 Revocation Date: Nov 1 11:11:23 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:11:23 2011 GMT Serial Number: 
2ACBA14BB6F65F7BD0A485BFCB6D023F Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 2B05E0B5E470CFB76EA79A631705F566 Revocation Date: Nov 1 11:30:28 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:30:28 2011 GMT Serial Number: 2B1EA767EC59E46364BC2DF9B1F30B97 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 2D711C9CB79EC15445747BFE3F8BC92F Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 2EFC7F5D32686556FFBA6E7B0FB99336 Revocation Date: Nov 1 11:25:39 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:25:39 2011 GMT Serial Number: 2F5ABFDCCAB1A2927E54283296F19FB8 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 2F88BF04DFA66B598E3999498924D602 Revocation Date: Nov 1 11:30:24 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:30:24 2011 GMT Serial Number: 30170F15A240446E6B482E0A364E3CCA Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 30DF96D87EEC8CA77A135ECCAB1AD25E Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 30F6821637DC7B7296D4BA87FFFD021C Revocation Date: Jun 17 12:40:26 2010 GMT CRL entry extensions: Invalidity Date: Jun 17 12:40:26 2010 GMT Serial Number: 31C149639E372109B4E83FC34C4C6E77 Revocation Date: Dec 2 14:50:07 2009 GMT CRL entry extensions: Invalidity Date: Dec 2 14:50:04 2009 GMT Serial Number: 31CE974DBE9F2695E897CDCC20AF4A28 Revocation Date: Jul 14 10:01:38 2010 GMT CRL entry 
extensions: Invalidity Date: Jul 14 10:01:38 2010 GMT Serial Number: 327B9A443C49018D7B0A97B6EC2254B8 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 33BD6F9B3ECD7FCB3DDF71E11BD1082B Revocation Date: Jul 14 10:00:40 2010 GMT CRL entry extensions: Invalidity Date: Jul 14 10:00:40 2010 GMT Serial Number: 351803DDAD7801C38D52B807A2945F71 Revocation Date: May 23 10:09:29 2011 GMT CRL entry extensions: Invalidity Date: May 23 10:09:29 2011 GMT Serial Number: 35C54E845AE855F818504C8C189F52C7 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 35FBDCDF923F99B5E1C5FF4423B715B8 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3913B1E1C35BDDF02CE03C916E8AA638 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 39936336286F843756FC4BC296D7A8E0 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 39953BF6383A00D29BEB377568E3DE7A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 39B5DD0ECC85C3F62A72391DC055F561 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3A32AAA9DFE2CA7F9E003885E316944B Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3CDCD81930F91AC0B990664931E5412E Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry 
extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3D2BC95A85EF539A68DAC84542A1AE7A Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3EA0F90DE57187FC7E1AC45AE44D16C6 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3F8A5EA1756DDF4A6B6F2645B4911486 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 3F8C9CDAACBB533AE94F47456819FA0E Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 40535CFBB2286E48F3B4D2CABDBBE645 Revocation Date: Nov 1 11:33:27 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:33:27 2011 GMT Serial Number: 40AD07456B7B2F6A8AE84658CC420BF6 Revocation Date: Nov 1 11:22:30 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:22:30 2011 GMT Serial Number: 4157D99E46A3E45E6130A95645410DAC Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4455B43B9173CBAE4E247272EE2573D5 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 44C287C1C3697367B0E6CB78A78C1DF5 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4813656784FB44665A84DE8759978140 Revocation Date: May 19 10:59:30 2011 GMT CRL entry extensions: Invalidity Date: May 19 10:59:30 2011 GMT Serial Number: 4A6D90618A5CA6797C768C03C860C4F8 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry 
extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4ADA28D281D3D14D19FB782D64086D0C Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4CF54389AAE1572E694906522539EDFD Revocation Date: Nov 1 11:13:29 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:13:29 2011 GMT Serial Number: 4D556B338FAA020979A740B4C3AEE28C Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4DD0497CBAABBA058574A611B26151BA Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 4FC2D72D6427CABBE3E859453865F43B Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5087EC958715FE181BA444116E915CDF Revocation Date: Nov 1 11:22:54 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:22:54 2011 GMT Serial Number: 51071B7B15F90AB74BF144D78D8631EB Revocation Date: May 6 07:46:49 2011 GMT CRL entry extensions: Invalidity Date: May 6 07:46:49 2011 GMT Serial Number: 5132F0FCB3F8DCAA501C620575D33FEE Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5298BCBD11B3952E3FDDC6FDD6711F5C Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 53B53BF2F74997EBEB2577D63DA692B7 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 54A13D6B84557F532352D1DA947E7552 Revocation Date: Nov 1 11:23:05 2011 GMT CRL entry 
extensions: Invalidity Date: Nov 1 11:23:05 2011 GMT Serial Number: 54D153376CC124A49F1B9F9E5ECF862C Revocation Date: Jun 17 12:39:26 2010 GMT CRL entry extensions: Invalidity Date: Jun 17 12:39:26 2010 GMT Serial Number: 5563605FDC2DC865E2A1C32995B5A086 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 56A1C36F0A507314C0D10B8631DEB8A0 Revocation Date: Nov 1 10:31:35 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 10:31:35 2011 GMT Serial Number: 56EF1EE54D65EF7B39AF541E95BB45A9 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5814A731F3590CC163548788E1A20344 Revocation Date: Nov 1 11:30:28 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 11:30:28 2011 GMT Serial Number: 58C18B290620E18B8C78AC1912E5DCD7 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 591262B97E1974E4BD29335D50A0B000 Revocation Date: Nov 1 10:30:34 2011 GMT CRL entry extensions: Invalidity Date: Nov 1 10:30:34 2011 GMT Serial Number: 59F8BDDA3F56D8026FAB6E3130F5D843 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5B8E5202EC6769F2389605D33DC245B2 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5CEBD524469A075FB6B42D06C9BF27AD Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT Serial Number: 5D4352671C39616670B2F34C173A1F63 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 
2011 GMT

Serial Number                     Revocation Date (GMT)  Reason         Invalidity Date (GMT)
--------------------------------  ---------------------  -------------  ---------------------
5D8D0D43611275982E6A5490E7F87BD7  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
5D8F8D78B0C19EF4479F744DECBD84BC  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
5DD6A72747D90C018B63F959DFE7C976  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
5E6F7C4A0E7B9B1CEC7AF0CAAB4AE9B0  Nov 1 11:33:27 2011    -              Nov 1 11:33:27 2011
5F3C1BDC7A2BCD47ABAF0C8E62D9F757  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
5FFA79AB76CE359089A2F729A1D44B31  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
601315BB085FECF29538DA3F9B7BA1CE  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
604B3E3BEE932F5CAE4CA3AAA31C368D  May 31 08:50:27 2011   -              May 31 08:50:27 2011
60AC58FC2B5EEF9A6AEF273104D46FAA  Nov 1 11:22:06 2011    -              Nov 1 11:22:06 2011
61BF9A0FF2CE9D55D86BC063839F72F4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
61D11B35765ECB85890D5349786D9FCA  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
61FBB5CFCBC7CCF3351ABAACFA498B49  Jul 20 14:46:31 2010   -              Jul 20 14:46:31 2010
62BF5A170CC779ADE7EF0090F395D5E6  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
63DEB17D722ACD0C4AF5F59F4D278D2D  Nov 1 11:22:42 2011    -              Nov 1 11:22:42 2011
6410577C738133297472F6C22C2BB397  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6580BE22A0566352B9622777BFCB7164  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
65A925E578098658FADA30E9FB67B5E4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
65E34D749EDD5E8B3B4DA5020146AF54  Nov 1 11:22:29 2011    -              Nov 1 11:22:29 2011
67887932934DFF086153CA905E7DE9EE  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
68F252CD36F2798A2182F6406A31A5A2  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
698868F3B58F9A1377ECD98AC441F804  Nov 5 11:25:03 2008    -              Nov 5 11:25:03 2008
6B339433956F1505104BB231314A153E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6BACB6C5B74FA747A3CF375EC3095035  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6BEC7FB77BF883E1F7617E19470937FF  Jul 14 10:01:39 2010   -              Jul 14 10:01:39 2010
6BF3BEB26AFF31116200B14F4378C33B  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6C1950AA83F4663F1BA063B5275C25EC  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6D6225040EBB834EE0C32828C5E0C6B4  May 30 09:05:27 2011   -              May 30 09:05:27 2011
6D6327E75F51B624D0583DE073B93849  Nov 1 11:27:24 2011    -              Nov 1 11:27:24 2011
6DC30A0902BB80E1724661407AA3E264  Nov 1 11:06:21 2011    -              Nov 1 11:06:21 2011
6DD6E103C848A1666FE01F6B8C639FE6  May 26 08:50:28 2011   -              May 26 08:50:28 2011
6E6D052B5ABC015C779EA3500FA11A28  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6FA3C48173B3B289943F113A8CD9DB8C  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
6FED5501435113C516B5D321080ABAE2  Nov 1 11:29:46 2011    -              Nov 1 11:29:46 2011
7034FBF641CEB257FC109A6819D19DA0  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
706BBC770C62D41DD799721ABD1868AB  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
7073C6C01DEE4E158F554555F697F7D9  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
720DF591261D710ADC73127C1BC4303D  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
72515CF15799BAC3279DE7F085D0D2B8  Nov 1 11:23:16 2011    -              Nov 1 11:23:16 2011
72CBC4824C6215B139FDE6BA10DAC6AD  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
7352C61297D6B04E874EDAD12480F78E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
752A2D0325A3D34D9F5198C2F5C92A6C  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
75D94CFF95CFD7D501CAA49D67059D83  Sep 12 13:51:19 2011   -              Sep 12 13:51:19 2011
763B0C2A7B83066A9D995C8C4FD9E35E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
79C03FE0C81A3022DBF8143B27E40223  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
79DCFDA2700E06F8EAA640BA9B827810  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
79F4CCD54A6258238C3B646D6790B3FA  Nov 1 10:50:40 2011    -              Nov 1 10:50:40 2011
7A61A7778842E502E2291166C4574485  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
7AA6F591D55ED1A26B6349B95E53A90E  Dec 2 14:52:13 2009    -              Dec 2 14:52:11 2009
7B49341AD59BA61FB9452E7E9EF41131  Mar 22 12:49:27 2011   -              Mar 22 12:49:27 2011
7DD8E0E1906C1754E11E901927CCABBD  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
82072FC8F8DD7E6C0ECE9B47185F0521  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8259C3E1DB6C2C9B7FCD6A305EADEFE4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
826A3652F447B94D97BF8642B6C43ED0  Nov 1 11:23:13 2011    -              Nov 1 11:23:13 2011
82BC18B1AA5D59C61D0EFDBEA7664C08  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
82C42F0EDC18BD751727BE5C54413EF7  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
83443EFF2B97F651CF726314BE9244F1  Nov 1 11:08:41 2011    -              Nov 1 11:08:41 2011
8499A4C27A73A4960B9466D0F1B8C682  Sep 12 13:51:20 2011   -              Sep 12 13:51:20 2011
84BE5D762F37E9018D623C8E91F4D924  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
84C17C9A9979DD3C5E9A21AD2FDBD32F  Nov 1 11:25:39 2011    -              Nov 1 11:25:39 2011
8625B32398C2722D96E7B972580A0238  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8779917563EC38B7746B8ECAFE239BE6  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
877CBBF23F1B414E1D8E64F773E0B1DA  Nov 1 11:27:22 2011    -              Nov 1 11:27:22 2011
8922A9A23BE960FFE9707A0B3F4D75BD  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8A7075422239D800F5C2241E3BBB1FF5  Nov 1 11:26:06 2011    -              Nov 1 11:26:06 2011
8B0EABAF922D4C6E6917FCBE365DD64A  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8BA800DDDD865B6BF3A85ADEC4C29730  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8C605DFAA0EC88CDB7D12F7250C9F53A  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8C805CB17FA0B6CB52F97BC32EFC777F  Oct 20 10:23:38 2011   -              Oct 20 10:23:38 2011
8CC0DCE80E8FB817402FE9824F60467C  Nov 1 11:27:12 2011    -              Nov 1 11:27:12 2011
8CC74931E64061491652CC169C8BAAB3  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8CF1F45323EC5AB449451E7A9476CFDC  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8D09D4B98DE67C9E9C7C18CB72AD2418  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
8ED896B9A622FF24559A3429E5888E0A  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
901F30DB86EEB1666F5A8CAE1C7BD08B  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9084442344A7B0DD3A29785D32D52373  Nov 1 11:33:27 2011    -              Nov 1 11:33:27 2011
90DB656E273476CC836778255582FA8B  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9246D260478416265FA69422399D9E84  Nov 1 11:30:22 2011    -              Nov 1 11:30:22 2011
9526110705F420A120D83E2CD67DD234  May 9 12:54:48 2011    -              May 9 12:54:48 2011
96C61AB47F742F75B1CDE399E2C41D27  Nov 1 11:27:21 2011    -              Nov 1 11:27:21 2011
9854D0D12C9C7E71890238CFB5202F75  Nov 1 10:29:07 2011    -              Nov 1 10:29:07 2011
9952073595776A3D7A8101664A56AB96  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9A3A951BE27E0729726FD8B80060E7E1  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9AD82BE2FED538B10BDFBD229A8A5AEA  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9AD9E57E014C69EA389DB5E9EEA13817  Apr 7 07:10:22 2011    -              Apr 7 07:10:22 2011
9C79C9FE16727BAC407B4AA21B153A54  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9D06313F21A4EDF734C324FFBCB9E2B5  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9EDCB5E1FE1255A2F1D7FC52C4AFA3B1  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9F7DDFE3CAAD224EC6BD68B60DE78550  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
9FD4E57DFA86E9F336DECE29FDB45333  Nov 1 11:22:51 2011    -              Nov 1 11:22:51 2011
A0563ABE2463550206DAC6B760D71C23  Nov 1 11:27:24 2011    -              Nov 1 11:27:24 2011
A076DA72A8C8E2137F05FE3FA59870EB  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A07CB7881E35C91FD9C5D20F6102572C  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A0B56D8688716223980DA762DBCABC3C  Aug 18 12:05:16 2011   -              Aug 18 12:05:16 2011
A5029D6A057D50D20ECFE0E528EDA067  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A5F6F149B468683318DC178F4208E237  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A640A29E706AF38557B86619EAF45E7A  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A67C22A6E1F9D87799548EBFC7D5527E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A6B85A1F2131478C77066D87A45C3D51  Nov 1 11:22:14 2011    -              Nov 1 11:22:14 2011
A8031D608F6549941879981764674DD7  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A81686CEFDEFFCE82B8DBF100E1395F1  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A869B96BCDF1D474C0714763AA34A8C9  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A90F1BB43E9DB5EDFC60C15FB897C593  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
A91875623F828C3ECA477D4BBA8D8C90  Nov 2 15:00:19 2011    -              Nov 2 15:00:19 2011
A91F5E418BAB825B4E7EE9374BCCD564  Nov 1 11:30:27 2011    -              Nov 1 11:30:27 2011
ABB21F43553F2695031A1C85355D7F1C  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
ADB59A303C6260DBE466F0149AB11A4A  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
AE5A97E205DCFB13B679E02617BC7E86  Nov 1 11:23:03 2011    -              Nov 1 11:23:03 2011
AF5563842A85D49EDB4352C0BF0DF76B  Nov 1 11:33:35 2011    -              Nov 1 11:33:35 2011
AFA2F7E964280B36DB0D714B86256F54  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B01AA1DCDF2798E17AE0F5667B80471F  Nov 1 11:33:52 2011    -              Nov 1 11:33:52 2011
B153C14A9B31CC287019E78A149FEB97  Sep 13 07:37:22 2011   -              Sep 13 07:37:22 2011
B2205D8CBDDFE49D7C5F0F95D506718F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B2F57BD01BAAF7AF01EF442910CEBBA0  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B355E909FD55C5E9EF1A6E67E9C18203  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B3B64F1925F759A2E145190333D1D6D2  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B4F9299F05A327E60543C4CDE3277FC0  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B5D7A148CA6C1F9693A2C16ACDD66226  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B795E7FE1120A3553ABAD4892F0C6E91  Oct 20 10:23:22 2011   -              Oct 20 10:23:22 2011
B85E7BB83667097F15D8A3DEAAA1B198  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
B8FF8AA0AB3553466B1284C48C1B85ED  Nov 1 11:25:39 2011    -              Nov 1 11:25:39 2011
B95F62E86194734C9F68D4BF8B200C49  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
BB34F789A9229E8CF0C23919B9DA21DF  Oct 20 10:23:23 2011   -              Oct 20 10:23:23 2011
BC01852405D3F4E22C48600266655026  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
BD7CB0D124DFDE784CD5B9EF288C304E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
BED90D98FA3A1E0A5BD78AD54E55774D  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C00132DA154BDEE361EDEE727226D0F5  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C06C12DBBC7055FE40950803238EC104  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C0766829AA4D2E1A5D97213A4E4A654E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C084DA49C3E25A501B590230DA54BB0A  Nov 1 11:23:04 2011    -              Nov 1 11:23:04 2011
C0F216CA8197AD00F0D98927EAE29E64  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C1366C7246041A3089E1C244C5DC42E7  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C3F9F45F19E334C8303F44288856D843  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C47740B653399532490F7CFC5E8616CE  Nov 1 10:29:46 2011    -              Nov 1 10:29:46 2011
C6741E3D08C0FFD4617B94E654DD89F1  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C6CFEBD86E69AE312289C6D18596897D  Sep 3 09:08:08 2010    -              Sep 3 09:08:08 2010
C731140FAA7690918BABF17BECB7938D  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C83D16E9CB29DCF35F3B351CB942FE0D  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C880AE4D7927E6A8FA7D456CB03E9763  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C8B2487ADFAF969E34306029AC934406  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
C8C06B0C6B7FE7CA66BCFE617AB6C4E6  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
CAB736FFE7DCB2C47ED2FF88842888E7  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
CBBCB9E06F9FC92C533B2F2A5284BA22  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
CBFE437C9B62805C4353516699E44649  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
CC075F4CFA34A748150BA611F47055D9  Nov 1 11:11:54 2011    -              Nov 1 11:11:54 2011
CDBC0441C10DB5ABA43120E63A048425  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
CF5F7B9C6CA3994312FD88669394C323  Nov 1 11:27:16 2011    -              Nov 1 11:27:16 2011
CFAF9BE4E5BD0F5A75F628E45E0178C9  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D0BA58BA609CC1A001F612987A822BEF  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D1718E9BD91257D2169C81197D508A67  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D19F691BE086F5E3EFB9B7868D422C84  Nov 1 11:23:19 2011    -              Nov 1 11:23:19 2011
D1FDE3A78C9D2E80C2303CC4E3E92A4C  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D3E2205C3B899FC99D77FE802985283F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D50BB77AFE2AC19D32F1A6F64D291415  Nov 1 10:29:52 2011    -              Nov 1 10:29:52 2011
D59D17DDA83FC660E449E4C9D985E2A4  Nov 1 10:59:59 2011    -              Nov 1 10:59:59 2011
D5FB69503AD83389679490F837B8619D  Jun 17 12:37:26 2010   -              Jun 17 12:37:26 2010
D68DB21F7B82869796D053AA3BC34A94  Nov 1 11:27:23 2011    -              Nov 1 11:27:23 2011
D77EC92400AE0D9FA57DEF4DD8CFA4D4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
D7E19542B47FA3E81C730D074955F6BC  Nov 1 11:22:41 2011    -              Nov 1 11:22:41 2011
DAACF72BC91FB6DA90A804933CB72E23  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DAC51C3D23B163601305AF99DF129689  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DB712D9D36823D44963892EE6588AF28  Mar 8 15:43:31 2011    -              Mar 8 15:43:31 2011
DC1665266A0198728861AC99ED368928  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DCD1072719692871126E4159D80EFDA8  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DD8C315D2CA61870CBCF9D56ED7474E2  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DDAD29B8B1215191E7EB5AAEE0219338  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DE76B17BFB1B6D6D6634C8C104A6E59F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DEB427AC9F1E8A0D0237049C80DF7E7F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DF2AD7F766E2EEFAF0FD1FB5C6883AB4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
DF3FD6AFBBFBC30C9AD80BF764A102DB  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E0D078FD4EA88AD769DCA6D0C90BA126  Mar 22 13:03:28 2011   -              Mar 22 13:03:28 2011
E1253D04A17AB8E47F4A5916B9BF9D23  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E30C9C0AA1F53104303AF53107805127  May 6 07:38:49 2011    -              May 6 07:38:49 2011
E34C4FC7488C4DFEF0EA475A17AF2C7B  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E3E120935934CBD77E1DA7F00431F745  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E4A691D60266784968DF971D6BF473AF  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E4B2F09505726306314DF05B734FD9D0  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E4BFCDFB111B8A45F5CDB7D2CDBFEDEA  Nov 1 11:29:36 2011    -              Nov 1 11:29:36 2011
E6CF82506D0A646A44FE332DF170D607  Nov 1 11:29:46 2011    -              Nov 1 11:29:46 2011
E6D568B879FE71042D0700A8F6C7AC27  Nov 1 11:25:39 2011    -              Nov 1 11:25:39 2011
E6F9E095464F64448840A832FB3443DB  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E73A251D3458CD0434B20CDBE3C58802  Nov 1 11:22:53 2011    -              Nov 1 11:22:53 2011
E93B28B47C34B243EBA62E58FE2FF46F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
E9EB8075F7FE3683B431552C2D962CB0  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EA71F746BD17D1B05450329818572F2E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EAACDC2F46D4A86F39B035B793F4A94F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EAE97F465015E49A14F3B23403ACFA11  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EB72415ECD0B4AACBDEEA3734F4349BF  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EBBE94FE4B140E8FABD5F84DB6D068EB  Oct 20 10:23:22 2011   -              Oct 20 10:23:22 2011
EBE7561CA573DA5DBB8EFAA250A40FD3  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
ED4C2EBC14B85F46A9A75F159DF8BEB3  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
ED803C6C6B5F6D0C40D5F864BC19B35A  Nov 1 11:23:13 2011    -              Nov 1 11:23:13 2011
EEBE18855322343289191913F6D769EB  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
EF40C852B996531570CC260AF6764D8D  Dec 2 14:52:00 2009    -              Dec 2 14:51:59 2009
EFC30A7727C476C7CD00A57FD15724FF  Sep 13 07:37:22 2011   -              Sep 13 07:37:22 2011
EFF0DD4B4927DF64232C5D2FF280C1E4  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F1EBE73557546DC8B21E0A2DE5E3A33E  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F346A1E62FED476F472560C6DDE0CADC  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F5E1888EADDD5B5FF74E47207A5A71EC  Nov 1 11:07:00 2011    -              Nov 1 11:07:00 2011
F5E19830C2EBA4508E3B60516805CEF3  Nov 1 11:26:15 2011    -              Nov 1 11:26:15 2011
F5FA42A5B421705E4803DA93C4F7E099  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F658C0D52B3EEF71DDE6C284E7E1B337  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F7DE638B76C3958AA3413A9785A19900  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F87DA43A8B60E3F70A119D399C9A4F7F  Nov 1 11:30:20 2011    -              Nov 1 11:30:20 2011
F88885670C3D55EBA52096A65310DACA  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
F89F5DE575755A3B4C0DECC6EDA7C804  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
FAB79682C8EAE556F11ECF6DAD7121BA  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
FC9993EA7A4E761B6CB79ABE2BD3CDE1  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
FCC8FFF7065C54DD5C710F313F9C4EDA  Nov 1 11:23:02 2011    -              Nov 1 11:23:02 2011
FCCF53CB3D0A71494AF9664690FFCF84  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
FD75F7A29461877B785EDAD00BDDC47C  Nov 1 11:30:15 2011    -              Nov 1 11:30:15 2011
FD8FE350325318C893AFE03F9DFC7096  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011
FDEB145AAC81B8CD29B8DA018E71456F  Aug 29 16:31:26 2011   CA Compromise  Sep 26 12:00:00 2011

Serial
Number: FE873B742B230B22AE540E840490A2F4 Revocation Date: Aug 29 16:31:26 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Invalidity Date: Sep 26 12:00:00 2011 GMT
Issuer: /CN=EBG Web Sunucu Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1/O=EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./C=TR ... Serial Number: 62EF62C5EFC8553D Revocation Date: Feb 9 08:03:35 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise
Issuer: /DC=ch/DC=cern/CN=CERN Trusted Certification Authority ... Serial Number: 30B2AE9D000200006E20 Revocation Date: Sep 16 12:35:06 2010 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise Serial Number: 15D51BD5000200007131 Revocation Date: Dec 26 11:35:39 2010 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise
Issuer: /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Organisatie CA - G2 ... Serial Number: 013134BF Revocation Date: Sep 28 08:39:53 2011 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise
Issuer: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 2 L1 CA/CN=TC TrustCenter Class 2 L1 CA XI ... Serial Number: 8458000100020F69350AAD20FCD0 Revocation Date: Feb 2 08:23:01 2010 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise
Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3 ... Serial Number: 0E3D04DDA1884DC39B7273414A32BEC5 Revocation Date: Sep 16 13:43:07 2009 GMT CRL entry extensions: X509v3 CRL Reason Code: CA Compromise
From the hack.lu website, you got a text containing an encrypted message stream. During the conference, you got a t-shirt.
The horrible "Beer Scrunchie" subverted the hack.lu 2011 conference to hide some cryptographic materials. He especially abused the hack.lu 2011 t-shirt to transmit undercover activities. We still don't know to what extent "Beer Scrunchie" abused the t-shirt. Everything is possible, just like those trojan t-shirts discovered...
U2FsdGVkX19EAnHXVRgs2oajPS0zZ3+w8BlYdQbHMTI7GT9gvdgFkjtTarpNAmbz ET8PRg72U8pydsLr4IaTt5n7fFz6jxyglU1ozZwjJhKAyPAftqxYvcnud4/cOiEV 2FutxaJYCORWsvQV+hi6j8LMqn5aJd7s2nhQ9BWji/ZjMZx/wXJVdCCmNL9HuWx9 q0KV/8nTaxOOEdGwENZT8rgSSb7qy5mcIlIBfdzqYAzynj8xLxHFmptNQfZaO3X0 MAbvS324WDeB3R5p6CaIDLeH95eN8jrqdXaDhxs1SrlJrq5inssTgsEttFUhHEe8 6unUI3i4sDeVvEcajMmxvKg0qQLqEkc56GXKXVuGYc+owEsgKW8JKk8DrfgbQMPy mbaaN7h1PKjlXTIfkR9KXOMd0wy/KHEoM6FdWY1jjzB2Q9UODxgug6gNXciVpQB6 fpvlzvFkV8z8BfSMcDCo1GM6526hSYYtRF0RS3PoloSPjfvDCNVX86lMjKsx6etc Wec6u4EuJVDI52dgSr3kslwlfswez4WM+H2cszKCf0xejql/tQsra6QAcj1JhSqD C6AvtDV31IzLAhHy5Di4T1ONyk68WNU40BIsrNkb3lYFTtWtQeF5Z4DGwpcM9HKg CbLIe9oiNONgrY+kn5RfkHgUaI/PbUQgWy/U6BkunbuqTuMXwiTeR3eaRwBnGQGJ KL+w6duxhoZhCa9nrlr3I2Nx2l+bs9JIzp5h2nYIq6yhqAyQ6jE+lpAQk912FE1O 5AuOLW5bhMldPMVMlYlx6w==
The message on the website already gave some clues:
If you decode the Base64 message, you'll see that the binary stream starts with "Salted__…". That's the behaviour of the OpenSSL salted encryption scheme: the "Salted__" prefix announces that the following 8 bytes of the encrypted stream are reserved for the salt. This indicates that the message has probably been encrypted with an OpenSSL tool or library. If you look carefully at the encryption schemes available in OpenSSL:
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40
There are not many algorithms written by Bruce Schneier in a default OpenSSL build, except Blowfish (bf-*). Cryptographers usually recommend using the "default" mode and, in this case, bf is Blowfish in CBC mode. So this is highly probable…
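The salted-scheme assumption above can be quickly verified by decoding the beginning of the Base64 message (the string below is just the first characters of the encrypted message):

```shell
# The OpenSSL salted scheme always starts with the 8-byte magic value
# "Salted__", followed by the 8-byte salt; decoding the beginning of
# the Base64 stream makes the prefix visible
echo 'U2FsdGVkX19EAnHXVRgs2oajPS0zZ3+w' | base64 -d | head -c 8
# → Salted__
```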
As you didn't use the t-shirt until now, a good guess is that the key is hidden somewhere on it. If you look carefully at the text on the back of the hack.lu 2011 t-shirt, you'll see many typographic errors. The interesting part is to compare the typographic errors against the original text as published by Phrack. Please note the typo in the URL (even if the URL works, it doesn't mean that it's the correct one ;-).
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike. The Conscience of a Hacker, The Mentor, January 8, 1986, http://www.phrack.org/issues.html?issue=7&id=3#article
This is our world now... the world of the electron and the swich, the beauty of the baud, We make use of a service already exeisting without paying for what could be dirt-cheep if it was'nt run by profofiteering gluttons, and you call us cricriminal. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin colo, without nationlity, without rrligious bias... and you call us crimnals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. yes, I am a criminal. My crime is that of curiosity. my crime is that of judginfg people by what thy say and think, not what they look like. my crime is that of outmarting you, something that you will never forgive me for. I am a hacker, and this is my manifasto. you may stop this individul, but you can't stop us all... after all, we're all alike. The Conscience of a Hacker, The Mentor, January 8, 1986, http://www.phrack.org/issues.html?issue=7$id=3#article
So you can build a key from the differences, but how? That's the most difficult part (as there are many different ways to do it). As there is no natural way to generate a key, I decided to go for a long key that can be read easily from the original text. To rebuild the key from the original and modified texts, you can use a word diff with your favorite GNU tools. We just discarded the punctuation and ignored the case sensitivity.
wdiff -i -3 original.txt modified.txt | egrep -o "(\[-(.*)-\])" | sed -e "s/-//g" | sed -e "s/\[//g" | sed -e "s/\]//" | sed -e "s/\.$//g" | sed -e "s/,//g" | sed ':a;N;$!ba;s/\n//g'
The key to decrypt the message generated from the above wdiff is the following:
switchbaudexistingdirtcheapwasn'tprofiteeringcriminalscolornationalityreligiouscriminalsjudgingtheyoutsmartingmanifestoindividualhttp://www.phrack.org/issues.html?issue=7&id=3#article
and to decrypt the message, you'll need to use OpenSSL with the guessed parameters:
openssl enc -d -a -bf -in encrypted.txt -out decrypted.txt
and the original decrypted message is:
I'm Beer Scrunchie and I'm the author or co-author of various block ciphers, pseudo-random number generators and stream ciphers. In 2012, there will be two major events: the proclamation of a winner for the NIST hash function competition and probably the hack.lu 2012 infosec conference. I hope that my Skein hash function will be the winner. If you are reading this text and be the first to submit to tvtc@hack.lu, you just won a hack.lu ticket for next year. If I'm winning the NIST competition with my hashing function, you'll get a second free ticket... Bruce
I got one correct answer 5 days after the conference, showing that the difficulty of recovering the key was bound to the uncertainty of the key generation. Next year, it's possible that we make a multi-stage t-shirt challenge for hack.lu 2012… from something easier to something very difficult.
Tags: crypto infosec ctf conference hacklu
Drawing conclusions from experience is not always a scientific approach, but a blog is a place to share experience. Today, I would like to share my past experience with information security and especially how difficult it is to reach some security through the specific compliance detour proposed by the industry or even society.
Many compliance mechanisms exist in information security to ensure, on paper, the security of a service, a company or a process. I won't list all of them, but you might know PCI-DSS, TS 101 456, ISO/IEC 27001 and so on… Very often, the core target of a company is to get the final validating document at the end of the auditing process.
Of course, many of those validation processes require strong security measures on the procedural side of information security management within the company. This is usually a great opportunity for the information security department to somehow increase its budget or its visibility. Everything looks nice. But usually, once the paperwork is finished and the company has got its golden certificate, the investment in information security is just put aside.
But concrete information security is composed of many little dirty jobs that no one really wants to do. In the compliance documents, those tasks are usually underestimated (e.g. a check-box at the end of a long list) or not even mentioned (e.g. discarded during the risk assessment because they seem insignificant). Those tasks are nevertheless a core part of information security, not only for protecting systems but also for detecting misuse earlier.
I summarized the tasks in three large groups; it's not an exhaustive view, but it shows some of the core jobs to be performed in the context of protecting information systems:
Log analysis is usually the main trigger to find a compromised system. When Clifford Stoll discovered that a system at LBL was compromised, it was due to a specific 75-cent accounting discrepancy. Likewise, the recent security breach at kernel.org was discovered via an error in the logs from a non-installed software (Xnest) and a pop-up of an invalid certificate; that's how infections or compromised infrastructures get discovered.
But to discover those discrepancies, you need someone at the end of the chain. The answer, here, is not a machine reading your logs (I can already hear the SIEM vendors claiming this can be automated). It's a human with some knowledge (and some doubts) who picks up something unusual that can lead to the detection of something serious.
Log analysis is tedious work that needs curious and competent people. It's difficult to describe in a compliance document, and the analysis job can be boring and poorly rewarded. That's why you sometimes see the idea of "outsourcing" log analysis, but can an outsourced analyst detect an accounting issue because he knows that some user is not working during that time shift?
IMHO, it's sometimes better to invest in people and promote the practice of regular log analysis than to pursue an additional security certification without the real security activities associated with it.
The less software you have, the better it is for security. It sounds very obvious, but it's a core concept. Yet we pile more and more features into every software we use. I have never seen a control in a security standard or certification that recommends a policy to reduce software or remove old legacy systems. If you look carefully at "Systems Development Life Cycle" documents, they always show the perfect world, without ever getting rid of old crappy code.
Maintaining software and hardware could fall into the category of "reducing the attack surface", but it's another beast, often underestimated in many security compliance processes. A software is like a living organism: you have to take care of it. You don't acquire a tiger and put it in your garden without taking care of it. Before maintaining, you obviously need to design systems with "flaw-handling in mind", as Marcus J. Ranum said, or Wietse Venema, or Saltzer and Schroeder in 1975. In today's world, we are still not going in that direction, so you have to maintain the software to keep up with the daily security vulnerabilities.
The main issue with a classical information system is its interactions with other systems and its environment. If you (as a security engineer) recommend updating a software in a specific infrastructure, you always hear the same song: "I can't update it", "It will be done with the yearly upgrade" (usually taking 4 years), "Do you know the impact of this update on my software?" (and obviously you didn't write their software), "It's done" (while a check shows it's still giving the old version number), "It's not connected so we don't need to patch" (looking at the proxy logs, you scare yourself with the volume of data exchanged) and… the classical "it's not managed by us" (while reading the product name in the title of the user who answers that).
Yes, upgrading software (and hardware) is a dirty job: you have to bother people and chase them every day. Even in information security, upgrading software is a pain and you usually break stuff.
All those dirty jobs are part of protecting information systems, and we have to do them. Security certification is distracting a lot of professionals from those core activities. I know they are arduous and not rewarded, but we have to do those tasks if we want to make the field more difficult for the attackers.
You might ask why a picture with a radio on a piano… both can make the same "music" but are operated in very different ways. Just like information security on a system and information security on paper are done in two different ways.
Tags: infosec compliance
Raphael Vinot and I worked on a network security ranking project called BGP Ranking to track malicious activities per Internet Service Provider (referenced by their ASN, Autonomous System Number). The project is free software and can be downloaded, forked or updated on GitHub. As BGP Ranking recently reached a beta stage, we now have a nice dataset about the ranking of each Internet service provider in the world. Every day, we are trying to find new ways to use the dataset to improve our life and remove the boring work when doing network forensics.
A very common task when you are doing network forensics is to analyse a huge stack of log files. Sometimes you don't even know where to start, as the volume is so large that you end up looking for random patterns that might be suspicious. I wrote a small piece of software called logs-ranking to prefix each line of a log file (currently only W3C common/combined log files are supported) with the origin ASN and its BGP Ranking value. logs-ranking uses the whois interface of RIPE RIS to get the origin AS for an IP address and the CIRCL BGP Ranking whois interface to get the current ranking.
To use it, you just need to stream your log file to it and specify the log format (apache in this case):
cat ../logs/www.foo.be-access.log | perl logs-ranking.pl -f apache > www.foo.be-access.log-ranked
and you'll get an output like this, with the origin ASN and the ranking (a float value) prefixing the existing log line:
AS15169,1.00273578519859,74.125....
AS46664,1.00599888392857,173.242...
So now you'll be able to sort your logs to get the most suspicious entries first (at least those from the most suspicious Internet service providers):
sort -r -g -t"," -k2 www.foo.be-access.log-ranked
So this can be used to discriminate, in proxy logs, infected clients that try to reach a bulletproof hoster where a malware C&C is hosted, or infected machines on the Internet trying to infect your latest web-based software… The ranking can be used for many other purposes; it's just a matter of imagination.
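As a small follow-up sketch (the file name comes from the example above; the first two comma-separated fields are the origin ASN and its ranking), aggregating the ranked log per origin ASN gives a quicker overview than reading line by line:

```shell
# Count the log lines per origin ASN (field 1) and keep the BGP Ranking
# value (field 2), then print a summary sorted by ranking, highest first
awk -F',' '{count[$1]++; rank[$1]=$2}
           END {for (a in count) printf "%s %s %d\n", a, rank[a], count[a]}' \
    www.foo.be-access.log-ranked | sort -k2 -gr
```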
Roberto Di Cosmo recently published a work called "Manifeste pour une Création Artistique Libre" ("Manifesto for Free Artistic Creation"); the work is not really a manifesto in the traditional sense but rather a work about potential licensing schemes in the Internet age. My blog entry is not about the content of the work itself but about the non-free license used by the author. On the linuxfr.org website, many people (including myself) commented on how strange it is to publish a work about free works while the manifesto itself is not free (licensed under the restrictive CC-BY-NC-ND). The author replied to the questions, explaining his rationale for choosing the non-free license with an additional "non printing" clause added to the CC-BY-NC-ND.
I have a profound respect for Roberto's work promoting and supporting the free software community, but I clearly disagree with the idea that philosophical works must not have any derivatives and cannot be free works. I also know that Richard Stallman disallows derivative works on his various writings. If you carefully check the history of philosophical works, a lot of essays from various philosophers went through revisions due to external contributions (e.g. Ivan Illich has multiple works evolving over time due to interactions or discussions with people). It's true that publishing the evolution of works was not a common practice, but that was mainly due to the slowness of the publishing mechanisms, not to the works themselves.
The main argument used to avoid freeing works is usually the integrity of the author's work. Yet a lot of works have been modified over time to reflect the current use of the language or to be translated into another language. Does this affect the integrity of the author's work? I don't think so, especially since for any free work (including free software) attribution is required in any case. So by default, the author (and the reader) would see the original attribution and the modifications over time (recently improved in the free software community by the extensive use of distributed version control systems like git).
Maybe it's now time to consider that free software goes far beyond the simple act of creating software and also touches any act of thinking or creation.
If you are operating many GNU/Linux boxes, it's not uncommon to have issues with some processes leaking memory. It's often the case for long-running processes handling large amounts of data, usually allocating small chunks of memory without freeing them back to the operating system. You may have played with Python's "gc.garbage" or abused Perl's Scalar::Util::weaken function, but to reach that stage, you first need to know which processes ate the memory.
To look for processes eating memory, you usually have a look at the running processes using ps, sar, top, htop… For a first look, without installing any additional software, you can use ps with its sorting functionality:
%ps -eawwo size,pid,user,command --sort -size | head -20
  SIZE   PID USER     COMMAND
224348 32265 www-data /usr/sbin/apache2 -k start
224340 32264 www-data /usr/sbin/apache2 -k start
162444   944 syslog   rsyslogd -c4
106000  2229 datas    redis-server /etc/redis/redis.conf
 56724 31034 datap    perl ../../pdns/parse.pl
 32660  3378 adulau   perl pdns-web.pl daemon --reload
 27040  4400 adulau   SCREEN
 20296 20052 unbound  /usr/sbin/unbound
...
It's nice to have a list sorted by size, but the usual questions that follow are about the evolution over time: which process is growing, and since when?
My first guess was to dump the values above into a file, add a timestamp in front, and write a simple awk script to display the evolution and graph it. But before jumping into it, I checked whether Munin has a default plugin to do that per process. There is no default plugin… but I found one called multimemory that basically does that per process name. To configure it, you just need to add it as a plugin with the processes you want to monitor:
[multimemory]
env.os linux
env.names apache2 perl unbound rsyslogd
If you want to test the plugin, you can use:
%munin-run multimemory
perl.value 104148992
unbound.value 19943424
rsyslogd.value 162444
apache2.value 550055
You can then connect to your Munin web page and you'll see the memory evolution of each monitored process name. After that, it's just a matter of digging into "valgrind --leak-check=full" or using your favorite profiling tool for Perl, Ruby or Python.
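For reference, the simple file-based approach mentioned earlier (a timestamp in front of the ps values, appended to a file) could be sketched like this; the output file name and the snapshot size are assumptions:

```shell
# Take a snapshot of the 5 biggest processes (by SIZE) and prefix each
# line with a Unix timestamp, so the evolution can be graphed later;
# run it from cron or a loop to accumulate data points
ps -eawwo size,pid,user,command --sort -size | head -5 \
    | sed "s/^/$(date +%s) /" >> memory-usage.log
```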
Tags: unix command-line memory monitoring
Prediction is very difficult, especially if it's about the future. Niels Bohr
Usually at the beginning of the year, you see all those predictions about future technology or social behaviour in front of those technologies. In the information security field, you see plenty of security companies telling you that there will be many more attacks, or that those attacks will diversify, targeting your next mobile phone or your next-generation toaster connected to Facebook. Of course! More malware and security issues will pop up, especially if you increase the number of devices in the wild, the number of their wild users, and especially those wild users waiting to get money fast. So I'll leave it up to the security companies to make press releases about their marketing predictions.
As we are at the beginning of a new numerical year, I was cleaning up my notes in an old Emacs folder (from 1994 until 2001). I discovered some interesting notes and drawings, and I want to share a specific one with you.
In my various notes, I discovered an old recurring interest in Wiki-like technologies at that time. Some notes make references to some Usenet articles (difficult to find back) and to c2.com articles about how a wiki is well (un)organized. Some notes were unreadable due to the lack of context for that period. There is even a mention of using a Wiki-like system in the enterprise, or building a collaborative Wiki website for technical FAQs. There are some more technical notes about the implementation of a wiki-like FAQ website, including a kind of organization by vote. I let you find today's website doing that…
Suddenly, in the notes, there is a kind of brainstorm discussion about the subject, including comments from myself and from other colleagues. And there is an interesting statement about Wiki-like technology from a colleague: it's not because you like the technology that other people will use it or embrace it. That's an interesting point, but the argument was used to avoid doing anything or investing any time in the Wiki-like approach. Yes, this is right, but the question is more about how you make things and how people would use them. My notes on that topic ended with the brainstorm discussion. A kind of shock to me…
What's the catch? Not doing or building something to test it out. You can talk eternally about whether an idea is good or bad, but the only way to know is to build it. I was already thinking like that, but I forgot that it happened to me… Taking notes is good, especially when you learn that you should pursue and transform your ideas into reality, even amid the surrounding criticism.
My conclusion to those old random notes would be something like this:
If you see something interesting and you get a strong conviction that could succeed in one way or another, do or try something with it. (please note the emphasis on the do)
Looks like I'll keep this advice again for the next years…
In the past months, there were many articles in favor (Foreign Policy (2010-10-25), Salon (2010-03-17)), against (Washington Post (2010-08-02), Jimmy Wales' "WikiLeaks Was Irresponsible" (2010-09-28) or Wikileaks Unlike Cryptome) or neutral (New Yorker (2010-06-07)) concerning WikiLeaks. Following public and private discussions about information-leaking websites like WikiLeaks, or even about the vintage Cryptome website, I personally think that the point is not about supporting a specific leaking website or not, but about supporting their diversity.
The term "truth" is usually mentioned when talking about "leaking websites", but they just play a role in providing materials to build your own "truth". And that's the main reason why we need more "leaking websites": you need measurable and observable results, just like in a scientific experiment. Diversity is an important factor, not only in biology, but also when you want to build some "truth" based on leaked information. Even if the leaked information is the same raw stream of bytes, the way it is disclosed is already a method of interpretation (e.g. is it better to distribute it to journalists 4 weeks in advance? Or is it better to provide a way for everyone to comment on and analyze all the leaked information at the same time?). As there is no simple answer, the only way to improve is to try many techniques and approaches to find by yourself what's the most appropriate.
I don't really know, but here are some thoughts based on readings from HN and some additional ones gathered from my physical and electronic readings.
We are just at the beginning of a new age of information leakage that could be beneficial for our societies. But the only way to ensure the benefit is to promote a diversity, not a scarcity, of those platforms.
Update 20101202: It seems that some former members of WikiLeaks decided to make an alternative platform (source: Spiegel). Diversity is king, especially for the interpretation of leaked information.
The past week was Open Access Week, promoting open access to research publications and encouraging academia to make this a norm in scholarship and research. The movement is really important to ensure an adequate level of research innovation by easing accessibility to research papers, and especially to avoid editor lock-in, where research publications are not easily accessible and you are forced to pay an outrageous price just to get access. I think Open Access is an inevitable path for scientific research in the future, even if Nature (a non-Open Access publication) disagrees.
But there is an interesting paradox in the open access movement that needs to be solved, especially if it wants to preserve its existence in the long run. The access must go further than just access to the papers: it must extend to the infrastructure permitting the operation of open access. Take, as an example, one of the major open access repositories, arXiv, where physics, chemistry and computer science open access papers are stored; arXiv had some funding difficulties in late 2009. What happens to those repositories when they run out of funding? A recent article on linuxfr.org about open access forgot to mention the free software aspect of those repositories. Why do even promoters of free software forget to mention the need for a free software infrastructure for open access repositories? Where is the software back-end of HAL (archive ouverte pluridisciplinaire) or arXiv.org?
Here is my call:
Open access is inspired by the free software movement but somehow forgets that its own existence is linked to free software. Next time I see and enjoy a new open access project in a specific scientific field, I will ask about its publication repository and the software behind it.
After Oracle's recent moves to dismiss their free software strategies, there is again this discussion about free software and its viability in large corporations. But I strongly believe that the question is not there. The question is not the compatibility of free software with large corporations or with certain business practices. What is so inherently different in free software is its ability to provide free/convivial "tools" (as described by Ivan Illich) for everyone, including large corporations.
The recent GNOME Census and a lot of news articles show the large or small contributions of various companies. But the majority of contributions are still done by volunteers, and some are paid by small or large corporations. This doesn't mean that the company funding the author is always informed of the contribution, nor that the company is doing that for the inner purpose of free software.
Another interesting fact is that free software authors tend to keep "their" free software with them when moving from one company to another. Free software authors often use companies as a funding scheme for their free software interests. Obviously, companies enjoy that, because they found a way to attract talented people to contribute directly or indirectly to the company's interests. But when the mutual interest goes away, authors and companies separate. That's usually when you see forks appearing and/or corporations playing different strategies (e.g. jumping into aggressive licensing or stopping their open technological strategy).
Is that bad or good for free software? I don't know, but this generates a lot of vitality in the free ecosystem, meaning that free software is still well alive and contributors keep working. But this clearly shows the importance of copyright assignment (or independent author copyright) and of making sure that the assignment is always linked with the interest of the free society to keep the software free.
Associated reading (EN) : Ivan Illich, Tools For Conviviality
Further reading (FR): La convivialité, Ivan Illich (ISBN 978-2020042598)
Looking at the recent announcement from Google about their "Google Command Line Tool", this is nice but it is missing a clear functionality: searching Google… I found various pieces of software that do it, but they always rely on external software or libraries and not really on the core Unix tools. So can we do it using just standard Unix tools? (beside "curl", which could even be replaced by a telnet doing an HTTP request if required)
To search Google from an API, you can use the AJAX interface to do the search (as the old Google search API is now defunct). The documentation of the interface is available, but the output is JSON. JSON is nice for a browser but funky to parse on the command line without external tools like jsawk. Still, it's text output, so it can be parsed by the wonderful awk (made in 1977, a good year)… In the end, this is just a file with comma-separated values for each "key/value" pair. Afterwards, you can throw away the key and display the value.
curl -s "http://ajax.googleapis.com/ajax/services/search/web?v=1.0&start=0&rsz=large&q=foo" | sed -e 's/[{}]//g' | awk '{n=split($0,s,","); for (i=1; i<=n; i++) print s[i]}' | grep -E '"(url|titleNoFormatting)"' | sed -e 's/"//g' | cut -d: -f2-
and the output :
http://en.wikipedia.org/wiki/Foobar
Foobar - Wikipedia
http://en.wikipedia.org/wiki/Foo_Camp
Foo Camp - Wikipedia
http://www.foofighters.com/
Foo Fighters Music
...
Now you can wrap the search in a bash function or an alias (replacing foo with $1). Do we need more? I don't think so, beside a Leica M9…
Update Saturday 19 June 2010: Philippe Teuwen found an interesting limitation (or a bug if you prefer) regarding Unicode and HTML encoding used in titles. Sometimes you may get garbage in the title (especially with the Unicode encoding of HTML-encoded ampersands). To solve the issue, Philippe piped the curl output through json_xs and then through recode html. That solves it, but my main goal is to avoid external tools. You can strip the garbage violently with an ugly "tr" or "grep [[:alpha:]]". I'm still digging for a "pure core" Unix alternative…
Tags: google command-line unix internet search
The recent article "Saying information wants to be free does more harm than good" from Cory Doctorow on guardian.co.uk rang a bell for me. It seems that we still don't really understand what the profound meaning of this mantra or expression is. One origin of the expression could be traced back to the fifties, when Peter Samson claimed : "Information should be free".
When Steven Levy published his book "Hackers: Heroes of the Computer Revolution", the chapter "The Hacker Ethic" included a section called "All information should be free", in reference to the Tech Model Railroad Club (TMRC) where Peter Samson was a member. The explanation given by Steven Levy:
The belief, sometimes taken unconditionally, that information should be free was a direct tribute to the way a splendid computer, or computer program, works: the binary bits moving in the most straightforward, logical path necessary to do their complex job. What was a computer but something which benefited from a free flow of information? If, say, the CPU found itself unable to get information from the input/output (I/O) devices, the whole system would collapse. In the hacker viewpoint, any system could benefit from that easy flow of information.
A variation of this mantra was coined by Stewart Brand at a hackers conference in 1984 :
On the one hand information wants to be expensive, because it's so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.
We could even assume that the modified mantra was a direct response to Steven Levy's book and its chapter "The Hacker Ethic" (as mentioned in a documentary called "Hackers - Wizards of the Electronic Age"). The mantra, or aphorism, has been used over the past twenty-five years by a large community. The application of the mantra by the GNU project is even mentioned in various documents, including again the book by Steven Levy.
Regarding the recent article from Cory Doctorow: he doesn't want the emphasis put on information but on people's freedom. I agree with that point of view, but the use of "information wants to be free" is a different matter. I want to take it from a different angle: information is not bound to physical properties the way physical objects are. Being liberated from physical rules, information tends to be free.
Of course, this is not a real axiom, but it's not far from being one. If you look at the current issues in "cyberspace", they are always related to that inner effect of information. Have you seen all the unsuccessful attempts to make DRM (digital restrictions management or digital rights management, depending on your political view) work? All the attempts from the dying music industry to shut down OpenBitTorrent or any open indexing services? Or the closing of newzbin, where at the same time the source code and database leaked? Or the inability to create technology to protect privacy (the techniques are not far away from the failed attempts of DRM technologies)?
Yes, "information wants to be free", just by effect, and we have to live with that fact. I personally think it is better to exploit this effect than to try to limit it. Fighting it is just like fighting against gravity on earth…
Tags: freedom information free freesoftware
Listening to the Belgian news is often a bit surreal (which makes sense in the country of surrealism), as they talk about problems that we don't really care about or that don't really impact citizens, even if the media claim that Belgian politics (and thus the crisis just created by some politicians) affect our lives. If you listen to every breaking news item, the majority is useless information that you can't use to improve your life or society. Neil Postman described this with a nice concept, the information-action ratio:
In both oral and typographic cultures, information derives its importance from the possibilities of action. Of course, in any communication environment, input (what one is informed about) always exceeds output (the possibilities of action based on information). But the situation created by telegraphy, and then exacerbated by later technologies, made the relationship between information and action both abstract and remote.
You can replace telegraphy with your favourite media; this is a real issue with current news channels (e.g. television, radio,…). The information is distant from what you are doing every day. We can blame our fast communication channels, which are very different from a book or an extensive article on a specific subject, where the information is often well organized and generates thinking (that can lead to action). Why are we listening to information that we don't care about? Why are we giving so much importance to useless information? I don't have a clear answer. I'm sure of at least one thing: instead of listening to or viewing useless information in the media, like Belgian politics, I'll focus on the media (including books) that increase my information-action ratio.
If you want to start in that direction too, I recommend Amusing Ourselves To Death written by Neil Postman.
Tags: contribute media belgium
In the past years, I have participated in plenty of meetings, conferences and research sessions covering technical and non-technical aspects of information security or information technology. Looking back and trying to understand what I have done right or wrong, and especially what the recipe for success in any information technology project is, I tend to find a common point in every successful (or at least partially successful) project : making concrete proposals and building them at the very early stage of the project.
A lot of projects tend to become meeting nightmares with no concrete proposal, just a thousand endless critiques of the past, present and future. Even worse, those projects are often tied to "best practices" in project management, with an abuse of the broken waterfall model. After 3 or 4 months of endless discussion, there is not a single prototype or software experiment, just a pile of documents making any committee happy but many software engineers angry.
If you look at successful (free and non-free) software projects or favourable standardization processes, they always come from real, practical contributions. Just compare the IETF practices with the "design by committee" methodology: practical approaches usually win. Why? Because you see the pitfalls directly and can reorient the project or the software development very early.
There is no miracle or silver-bullet approach for a successful project; the only way to make a project better is to make errors as early as possible. It's difficult, or near impossible, to see all the errors in a project until you get your hands dirty. This is the basis of trial-and-error: you have to try in order to see whether something is an error or not. If you don't try, you are just lowering your chances of hitting errors and improving your project, your software or even yourself.
So if you contribute, you'll make errors, but this is much more gratifying than sitting on a chair whining about an outdated project sheet or having endless discussions. There was an interesting lightning talk at YAPC::EU in 2008, "You aren't good enough", explaining why you should contribute to CPAN. I think this is another way to express the same idea : "contribute, make code, prototype and experiment". Even if it's broken, someone else could fix it or start another prototype based on your broken one. We have to contribute if we want to stay alive…
Tags: contribute startup innovation
or why I made Forban : a small free software for local peer-to-peer file sharing
Besides my recent comparison between e-books and traditional books, I own some e-books along with a huge collection of paper-based books. With books, sharing is common among book owners and bibliophiles. Sharing books usually produces an interesting effect, cross-fertilizing your knowledge. This is applicable to any kind of book and opens your mind to new books, authors, ideas or even new perspectives on your life. Sharing books is a common and legally allowed activity; there are even websites to support the sharing of physical books, like BookCrossing. With the publishers' recent move to sell (or should I say "to rent") e-books to readers and bibliophiles, it looks like the sharing of books has become something difficult or impossible to conceive for any editor or publisher. Even the simple act of moving your e-books from one reader to another (in the end, just moving a book to another bookshelf) is trapped in an eternal tax of purchasing the e-books again and again. This issue of an eternal tax on e-books has been clearly explained in "Kindle Total Cost of Ownership: Calculating the DRM Tax". The technology of restriction on e-books introduces many issues and threats against the sharing of, and access to, knowledge. The restrictive DRM "pseudo-technology" on e-books is the realization of the worst nightmare described in "The Right to Read", written in 1997 by Richard Stallman and published in Communications of the ACM (Volume 40, Number 2). I'm wondering what we can do to counterbalance this excessive usage of restrictive technology on books, often defined as "the accessible support of knowledge for the human being".
To support the phrase "Think Globally, Act Locally" against the recent threats to book sharing, I tried to come up with something to help me share books locally, without hassle, with friends, book fans or neighbours. I created Forban to share files easily on the local network. The software is a first implementation of the Forban protocols : fully relying on traditional HTTP, with a simple UDP protocol for broadcasting and announcing the service on the local network. The protocols are simple in order to help others implement other free or non-free software supporting the protocol and to introduce local file sharing as a default functionality (a kind of default social duty for promoting local sharing). Forban is opportunistic and will automatically copy all files (called loot ;-) announced by other Forban instances on the local network. By the way, Forban uses internet protocols but it does not use the Internet (a subtle but important difference, especially regarding laws like HADOPI).
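To give an idea of how such an announce/listen scheme works, here is a minimal Python sketch of a Forban-style UDP broadcast announce. This is illustrative only: the port number and the payload format below are my assumptions, not the actual Forban protocol.

```python
import socket

# Illustrative sketch only: the real Forban protocol defines its own UDP
# port and message format; the port and payload here are assumptions.
ANNOUNCE_PORT = 12555                       # hypothetical port
ANNOUNCE = b"forban;name:mybox;http:8000"   # hypothetical announce payload


def announce():
    """Broadcast a presence message on the local network."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.sendto(ANNOUNCE, ("255.255.255.255", ANNOUNCE_PORT))
    s.close()


def parse_announce(payload):
    """Split a semicolon-delimited announce payload into its fields."""
    fields = payload.decode().split(";")
    proto, rest = fields[0], fields[1:]
    return proto, dict(f.split(":", 1) for f in rest)
```

A peer listening on the same port would call parse_announce() on each received datagram and then fetch the announced files over plain HTTP.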
Happy new year and happy sharing for 2010.
Tags: books freedom sharing freesoftware
While cleaning up my desk or hiking in the forest, I get plenty of ideas for potentially interesting blog posts, but they are often too small to make a complete post. Some actions or comments made in physical and virtual communities could also be "blogged", but when pushed to micro-blogging they lose their context due to the limitation of 140 characters (including URLs; yes, URLs should not be counted in the 140 characters of a micro-blogging platform, but that could be another blog post). You can claim this is due to my friendly disorder of loving information mess or, even better, due to information being connected to other information in some way.
I recently discovered the "offer" from Getty Images made to flickr users: upload some photos to their group and, if they select your photos, they could end up in their stock. At first it looks very good, but digging into the FAQ of the callforartists group…
There is a chance one of your Creative Commons-licensed photos may catch the eye of a perceptive Getty Images editor. You are welcome to upload these photos into the Flickr collection on Getty Images, but you are contractually obliged to reserve all rights to sale for your work sold via Getty Images. If you proceed with your submission, switching your license to All Rights Reserved (on Flickr) will happen automatically.
If you’re not cool with that, that’s totally cool. It just means that particular photo will need to stay out of the Flickr collection on Getty Images.
Hey guys, this is not cool. I wrote my arguments against the scheme in their group. flickr helped artists to get rid of some stock-photography monopolies, but now they are coming back by removing (if you put your works in their group) the CC license from your flickr works.
During my volunteer work for the preservation of the intangible heritage of our region (in French), I made some comments regarding the digitization of books (in French), and I discovered a free software/hardware project called Decapod providing an easy and low-cost hardware solution to digitize books. I really would like to test it or find similar projects. A good step towards making digital archiving and preservation more accessible while using free software and free hardware.
Wikileaks released a copy of the initial ACTA draft agreement between the US and Japan, but that was in late 2008, called revision 1 - June 9, 2008. There are plenty of recent articles about a leak of the latest version of the ACTA agreement, but I can't find the leaked document. The document from the EU is a summary of the content with references, not the real document. I suppose that since June 2008 there have been other revisions, especially the one including the Internet part. The drafting process for such a legal text is scary, especially knowing that it will be the ground for a treaty, an EU directive and, later, various national transpositions. Can someone distribute the latest version of the ACTA agreement?
or why I'm not happy with e-book readers and still read paper-based books
Every year at home, we read and stack more than 3 shelves of books. As you can see in the above picture, I'm forced to stack books on top of the bookshelves (here on top of a classical "Billy" from a well-known Swedish supplier). Looking at my own use of books, electronic books seemed to be a nice opportunity. So I tried various e-book readers (over a 2+ year period) but without any success or even a positive experience. I won't review all the readers I tried, from free software e-book readers to proprietary physical e-book readers. While testing those devices, I took some notes describing the issues I encountered while reading electronic books compared to traditional books. I summarized my impressions (in the end, this is just my own experience of reading, so it is quite subjective). My impressions are based on the additional cost added by an e-book reader compared to traditional printed books.
A book doesn't need time to boot, set up, charge its battery, refresh a page, index, recover or even crash. If you have 5 minutes while waiting for your friends, you just open the book and start reading. With an electronic book, this is not the case. In the best case, the e-book is ready, but then you see the battery going low and you are stuck in your car, waiting for someone, without the possibility to read (and worse, you forgot the car charger. This happens). Right now, nothing beats a paper book on set-up…
An electronic book limits social interaction in the tangible, physical world. A classic example: when reading a book in a train, I can't count how many times it was the opportunity for starting a discussion, often just because the traveller next to me was trying to read on the cover what I was reading… With an electronic book, how can the traveller read the cover? Today, this is not possible, and that's a limiting factor for starting a conversation. The same holds in libraries, bookstores or at home while visitors are casually looking at your bookshelves. You can socialize around books on the Internet, but shutting down your local social interaction by moving from books to e-books is not an option for me.
I read everywhere, but my bed is one of the first places where I read. Sorry, but a computer or device in a bed is something strange (even a traditional book can be difficult). Reading a screen before sleeping is like having light therapy just before sleep. A traditional book emits no light; an indirect light is used to read what's written on the paper. So the comfort of a paper book is unbeatable, especially while reading in your bedroom.
One of my great pleasures is to read a book while drinking tea. It has happened that I spilled some tea on a book, but the effect is fundamentally different with an electronic device. Water (and other liquids) are dangerous for books, but worse for an electronic device.
I know it's bad, but I make annotations (margin annotations, highlighting…) in my books and often go back to them. You need a pencil and that's it. With electronic books, this is difficult (sometimes impossible to do the way you want), and querying your annotations later is also a pain.
The cost of using electronic books is high and doesn't bring that much value (at least to me) compared to a traditional paper-based book. The only really useful use of an electronic book is when you need a reference book and want to look up a word. Despite being someone who uses and creates technologies, I'm still more convinced by reading and using all those old books. The ecological impact of printing books is high but is becoming more and more limited. It's really difficult for me to find real, concrete advantages in electronic books. Maybe the main advantage is needing fewer bookshelves, but I would be a bit nostalgic without guests craning their necks to read the titles. So I'll continue to purchase new bookshelves… at least for the next few years.
It is no secret that I'm interested in botany and biology in general. When I'm shooting pictures of wildlife, I always try to classify the pictures properly. Classification is very important when you are trying to protect the life around you. Especially when gardening, it happens that you get a bad surprise because a plant nursery used the same common name for two different plants. That's one of the reasons why the use of binomial nomenclature is highly recommended.
I have gathered some notes on my use of machine tags for biological taxonomy. So you can easily express the classification on web services using tagging (like flickr or del.icio.us) with a machine tag that can be read by humans and by machines (read: automated information systems) :
taxonomy:binomial="Asperula arvensis"
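As a small illustration of how such a triple tag can be consumed by automated systems, here is a minimal Python sketch. The namespace:predicate=value shape is the machine tag convention; the parser itself is mine and deliberately simplistic.

```python
import re

# A machine tag has the shape namespace:predicate=value; on services like
# flickr the value is often quoted when it contains spaces.
MACHINE_TAG = re.compile(r'^(?P<ns>\w+):(?P<pred>\w+)="?(?P<value>[^"]*)"?$')


def parse_machine_tag(tag):
    """Return (namespace, predicate, value), or None for a plain tag."""
    m = MACHINE_TAG.match(tag)
    if m is None:
        return None
    return m.group("ns"), m.group("pred"), m.group("value")
```

For example, parsing the tag above yields the triple ("taxonomy", "binomial", "Asperula arvensis"), while a plain tag like "flower" is rejected.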
But finding the proper binomial name, and especially the proper spelling, is not always easy. So I made a hack around agrep to find the proper spelling of a binomial name using part of the official Catalogue of Life provided by ITIS.
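The agrep hack itself is not reproduced here, but the same idea (approximate matching of a misspelled name against the catalogue) can be sketched with Python's standard difflib. The three names below are a tiny stand-in for the full Catalogue of Life dump.

```python
import difflib

# Tiny stand-in for the full Catalogue of Life dump (one binomial per line).
CATALOGUE = [
    "Asperula arvensis",
    "Asperula cynanchica",
    "Lonicera periclymenum",
]


def suggest(name, catalogue=CATALOGUE, n=3, cutoff=0.6):
    """Return the closest-spelled binomial names, best match first."""
    return difflib.get_close_matches(name, catalogue, n=n, cutoff=cutoff)
```

A misspelled query like "Asperula arvense" would return "Asperula arvensis" as the best match; agrep does the same kind of approximate matching but streams over the raw text dump instead of an in-memory list.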
The full text dump (around 10MB) of the binomial names extracted from the Catalogue of Life is also available. Without such research data available, it would have been very difficult to build such an exhaustive catalogue. It's not a coincidence that the cover of the latest Nature is about data in research. Data is a critical part of the future of research, but it needs to be easily accessible under a proper free license (just like free software).
Tags: tagging tag folksonomy classification reference machinetag machinetags triple_tag biology life binomial
Visualizing the Yin and Yang of Information Security. Working in the information security field, I had some difficulty explaining the equilibrium I try to reach. Stuck (again) in a traffic jam, I quickly drew the following three circles representing the three kinds of "information security" approaches. I somehow work in all three circles, often trying to reconcile them, with some large failures but also some successes.
Being in the centre is very hard: you have to balance proper implementation (the creation part) against "deconstruction"/attacks, while keeping an eye on the scientific input.
In chapter 46 of The Myths of Security, John Viega nicely explains what happens when you stay in the academic hacking circle without going close to the two other circles. You produce academic novelty that no one can use, implement or attack. So the impact of your academic research is limited to the academic circle and nothing else.
When Linus Torvalds states "we should not glorify security monkeys", this is the classical behaviour of staying in the "deconstructing" circle without trying to find something creative and/or academic to solve the security issue.
When Wietse Venema explains that you should write small independent programs, without modifying existing programs so as not to affect their integrity, that's creating new software without taking into account the "deconstructing" attacks on your software or the scientific background needed to reach a good level of formal correctness.
I'm the first to make the mistake of staying within a single circle, but you must force yourself to touch the two other circles in some way. Information security is difficult, and this equilibrium (academic, creativity and deconstruction) is difficult to reach. When you come close to reaching it, it is really a great moment…
For my recent birthday, I received a nice book called "Plantes des haies champêtres" (plants of the country hedgerows), written by Christian Cogneaux. The book is a directory of the plants usually composing natural hedges. On the form side, the layout and typography of the book are clear and easy to read (the form is also important to make a book more engaging). The photos, made by Bernard Gambier, are really beautiful and true to the spirit of the book. The content itself is useful (especially if you want to keep or create natural hedges in your garden or land) and provides an exhaustive overview of the species common to natural hedges. But what's the relationship with the diversity and stability in my blog title? Good question. When reading the introduction about the importance of preserving natural hedges, I immediately thought about the scientific reason behind the conservation of natural hedges.
A natural hedge, with its heterogeneity, provides a nice ecological system reaching an "equilibrium stability". As demonstrated by the zoologist Charles Elton, a more diverse community provides more resilience when changes are introduced (like the introduction of new species or predators). Natural hedges form a nice complex system where the abundance of species increases the general stability. If the diversity-stability topic interests you, there is an excellent article from Nature on diversity-stability in biology.
If you want to contribute to biodiversity, when you are thinking of planting new hedges, consider not using a single species for your hedge. On the one hand, a single species introduces more risk of completely losing the hedge (e.g. when the hedge is susceptible to a single predator). On the other hand, using various species helps to increase biodiversity and protect the surrounding nature. There is also a nice side effect of a diverse natural hedge : a hedge with various species is nicer to look at than a monotonous green wall.
For the information security freaks reading my humble blog, there is the collateral discussion about diversity in information systems, as explained in the article "The Evolution of Security : What can nature tell us about how best to manage our risks?". But this is another story…
Tags: biodiversity ecology hedges diversity stability
On the cover, you can see a nice Lonicera (very common on natural hedges).
When an idea is confronted over time, there is a high risk of destruction (but that's part of the game). If the idea comes out stronger and stronger from this confrontation process, there is the possibility of something new being created over time. In the past few months, I read André Gorz again, especially Écologica and L'immatériel : Connaissance, valeur et capital. Surprised by his consistency and his ability to circumscribe the important topics of the information society, I found a recurring concept always popping up in his works : the metric, and especially the lack of a universal measure (called "étalon de mesure") in the information society. Gorz pointed out the issue with capital and the operation of an economy trying to capitalize on "intangible capital". Reading his works right now is very interesting, especially as he was really pointing out the risks of creating economic bubbles while trying to apply the capitalist techniques of tangible assets to the intangible.
Looking back, the idea of a "universal metric" in the information society had somehow already hit my mind with the following posts and projects : Wiki Creativity Index, Innovation Metric (especially as the clumsy patent system is the only metric in use) and Creativity Metrics Are Needed. Projects like Ohloh already provide a specific answer to quantify the activity in the free software community. We are still far away(?) from a "universal metric", but when it becomes possible to link the activity of a human being with an exchangeable "money" (like bitcoin), we could have the possibility of growing without impacting natural resources and of funding society with real citizenship.
More than two years ago, I wrote a blog entry about "Google Books Killing Public Domain", where Google adds an additional clause pulling public domain works back into the private circle by limiting all public domain works scanned by Google to private use.
Reading an interview (sorry, in French) of Jean-Noël Jeanneney, Mr Jeanneney is very proud of the Europeana digital library competing with Google Books. It's nice to see competition, but is it really different from Google Books? No. Europeana is also transforming public domain works into proprietary works. Just have a look at Europeana's terms of service (copying section): they make the same mistake.
I have had a lot of arguments, especially during a conference held by the BNF about digital libraries; their argument is about the cost of scanning or the "added value" of scanning those public domain works. Sorry to say, but this is pure fiction (to be polite ;-): there is no such thing as "adding value" while scanning an old public domain book. If you want to create wealth for the benefit of society, please release public domain works as public domain. You'll see unexpected uses (including commercial uses) of those works, and that will benefit everyone, even the libraries doing the scanning.
If you want to be ahead (I'm talking to Europeana or even Google) and help everyone, please leave the public domain works in the public domain.
If you are a frequent reader of my delicious feeds, you can see my addiction to wikis and git. But I never found a wiki similar to Oddmuse in terms of functionality and dynamism relying on git. Before Christmas, I wanted to have something working… to post this blog entry via git. The process is very simple : oddmuse2git imports the raw pages from Oddmuse into the master branch of a local git repository. I use another branch, local (which I merge/rebase regularly with master while edits happen via HTTP), to make local edits and push the updates (a simple git-rev-list --reverse against master) to the Oddmuse wiki. The two scripts (oddmuse2git and git2oddmuse) are available. OK, it's quick-and-dirty(tm) but it works. There is room for improvement, especially fetching the Oddmuse updates via RSS to avoid fetching all the pages.
Update - 20th December 2008 : I imported communitywiki.org using my oddmuse2git and updates seem to work as expected. If you want to clone it :
git clone git://git.quuxlabs.com/communitywiki/
I also updated the script to handle updates (using the rc action from Oddmuse) so that it only fetches the latest changes. For more information, see Oddmuse and Git.
Reading scientific/academic publications in computer science can be frustrating for various reasons. The most frequent one is the inability to reproduce the results described in a paper, due to the lack of the software and tools needed to reproduce the empirical analysis. You regularly read references in papers to internal software used for the analysis or survey, but the paper lacks a link to download that software. Very often, I shared this frustration with my (work and academic) colleagues, but I was always waiting for a more formal paper describing this major issue in scientific publication, especially in computer science.
By sheer luck, I hit a paper called "Empiricism is Not a Matter of Faith", written by Ted Pedersen and published in Computational Linguistics Volume 34, Issue 3 of September 2008. I want to share with you the conclusion of the article :
However, the other path is to accept (and in fact insist) that highly detailed empirical studies must be reproducible to be credible, and that it is unreasonable to expect reproducibility to be possible based on the description provided in a publication. Thus, releasing software that makes it easy to reproduce and modify experiments should be an essential part of the publication process, to the point where we might one day only accept for publication articles that are accompanied by working software that allows for immediate and reliable reproduction of results.
The paper by Ted Pedersen is clear and concise; I couldn't explain it better. I hope it will become a requirement of any open access publication to include the free software (along with the process) used to make the experiments. Science at large could only gain from such disclosure. Open access should better integrate such requirements (e.g. reproducibility of the experiments) to attract more academics from computer science. Just imagine the excellent arxiv.org also requiring paper submissions to include a link to the free software and process used to make the experiments: that would be great.
Tags: openaccess research education freesoftware
Reading the blog of Frédéric Péters, I stumbled upon his post called "Vers l'infini et au-delà !" ("To infinity and beyond!"). I quickly commented, as I share a similar feeling about the recent development of the relationship between software "industries" and free software. Frédéric pointed out the recent "2020 FLOSS Roadmap" report, where the roadmap is more an attempt to be close to the fuzzy and vague Magic Quadrant than something really coming from the free software community (yep, the community is not only composed of "industrial consortia", even if this report tries to give that idea).
My feeling is the following : there is no way to predict the future, especially when we are talking about (free) software evolution. Roadmaps are closer to science-fiction books (I prefer to read science-fiction books, they're more fun) than to anything else. Why is that? Because software development is a trial-and-error process, especially in the free software community. Free software users also choose their free software by trial and error… how can you easily predict the state of free software in 2020 when a trial-and-error process is in use? This reminded me again of the post from Linus Torvalds about the "sheer luck" design of the Linux kernel. To quote him :
And don't EVER make the mistake that you can design something better than what you get from ruthless massively parallel trial-and-error with a feedback cycle. That's giving your intelligence _much_ too much credit.
Projecting what free software will be in 2020 is just a joke. What we really need to do to ensure a future for free software is to preserve the diversity and creative dynamic of the community. Creation and development of free software without boundaries or limitations is critical to ensure a free future. New free software often comes from individuals and rarely from large industrial consortia… So the roadmap is easy: "Resist and create free software".
Tags: freesoftware diversity biology freedom
It's time to join APRIL… If you are looking for an organization to join in France that promotes free software and its philosophy, there is only one: APRIL. The GNU will thank you (as you can see in the picture, he is already thanking me for being a member, even though I'm from Belgium).
Tags : gnu freedom april freesoftware free_software
When I first touched free software (that was a long time ago… I'm feeling old today) it was mainly for a technical reason. The technical reason quickly shifted to the ethical implications of free software and its relation to freedom in general. The comfort of copyleft licensing is like a promise to me: "keeping 'information' eternally free". My view is that copylefted information (from free software to free art) is just like a biotope where the environmental conditions (in this case copyleft licensing) help to create a living place. The copyleft is a guarantee that the biotope has sufficient input to grow and a good fertilizer. In the past few years, the ecological system of copyleft has been working quite well, but the main reason (IMHO) for its limited growth is the incompatibility between copyleft-type licenses, as they are often mutually exclusive.
I'm not in favor of the excessive proliferation of copyleft-type licenses, which increases legal complexity while not improving the life activity in the copyleft biotope. That's why I'm using the following licensing statement:
This work is licensed to you under at least version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar free licenses.
The recent minor extension in the GNU Free Documentation License 1.3, creating the ability to also use the Creative Commons Share Alike (CC-SA), goes in the direction of improving the biotope interaction. In my view, I never understood why we have different copyleft licenses when, in the end, information works like computer programs, images, art or documentation all live in the same biotope. I would be willing to use the GNU General Public License for any type of free information work. I'm sure that the differences between types of works will disappear in the future and, in the end, we'll have a generic GNU GPL (version 4?) covering any copylefted work. Life is so beautiful in this biotope that we cannot limit it with incompatible licenses…
That's a "great day": we have just entered the age of cyberpunk with the recent vote of the French Senate:
The French Senate has overwhelmingly voted in favour of a law that would cut off access to the internet to web surfers who repeatedly download copyrighted music, films or video games without paying.
In other words, the "corporate elite" (or the old and aging music industry) made a law to cut Internet access when "copyrighted content" is downloaded (sometimes merely suspected, or done without the Internet user's consent). Hmmm… this looks very close to the story line often used in cyberpunk stories. To be more precise, here is the portrait of cyberpunk societies made by David Brin:
…a closer look at cyberpunk authors reveals that they nearly always portray future societies in which governments have become wimpy and pathetic …Popular science fiction tales by Gibson, Williams, Cadigan and others ''do'' depict Orwellian accumulations of power in the next century, but nearly always clutched in the secretive hands of a wealthy or corporate elite.
We have to be prepared, and should start the business of a "black market" for Internet access, where all the people excluded from official access can get back on the network.
Microblogging is now the preferred way to publicly update your life or activity status. The technique is now widely used thanks to a generation trained with SMS and small text messages (just like the Post-it note fifteen years before ;-). If you plan to put your life's instant messages into a microblogging service, I would suggest using identi.ca and not Twitter (or any other proprietary microblogging solution like Jaiku). There are two good reasons for doing so.
The first is a philosophical reason. Software must be free, but with the huge success of network services, software becomes a service; the software itself looks less important and people tend to forget about its availability. That's why, as a user, developer or service provider, you must take great care while using, developing or running a network service. The Franklin Street Statement on Freedom and Network Services published by autonomo.us started to look at the issue and defines what qualifies as a free (as in freedom) network service. In the area of microblogging services, identi.ca follows the Franklin Street Statement on Freedom and Network Services. The software running this microblogging service is free (released under the GNU Affero General Public License) and called laconica.
The second is a practical reason: identi.ca runs better. As I cross-post between Twitter and identi.ca, I have a script to post to both at the same time:
adulau@kz:~$ perl micropost.pl "I really like #webpy... no constraint and full freedom to code your application."
Posting to Twitter... 500 Server closed connection without sending any data back
Posting to Identi.ca... 200 OK
Yes, I get such errors very regularly: identi.ca works as expected but Twitter is just dying. As you can see, having a working service is not a matter of investment. You can have better services just because you have motivated people and design by constraint. Another interesting part is that identi.ca supports XMPP while Twitter has trouble with it. On both the practical and philosophical sides, identi.ca is the winner. Of course, you shouldn't look at the trends. Trends are for marketers, not users…
Tags: company startup innovation internet microblogging identi.ca freedom
A recent blog post by Alex Schroeder about corporate wikis, and my comment on his post, reminded me of a post I wanted to make some time ago about the difficulty for a corporation to learn from the Internet. The Internet, beside being a big mess, often works better for managing large volumes of information and online/distributed collaboration than any internal, company-designed software or process. I don't really want to understand why this is the case on the Internet; maybe it is due to the "trial-and-error" approach with continuous feedback (well described by Linus Torvalds in his post about the kernel's evolution). I just want to point out some areas where the corporate world could learn from the Internet to avoid classical pitfalls.
As nicely and visually explained in the post about corporate wikis from Alex Schroeder, a new software project in a large corporation often starts by accumulating all the requirements from the "stakeholders" (in other words: anyone who could be affected by the introduction of the new project). But does it work in practice? From my small experience on the subject, I tend to say "not at all". First, it's usually impossible to find any (free or proprietary) software that meets all the requirements. In such a situation, instead of throwing away some requests from the "stakeholders", the project tries to extend the software to meet all the requirements. That generates unrealistic requests: modifying existing software (the famous "small customization"), creating software from scratch, over-extending a workflow to match crazy requirements or, worse, sending a two-hundred-page requirements document to a software engineer already working on 10 "corporate" projects.
Successful Internet projects often take the opposite approach, starting with something small and doing it well. The first release of del.icio.us was simple and clearly focused on a simple multi-user bookmarking service. But it worked. Various Internet services started very small due to their limited assets and money constraints. Starting small with a really focused objective limits the risk of creating a monster that no one wants to use. If it fails, you start a new project. On the Internet, failure is accepted and welcome, especially since it helps (only helps ;-) to avoid repeating the same failure and to experiment with other ideas that could fail or work well.
Companies should look more into this approach of creating very small projects, throwing away the "consensus among all the stakeholders" and implementing ideas by prototyping early. I know that's not an easy task in large companies, especially changing (read: killing) the corporate approval process (often good wikis don't care about approval, as described in "Why it's not a wiki world (yet)"), the hiding-failure-as-default policy, and the "we don't code, we just hold meetings" culture. Don't get me wrong, I'm not trying to say that everything is broken in companies. But they should start to understand that they are not living on an island and that they can gain a lot from bringing Internet practices inside the company.
This post is somehow related to a previous stacking idea page about how to better operate a company.
Tags: company startup innovation internet wiki
The 4th edition of the security conference hack.lu 2008 is on a good track. The plenary agenda is now on-line with plenty of interesting talks. If you want to join us in this information security delirium, there is also the hackcamp/barcamp: a space where more spontaneous discussions/demos can be held. If you have some crazy ideas or demos that you want to present in the information security area, the hackcamp/barcamp is the right place. On the organization side, everything is going well except for the standard glitches…
Looking at the recent "article"/post on slashdot claiming that IPv6 use is not growing, I do not agree, especially when I see the latest IPv6 statistics from AMS-IX: the usage is growing, and more and more ISPs announce their IPv6 prefixes and start to connect their customers. By the way, I will add an AAAA record for my web server this month. IPv6 is real, working, and its usage is increasing. Sure, it will take time, but it's time to jump…
Following a micro-discussion with Michael about the software that you always need on your favorite operating system, we came to a similar conclusion: Git and GNU Screen are the musts. Without them, your favorite free operating system looks useless. Of course, if you want to be ahead and always have the latest version of Git and GNU Screen in your ~/bin, there is an easy way: Git 4 ;-)
#!/bin/bash
# assuming a cloned repository of GNU Screen in ./screen
cd ./screen
git pull
SCREEN_VERSION=`git-show | head -1 | cut -c8-`
git archive --format=tar --prefix=screen-current/ HEAD >../../down/screen-current.tar
cd ../../down
tar xvf screen-current.tar
cd screen-current/src
sed -e s/devel/${SCREEN_VERSION}/ patchlevel.h >patchlevel.h.tmp
mv patchlevel.h.tmp patchlevel.h
./autogen.sh
./configure --prefix=${HOME}
make
make install
As GNU Screen development is hosted in Git, you can use Git features like the commit ID to generate the version. That makes it easier to know exactly which version you are running when reporting bugs. I also used a similar approach for Git itself. And you? What are your favorite two pieces of software that make an operating system useful?
Tags : git gnu_screen scm gnu
According to recent news from the EFF, there is an increasing trend among some ISPs to limit the use of, or block access to, Usenet. But NNTP and Usenet can still be useful for new technologies; a nice example is an NNTP server plug-in in a wiki. In such a case, you can benefit from Usenet threading using a standard Usenet client, or distribute the RecentChanges RSS feed in a more efficient way than regularly fetching RSS feeds via HTTP. Old is new and new is old… don't kill the Usenet infrastructure that could support the next interactive business.
If you have a machine generating various cryptographic keys, you really need a non-predictable state in your entropy pool. To reach a satisfying level of unpredictability, the Linux kernel gathers environmental information in order to feed this famous entropy pool. Of course, gathering enough unpredictable information from a deterministic system is not a trivial task.
In such conditions, having an independent random source is very useful to improve the unpredictability of the random pool by feeding it continuously. That also avoids having your favourite cryptographic software stop because it lacks entropy (it's often better to stop than to generate guessable keys). In the graph below you can clearly see the improvement in entropy availability. On an idle system, it is difficult for the kernel random generator to gather environmental noise, as the system behaves deterministically while doing "near" nothing. Here the hardware-based random generator regularly feeds the entropy pool (starting at the end of week 24), independently of the system load/use.
If you are the lucky owner of a decent Intel motherboard, you should have the famous Intel FWH 82802AB/AC, which includes a hardware random generator (based on thermal noise). You can use a tool like rngd to feed the Linux kernel entropy pool in a secure way. By "in a secure way", I mean really feeding the pool with "unpredictable" data by continuously checking the data with the existing FIPS tests.
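On a Linux system you can watch the pool state yourself; a minimal sketch using the standard /proc interface (the actual numbers vary per kernel and load):

```shell
# Inspect the kernel entropy pool: estimated bits of entropy currently
# available, out of the total pool size.
avail=$(cat /proc/sys/kernel/random/entropy_avail)
size=$(cat /proc/sys/kernel/random/poolsize)
echo "entropy: ${avail}/${size} bits"
```

If the available entropy stays near zero on an idle system, that is exactly the situation where a hardware random generator fed through rngd helps.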
That's the bright side of life, but I will close this quick post with something from the OpenSSL FAQ:
1. Why do I get a "PRNG not seeded" error message?
... [some confusing information]
All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not available.
... [more confusing information]
If I understood the FAQ correctly, by default OpenSSL uses /dev/urandom first, not /dev/random. If your entropy pool is empty or your hardware random generator is not active, OpenSSL will use the non-blocking /dev/urandom and could end up using information that is predictable. Something to remember if your software relies on OpenSSL.
Update on 03/08/2008:
Following a comment on news.ycombinator.com, I tend to agree that my statement "/dev/urandom is predictable" is wrong; that was a shortcut to urge people to use their hardware random generator. For key generation (OpenSSL is often used for that purpose), however, the authors of the random generator (as stated in the section "Exported interfaces ---- output") also recommend using /dev/random (and not urandom) when high randomness is required.
It's true that when you run out of entropy, you depend only on the strength of the SHA algorithm; but then you are continuously feeding the one-way hash function with a "regular pattern" (another shortcut). You could start to run into problems like the one in a linear congruential generator when the seed is a single character… Granted, the SHA algorithm is still pretty secure. So why take an additional risk (additional because maybe the hardware random generator is already broken ;-) by using /dev/urandom when you already have a high-speed hardware random generator that can nicely feed /dev/random?
Everything started when governments tried to limit liberties on the Internet; the first major case was the Communications Decency Act. The famous Blue Ribbon campaign of the EFF started in 1996 because of that legal nonsense. We thought we were safe from such stupid regulation in cyberspace when the US Supreme Court ruled that the Communications Decency Act was largely unconstitutional. But history proved the opposite: governments are continuously trying to limit civil liberties on the Internet (and not only in China). Seeing such intensity from governments in limiting our rights in a space where freedom exists by nature, I really have confirmation (from so many repeated legal tricks aimed at complete control of the Internet) that limiting our space of freedom is an intended purpose.
Hopefully there is still an active community (from scientists to citizens) producing interesting papers, such as: Cassell, Justine, and Meg Cramer, "High Tech or High Risk: Moral Panics about Girls Online", Digital Youth, Innovation, and the Unexpected. An interesting part is the comparison with the telegraph and the telephone. The conclusion of the paper also shows the danger of "moral panic" for women:
And in each case that we have examined, from the telegraph to today, the result of the moral panic has been a restriction on girls’ use of technology. As we have described above, the telegraph, the telephone, and then the internet were all touted for how easy they were for young women to use, and how appropriate it was for young women to use them. Ineluctably, in each case, that ease of use and appropriateness became forgotten in a panic about how inappropriate the young women’s use of these technologies was, and how dangerous the women’s use was to the societal order as a whole. In the current case, the panic over girls’ use of technology has taken the form of believing in an increased presence of child predators online. But, as we have shown, there has been no such increase in predatory behavior; on the contrary, the number of young women who have been preyed on by strangers has decreased, both in the online and offline worlds. Finally, as with uses of communication technologies by women in the past, it is clear that participation in social networking sites can fulfill some key developmental imperatives for young women, such as forming their own social networks outside of the family, and exploring alternate identities. Girls in particular may thrive online where they may be more likely to rise to positions of authority than in the physical world, more likely to be able to explore alternate identities without the dangers associated with venturing outside of their homes alone, more likely to be able to safely explore their budding sexuality, and more likely to openly demonstrate technological prowess, without the social dangers associated with the term “geek.” And yet, when moral panics about potential predators take up all the available airtime, the importance of the online world for girls is likely to be obscured, as are other inequalities equally important to contemplate.
But obviously, I'm still very affected by the continuous flow of bad laws (like the recent one from France) or actions like blocking Usenet. Do they want to turn the Internet into a useless medium where free speech is banned, an Internet with so many technical restrictions implemented that it becomes impossible to use?
Until very recently, I was using a mixture of text files to maintain to-do lists across my various activities. The problem is that some of my to-dos and activities are linked, and I needed a kind of permanent access to those lists while at work, at home or travelling. I also needed to update the lists off-line, with the ability to merge them easily. That worked, but it was not perfect and sometimes messy.
I found an updated version of the famous todo.txt (a bash script to maintain plain text to-do lists) called git-todo.py, hosted at gitorious.org. After a simple test, I decided to move all my to-do lists, idea lists and other assorted lists to git-todo.py. The major work was recreating all the lists using the simple todo.txt format, but that was straightforward.
So I "centralized" (a big word for a distributed SCM ;-) everything around a master to-do git repository accessible via the Internet, nothing really exotic. I have a basic script that always merges from master when I start working, to be sure that the local branch is up to date.
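Such a sync script can be sketched in a couple of lines; a minimal version, assuming the to-do lists live in a cloned git repository (the repository path is whatever you choose):

```shell
# sync_todo: bring the local to-do repository up to date with the
# shared master repository before starting to work.
# Runs in a subshell so the caller's working directory is unchanged.
sync_todo() {
    ( cd "$1" && git pull --quiet )
}
```

Called as e.g. `sync_todo ~/todo` from a login script, it guarantees the local branch reflects the latest pushed changes before any edits happen.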
My daily process is roughly described in the diagram, but the idea is there. I mixed all my various lists and used the todo.txt format to tag the entries. That allowed me to recover some old ideas lost in my previous messy format. Another big advantage of todo.txt is the ability to change the child/parent of each entry; very handy when you see that a project is going nowhere unless other tasks are done first.
I have also included a daily idea list where I just note crazy ideas that come to mind, or that emerge from discussions with a friend or colleague. That's a way for me to keep a kind of imaginative playground alongside the more raw tasks to be done. When an idea becomes a task (often good news), I just add a tag to link the idea with the current project.
Following my past blog entry on why creativity metrics are needed, I quickly made an experiment called the Wiki Creativity Metric to monitor the activity of some well-known wikis talking about wikis (from the technology to the use of them). The idea is to have a more positive approach to metrics, one where we can have more influence. Imagine you saw that the WCI was down yesterday: maybe that's the time to contribute more to CommunityWiki. If our world is overflowing with today's metrics and indices of all kinds, why not invent our own metrics to make the world more free and better? I updated the graph following the excellent feedback from Jean-Etienne Poirrier.
Tags: metrics creativity positivism wiki freedom
GPL does not always stand for the GNU General Public License… as seen on this flower label. It's a company doing "plant novelty rights" called GPL International (http://www.gpl.dk/). They are clearly going in the opposite direction compared to the freedom defined in the well-known free software license called the GNU General Public License.
By the way, if those osteospermum flowers are not F1 hybrids, we will be able to keep some good seeds and copy (by multiplication) the plant. It is nature's right to reproduce itself. It's the first time I have seen a company trying to forbid the gardener (as described on their labels, check the photo below) from multiplying the purchased plant.
Tags: freedom biology gpl gnu license nature gardening seeds biodiversity
Finally, the Linux kernel now supports IPv6 multicast forwarding, with the recent commit of Hideaki Yoshifuji (thanks for his great work on IPv6 support in the Linux kernel). That's great news, and we can expect it in the next 2.6 release (of course, you can compile the current master branch). FreeBSD has natively supported IPv6 multicast forwarding since the end of 2002, as the KAME project used FreeBSD for the reference IPv6 implementation.
Before, you were forced to use various tricks to make IPv6 multicast forwarding/routing work under GNU/Linux. One of the tricks is to gather the MLD messages (MLD is the IGMP-like protocol for IPv6) on each interface and forward based on the messages received ("system x wants to receive group y"). This works quite well in the very common tree structure where many systems are connected to an aggregating infrastructure like an ISP. There is a free software implementation of this for Linux called ecmh (if you are not running the master branch and cannot wait to forward IPv6 multicast ;-). The concept of "multicast forwarding based on MLD learning" is also described in RFC 4605. Beside the new IPv6 multicast forwarding in the Linux kernel, this approach is still applicable to old kernels or devices unable to run a recent kernel.
So I just hope that the RFC 5058 (Xcast) won't take so many years to be implemented by default in the Linux kernel… ;-)
In my continuous MachineTag dementia (but at least a useful one, as with the license machine tag), I experimented with implementing an interesting expired Internet-Draft called Link Fingerprints as a machine tag. The idea of Link Fingerprints is to fingerprint a reference to information, to be sure that the content of the retrieved object matches the initially referenced object (you can replace "object" with "file"). In other words, to be sure that the downloaded file is the one initially provided by the author. This is very handy when distributing free software over the Internet, to limit the risk of downloading compromised software. The background idea of Link Fingerprints is really good, but implementing it in the URI introduces various issues (discussed in the WG during the introduction of the Internet-Draft).
Why not reimplement the idea as a machine tag? Here comes the Machine Tag Link Fingerprint, with a specific namespace called linkfingerprint. How does this work? It's pretty easy if you already know what a machine tag is.
URL  : http://www.foo.be/gnupg-adulau.txt
Tags : adulau linkfingerprint linkfingerprint:hash=md5:cbd9f12c32adec490b23061edb61f5fe
The tags for the test URL are stored in del.icio.us. The reduced security risk does not really come from the use of the machine tags themselves but more from the collaborative tagging approach. Collaborative tagging applications (like del.icio.us) often introduce networks of users, which can be used to gain a certain level of trust in a tag. This helps to give a kind of certainty about the object or file to be downloaded. That's not perfect, but it is better than storing the hash or fingerprint in the same directory where the files are hosted. I have also updated MachineTagLinkFingerprint to add support for OpenPGP detached signatures.
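Generating such a tag is straightforward; a minimal sketch with a stand-in local file (md5sum is the usual coreutils tool, and the file name here is just an example):

```shell
# Build a linkfingerprint machine tag for a file: hash the content and
# embed the digest in the linkfingerprint namespace.
printf 'hello\n' > /tmp/example.txt    # stand-in for the published file
hash=$(md5sum /tmp/example.txt | cut -d' ' -f1)
tag="linkfingerprint:hash=md5:${hash}"
echo "$tag"
# prints: linkfingerprint:hash=md5:b1946ac92492d2347c6235b4d2611184
```

Anyone retrieving the file can then recompute the md5 of the download and compare it with the tag fetched from the tagging service.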
Tags: fingerprint hash security machinetag linkfingerprint openpgp
When you are in a standardization process (in other words, around the table with different people trying to make a "standard"/document), there are two major approaches to the licensing of the "patented technologies" required for the standard: either the Royalty Free licensing model or the (un/fair) Reasonable and Non-Discriminatory licensing model.
Obviously, if you want a real open standard, you have to go for the royalty free licensing model. To better understand the difference, an example is better than theory. There is a nice example of a Royalty Free license around ATOM (RFC 5023 and RFC 4287) made by Google at the IETF (where you are required to disclose any patent claims around a (proposed) standard):
Subject to the terms and conditions of this License, Google hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this License) patent license for patents necessarily infringed by implementation (in whole or in part) of this specification. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the implementation of the specification constitutes direct or contributory patent infringement, then any patent licenses for the specification granted to You under this License shall terminate as of the date such litigation is filed.
The wording is clear, there is no real ambiguity, and the license is compatible (be careful, I'm not a lawyer) with free software implementations. I think that's fine for the promotion and use of open standards. The license is valid for everyone and you don't need any additional interaction with Google to obtain it.
Now, here is an example of the RAND (Reasonable And Non-Discriminatory) licensing model, this one made by Cisco about VRRP:
Cisco is the owner of US patent No. 5 473 599, relating to the subject matter of "Virtual Router Redundancy Protocol for IPv6" <draft-ietf-vrrp-ipv6-spec-04.txt>. If technology in this document is included in a standard adopted by IETF and any claims of this or any other Cisco patent are necessary for practicing the standard, any party will be able to obtain a license from Cisco to use any such patent claims under reasonable, non-discriminatory terms to implement and fully comply with the standard.
First, you need to contact Cisco to obtain a license, but the terms are unknown. "Non-discriminatory" is vague and could be an issue for any free software implementation. I know we cannot make a general case from one example, but I'm still trying to find a RAND license that is clear and without ambiguity. When you are around the table at a standards body, please go for a real Royalty Free licensing model. That would ease adoption of the standard (by permitting free and non-free use of the standard) without the administrative burden required by RAND licensing.
Today was a bad day for me, but it has been slightly improved by the excellent announcement from the USENIX organization that it is opening up its conference proceedings to everyone.
This is excellent news. Of course, it covers only a subset of the USENIX publications and does not include other publications like ";login:", but this is already a good step towards a real open access approach. I hope it will trigger the other big players in the scientific publication area like ACM or IEEE.
I'm (again) dreaming of reading publications without paying a fee and without limitation.
Tags: usenix openarchive copyright freeinformation publication
photo by Carlos Johnson CC licensed.
Protecting biodiversity is illegal, at least in France, following the latest court decision against a small non-governmental association called Kokopelli. Kokopelli is a small association selling seeds to gardeners like us; we use their seeds because they sell old varieties of plants/vegetables that are difficult to find elsewhere (e.g. a climbing variety of tomato). All the seeds they sell are also non-hybrid, which means you are free to make your own seeds from their seeds (the basic idea behind the preservation and conservation of biodiversity). Of course, large seed sellers prefer to sell F1 hybrids to keep the gardener dependent.
In that context, Baumaux (a large seed seller) attacked Kokopelli for unfair competition and, in the end (as the court case went through multiple rounds), the large seller won. They won due to the stupid regulation that forces sellers to offer only seeds listed in an "official" directory.
It's bad news for the preservation of biodiversity… What can we do? Share and preserve your seeds, and don't buy seeds that you cannot duplicate for free.
Tags: biodiversity gardening kokopelli seeds
photo made by Stefan Jansson and CC licensed.
Our world is ruled by metrics (not only in the patent system), and of course mainly in the financial world. When turning on the radio, the first sentence in the morning news is often:
"...a recession is possible as the index of [replace it with your favourite financial index] is going down of [replace with a float or an integer] percent..."
A simple lookup of "recession" and "index" in Google News also gives "some" results. Every day, we are in a continuous flow of data (please note that I'm not using the term "information" in this case) where percentages, index values and numbers are the keywords. Are those data useful, or do they give any insightful information? Maybe, but that's not my point. My point is about the negative effect of this flow of information every morning… Is it motivating us to do better work? To be creative at work? Not really. Often those numbers are detached from reality because they just depend on the perception held by the people producing them. Those numbers are often just influenced by the volume of buyers and sellers of a stock. We don't really have much influence on those numbers (except when you have a large volume of stock to sell or buy, but that's not really common).
But, wait a minute, why not create other indexes where people (you and me) have more influence, to make them tangible? Indexes are just made by convention and used by convention. Working on a simple rsscount in the RssAny project, to make a creativity index from anything that generates an RSS feed, is still on my to-do list. But that could be a starting point for more human indexes and metrics…
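The rsscount idea is still on the to-do list, but the kind of "creativity index" I have in mind can be sketched in a few lines of Python. This is purely illustrative: the function name, the feed names and the normalisation (items per rolling period) are my own assumptions, not an existing RssAny API.

```python
from collections import Counter
from datetime import date

def creativity_index(entries, days=7):
    """Naive 'creativity index': number of items published per feed,
    normalised over rolling periods of `days` days.
    `entries` is a list of (feed_name, publication_date) pairs."""
    if not entries:
        return {}
    counts = Counter(feed for feed, _ in entries)
    span = (max(d for _, d in entries) - min(d for _, d in entries)).days or 1
    periods = max(span / days, 1)  # at least one period
    return {feed: round(n / periods, 2) for feed, n in counts.items()}

# Hypothetical activity pulled out of two RSS feeds:
entries = [
    ("blog", date(2008, 1, 1)),
    ("blog", date(2008, 1, 5)),
    ("bookmarks", date(2008, 1, 2)),
    ("bookmarks", date(2008, 1, 3)),
    ("bookmarks", date(2008, 1, 6)),
    ("bookmarks", date(2008, 1, 8)),
]
print(creativity_index(entries))  # {'blog': 2.0, 'bookmarks': 4.0}
```

Anything that produces an RSS feed (a blog, a bookmark stream, a commit log) could feed such an index, which is exactly the point: an index we actually influence.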
Is it time to free up some Web 2.0 platforms? If Yahoo! is really acquired by MSFT, we really need a good free platform replacing del.icio.us and flickr. I don't like to complain in my diary, but maybe this bloody potential acquisition could shake up the social web to be more free and open? A free alternative is always good, but at the current stage, large-scale social web platforms (read: with a large user base) invest a lot in their hosting infrastructure. Is that sustainable for a free social platform? Where could they get the money to run their platform without turning the system proprietary? That's still an open question. Ten years ago we had the same question for free software, and we found solutions regarding investment in free software. Maybe it's a new challenge for the free software/free information community: finding new ways to invest in free social platforms.
Update 10 Feb 2008: Yahoo Board to Reject Microsoft bid. If this is confirmed, that's already good news. On the other hand, the issue of a free information community still remains: it doesn't exist yet. I just hope more free software around social networks, including free infrastructure, will pop up in the future.
Tags: innovation freedom del.icio.us freesoftware yahoo microsoft
We are living in a crazy world; at least I have one proof, collected from the semantic-web mailing list. Someone is auctioning some patents he filed around 1997 about some concepts of the semantic web. I don't want to dig into those patents and the potential prior art. I was just surprised that the business of patent trolling is going one step further by proposing an auction platform to sell "intellectual capital" (as stated on the Ocean Tomo website) and by creating fear about a potential bidder having bad intentions. But if you want to join the auction, you have to pay a "small" fee to be a bidder. Maybe everything is just a bad joke (yes, the gala dinner will be on the 1st of April ;-) but this looks so real…
Tags: innovation patent patenttroll semweb
Surprised by the recent acquisition of FAST by Microsoft, I'm wondering where the famous pan-European project called Quaero stands. After the initial project setup by France, Germany left and created its own search engine project called Theseus. I agree with the comment from Marc Andreessen that this "investing" is more like burning money in the existing large companies taking the lead in the project. Progress in search engines won't come from investing in existing large company structures… but from small structures that are not really able to participate in large EU-funded projects and can only grab a small part of the investment.
Where is the solution to boost search engines in Europe? Instead of giving money to large groups, the EU could make a public call to invest the 100 million euros in 100 start-ups in Europe working on information retrieval, search and information classification. The public call should be "paper free" (one electronic proposal submission) with one simple evaluation (to avoid the burden of project management): a product released in the first two years. That would give more potential "innovation" by distributing the risks and increasing investment in small structures more likely to create something new in the search engine area. Hey EC, isn't it time to take risks?
Tags : innovation startup work searchengine start-up search google quaero theseus europe FP6
RDF provides a method to make a specific statement about a web resource. To take a very simple "triple" example out of my foaf file:
<http://www.foo.be/foaf.rdf#me> <http://xmlns.com/foaf/0.1/nick> "adulau"
Meaning roughly :
<http://www.foo.be/foaf.rdf#me> has a foaf nickname with a value "adulau"
Here, the subject is "http://www.foo.be/foaf.rdf#me", the property (in RDF terminology, the predicate) is "foaf nickname" and the value (in RDF terminology, the object) is "adulau". Don't ask me why each standard often uses a different term for naming similar things… but that's today's topic. In free tagging, that's often the issue, as people use different ways to tag something similar. If we take the previous example with a free tagging approach (as used in a social bookmarking system like del.icio.us), we could have the following:
http://www.foo.be/foaf.rdf#me adulau
http://www.foo.be/foaf.rdf#me alex
http://www.foo.be/foaf.rdf#me udalau
http://www.foo.be/foaf.rdf#me nickname:adulau
http://www.foo.be/foaf.rdf#me alexdulaunoy
http://www.foo.be/foaf.rdf#me foaf:nickname=adulau
First of all, I make the small assumption that everyone tagged the same subject/URI, but that's not always the case (just imagine a URI with the domain name only, or without the anchor). We can see that every user has his own way to classify the URI. Some just use the nickname as a tag, some use another nickname, some have misspelled it, and some use a machine tag (sometimes called the poor man's RDF).
At first glance, RDF looks cleaner, so why is everyone using tagging and not directly RDF? I think it's because free tagging keeps users free to choose their own classification and how they perceive the world around them. I know I could be stoned for saying that, as RDF can be used with any kind of namespace, but you must define it before using it… That's why free tagging is simple to use (you don't have to look at a convention before using it) and simple to implement (the parsing of tags is minimal compared to a well-formed XML document).
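How minimal that parsing is can be shown with a tiny sketch that maps a "poor man's RDF" machine tag back to a rough (subject, predicate, object) triple. The function and its fallback behaviour are my own illustration, not the parser of any existing bookmarking service:

```python
def parse_machine_tag(uri, tag):
    """Parse a machine tag of the form namespace:predicate=value into a
    rough (subject, predicate, object) triple; plain free-form tags fall
    back to a generic 'tag' predicate."""
    if ":" in tag and "=" in tag:
        ns_pred, value = tag.split("=", 1)
        namespace, predicate = ns_pred.split(":", 1)
        return (uri, f"{namespace}:{predicate}", value)
    return (uri, "tag", tag)

uri = "http://www.foo.be/foaf.rdf#me"
print(parse_machine_tag(uri, "foaf:nickname=adulau"))
# ('http://www.foo.be/foaf.rdf#me', 'foaf:nickname', 'adulau')
print(parse_machine_tag(uri, "adulau"))
# ('http://www.foo.be/foaf.rdf#me', 'tag', 'adulau')
```

A handful of lines versus a full RDF/XML toolchain: that asymmetry is exactly why free tagging won the simplicity argument, even if the resulting triples are much sloppier.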
My view of the RDF world and the free tagging world is the following: those two worlds must live together and try to benefit from each other. I really think that RDF has an important role in exchanging descriptions of resources between machines (as long as the service providers provide open interfaces between their services). But free tagging helps to ease the interface between humans and machines. Another advantage of keeping users free to use their own classification is that we could discover more about us (humans) with a free classification scheme than with a predefined, limited scheme. It just makes the system that analyzes the information a little bit more complex, while keeping the interface very simple. That's just my Sunday point of view… and now feel free to stone me ;-)
Tags: tagging rdf semweb semanticweb tag machinetag
Following my past blog entry Google Books Killing Public Domain, made in late 2006, I found an interesting publication by Luc Vincent of Google, presented at ICDAR 2007, called Google Book Search: Document Understanding on a Massive Scale.
The document covers all the challenges encountered when doing OCR and how to analyse and understand the results of the scanned documents. That's a very difficult topic, including details like page ordering or chapter detection. The publication also introduces the ongoing work on the OCR engine released as free software, called Tesseract OCR, and the OCRopus framework, also available as free software. It's still very beta software, but it's nice to see Google releasing some parts of their software.
Besides all the positives, there is one small negative point:
We believe we can help by making some large chunks of our (out of copyright) data available to the Document Analysis research community.
This part reminds me of my old blog entry about the public domain books scanned by Google becoming proprietary work again… Why don't they release all the public domain datasets, making them available to everyone without the current restrictive license? That would be easier and could provide more interesting (scientific or not) results, just like the datasets available from Wikipedia.
Tags: google publicdomain archiving copyright
If you signed any OpenPGP public keys late last night or early this morning… it's maybe time to revoke the signatures. A small reminder (if you are a user of GnuPG) on how to revoke a signature. You cannot remove a signature you made, especially when the signed public key has already been uploaded to a public key server. But you can revoke a signature by using the --edit-key option in GnuPG with the command revsig. GnuPG will prompt you for each signature generated by the private key(s) found in your local keyring. So if you were drunk during the last key signing party, you still have some options.
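The session looks roughly like this (the key ID and keyserver are placeholders, and GnuPG will ask a few interactive questions along the way):

```
$ gpg --edit-key 0xDEADBEEF      # 0xDEADBEEF is a hypothetical key ID
gpg> revsig                       # walks through your signatures, asks which to revoke
gpg> save                         # writes the revocation into your local keyring
$ gpg --send-key 0xDEADBEEF       # push the revocation to the keyserver too
```

The last step matters: as long as the revocation only sits in your local keyring, the public keyservers still show your drunken signature as valid.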
By the way, Happy New Year.
It's quite common to see lists of favorites at the end of the year. Everyone has favorites… so I'll make a list of my favorite RFCs. This is not really a favorites list, as RFCs are often boring to read (and to really understand/interpret… the most difficult part), but you are obliged to if you want to implement or review software that should follow them. Here is a quick list of the RFCs that I read the most over the past two years (this does not always reflect the quality of the RFCs, but rather their usefulness to my past work):
I have some more, but I won't add them to the list because I already had a bunch of nightmares just trying to figure out the difference between the specification and its implementation.
On the fun side (you know, the 1st of April RFCs), my favorite is RFC 2795 (The Infinite Monkey Protocol Suite (IMPS)) and especially the PAN (Protocol for Assessment of Novelty) section, with a nice (and sometimes useful) table of CRITIC reject codes:
8.3. Table of CRITIC Reject Codes

   CODE   DESCRIPTION
   -------------------------------------------------------------------
   | 0 | <Encrypted response following; see below>
   -------------------------------------------------------------------
   | 1 | "You're reinventing the wheel."
   -------------------------------------------------------------------
   | 2 | "This will never, ever sell."
   -------------------------------------------------------------------
   | 3 | "Huh? I don't understand this at all."
   -------------------------------------------------------------------
   | 4 | "You forgot one little obscure reference from twenty years
   |   | ago that renders your whole idea null and void."
   -------------------------------------------------------------------
   | 5 | "Due to the number of submissions, we could not accept every
   |   | transcript."
   -------------------------------------------------------------------
   | 6 | "There aren't enough charts and graphs. Where is the color?"
   -------------------------------------------------------------------
   | 7 | "I'm cranky and decided to take it out on you."
   -------------------------------------------------------------------
   | 8 | "This is not within the scope of what we are looking for."
   -------------------------------------------------------------------
   | 9 | "This is too derivative."
   -------------------------------------------------------------------
   |10 | "Your submission was received after the deadline. Try again
   |   | next year."
   -------------------------------------------------------------------
If you are familiar with the WGs at IETF, or with any technical meeting, it's quite common to see meeting interactions using a variety of CRITIC reject codes. The most innovative people often use a variety of them, or sometimes create new ones. I'm just wondering where the IANA considerations for this table are ;-) just in case we need to update it…
After the past RSS Everything blog entry made in February, about RSS and the catrss from Jean-Etienne Poirrier, I come today with two new experiments for my own needs (I still hope one day to generalize the scripts to make them more UNIX-like filtering friendly).
I wanted to merge my multiple activities (often represented as RSS) into one representation, to give an overview accessible on my personal home page. I made a simple script, rssmerge.py, to do the job. A sample output result is available.
python2.5 rssmerge.py --maxitem 200 --output phtml "http://www.foo.be/cgi-bin/wiki.pl?action=journal&tile=AdulauMessyDesk" "http://api.flickr.com/services/feeds/photos_public.gne?id=31797858@N00&lang=en-us&format=atom" "http://a.6f2.net/cgi-bin/gitweb.cgi?p=adulau/.git;a=rss" "http://www.librarything.com/rss/reviews/adulau"
The other script (rsscluster.py) is also a very early experiment to cluster, by time, multiple items from an RSS feed into another RSS feed. It's quite common to have an RSS feed containing a lot of items for small events (like bookmarks), and you may want to cluster them into one item covering a two-day period.
python2.5 rsscluster.py --interval 2 --maxitem 20 "http://del.icio.us/rss/adulau">adulau-2days.xml
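The time-clustering idea behind that command can be sketched in plain Python. This is my assumed reading of what rsscluster.py does (group items into windows opened by the first item of each cluster); the real script surely differs in details:

```python
from datetime import datetime, timedelta

def cluster_by_interval(items, days=2):
    """Group (timestamp, title) items into clusters: a cluster collects
    every item within `days` days of the cluster's first item."""
    if not items:
        return []
    items = sorted(items)
    clusters, current, start = [], [items[0]], items[0][0]
    for ts, title in items[1:]:
        if ts - start < timedelta(days=days):
            current.append((ts, title))
        else:
            clusters.append(current)
            current, start = [(ts, title)], ts
    clusters.append(current)
    return clusters

# Three hypothetical bookmark items:
items = [
    (datetime(2008, 3, 1, 10), "bookmark a"),
    (datetime(2008, 3, 1, 18), "bookmark b"),
    (datetime(2008, 3, 4, 9), "bookmark c"),
]
print([len(c) for c in cluster_by_interval(items)])  # [2, 1]
```

Each resulting cluster would then become a single item in the output feed, with the member titles concatenated into its description.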
The two scripts are accessible in my messy git repo. No major innovation, but still a small step towards better (or more?) use of RSS (at least for me). I also hope this will trigger more discussions or other ideas around RSS (or Atom).
At home, we have a small guest wired/wireless network for guests addicted (nearly everyone is addicted, including myself) to plugging their laptop into the global Internet. Willing to validate the reality of IPv6 with Free Software, I moved that network to an IPv6-only network. I took some notes about the installation and the various tests. Of course, the network is IPv6 only, but we didn't want to put our guests on an island without access to the majority of services available in IPv4 only.
First of all, you need good connectivity to the IPv6 Internet. Bad luck in Belgium: no providers natively support IPv6 until now. So we used the SixXS IPv6 tunnel broker service, and I used a part of the /48 subnet allocated to me by SixXS. I split the subnets and used a simple /58 (still big enough ;-) subnet for the guest network. I have a gateway machine running a standard Ubuntu 7.10 and running the SixXS tunnel client (until Belgacom Skynet provides IPv6 to their customers). The SixXS tunnel client works great behind a NAT of the IPv4 traffic. An Ethernet interface is allocated for that guest net and routes to the IPv6 tunnel interface. With that setup, my guests can access the whole IPv6 Internet and everyone can reach them (real public IP addresses for the clients). I have also set up on the gateway machine an ISC BIND 9 nameserver answering queries over IPv4 or IPv6 (that's the standard nameserver in Ubuntu, without custom configuration). Great… but in such a scenario, they only have access to services available over IPv6.
So we are going back to the initial chicken-and-egg problem of the IPv6-to-IPv4 transition… I didn't want to have a dual-stack guest network; I really wanted to provide full-blown IPv6-only connectivity. So the compromise is to provide an HTTP proxy supporting IPv6 seamlessly. My first thought was to go with Squid, but they only introduced IPv6 in their HEAD branch on the 16th of December 2007. I compiled it (--enable-ipv6) and it works, but I had some issues with the behavior of the "tcp_outgoing_address" feature when reaching IPv6 hosts without using the IPv4 connectivity. Then I discovered an alternative proxy, written by Juliusz Chroboczek and called Polipo (also available in any recent GNU/Linux distribution), with good and coherent IPv6/IPv4 support. With that, my IPv6 guests are now able to talk natively to the IPv6 Internet and use the proxy to reach the IPv4 Internet (mainly HTTP, FTP or TLS/SSL).
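For the curious, the Polipo side of such a setup only needs a few lines of configuration. The values below are illustrative (the guest subnet uses the IPv6 documentation prefix, not my real allocation), but the option names are standard Polipo ones:

```
# /etc/polipo/config — illustrative values for an IPv6-only guest subnet
proxyAddress = "::"               # listen on IPv6 (and IPv4-mapped) addresses
proxyPort = 8123                  # Polipo's default port
allowedClients = 2001:db8:1::/64  # the guest subnet (documentation prefix here)
```

The guests then simply point their browser's HTTP proxy at the gateway's IPv6 address on port 8123, and Polipo does the IPv4 leg on their behalf.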
Although IPv6 development is quite old, the real roll-out of IPv6 in common (free and non-free) operating systems is now a reality. That offers the possibility to put IPv6 connectivity in place quite quickly without changing the underlying operating system. There are still some glitches in some top applications that manage network connectivity without knowing of the existence of the IPv6 connectivity, but it works. The IPv4 Internet can easily be reached using a proxy. The main advantage of having native IPv6 connectivity is to have real routable addressing and to start providing services to the IPv6 Internet (e.g. just imagine distributed network sensors).
After this small success with the guest network, why not provide the IPv6 service to the whole village? I just need to extend the reach of my wireless network (not impossible, looking at the size of the village), dig a little bit into an allocation plan using DHCPv6 (better than simple "autoconfiguration", which lacks network service information) and do some promotion…
Tags: ipv6 networking freesoftware village ipv4
Reading the latest viewpoint of David Lorge Parnas in the Communications of the ACM (November 2007/Vol. 50, No. 11): he is annoyed by the increasing number of publications in computer science with less scientific value, as the measurement of research is often based mainly on the number of papers published instead of the quality and real contribution of the publications. As an example, PhD students often prefer to publish recurring papers on the same topic rather than a single high-quality paper. This is mainly due to an evaluation done by only counting the number of papers rather than really digging into each paper made by the student. This is an old issue in scientific publication, and in any single metric to measure research, productivity or innovation (as I already discussed in Innovation Metric, about using a single metric like the patent system for measuring innovation).
I tend to agree with Mr. Parnas that counting papers just slows the rate of scientific progress. But the source of the issue is not only "the Numbers Game"; it's the overall (closed) peer-reviewing process. As the reviewing is done in "island mode", neither the papers nor their reviews are shared. An open archive process permits "pre-publishing" in order to peer review publications in advance. I really like the idea of having a kind of continuous review of a publication. That could open the doors to more exchange between people in the computer science area. For example, the arXiv.org open archive project already provides a nice interface and permits tracing the submission history. That's maybe the beginning of something new. It could also improve the current situation at conferences, where people come to make a presentation only… and that's it, without any exchange or discussion between the participants. I'm not negative, just trying to improve the current situation a little bit.
A lot of name resolvers have a kind of suffix list (or search list) to look up when trying to resolve a non-FQDN hostname. This use is quite common in internal networks (e.g. in large companies) to ease typing for people. That way people can type intranet in their favourite browser instead of typing the FQDN, like intranet.mycompany.internal. In theory, this looks nice and lazy users are quite happy. In practice, this is a nightmare… As a common example, a company has a global suffix list configured on all internal desktop computers like:
.dyn.mycompany.internal .mycompany.internal
Just imagine a simple misconfigured dynamic name client named "intranet". In such an order, intranet.dyn.mycompany.internal will be resolved before intranet.mycompany.internal. The easy solution would be to change the order of the search list to avoid the described scenario. Yes, this could solve part of the issue, as long as the user is not setting up his own suffix list. The suffix list can also be received dynamically if the DHCP server supports RFC 3397 as an extension (especially look at section 4, Security Considerations). That adds some complexity to the potential scenarios of name resolution, and that's not good from a security perspective. Just have a look at the flowchart in the name resolution documentation from Microsoft. You have a variety of cases, as long as the name resolution software is behaving as expected. The situation is somewhat the same with search lists in the Unix-like world. Do we still need suffix search lists for name resolution? Do they help, or do they add too many potential issues (from security to simple network debugging)? If someone asks me about it: just remove all search lists (static or dynamic) and inform users to always use FQDNs.
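On the Unix side, the shadowing scenario above comes straight from the resolv.conf search directive. A minimal illustration (addresses and domains are the example ones from the text, the nameserver uses the documentation range):

```
# /etc/resolv.conf — illustrative values only
nameserver 192.0.2.53
search dyn.mycompany.internal mycompany.internal
# A lookup of the bare name "intranet" tries
# intranet.dyn.mycompany.internal first; a rogue dynamic client
# registered under that name shadows the real intranet host.
```

Swapping the two domains in the search line changes which hit wins, which is exactly why the ordering (and any user or DHCP override of it) is a security-relevant detail rather than a convenience knob.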
Tags : name_resolution dns security fqdn system_administration
Via Scott Berkun, I discovered the paper by Allan L. Scherr about Managing for Breakthroughs in Productivity (PDF). I'm always very sceptical when it's about "managing innovation", as I tend to consider it very difficult to control something that is often unpredictable. Allan L. Scherr, in his paper, rejects that idea of the "difficulty of controlling innovation" (first described in Breakthroughs!, written by John M. Ketteringham and P. Ranganath Nayak) and explains in 20 pages how to manage productivity (and innovation?). The paper is really well written and describes the concept concisely. I really loved this part of the conclusion:
The culture of breakthrough projects can be spread and productivity improvements have been seen in adjacent business-as-usual groups. The key to spreading this culture is upper management support for taking the risks that are inherent in such endeavors. If management cannot tolerate risk and the occasional failures that occur, it does not take long for the culture to return to conventional, business-as-usual ways.
When talking about innovation in companies, this is a critical part: the ability to take risks inside the company. In my eyes, this is valid for both approaches: managed and unmanaged innovation. If your boss (or you) is able to take risks, that's maybe the beginning of some innovation…
Tags : innovation startup work productivity
During the European Movie Festival of Virton, we saw various good films, but I was really impressed by the film La Naissance Des Pieuvres, made by Céline Sciamma. I chose the film based only on its title, and that was a clever choice. Often people go to the cinema (or the movie theater in the US) expecting action and impressive visual effects, without taking a breath between each action scene. La Naissance Des Pieuvres is completely different, and that's wonderful. The film talks about the entrance into the "adult" world of three teenagers. It takes place around a swimming pool and a synchronized swimming club. Nothing more… but that's the great part: with nearly nothing, Céline Sciamma (and her actors) expressed a lot. I was really touched by the film, the actors, the situation and the music. A good example of what I expect from a film: making us think about ourselves. The film (and its action) was still in my mind days later. That's usually a very good sign for a film, at least in my eyes. I also discovered that the electronic music was made by Para One, aka Jean-Baptiste de Laubier, and the music is also a strong point of La Naissance Des Pieuvres. I purchased the original soundtrack and discovered the musical flow created for the film. Very interesting: the overall musical theme repeats until you reach the track named 'Finale'. A great moment…
Tags : film movie electronic_music electronicmusic paraone celinesciamma life electro
Vincent and I made a past experiment with the purchase of some electronic music albums. But now we have found a name for this experiment: the Télépopmusik Effect. The effect is the following: you hear on the radio or in a club a nice electro song from a new band. You see various nice reviews of the band, the leading song and their album. But very often, the reviews are made by a "journalist" who just received the leading song (a single) from the editors. The journalist will then write a great review of the song and mix the leading-song review with the new and upcoming album from this band. We first encountered this effect with Télépopmusik: one great song, the rest of the album good for background music, nothing more. We named the effect as I just faced it again with the latest album from Justice. Two good tracks, but the rest… nothing incredible. Except various positive reviews from "journalists". The experiment will continue, to see whether this applies only to French electro bands…
Tags: music electro electronic_music
When meeting people from outside Belgium, they always ask what I think about the current political situation in Belgium. That's a damn good question… I was not feeling good about it because I really don't know what to make of today's situation. I have always known Belgium with such a political status; since my birth, I have already lived more than one cumulative year without a government. So it's not a big deal… Looking more deeply at the situation, I'm not feeling very well. I don't really have an issue with the current status, but I have more of an issue with the fact of raising the flags of a country or a region. For me, there is no real difference between raising a flag for a country or for a region. That's a kind of nationalism, and I don't feel comfortable with it. How to solve the current situation? I think that understanding and communication are the golden keywords for "our" political representatives to solve the issue. They must also avoid the attraction of the mass media…
I'll stop here and keep in my mind this quote from Banksy : "people who enjoy waving flags don't deserve to have one"
Tags : belgium freedom nationalism
In these times when we are between autumn and winter, between an interim government and a potential one, between life and death… it's time to enjoy art. We are currently enjoying the 27th European Movie Festival in Virton. I really loved Hallam Foe, a film full of life and optimism… a great moment.
Do we really need a government in Belgium? No, we just need Art and Freedom.
Discussing the ability to have an off-line Mediawiki, I was wondering why there is no Mediawiki relying on git. Mediawiki is a de facto standard for wiki users; every company has at least one Mediawiki for one or more projects. Mediawiki relies strongly on the LAMP concept, with a special emphasis on MySQL and the Structured Query Language (SQL) for the storage of the wiki content. At first glance, it looks very difficult to move away from such a centralized model to a decentralized model like git. The idea is not new and there are already some attempts:
The main advantage of using a decentralized model for the storage in Mediawiki is that it could help the off-line use of Mediawiki. Git makes branching easy, without the hassle of CVS or Subversion. The techniques are there and freely available, but the challenge is to provide a mix of Mediawiki and git in a usable interface for wiki users. Maybe someone is already working on a similar thing…
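The storage side of the idea is almost trivial; this shell sketch (not how any of the projects above actually work, just the bare concept) stores one file per page and one commit per edit, with an off-line edit done on a branch and merged back later:

```shell
# Minimal sketch: git as a wiki page store (one file per page,
# one commit per edit). Paths and names are hypothetical.
set -e
repo=$(mktemp -d)
cd "$repo"
git init -q .
git config user.email wiki@example.org
git config user.name wiki

echo "== Welcome ==" > Main_Page.wiki
git add Main_Page.wiki
git commit -q -m "create Main_Page"

# An off-line edit happens on its own branch…
git checkout -q -b offline
echo "Edited while off-line." >> Main_Page.wiki
git commit -q -am "offline edit of Main_Page"

# …and is merged back once connectivity returns.
git checkout -q -
git merge -q offline
git log --oneline   # two commits: the creation and the off-line edit
```

The hard part, as noted above, is not this plumbing but wiring it behind Mediawiki's PHP/SQL storage layer with sane conflict handling for concurrent page edits.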
Tags : wiki mediawiki scm offline git decentralized wikipedia
Reading the latest paper from Daniel J. Bernstein, named "Some thoughts on security after ten years of qmail 1.0" [archive info], I was impressed by the overall tone of his paper. Often in scientific papers, we don't see the full path from the errors made by the author(s) to the solution that could help the reader avoid the same pitfalls. I really appreciated the following part: In retrospect, it was stupid of me to spend code (not just this file parsing code, but also code to distribute message files across directories) dealing with a purely hypothetical performance problem that I had not measured as a bottleneck. Furthermore, to the extent that measurements indicated a bottleneck (as they eventually did for the message files on busy sites), I should have addressed that problem at its source, fixing the filesystem rather than complicating every program that uses the filesystem.
That's a great lesson in humility for all of us programmers: moving the issue by creating complexity somewhere else instead of fixing the source of the problem. I have done that too, for various reasons, but we should try harder to avoid such cases. That's very difficult for me (and, I'm pretty sure, for you too…).
When you are more and more involved in software security assessment, you become more and more convinced that simplicity and small code are good helpers for producing more secure software. The paper of Daniel J. Bernstein reinforces the point with his historical perspective on his own software. Again Edsger W. Dijkstra is cited, with a nice word of wisdom: "… idiot software managers measure 'programmer productivity' in terms of 'lines of code produced', whereas the notion of 'lines of code spent' is much more appropriate."
from the [archive transcription of EWD962-4]. I just hope that simplicity in software engineering will one day be a requirement when distributing software. But I'm just dreaming and really need to get up this morning.
Tags : security securecoding simplicity djb qmail cs software
When trying to get up, I was there : geo: Les Bulles, Chiny
Jun-ichiro “itojun” Itoh Hagino passed away on October 29, 2007 at the age of 37.
A great man who really helped the Internet community to understand the importance of interoperability, freedom and free access to technology.
It's very sad news for his family and relatives. I'll keep a very nice and happy remembrance of our past discussions.
tag: itojun Heroic Courage
Looking at the recent discussion around the patent issue between Sun and NetApp, I'm really wondering who is on the right side. Seeing the various reactions, it looks like child's play to me, where no one really knows who started it: especially if you read this letter from Sun with a previous offer to NetApp to buy a cross-license. There is at least something clear to me: neither is using patents for defensive reasons… but maybe I have another definition of a "defensive" patent portfolio than they have. Go back to work and stop this child's play.
Tags: patents patents_delirium patent sun netapp freesoftware
Reading one of the latest excellent posts from Paul Graham, I found this interesting part about the conservatism of large corporations when purchasing software:
There used to be a saying in the corporate world: "No one ever got fired for buying IBM." You no longer hear this about IBM specifically, but the idea is very much alive; there is a whole category of "enterprise" software companies that exist to take advantage of it. People buying technology for large organizations don't care if they pay a fortune for mediocre software. It's not their money. They just want to buy from a supplier who seems safe—a company with an established name, confident salesmen, impressive offices, and software that conforms to all the current fashions. Not necessarily a company that will deliver so much as one that, if they do let you down, will still seem to have been a prudent choice. So companies have evolved to fill that niche.
Reading between the lines: if you run a startup and you have excellent software that you want to sell to a large corporation, you'll need to do the following :
By doing so, you'll turn your excellent software into just the mediocre software chosen by large corporations (as you are no longer focusing on the software but just on its general packaging). A big dilemma…
Looking at the criticism of Open Access: "Critics of the various open access initiatives point out that there is little evidence that a significant amount of scientific literature is currently unavailable to those who would benefit from it." From Wikipedia/Open_access.
Looking for a specific article about metadata and archiving, I found one available via the restricted access of Springer, for an impressive price. One of the major arguments of publishers is to say that access to some publications is only useful to the small number of readers who have the ability to pay for the article themselves or through their institution. Sorry, but I would benefit from this article, yet it costs $32 for a single article; the only benefit is for the publisher. Some years ago, the publishers were claiming that electronic publication would lower prices compared to printing… The opposite happened: they limited access to a very small subset of potential readers and increased the cost per article. Why? Simply because global access lets the publishers reach the "rich" readers only (with standard printing, they were forced to reach a minimal number of readers to cover their cost of printing/publication). Such practices are an advantage neither for the author nor for the reader. An author without readers (or with a limited set) is not really useful, especially in the scientific world. I'm still wondering why publications about digital libraries are still published in that way and not using open access… Open access has the major advantage of giving access to a large set of potential readers, and thereby improving the interactivity between researchers/readers/authors.
Tags: reader publisher openaccess education innovation research
There is something I really don't like when I purchase a device… being limited by virtual boundaries restricting my potential use of that device. Something made by the vendor just for its sole profit and not for the benefit of its customers. Apple is going more and more in that direction regarding their audio player devices (Apple locks free software). Why are all those audio players targeted at one specific "e-music" platform with those bloody DRM locks causing nothing but trouble for legitimate users? In such a jungle, what is a good audio player? Something flexible enough to install Rockbox on, from a vendor that respects its customers and the free software community. There are some, but the hardware is often outdated or no longer supported. Except for one vendor: SanDisk gave hardware to the Rockbox project. The negative point is that they just gave hardware without documentation, so the Rockbox developers did some reverse engineering… This is not perfect but at least looks better than the behavior of the other manufacturers. I purchased the Sansa e280; I just hope SanDisk will work in the future to directly support the Rockbox firmware.
Today, I'm not feeling very well after reading the statement from Franco Frattini, the vice-president of the European Commission:
"Giving instructions on how to build a bomb has nothing to do with freedom of expression and the freedom to inform people, explained Mr Frattini. The right balance, in my opinion, is to give priority to the absolute rights, and first among them all, the right to life."
and especially this comment from the AFP article :
Franco Frattini, the European commissioner for justice and security, announced on Monday 10 September his intention to look into ways of limiting Internet searches for words deemed "dangerous".
Reading between the lines, the right to education, information and freedom of expression is less important than security and the "right to life". What the hell? Of course, you cannot be against the "right to life", but stopping access to information or education won't help. People really willing to hurt others don't need much education. It's often the lack of education or information that generates violence… and the solution proposed by Mr Frattini is to limit education. Curiosity is not a crime; it's the beginning of learning. How many chemistry vocations started with curiosity about explosives? A lot. Please stop hurting education… and try to improve Europe as a free society, not a limited one.
Reading the latest memo about yet another Yahoo! reorganization, I found it quite similar to memos seen at various other companies, and not always in the same field…
The notorious and shared common blocks are the following :
"create better alignment with the core business units"
"we are putting the right people in the right positions to focus on the right opportunities"
"This move will drive further organizational alignment around our key audience properties"
"developing holistic business strategies to delight and surprise these segments"
I saw a comment containing a quote from Charlton Ogburn, Jr.:
I was to learn later in life that, perhaps because we are so good at organising, we tend as a nation to meet any new situation by reorganising; and a wonderful method it can be for creating the illusion of progress while producing confusion, inefficiency and demoralization.
Yes, I know it's easy to take a quote. But I'm wondering why the wording of company reorganizations is always so similar, giving the reader the impression that there is nothing new under the sun. It looks like choosing the "reorganization" approach is somehow a statement that we haven't found anything else to solve the problem. Maybe a "reorganization" sometimes gives a boost to a company through the effect of moving employees or operations… but moving the structure around the employees just for the sake of moving the structure will surely create a lot of confusion and will probably increase inefficiency in the short and middle term. At least I have some empirical examples… I just think that companies should not focus too much on their internal operations unless there are real impacts for the customers.
Tags: startup reorganization innovation entrepreneurship company
When you live in a rural area, lots of people think there is nothing, or not much, social activity, but this is not really true, at least in our area in Gaume. Looking for proof? Friday night in the next village, Jamoigne, Joshua played a small live concert organized by a local youth club. Joshua played really well with nice energy (helped by a second singer called I.Q./IQ?) and a nice touch of electro. Good vibes… I look forward to purchasing their album.
A small note for Joshua (the band and their webmaster): please don't build your website only with the proprietary Flash "technology"; make it (plain XHTML/HTML) readable by humans and machines (like the Google Bot). It will be easier when we are looking for you… and your good music.
Sometimes I read the blog of Jonathan Schwartz, but I shouldn't…
JAVA is a technology whose value is near infinite to the internet...
Jonathan, are you sure? In that case, PHP, Python or Perl (and sometimes Ruby) must be infinitely infinite to the Internet.
I have a very bad habit when I'm at a second-hand market selling old books. Before looking deeply into the table of contents or the content, my eyes are always attracted by the date of publication. You never know: sometimes you may find books that have fallen, or will soon fall, into the public domain… a potential source for Wikipedia or any other project collecting works. If those works became accessible, they could be used or mixed with other works. In that scope, there is a nice summary table of copyright terms in the US (for Europe there are some differences, but it's already a good starting point). A table to keep in your pocket or your Moleskine when you are at a second-hand market…
The Free Software Foundation just released the Last Call Draft (2) of Version 3 of the GNU Affero General Public License. For those who don't know what the Affero license is: it's the GNU General Public License with an additional clause covering distribution over a network (e.g. web-based services or any network service). The purpose is to keep the software free even when distribution happens only via a remotely accessible service. The comment process is now open… I added a comment about a potential (or not?) loophole. The usefulness of such a free software license is increasing with the exponential growth of web services.
Tags: affero fsf gpl freedom freesoftware
There are numerous enemies of books, from fire to autodafé. Another enemy is water or humidity… if your books start to smell moldy, that's not a good sign. A little bit worried about that, I installed a small sensor in one of my bookshelves. The purpose is to monitor humidity and see whether the relative humidity approaches the famous 75% limit. I'm using a USB-based humidity and temperature sensor made by Raphaël Assénat. The software and the hardware design are free software/hardware, but you can purchase the assembled version from him (maybe a good way to help the initiative). You can see on today's graph that the humidity increased when it was very rainy outside and a window was open. Nothing critical for the books, though. I'm just wondering when Ikea will include a humidity sensor by default in each Billy bookshelf.
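The watch logic behind such a sensor is trivial to sketch. Here is a minimal, hypothetical example of the threshold check (the function names, the 5% warning margin and the way the reading is obtained are my assumptions; Raphaël Assénat's own tools expose the readings differently):

```python
# Minimal sketch of a humidity watchdog for a bookshelf sensor.
# Replace the hard-coded reading with whatever your sensor reports.

MOLD_LIMIT = 75.0   # relative humidity (%) above which mold becomes likely
MARGIN = 5.0        # start warning a little before the limit

def assess(relative_humidity):
    """Classify a relative-humidity reading for book preservation."""
    if relative_humidity >= MOLD_LIMIT:
        return "critical"
    if relative_humidity >= MOLD_LIMIT - MARGIN:
        return "warning"
    return "ok"

for reading in (50.0, 72.0, 80.0):
    print(reading, assess(reading))
```

A real deployment would poll the sensor periodically and log the readings, which is exactly what the graph mentioned above comes from.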
Tags: archiving humidity preservation books sensor
Why should you join the FSF? That's simple: the FSF is a consistent organization. Just take a look at this GNU's Bulletin published in 1987. They were already fighting against DRM (before it was given that name).
Just when science is making it possible to copy music perfectly, record companies are trying to make it impossible again, with government-enforced copy protection.
Looking into the past, the first GNU's Bulletin contains an interesting historical part:
Schools will be able to provide a much more educational environment by encouraging all students to study and improve the system code. Harvard's computer lab used to have the policy that no program could be installed on the system if its sources were not on public display, and upheld it by actually refusing to install certain programs. I was very much inspired by this.
I'm now wondering what the current policy is at the Harvard computer lab. It could be highly symbolic to go to today's Harvard computer lab and check whether they can show all the sources for the software installed on their systems. The FSF is still ahead, and it's still the right time to join them. We need freedom in today's world, and free software plays a pillar role as the shift to an information society becomes a reality.
Looking at the latest discussion about the report made by the Magic Quadrant company (Gartner, for those who are not forced to read their business reports), I discovered that the most important part is not really the report itself but directive 98/34/EC. The directive defines the "approved" standards bodies (and their respective publications around standardization) accepted for European policies. Directive 98/34/EC is not bad, but it does not really reflect the current process of "standardization". Under the current directive, organizations like ITU, CENELEC or ISO are accepted, but "informal" organizations like the IETF/IAB, the W3C or similar are not part of the directive (and thus not really accepted in the context of European policies). In reality, a lot of free standards clearly come from the IETF or the W3C. The process in such organizations is very simple compared to the traditional ones like ITU or ISO. The standards are also more accessible in the Internet community (like the W3C or the IETF) than in the "nationalized" standards bodies (just try to get ISO 9241 and distribute it afterwards).
I really think directive 98/34/EC should be updated to incorporate the following two points:
We are living in a kind of information society, and a large part of the current market explosion is due to free standards. Europe should not discard them if it wants to be part of the information society (and its major economic gains). It's time to propose an update of 98/34/EC.
Being caught by the police when driving too fast… is not something we like. In that scope, we (at quuxlabs) are working on a web service to gather and show ongoing police controls, called geopolis. For more information, check out the quuxlabs blog. Everything is still very alpha, but feel free to provide feedback; this is just the beginning.
Just a small note about a great art book, Wall and Piece, from the "anonymous" street artist Banksy. Instead of wasting money on crappy products, this art book is a really nice buy and clearly politically engaged. I liked the following tag next to a big flag: "people who enjoy waving flags don't deserve to have one". If you want to see more, just have a look at the banksy tag on flickr. A book to have on your art-book shelf.
There are criticisms about the way items are tagged in "Web 2.0" applications. Yes, it's true: free tagging is sometimes confusing and leads to issues in clearly identifying and tagging an object. There is sometimes confusion about the tagged object: do we tag the reference to an object (e.g. a LibraryThing link to a book) or the object itself (e.g. the book)? The criticisms can be justified, but we must not forget that we are coming from hierarchical, fixed classification. Free tagging works and opens the world of "classification" to anyone. It's easy to find content in social web services (e.g. flickr) using the tags given by people, without a predefined fixed classification. That's nice, and it works better than any imposed classification.
But sometimes in free tagging you want to attach extra information to a tag or give a tag a specific value. Machine tags are there to provide extra information about a tag and to better define the scope of the tagged object/reference. For a good introduction, there is a nice explanation of the machine tags implemented in flickr. In that scope, the current practices for tagging the license of an object/work/reference vary and introduce confusion (now I hear the criticisms of free tagging coming from the backstage ;-). So I'm trying to define a specific license namespace to clearly state the license of a tagged object. The idea is to use a well-defined predicate in the license namespace to avoid license confusion.
license:gpl-3
where the gpl-3 predicate clearly defines the following:
GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version (ref:http://www.gnu.org/licenses/gpl-3.0.html).
I invite you to comment or share ideas on the subject on my license namespace draft page or on the machinetags.org wiki. It's clearly open to discussion, and nothing is fixed yet.
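A machine tag of this shape splits mechanically into a namespace, a predicate and an optional value. A minimal sketch of such a parser follows; the helper name and the `=value` handling are my own illustration, not part of the draft namespace:

```python
def parse_machine_tag(tag):
    """Split a machine tag like 'license:gpl-3' or 'geo:lat=49.7'
    into (namespace, predicate, value); value is None when absent."""
    namespace, _, rest = tag.partition(":")
    predicate, _, value = rest.partition("=")
    return namespace, predicate, value or None

print(parse_machine_tag("license:gpl-3"))   # ('license', 'gpl-3', None)
print(parse_machine_tag("geo:lat=49.7"))    # ('geo', 'lat', '49.7')
```

The point of the well-defined predicate is exactly that this mechanical split is unambiguous: any tool can recover the license from the tag without guessing.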
Tags: classification folksonomy tagging machinetags social license legal
This week I was lost in a surrealist discussion with an American describing to me the usefulness of war. I was not comfortable with his view on the use of violence. While he was explaining his perspective on the world, my mind slipped away because of a large painting next to him. The painting was beautiful, coming from some ancient age when civilization was already violent. And suddenly I was wondering: what's left of an old civilization? Its art or its violence? Looking at the American talking about the usefulness of committing crimes, I felt sick, but deep inside I was pretty sure that art will take over. Violence is useless… The discussion came back to my mind when I saw the nice "Make Art Not War" stamp discovered on flickr. I just hope that flickr won't use violence to impose their current censorship… We really need to push art forward to avoid violence.
Tags: art violence non-violence censorship freedom
The last few days were busy, but I found the time to finish reading The Myths of Innovation, written by Scott Berkun. It's a great book about innovation and its long process. The book is very interesting, but I was positively surprised by his ranking method for the bibliography. Instead of using "order of appearance" for the references in his book, he used a ranking method: he adds one point to a reference each time he uses it. That way, the bibliography is ordered by relevance. A nice and clever idea. The funny part is his own previous book, listed but ranked with zero. Maybe it's time for a distributed ranking system for bibliographies? A web service where people can add one point each time they use a book or a paper as a reference. It's a small innovation, but I'm pretty sure it will be used more and more.
Update: Jean-Etienne gave me another nice mixed example (ordered and ranked) of a bibliography from the scientific community. As I was wondering what the most efficient way is, I made a small example from a small subset of a bibliography. Just click on the image to compare and see how the meaning of the bibliography can be affected by the simple act of ordering or ranking.
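Berkun's scheme amounts to counting references as you cite them and sorting the bibliography by that count. A minimal sketch of the idea (the reference titles here are invented for illustration):

```python
from collections import Counter

# Each time a reference is used in the text, record it.
citations = Counter()
for ref in ["Diffusion of Innovations", "The Mythical Man-Month",
            "Diffusion of Innovations", "Diffusion of Innovations",
            "The Mythical Man-Month", "How Buildings Learn"]:
    citations[ref] += 1

# Bibliography ordered by relevance: most-used reference first.
for title, uses in citations.most_common():
    print(f"[{uses}] {title}")
```

A never-cited entry would simply stay at rank zero, which is exactly what happened to Berkun's own previous book.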
Tags: social innovation bibliography ranking information_representation
Sometimes people ask me why I choose a specific web application for a service rather than another one available for free. I was unable to find a consistent answer to that. Looking more closely at the Web 2.0 services (you are free to drop the version number, as I think this applies to any web application) I frequently use gave me some possible tracks/ideas about what makes a good web service. I tried a lot of web services over the past years, but I only kept working with the following:
All the web services listed here have different uses, and they cover a large scope. But I chose them for some common reasons:
I don't know if it really helps when evaluating web services, but it's often a starting point. If a web service is seriously lacking in one of the mentioned points, I tend to discard it in the short term. Of course, this is only my limited perception of web services.
Tags: usability internet eula legal complexity policies flickr del.icio.us librarything hiveminder social innovation
I don't like to feed useless comparison discussions in computer science. But I found this one to be very funny; it's just an excerpt of the documentation of "the simple" rename function in Java and in Python.
The Java version :
renameTo(File dest): Renames the file denoted by this abstract pathname. Many aspects of the behavior of this method are inherently platform-dependent: the rename operation might not be able to move a file from one filesystem to another, it might not be atomic, and it might not succeed if a file with the destination abstract pathname already exists. The return value should always be checked to make sure that the rename operation was successful. Parameters: dest, the new abstract pathname for the named file. Returns: true if and only if the renaming succeeded; false otherwise. Throws SecurityException if a security manager exists and its checkWrite(java.lang.String) method denies write access to either the old or new pathnames; throws NullPointerException if parameter dest is null.
and the Python version :
rename(src, dst) Rename the file or directory src to dst. If dst is a directory, OSError will be raised. On Unix, if dst exists and is a file, it will be removed silently if the user has permission. The operation may fail on some Unix flavors if src and dst are on different filesystems. If successful, the renaming will be an atomic operation (this is a POSIX requirement). On Windows, if dst already exists, OSError will be raised even if it is a file; there may be no way to implement an atomic rename when dst names an existing file. Availability: Macintosh, Unix, Windows.
When you are writing programs, you expect clear documentation of the behavior of the functions you use. What do you think? Will you choose Java or Python?
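The Python caveats quoted above are easy to exercise in practice. A small sketch of a defensive rename within one directory (so the operation stays on a single filesystem and, on POSIX, is atomic); for cross-filesystem moves you would reach for `shutil.move` instead:

```python
import os
import tempfile

# Create a scratch file and rename it within the same directory.
workdir = tempfile.mkdtemp()
src = os.path.join(workdir, "draft.txt")
dst = os.path.join(workdir, "final.txt")

with open(src, "w") as f:
    f.write("hello")

try:
    os.rename(src, dst)      # may raise OSError, e.g. on Windows if dst exists
except OSError as err:
    print("rename failed:", err)

print(os.path.exists(dst))   # True: the file now lives under its new name
```

Note how the Python documentation told us everything this sketch relies on: which exception to catch, when the call is atomic, and where it differs per platform.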
I just finished reading Modulations, une histoire de la musique électronique (a translation of the English A History of Electronic Music: Throbbing Words on Sound). The book itself is interesting and shows the patchwork of electronic music and its foundations. It is written in a collaborative way, as each chapter comes from a different author. Thinking back on the still-young electronic movement, it's difficult to draw any conclusion, as we are still inside the dynamic and will continue to be. The book reminded me of the freedom in electronic music and its forward-looking approach. It was maybe my first contact with a real social network, where people share different musical approaches and different ways to listen to the music, to enjoy it, to mix it or to (re)create it. In the book, there is a nice quote from Bill Laswell; I only have the French version (I'm still looking for the English original), so here is my rough translation:
We are not going to discover a totally new sound, a perfectly unknown note, or anything of the kind. Discovery happens by combining elements; two elements put together make a third, and all these different elements contribute to the creation of something new. I think the only way to reach anything even slightly different is to start, right now, combining things with each other.
That's a clear explanation of the creation process, where you need the existing elements to build new and unknown ones. Unknown elements require part of the existing elements of our world. Innovation in electronic music is a matter of sharing, mixing and combining those known elements into something new. It's part of the creative process, and building new boundaries to prevent the combination of the existing is dangerous for creativity and innovation. I just remember those days when we were all together, sharing intense moments while simply listening to monotonous beats.
The federal election in Belgium will take place on Sunday 10 June. I was wondering what the political programs of the different parties are and what their vision of our future society is. I was a bit disappointed to see how broad and vague the political concepts in their programs are. Political parties don't take risks to improve our society; they just present a nice, global vision to catch the maximum number of people. They give the impression that nothing in our societies can really be improved…
Looking at the colorful advertisements of the political candidates in the street, I was wondering what we could improve in our societies (just in my eyes)… The idea is to share these ideas among Belgian citizens and maybe propose some of them to our political representatives.
The list is clearly not exhaustive, but if at least two propositions could be taken up by a political group, I would be very happy. I know I'm an idealist and, worse, I'm Belgian…
When you are doing something, you sometimes don't know that you are doing it… just like Monsieur Jourdain. We made GooDiff just for monitoring some policies of web service providers on the Internet. But then we read the recent comment from Alex Schroeder: "GooDiff helps navigate the byzantine labyrinth, but I'm still hoping for somebody to tear it down in the first place." He is right: monitoring the legal changes on service providers' web sites is just a small part of understanding and managing legal complexity. We must act to reduce the overall legal complexity of the policies published by service providers. Michael and I have the idea of extending the GooDiff scope a little to propose simplified and generalized legal policies.
The idea is not new: Creative Commons has been doing the same for the licensing of copyrighted works for some time. The main issue I have with Creative Commons is the drift from generalized licenses (some free and some non-free) to localized licenses. The idea of a generalized, worldwide-accepted license is better, as you don't have to focus on the national details of the law. The GNU General Public License is a success as a globally accepted free software license without descending into the gory details of national laws. We could start with a simple-to-read privacy policy with two or three alternatives for service providers. We should try to help citizens understand the legal framework a little better without the help of a lawyer. The major issue is to come up with a privacy policy valid for the vast majority of countries… but that's worth a try.
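The monitoring part that GooDiff automates is, conceptually, just periodic fetching and diffing of policy pages. A minimal sketch of the diff step using the standard library (the sample policy texts are invented for illustration; GooDiff's actual pipeline is more involved):

```python
import difflib

old_policy = ["We may share your data with partners.\n",
              "Historical data is kept for 30 days.\n"]
new_policy = ["We may share your data with partners.\n",
              "Historical data is kept for 90 days.\n"]

# Unified diff of two fetched versions of a policy page,
# surfacing exactly what a provider changed and when.
for line in difflib.unified_diff(old_policy, new_policy,
                                 fromfile="policy-old", tofile="policy-new"):
    print(line, end="")
```

Surfacing such deltas is the easy half; as the post argues, reducing the legal complexity of the policies themselves is the harder half.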
The WIPO just published the 2006 yearly review of the international patent system. Don't expect any new statements regarding patents; it's just a statistical report… but one of the interesting comments in the report is the following: Between 2002 and 2006, the workload of the International Bureau increased by 26.6% while the number of personnel processing international applications decreased by 11%.
With 376 employees (as stated in their report), the personnel of WIPO is in charge of "…processing, translating and publishing PCT international applications".
The International Bureau of the WIPO has different tasks to perform, as stated in the convention establishing the WIPO. Its function is described in the convention (Article 4, Functions), but it's very broad. My main question is whether the International Bureau of the WIPO reviews the patents it processes, translates and publishes at the international level. It looks like their work is limited to a simple administrative task.
In the general process of the patent system, it's still a single entity doing the reviewing of patents in Europe. The yearly review does not include the patent rejection rate, as that's not the role of WIPO. There are some statistics on the EPO website about opposed patents (by a third party when published?) and granted patents. But where are the numbers of granted versus non-granted patents? When the review takes place, are there rejections of patents? I must be missing a column somewhere.
Tags: patent wipo epo freesoftware copyright
I received my latest order from the excellent Alfa Matrix label. In the pack, there was Deliberately Fragile (a double CD including the remixes) from Technoir. Technoir, besides being the name of the bar in the Terminator movie, is the name of a German duo making a nice kind of dark (and sometimes pop) electronic music. The voice of Julia Beyer is really great, giving a nice, deep atmosphere to the majority of the tracks. The remixed versions add some complexity to some of the songs. A must-have if you like electronic music.
Another nice discovery is Checkpoint 303; the concept behind the band is really interesting. They take samples in the occupied territories (the Palestinian territories) and make electronic music out of them. The work is not only political: they really create new spaces by mixing the samples with atmospheric music. The songs are available under a restrictive Creative Commons license (yes, not the CC-SA license). But the music is interesting and accessible. Maybe a new way to introduce the issue of the occupied territories to secondary school students?
Tags: blog music ebm palestine electronicmusic technoir checkpoint303
In April 2003, Creative Commons announced a new project called Founders' Copyright: the idea is to offer authors a limited monopoly (14 years) on their work instead of 70 years after the author's death. The point is to free up works after their period of profitability for the author and the editor. From my perspective, it's a good idea and shows the author's commitment to the social contract between society and the author. Back at the origin of copyright/authors' rights, that was one of the purposes: striking the right balance between authors and civil society. Going back to the Creative Commons project in 2003, O'Reilly Media was planning to release a lot of out-of-print books:
O’Reilly, the first Founders’ Copyright adopter, will release 157 out-of-print volumes under a Creative Commons attribution license and 394 in-print titles under a Founders’ Copyright arrangement, pending author approval. The Creative Commons website will list the books in question and announce their availability as their Founders’ Copyright terms lapse.
But it looks very difficult: looking at the O'Reilly Open Book web site, we are far away from 157 books in early 2007. Some out-of-print books are also cleared on the Creative Commons website, meaning the author gave permission, but the book is still not available on the Open Book web site (e.g. Net Law: How Lawyers Use the Internet). Now I'm wondering where the difficulties are.
There are more difficulties than expected in placing a published or unpublished work in the public domain. What are the major issues? I would tend to say "asking the author(s)" and waiting for their official written answer. The rest is time-consuming but not impossible to achieve. If you have more information, feel free to contact me (by the way, I changed my email to the single character a followed by my domain name in Belgium).
Tags: oreilly creativecommons copyright editors book publicdomain archiving
Looking at today's GooDiff change set, there is a simple change for finance.google.com in their FAQ:
** How much historical data does Google Finance have? ** ... + Historical data and daily updates are provided by [ CSI ](http://www.csidata.com./) .
We had a discussion some months ago about where finance.google.com gets its financial information. Google is simply using CSI Data Inc. (the provider of all non-real-time trading information), like any other web-based finance service. When asking the question, we were just distracted by the interface and the representation/presentation of the information… but in the end it's just plain standard data. The source of information is important, but it is not really the differentiator among web-based providers: the differentiator is the representation of the information. Google has asked the SEC that the NYSE (and its subsidiary company managing the trading information) follow a free data policy; if Google succeeds in getting real-time data for the NYSE, this could be a great success, as real-time information is more valuable in the eyes of the user. The competition should clearly focus on the representation/presentation of the information, because if the free data policy is applied to financial information, the difference won't be the source but just how we see the information on the screen.
Tags: google goodiff trading finance information free_information nyse
geo: Les Bulles, Chiny in the sunny garden.
Sometimes it can be difficult to find good local food, but we are quite lucky. There is a nice local market every Friday in Ansart (not far from Les Bulles), with lots of nice products going directly from the producer to the consumer. Just to say that it is not impossible to eat tasty local food… In the photo, you can see some goat's milk from Flassigny and bread from Avioth.
I'm a big fan of full disclosure regarding security vulnerabilities discovered in software or hardware. The meaning of full disclosure often differs depending on whom you are talking to. Of course, responsible disclosure is often a good thing, giving the hardware/software vendor or author time to fix the problem before the vulnerability is published. The process of full disclosure should help build better software or, at least, reduce the risks associated with a published vulnerability. But the process only works if the two parties play fair: the discoverer (the one who found the vulnerability) and the author (the one who wrote the vulnerable software/hardware). Please keep in mind that in the software world, the discoverer of a vulnerability can become the one writing vulnerable software, so humility is a keyword in the process of full/responsible security disclosure. In such a case, the two parties should talk together and provide as much information as possible to solve the vulnerability. It would be nice if more security advisories included by default the process of solving the security issue too: not only the vulnerability itself, but the whole story of how the vulnerability was introduced, how it was (or could be) solved, and the scope of the resolution. I make this comment because that could be an interesting paper/presentation to submit to the hack.lu 2007 conference taking place in Luxembourg in October 2007. This post is a kind of advertisement for the current call for papers and call for posters. Disclaimer: I'm involved in the conference ;-)
Tags: security conference luxembourg security_conference disclosure
When I saw the GeoRSS standard integrating GML or Geo Simple, I was impressed by the simplicity of the concept. How does it work? You have a simple namespace for GML or Simple that you just need to add to your feed (Atom or RSS). That's it: afterwards you are ready to add a point, line, box or polygon for the location of an item or a channel. I made a quick patch and geo module for my Oddmuse installation. The nice part is that a lot of web services (like Google Maps) support RSS with geo information. That means you can browse my blog by location… just another way to represent and classify information. I'm pretty sure the use of GeoRSS will grow… and unpredicted services will pop up between the virtual and the physical world.
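In the Simple encoding this really is just one extra namespace and one extra element per item. A minimal sketch building such an RSS item with the Python standard library (the title and the coordinates are invented for illustration):

```python
import xml.etree.ElementTree as ET

GEORSS_NS = "http://www.georss.org/georss"
ET.register_namespace("georss", GEORSS_NS)

item = ET.Element("item")
ET.SubElement(item, "title").text = "Notes from the garden"
# GeoRSS Simple: a "lat lon" pair inside a georss:point element.
ET.SubElement(item, f"{{{GEORSS_NS}}}point").text = "49.70 5.34"

print(ET.tostring(item, encoding="unicode"))
```

Any GeoRSS-aware consumer (Google Maps among them) can then place the item on a map from that single element, which is what makes browsing a blog by location possible.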
Tags: blog geo oddmuse freesoftware georss
It's no secret (oops, sorry for the bad joke) that I don't like the principle behind non-disclosure agreements. The idea behind a non-disclosure agreement is the old approach of "secrecy" in our societies. Every day, we meet software/hardware companies trying to force people to sign non-disclosure agreements for some useful (and not always…) technical information (e.g. how to access a badly designed wireless chipset). Everyone knows that free software owes its existence in part to a non-disclosure agreement proposed to Richard Stallman by Xerox for a simple printer driver. I always had trouble explaining clearly the "secrecy" concept behind non-disclosure agreements, but today I found the following explanation from Guy Debord. The text below is from the commentary on his well-known book, Society of the Spectacle, and has nothing to do with non-disclosure agreements; he talks about the role of "secrecy" in our societies and, at the same time, clearly explains the modus operandi of a non-disclosure agreement:
... They (the scraps of information offered to these familiars of the lying tyranny) nevertheless please those who get access to them, for they feel superior to all those who know nothing. They are, moreover, only good for making domination better approved, and never for actually understanding it. ...
from page 85 of Commentaires sur La société du spectacle by Guy Debord
Tags: freedom copyright nda freesoftware secret
Again we lost one hour during the week-end; you know, the bloody summer time kills our sleeping time again. The "experts" tell us that it's good for energy conservation or some other unproven reason. The only thing I know is that my sleep is one hour shorter. Of course, you'll tell me that I just have to go to sleep one hour earlier to get the missing hour back. That's true, but that also means you remove one active hour. Of course, it's easier to complain about the summer time shift than the winter time shift. Sorry, today I'm complaining just because I slept one hour less… To continue with the criticism, "systems of practices using processes" are another ground where "experts" tell us what to do and how to do it. I found this nice quote on Coding Horror about those nice "processes":
Process is no substitute for thinking.
I forgot to mention : All events regarding "processes" are fictitious and not part of my work activities ;-)
Tags: programming process 6sigma complaining
The OLPC project is discussing the potential eBook readers to be used in their project. I recently saw that they imported into their GIT tree a minimalist eBook reader for reading books from the Gutenberg Project in HTML format. The software is composed of two parts: the client part (in Javascript) and the "server" part (two small Perl scripts). The software is quite young (imported two weeks ago) but looks very promising just because it's so simple… I'm always very surprised by the long process needed to reach simplicity in software.
If you want to play with and install the software:
git clone git://dev.laptop.org/ebook-browser-reader/ olpc
The software is still very alpha but it works. Don't forget to change the hardcoded book name in script.js. I'm waiting for the next updates of the software.
Tags: ebook olpc gutenberg ebook_reader
The Alfa Matrix label is a well-known Belgian music label, at least for EBM fans. They are currently facing censorship from various printing companies refusing to print the booklet of Renee Cooper-Komor. We see her eating some bloody meat… That's a crazy situation: we see blood every day in the news, but an artistic representation of blood is censored.
Tags: freedom censorship music ebm
In Belgium, we have Copiepresse, a Belgian association representing the editors, with a very personal perspective on the Internet and its operation. Copiepresse is complaining (with the bloody support of the Belgian legal framework) that an indexer is gathering pages from their press editors. Of course, an indexer is just a robot crawling the pages and following the robots file edited by the editor of the website. If you check the robots.txt on the website of a Copiepresse member, lesoir.be:
User-agent: *
Disallow:
Instead of starting a legal complaint, they should just ask their technical people to edit the robots.txt file to disallow the GoogleBot. That's simple, costs nothing… but then Copiepresse won't make any press release; it's less fancy and visible. By the way, there is a nice introduction about robots.txt for the ignorant editors; they are often the ones who are members of an "authors' rights" society. Sorry, I'm too sarcastic today…
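For the record, keeping Google's crawler out of the whole site takes exactly two lines in robots.txt:

```
User-agent: Googlebot
Disallow: /
```

Compare that with the cost of a lawsuit.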
Tags: archiving google copiepresse copyright
I went to FOSDEM 2007 this Saturday, a great free software event. I won't talk about the event itself but about the move I saw from FFII regarding patents. They started a new initiative called ethipat in order to promote the creation of a new ethical patent system. The discriminations exposed on the ethipat website are shared by all the opponents of software patents. I would like to sign their pledge, but there is something important that we should keep in mind. Why do we want to continue with a 'patent system'? Why not simply improve the use of an open publication scheme for the industry? Software is covered by copyright and authors' rights; why not rather exclude software from the patent system and promote the use of authors' rights as a perspective on innovation and its metric? The main advantage of copyright is its very low cost and its automatic assignment. Why not improve a registration process for copyright and authors' rights (for SMEs, large companies or individual authors) that could be used as a better metric, an open publication scheme, and a way to help reduce the volume of orphan works? I fully agree with FFII regarding the current situation of the patent system… but is it worth investing in another broken patent system?
Update 2007-03-04: FFII has posted a clarification about the ethical patent campaign. I agree on the point that the disclosure process in the patent system is not working. Every programmer knows that it's often impossible to implement anything from a patent description, as it is often rewritten by lawyers. But jumping into the patent system to build a new patent system based on generally good principles is dangerous, just because not all the players in the patent system are playing fair. Promoting existing authors' rights as an industrial measure and metric for innovation looks more useful in my eyes. I hope that FFII will clearly state in their campaign that software/computer programs are only protected by authors' rights/copyright and not by the broken patent system.
Tags: innovation patent nosoftwarepatent fosdem ffii copyright
John Maeda is an artist and graphic designer working at the MIT Media Lab. I just read his latest book, The Laws of Simplicity. I was always very impressed by his imagination on how to use computers to generate art (if you are interested, you can have a look at Maeda@Media). His latest book is about simplicity: a nice read and a useful book if you are planning to design hardware, software or a web service. The small issues: the cover is far from being simple, and the last part was a little bit unclear or unfinished to my taste. In the end, it's a good book for gathering ideas or paths for building simpler products/services. The path to building simpler services/products is complex.
Tags: simplicity design maeda art
Jean-Etienne tagged me: it's a game where you share five things about yourself that relatively few people know. Jean-Etienne got me thinking about privacy and this "blog-tag" game. As I'm still free to participate in the game and select the five things that I want to share, I think I'll voluntarily "sacrifice" a small part of my privacy to play the game:
I won't explicitly "blog-tag" anyone; I just have some people in my blog roll who were never "blog-tagged". So if you feel the urge and are willing to "sacrifice" some privacy… it's time to take your keyboard.
RSS is nice and its potential is very big. Ok, that's not a new statement, and a bunch of interfaces in the Web 2.0 (and the old Internet too ;-) jungle are extensively using RSS. But what's the issue? The simplicity of generating an RSS feed is not really integrated into the operating systems. Last week, I had a very simple question: "How can I generate a static RSS feed from a local directory?"… I thought there was already a nice piece of free software doing so; not really. There are some interfaces to the Apache HTTP server to make a dynamic RSS feed, like Apache::RSS, but it's dynamic and relies on the HTTP server. So I made rssdir.py, a very small Python script to generate an RSS feed recursively from any directory on the filesystem. The interface is still very minimal but it works:
rssdir.py --prefix http://www.foo.be/cours/ . >rss.xml
It will recursively generate an RSS feed from the current directory, using the specified prefix for the URLs. It's not really rocket science. The script could be improved, but I'm still wondering why we don't have a collection of RSS tools à la Unix. Maybe it comes from the use of XML in the RSS format: it's more error-prone to build a kind of "cut" or "grep" or "cat" on the RSS format. But it should be possible to have something like this:
lsrss /etc/passwd | updaterss --description="passwd last update" >/u/barfoo/web/mysec.xml
lsrss --perm=777 / | mergerss /u/barfoo/web/mysec.xml
The idea is to benefit from the use of a feed reader. The 'mergerss' is a kind of cat for RSS files, where you are able to merge the items of two (or more) RSS files and create a new RSS file. That way, any Unix user would be able to create their own feeds from any information available to them in a Unix shell. Of course, the mergerss command has to take care of the pubDate value to keep the items ordered. I have to dig into it. Maybe I'll find some blocking situation, but that could be useful (at least for me).
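A rough sketch of what such a mergerss could look like, assuming RSS 2.0 input files (this is a minimal illustration, not a finished tool; the function names are mine):

```python
# Sketch of "mergerss": merge the <item>s of two RSS 2.0 files into a
# new feed, ordered by pubDate (newest first).
import sys
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

def rss_items(filename):
    """Return the list of <item> elements of an RSS 2.0 file."""
    return ET.parse(filename).getroot().findall("./channel/item")

def pubdate_key(item):
    """Sort key: the item's pubDate as a timestamp, 0 if missing or broken."""
    try:
        return parsedate_to_datetime(item.findtext("pubDate")).timestamp()
    except (TypeError, ValueError):
        return 0.0

def mergerss(file_a, file_b, title="merged feed"):
    merged = sorted(rss_items(file_a) + rss_items(file_b),
                    key=pubdate_key, reverse=True)
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = title
    channel.extend(merged)
    return ET.tostring(rss, encoding="unicode")

if __name__ == "__main__":
    print(mergerss(sys.argv[1], sys.argv[2]))
```

A real tool would also merge channel metadata and deduplicate items by guid, but the pubDate ordering is the part that matters for a feed reader.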
While walking in the countryside, we discovered an old and rusted farming machine for harvesting hay. The machine itself looks very strange, but I was surprised by the metal label on top: "patent melichar-hajek". Yes, part of the machine was patented (around 1944, thanks Google for the new patent search). I took a picture of it for posterity… I'm still convinced that the patent system is an outdated system for today's world.
My week could easily be summarized in one term, recently coined by Bruce Schneier: Security Theater. What's the meaning of the Security Theater term?
security theater: security primarily designed to make you feel more secure.
I'm not always following Bruce Schneier (especially about so-called security awareness; for a good summary, see the Marcus Ranum point/counterpoint), but I tend to follow his point of view regarding security theater. Too often, the impression of security matters more to people than basic real security. It's not a matter of cost… as an impression is sometimes more expensive to build than a simple security mechanism. It's just a question of perception: you may feel safe just because there is a nice label on a box saying "Military Encryption" or you have the "enabled firewall" icon on your computer desktop. Marketing is playing in that field too, just giving the impression. What's most important, the theater or the backstage? Theater is magical… but when you go backstage you start to understand how it works. But how many people go backstage to see how it works after all? Not too many. Of course, the offstage part is a critical part of the theater. This week, I was deep in the backstage… helping the magical security theater to continue its work while trying to keep the security beyond magic.
I was following a little bit the long discussion about net neutrality and found this quote from Tim Berners-Lee:
Anyone can build a new application on the Web, without asking me, or Vint Cerf, or their ISP, or their cable company, or their operating system provider, or their government, or their hardware vendor.
This quote summarizes really well what net neutrality is. There are a lot of discussions saying that it is not a problem when an ISP differentiates between the services you access on the Internet. I think it is. The ISP's role is to provide you access to a public network, nothing more or… less. We don't want to go back to the old days of CompuServe, a FidoNet network, MSN and sometimes a wacky gateway to the Internet from those proprietary networks. We just want plain routed IP packets on the Internet…
Update 2007-01-23: I'm not against traffic engineering in the ISP backbone. I'm just against the idea of having different kinds of access depending on the agreements the ISP made with various service providers. Imagine that your ISP gives you fast access to the live.com search engine but not to the Google search engine. It's not a matter of law (net neutrality will not be solved by the legal framework); it's just a matter of keeping access to a public network. In the end, we must keep a free market when providing access to the public Internet.
Patents are often used as a defensive tool against other aggressive patenters. Red Hat is registering patents in order to keep a portfolio against other companies playing unfair (if you can really play fair in the patent system, but that's another discussion) in the software business. They promise that they won't enforce their patents against software licensed under a free software license. The term "protection" is often used in the patent system, but it's not often about protecting your invention: it's mainly about protecting yourself against the potential racketeer.
Beside the "racketeer" protection, there is a very common use of patent : the innovation metric. A classical argument in favor of patent is to have such system to evaluate the innovation level of a company, a country or a region. The number of patent application is used to build dozen list of most innovative countries or the most favorable area in the world where investor should put money… Of course, we all know that only relying on the patent applications to build a kind of innovation index is a very truncated view where and when innovation pops up. Investors often relies on the capacity of a start-up to fill patents before doing large investment. Start-ups may have done a lot of research in development in a product or a service without having the ability to fill application. But you have other ways to evaluate the innovation level of start-ups like the number and the respective quality of scientific publications/papers, the various legal depots of copyrighted works, …
Evaluating innovation in a company based on a single factor like the patent system is dangerous for everyone, including the investor. At a time when society asks for more accountability inside companies, we really need a better system to evaluate innovation. Of course, there is no miracle. There is no such thing as the perfect innovation index. But at least we should start to think of a better solution. My first thought was that we don't need such metrics, as they are all broken. That's true, but it looks like the economic sector loves to use broken metrics. If there is no alternative among the "innovation metrics", the economic sector will pick the only one available, and it's clearly the broken one. Maybe it's time to propose something else?
Some random ideas to build such an index:
Some potential factors (of course, they are all broken, but not in the same areas):
Maybe there are already some other indexes… I just think that the idea is well worth investigating, at least to avoid the current single factor used: the patents.
Tags: copyright innovation patent metric
I'm often asked to give a list of my favorite public feeds. Yesterday, I cleaned up my list to clearly separate the private and public feeds (you know, for this vague notion of privacy in our connected world). They are now available in OPML format. The file is composed of more than 500 RSS/Atom feeds, mainly containing my current blogroll, a list of monitored free software projects and some specific RSS/photo feeds. The OPML format is quite old and was created by Dave Winer. A lot of people were complaining about OPML (Outline Processor Markup Language): that the specification is quite unclear (too open to interpretation), too simple, or only uses element attributes (I'm often a bozo but I don't care). That could be true… but OPML is simple, implemented and available. It works, and in the end it's better to have such a format than a 200-page specification without implementation. The Sage Firefox extension supports import and export in OPML. There are also some other extensions for Firefox. You can also share your feeds on share.opml.org, but it's only useful for the social web freaks… but we are all freaks, aren't we?
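To give an idea of the (attribute-only) style people complain about, a minimal OPML subscription list looks like this (the feed URL is just an example):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
  <head>
    <title>public feeds</title>
  </head>
  <body>
    <outline text="a blog I follow" type="rss"
             xmlUrl="http://example.com/rss.xml"/>
  </body>
</opml>
```

Everything lives in attributes of the outline elements, which is exactly what makes it both criticized and trivial to implement.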
As usual, I'll give my Saturday courses during February and March at the University of Metz; my main topic this year will cover the use of honeynet/honeypot technologies to discover and analyze old and new security threats. I have often used honeynet information as a basis for giving courses in network security and software engineering. In the early days, I was not really convinced by highly interactive honeynets, as it was more like throwing a bottle into the sea than having a real target. High-interaction honeynets catch real attackers, but quite often the same kind of attackers, and they cost a lot in time and money to set up, manage, monitor and analyze. The risks are quite high with a highly interactive honeynet, as it can easily be used to attack or launch large-scale probes on the public Internet. Of course, you can use technical measures (mmmm… maybe better to say: tricks) to limit the risk of being a nice launching pad for other attacks. It's not perfect, error-prone and costly on the management side. After some years, I still think that the use of a highly interactive honeynet is sometimes useful, but only in rare cases.
After a lot of experiments in the area, low-interaction honeynets seem to me more useful and to have more practical usage. A lot of honeynet frameworks exist to catch malware, spammers or misconfigured routing… with reduced risks compared to their highly interactive brothers. During the session in Metz, I'll give the students the opportunity to build their own low-interaction honeynet as a practical example. The approach is not only there to catch security issues in the wild but is mainly a practical hands-on exercise where the students can understand the inner working of a specific internet protocol, understand abuse of internet services and the risks when developing (crafting) software. I hope that some of their honeypot projects could be used on the Internet and published (I'll insist on reusing existing honeynet/honeypot frameworks like honeyd in their "creation").
Today I replaced my last Antec power supply unit from the notorious series SL350P. I have now replaced all the old SL350Ps by SP-350Ps. I broke three SL350Ps in less than a year, mainly due to the thunderstorms quite frequent in the area where I'm living. The strange part is that the power supply was still giving the correct output voltage on VSB (+5V). VSB is the standby voltage that keeps a minimal voltage on the mainboard (e.g. wake-on-lan requires it to power on the board). For the rest, the outputs were quite chaotic and not the standard +3.3V, +/-5V or +12V on the 24-pin connector. From my experience, it's not a good idea to try fixing power supplies… it's often better (mainly for safety) to order a new one ;-)
This whole story reminds me of the paper from Google, High-efficiency power supplies for home computers and servers, about the current inefficiency of PSUs and the proposal to have a single 12V output voltage from the power supply. I'll vote for it…
Some days ago, RFC 4772 (Security Implications of Using the Data Encryption Standard) was published by the IETF. It covers the security implications of using DES and why you must avoid its use in the modern information society. The RFC is very complete, covering all the security aspects of DES including the "new" method of making an exhaustive search using a botnet. The RFC is a nice read and an introduction to the issues around DES and (some) block ciphers. I still know a lot of companies and individuals relying on DES for legacy Virtual Private Networks, file system encryption or alike. They often keep using it only for backward compatibility with existing or deprecated software/hardware. I really like the conclusion of the RFC:
With respect to the third reason (ignorance), this note attempts to address this, and we should continue to make every effort to get the word out. DES is no longer secure for most uses, and it requires significant security expertise to evaluate those small number of cases in which it might be acceptable. Technologies exist that put DES-cracking capability within reach of a modestly financed or modestly skilled motivated attacker. There are stronger, cheaper, faster encryption algorithms available. It is time to move on.
So guys, it's really time to move on… if not, your attacker will buy a COPACOBANA system (the new customizable EFF-like hardware code breaker) or use a botnet infrastructure to discover your small symmetric key.
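A quick back-of-the-envelope shows why the 56-bit keyspace is the problem. The search rate below is an assumption for illustration only, not a spec of any particular machine:

```python
# Why single DES is dead: the keyspace is only 2^56, so even a modest
# assumed search rate makes exhaustive search practical.
KEYSPACE = 2 ** 56          # number of possible DES keys
RATE = 50e9                 # assumed keys/second for dedicated hardware

seconds = KEYSPACE / RATE
days = seconds / 86400
# on average, the key is found after searching half the space
avg_days = days / 2

print("full search: %.1f days, average: %.1f days" % (days, avg_days))
```

With those assumptions, the average key falls in about a week, which matches the RFC's point that DES-cracking is within reach of a modestly financed attacker.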
I remembered a discussion I had some years ago about the similarities between the free software movement and the electronic music movement. I felt quite alone at that time, as I was the only one thinking that the sharing principle behind electronic music and free software creation is much the same (e.g. sharing samples, audio works). I kept the idea in the back of my mind without thinking about it too much…
While walking in a bookshop, I discovered the following book: Digital Magma : De l'utopie des rave parties à la génération iPod by Jean-Yves Leloup (sorry, in French). It's a very nice and concise book about electronic music and its evolution in society. My main surprise is that the book clearly explains the parallelism between the two worlds: free software and electronic music. There are some good references to other classical books about electronic music or free software (e.g. the famous book by Pekka Himanen). A nice, easy and pleasant read if you are interested in the subject. I'll try to find the people from that past discussion and send them the reference to this book ;-)
In our spare time, we (Michael and I) are playing a little bit with the potential "social" web (in other words, we are just trying to extract some useful information from a bunch of bloody web pages). In that scope, we have to collect, mangle, analyze and evaluate a lot of web pages. During the process of evaluation, we could think of something new, but we may have forgotten to collect important data when crawling the URLs.
We discussed the possibility of writing a small lightweight framework that could operate partially like the big processing frameworks (e.g. MapReduce or Hadoop). Those frameworks often operate in the same way (as a lot of operations can be expressed in that way) by splitting a large dataset into small datasets across multiple nodes. A map function is given to process the small datasets with user-specified operations. Afterwards the datasets are reduced and compiled to provide a uniform result. Such a framework is composed of multiple elements: a job scheduler system (to dispatch the tasks across the nodes), a distributed file system (to efficiently distribute the datasets and also… write the results), a communication system across the nodes… So developing such a framework is very complex and could be time-consuming.
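The split/map/reduce flow can be illustrated in a few lines with a toy word-count (this is only an illustration of the idea, not the framework discussed here, and it runs in a single process):

```python
# Toy map/reduce flow: split a dataset into chunks, map over each chunk,
# then reduce the partial results into one answer.
from collections import Counter

def split(dataset, n):
    """Split a list into roughly n chunks."""
    k = max(1, len(dataset) // n)
    return [dataset[i:i + k] for i in range(0, len(dataset), k)]

def map_task(chunk):
    """The user-specified map operation: count words in one chunk."""
    return Counter(word for line in chunk for word in line.split())

def reduce_tasks(partials):
    """Reduce: merge the partial counts into a single result."""
    total = Counter()
    for p in partials:
        total += p
    return total

data = ["a b a", "b c", "a"]
result = reduce_tasks(map_task(c) for c in split(data, 3))
```

In a real framework, each map_task call would run on a different node and the reduce step would gather the partial results over the network.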
In that scope, I was looking for a way to restart my crawling and processing efficiently using a very simple process. I made a very quick-and-dirty(tm) prototype to do that job. So it's a 2-hour experiment, but with the idea behind it of building a potential lightweight framework… Here are the basic steps:
I made a basic interface around GNU screen (the excellent terminal multiplexer) to handle the -X option via a simple Python class (svn). That way, the jobs will be managed inside a single screen session.
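The real class is in my svn; a rough sketch of what such a wrapper can look like (the class and method names below mirror how it is used later, but this is my illustration, not the actual code):

```python
# Sketch of a GNU screen wrapper: start a detached session, then use
# "screen -X" to open one window per task inside that session.
import subprocess

class TermGnuScreen:
    def __init__(self, session):
        self.session = session
        # start a detached screen session that will hold the job windows
        subprocess.check_call(["screen", "-dmS", session])

    def addWindow(self, title, cmdline):
        # ask the running session to create a new window running cmdline
        subprocess.check_call(
            ["screen", "-S", self.session, "-X",
             "screen", "-t", title, "sh", "-c", cmdline])
```

Each addWindow call becomes one task window, so attaching to the session shows all running tasks at once.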
The second part is the webcrawler (the tasks) that will collect the URLs. The webcrawler is a very simple HTTP fetcher, but includes the ability to retrieve the URLs from a URL list at a specific offset. The webcrawler (svn) can be called like this:
python crawl.py -s ./urlstore2/ -f all-url.txt.100000.sampled -b 300 -e 400
Where -b is the first URL to fetch and -e is the last URL to fetch from the URL file specified with -f.
The last part is the master managing the tasks (the multiple crawl.py instances to be called):
cmd = './crawl.py'
p_urllist = ' -f '
urllist = "all-url.txt.100000.sampled"
p_urlstore = ' -s '
p_start = ' -b '
p_end = ' -e '
p_dacid = ' -i '
urlstore = "./urlstore2"
tasknum = 25
jobname = 'crawlersample'
lineNum = numLine(urllist)
job = TGS.TermGnuScreen(jobname)
jobid = 0
for x in range(0, lineNum, lineNum/tasknum):
    end = x + (lineNum/tasknum)
    dacid = jobname + ",slave1," + str(jobid)
    if end > lineNum:
        end = lineNum
    cmdline = cmd + p_urllist + urllist + p_urlstore + urlstore + p_start + str(x+1) + p_end + str(end) + p_dacid + dacid
    job.addWindow("jobname" + str(jobid), cmdline)
    jobid = jobid + 1
So if you run master.py (svn), the tasks will be launched inside a single screen session, and you can use screen to see the evolution of each task.
dacid:crawlersample,slave1,24 2956 of 3999
That means that task 24 of job crawlersample has already retrieved 2956 URLs out of 3999. In this experiment, we are quite lucky as we are using a simple hash-based store for the crawled pages. As the URLs are unique per task, there is no issue with using the same local repository.
It's clear that this experiment could be written as a multi-process or multi-threaded program, but the purpose is to be able to manage the distribution of the tasks across different nodes. Another advantage of the multiple-tasks approach: we can stop a specific task without impacting the rest of the job and the other tasks.
It was just an experiment… I don't know if we could end the exercise with a more useful framework ;-) But it was useful: I discovered that GNU Screen has a hard-coded limit on the number of windows per session (maximum 40 windows). You can easily change that in config.h and recompile it.
As my blog is an inconsistent space, it needs some work to keep it inconsistent. Today's topic is electronic music and the review of the latest release from Dave Clarke. Dave Clarke Presents Remixes & Rarities 1992 - 2005 is released under the mythical label Music Man as two CDs (real CDs without DRM…). It's a compilation including the major remixes made by Dave Clarke until today. When I saw it on the shelf of the music store, it reminded me of some electronic music parties where a DJ always played The Storm (one of the best tracks from Dave Clarke, part of the mythical red series) at a specific time. Going back to the compilation, it's an eclectic collection of remixes. It somewhat reflects the work of Dave Clarke, including the different levels of quality in his past and current work. I don't really want to talk about the tracks I don't like… but there are two tunes on the compilation that justify its purchase. The first is the remix of the EBM-style track by Douglas McCarthy and Terence Fixmer: You Want It. It's really a great remix, keeping the original atmosphere of the track with a nice touch of "Dave Clarke" rhythm. The other one is Lie To Me, the original track made by Slam (founder of Soma Records). The original lyrics and vocals were already incredible, but the never-starting "bass" is very nice and gives a new smooth and deep atmosphere. The quality of the other remixes (or unreleased tracks) is quite variable… but the compilation is quite good and gives a perspective on the overall work of Dave Clarke. A nice new year gift for electronic music fans.
Thinking back on the nonsense Copiepresse action and the Belgian court ruling in their favor, I'm still wondering what such editors' societies really want. We can read everywhere that Copiepresse wants a share of the money revenue from Google. That seems to be one possible reason behind the legal action, but in my humble opinion it's not the main driving reason. Looking at the Copiepresse website, there are plenty of leaflets stating that you can't make a copy before asking us for authorization, and that more and more works (read: controlled by us ;-) are in an electronic format. When reading the leaflets, I think that the underlying idea is to translate the old approach of physical objects while adding more restrictions (maybe it's my naive perception). More restrictions? Is it possible? Yes. In the current situation, the physical archiving of the press is done by publicly funded libraries or archiving institutions. There are exceptions in copyright/author's right law to allow them to preserve press articles. Access to the preserved articles is allowed to the public, even without a fee. But in the digital world, who is taking care of the archiving? archive.org is doing a part of the job but lacks a lot of funding (and help) to extend the scale. Google is doing it as a service for the Internet user and adds a little bit of advertising. Some other initiatives are growing in the area of digital archiving, but I agree with Jean-Etienne about the difficulty of digital archiving. Beside the technical difficulties, there are numerous legal difficulties, including the latest action from Copiepresse. The editors' societies don't want to share and want to win the new archiving market. They see the opportunity of replacing the current physical archiving system by removing it in the electronic world. That's why I think their real target is not Google's money: they just want to kill the ability to do digital archiving.
The ability to do digital archiving is really critical to preserve information in the long term. More and more information is only available in digital format (quite often in a proprietary format, with a lot of restrictions, or in limited quality)… Digital archiving can only work in a collaborative way. No single provider can scale to archive all the information generated today. The only way is to free the archiving of digital information and to clearly extend the archiving exception in the law not only to institutions but to any foundation, citizen or association willing to help archive the digital society.
By the way, here is a small archive of lesoir.be made without crawling the website, only using the RDF file provided by the website (here is the Python script to do so; feel free to use it to archive your favorite website).
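A minimal sketch of that idea, for anyone curious about the approach (this is an illustration, not the actual script linked above; the feed URL is an example and error handling is left out):

```python
# Sketch: read a site's RSS/RDF feed, extract the article links, and
# save each linked page locally, without crawling the whole site.
import os
import urllib.request
import xml.etree.ElementTree as ET
from hashlib import sha1

def item_links(feed_xml):
    """Extract all http links found in an RSS/RDF feed document."""
    root = ET.fromstring(feed_xml)
    links = []
    for el in root.iter():
        # RSS 2.0 uses <link>; RSS 1.0/RDF uses a namespaced link element
        if el.tag.endswith("link") and el.text and el.text.strip().startswith("http"):
            links.append(el.text.strip())
    return links

def archive(feed_url, destdir="archive"):
    os.makedirs(destdir, exist_ok=True)
    feed_xml = urllib.request.urlopen(feed_url).read()
    for url in item_links(feed_xml):
        # name each saved page after the hash of its URL
        name = sha1(url.encode()).hexdigest() + ".html"
        with urllib.request.urlopen(url) as page, \
             open(os.path.join(destdir, name), "wb") as out:
            out.write(page.read())
```

Because only the pages announced in the feed are fetched, the site is never crawled and the robots.txt question does not even arise.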
Beside a lot of stuff to do for my daily and nightly work, I made a small and interesting discovery in the area of XMPP servers. I planned to upgrade an old (and worse… unstable and insecure) Jabber server. Finding the right XMPP server is not easy, but I found the one created from scratch by Brad Fitzpatrick called djabberd. It's a very flexible XMPP framework written in (clean) Perl where everything is a plugin, and it supports the XMPP standard quite well. If you are interested in my minimal configuration, just have a look (I'm using the standard Digest HTTP authentication, but you are free to use the authentication approach that fits your needs). When digging into its operation, I found that the modularity is real. I wrote a very small plugin in 2 minutes to query Wikipedia:
package DJabberd::Bot::Wikipedia;
use strict;
use warnings;
use base 'DJabberd::Bot';
use WWW::Wikipedia;
use DJabberd::Util qw(exml);

our $logger = DJabberd::Log->get_logger();

sub finalize {
    my ($self) = @_;
    $self->{nodename} ||= "wikipedia";
    $self->{bot} = WWW::Wikipedia->new;
    $self->SUPER::finalize();
}

sub process_text {
    my ($self, $text, $from, $cb) = @_;
    my $entry = $self->{bot}->search($text);
    if ($entry) {
        $cb->reply($entry->text());
    } else {
        $cb->reply("Entry not existing in Wikipedia.");
    }
}

1;
If you want to test it, just send a Jabber/XMPP message to wikipedia@a.6f2.net with a word. Nifty and Easy…
Playing with that, I remembered the discussion with Vincent about the Infobot running on IRC, where you can ask for a "factoid" and get a result. Wikipedia is full of "factoids" (in the good sense), I mean sentences structured like "X is Y", and full of karma (X++ when it is a recurring sentence). So why not build a database of factoids from Wikipedia? That could be useful for building a pseudo-AI bot in instant messaging. Imagine a chat room in Jabber where the bot plays its role when a large discussion is taking place and some clarification is required on a term. It's really funny: we are going back to a more textual society with such new tools… (IRC is not dead?). So quite good news.
Today I looked carefully at the W3C log entries of my messy web server. A lot of the HTTP queries are from web crawlers gathering and collecting my (ugly) pages. Without looking at the logs, I was expecting to see a common behavior among the different web crawlers. In theory that could be true, but real life is a different story. For example, the VoilaBot (an indexer owned by France Telecom) has a very strange behavior. That bot reads the robots.txt far too often: for every two page queries, it makes one query to the robots.txt. For example, out of 12282 queries for the robots.txt in 15 days on foo.be, 8532 came from the VoilaBot:
grep robots.txt unix-logs-full | wc -l
12282
grep robots.txt unix-logs-full | grep VoilaBot | wc -l
8532
Mmmmmm… and it looks like I'm not the only one seeing this behavior. It looks like the VoilaBot is short on memory; caching the robots.txt would do the job. The VoilaBot is not alone and has its friend the VoilaBot link checker. The link checker made around 2307 requests in 15 days. That looks ok, but the funny part is that the checker always checks the same link… I understand that it's not an easy task to index the wild Internet (and by extension to develop a bot), but some other web crawlers look more clever. The GoogleBot is somewhat more clever, and Google is using more and more the sitemap protocol. Google provides an interface to see the current status of indexing of your web pages. A very nice tool and an efficient way to check your "indexing" visibility for your website. Does the web crawler behavior give information about the respective quality of the indexing service? Maybe. That would mean the competitors of Google are still far from having a good indexing service. At least, the competitors' bots should be able to get the sitemaps of a website. Generating a sitemap and pinging a search engine is an easy task, and a lot of free software includes that by default (e.g. the sitemap module in Oddmuse). For my static content, I made a quick script to export the directory structure of my htdocs in the sitemap format. All the web crawlers should be able to understand the sitemap and use that information to crawl more efficiently. Maybe like that the different crawlers could focus on the really difficult information to index (like large libraries, revisions in Wikis, mbox files,…).
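A script exporting a directory structure in the sitemap format can be quite short. Here is a sketch of the idea (not my original script, which I no longer have at hand; the function and parameter names are mine): walk the document root and emit one <url> entry per file, using the file mtime as <lastmod>.

```python
import os
import time
from xml.sax.saxutils import escape

def build_sitemap(docroot, base_url):
    """Walk docroot and return a sitemap 0.9 XML document as a string."""
    urls = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            # file modification time as the <lastmod> hint for crawlers
            lastmod = time.strftime("%Y-%m-%d",
                                    time.gmtime(os.path.getmtime(path)))
            urls.append("  <url>\n    <loc>%s/%s</loc>\n"
                        "    <lastmod>%s</lastmod>\n  </url>"
                        % (escape(base_url), escape(rel), lastmod))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">\n'
            + "\n".join(urls) + "\n</urlset>")
```

Running it over a static htdocs tree and dropping the output at /sitemap.xml is all a crawler needs.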
Update 2006-12-02 : It looks like Google, Yahoo! and Microsoft agreed around the sitemaps protocol proposed by Google mid-November. For more information see www.sitemaps.org. The only missing part (IMHO) is a simple META entry to specify the sitemaps location in the root document of a web site. That could ease the job of the crawler when gathering the root page and spare the webmaster from pinging the respective search engines.
Update 2007-03-27 : I have contacted Voila (France Telecom) about the strange behavior of their bot (always downloading the robots.txt, downloading documents that never change, looping on urls). The funny part is they don't understand what the Voila bot is, and their general answer is "Your computer is infected by a virus"… arf arf.
(Translated from French:)

Hello,
We have received your mail and we thank you for contacting us. We invite you to do a search on our Voila search engine, hoping that you will find the solution to this problem there. You can also do a search using the Webchercheurs service available at: http://webchercheurs.servicesalacarte.voila.fr
We inform you that this is a virus affecting your computer.
Happy surfing and see you soon!
The Voila User Service
Our commitment: to be 100% at your service.
----------------------------------------------------------------------
Make a wish and then Voila! http://www.voila.fr/
----------------------------------------------------------------------
--- Original Message ---
From: adulau@XXXXXXXX
Received: 03/26/2007 03:23pm Romance Standard Time (GMT + 2:00)
To: contact@voila.net
Subject: Contact Voila - Search engine
Subject: VoilaBot BETA 1.2
Sir,
Could you inform the technical service of voila.com (France Telecom) that the Voila bot is not working correctly? It regularly downloads (at each visit) the robots.txt of web sites and, moreover, it continuously downloads pages that do not change… It does not seem very efficient.
Thank you for informing the service responsible for the Voila bot.
Best regards,
Service: Search engine
Origin: http://search.ke.voila.fr
Update 2007-04-11 : The sitemap protocol has been extended to inform bots via the robots.txt where your sitemaps are available. Great, you don't need to ping the search engines anymore. You just need to put a Sitemap: line with the full url where the sitemap is located. For more information, just check out the sitemap protocol.
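For example, a minimal robots.txt advertising its sitemap looks like this (example.com is of course a placeholder):

```text
User-agent: *
Disallow:

Sitemap: http://www.example.com/sitemap.xml
```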
Update 2007-04-14 : Dave Winer made an interesting blog entry in Scripting News about sitemaps and talked about a similar approach he took in 1997. The idea was a simple reversed and readable file with the changes of a specific web site. I hope that the sitemap protocol version 2.0 will include a similar approach in order to efficiently grab the content that has changed.
Tags: searchengine blog bot sitemap crawler
This week, I made a very quick presentation at a free software conference about the results of hack.lu 2006 (a computer security conference in Luxembourg that I co-organized with other members of the CSRRT-LU). They were asking me about the status of Free Software in the world of "computer security". Sorry to say it, but security is not a default feature in software. Software is essentially insecure, crappy and unstable. This is valid for free software and proprietary software alike. The main and essential benefit of free software is its ethical value, not its practical value.
At first glance, people listening to the FUD spread by the media found the statement strange, as they were quite sure that free software is inherently secure. This is plain wrong; software is software, and designed, often by default, to be crappy. Of course, free software provides some advantages (the famous 4 freedoms) over proprietary software to make it less crappy, more stable and more secure. But the authors and users of free software must use the possibilities offered by those freedoms to build better software. It's clearly not an easy task, as the software is not alone in that hostile environment. Just take a look at the presentation of Wietse Venema about building a "simple" file shredder… you'll see that it's near impossible to write such software (and so, you have to think about other paths).
We are all writing insecure, unstable and crappy software. Some know that, but a majority will never notice.
As you are maybe aware, I have a kind of interest in Netflow for some security monitoring projects. The past days, I was looking into the different methods to export Netflow from dedicated devices over a dynamic network connectivity. First, what do I mean by "dynamic network connectivity"? It's a connectivity where you don't have much control over the allowed protocols or communication mechanisms able to cross that network. The typical example is an Internet connectivity over a GPRS network or in a hotel room. You have, for example, only HTTP access and nothing more. It's often very difficult to know what protocols will be available in such an environment. For a project in the area of emergency response, it is very common to have such a "dynamic environment". We decided in a project to use Netflow version 5 and ipfix as a common method to monitor ip flows. The major issue in the project is that we cannot rely on full tcp/ip connectivity to the Internet or other IP networks. The idea was to use the commonly available protocols in such an environment to "tunnel" Netflow. The two main protocols often available are DNS (name resolution) and HTTP. In the beginning, I was planning to use a DNS-based transport mechanism. The DNS client (on the monitored device) sends specific requests to a specific domainname maintained by a specific nameserver. In order to overcome the DNS limitations (e.g. the size of the UDP packet or the query methods available), I was planning a method like the one used by the Malware database. The idea was to split each PDU of a Netflow datagram into a sequence of DNS queries. I quickly discovered with a small prototype using dpkt that this was the wrong way: too many DNS queries for a small amount of Netflow data, in other words, too much overhead. I also left the approach due to the fact that a majority of DNS servers discard some requests when using a "GPRS" provider (to limit DNS tunneling or the use of bandwidth?).
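To see why the overhead kills the DNS approach, consider a sketch of the splitting step (this is not my dpkt prototype, just an illustration; the domain name, label counts and encoding choice are assumptions): base32-encode a datagram and cut it into 63-byte DNS labels, a few labels per query name.

```python
import base64

MAX_LABEL = 63          # DNS limit per label
LABELS_PER_QUERY = 3    # keep the full name under the 255-byte limit

def datagram_to_queries(payload, domain="flow.example.org"):
    """Split one Netflow datagram into the DNS query names that would
    carry it. Purely illustrative of the overhead problem."""
    encoded = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [encoded[i:i + MAX_LABEL]
              for i in range(0, len(encoded), MAX_LABEL)]
    queries = []
    for i in range(0, len(labels), LABELS_PER_QUERY):
        chunk = labels[i:i + LABELS_PER_QUERY]
        queries.append("%d.%s.%s" % (i // LABELS_PER_QUERY,
                                     ".".join(chunk), domain))
    return queries
```

A full NetFlow v5 datagram (24-byte header plus 30 records of 48 bytes, about 1464 bytes) comes out as roughly a dozen DNS queries, each needing its own round trip: too much overhead indeed.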
So the remaining transport mechanism in a "dynamic network connectivity" is HTTP, very often proxified. As the first testing version uses Netflow version 5, the protocol used by the Netflow exporters in that case is UDP. I found a way to encapsulate UDP over HTTP with firepass (and it works quite well for non-interactive protocols like Netflow). I didn't want to go in the direction of a full-featured VPN/Tunnel/IP-over-HTTP, as the cost of setup could be quite high and it's not very welcome in such a "dynamic environment". I'll use a similar Netflow-over-HTTP approach in the following weeks and keep you informed of any evolution.
Blog entry also available on the flowog site
As a Belgian citizen, I voted today in Les Bulles for the local and provincial elections. It took me five minutes (including the walk to the local school) to cast my vote. The voting process was controlled by randomly selected local people (this year, including steph). It's the classic voting system: two papers and a red pencil, nothing more. Efficient (if the red pencil is broken, it can be replaced by any human able to carry twenty grams), under constant review (the process can be controlled by any human having two eyes (one is possible too ;-))), fast (two papers: one for the local election and one for the provincial election)… So I was very happy to still use the classical paper voting. Computers were invented to ease the use of and access to information or to speed up operations. Are computers useful for voting? I don't think so. They don't bring many advantages compared to paper-based voting. The principal advantage (the only one?) is to obtain the results quickly (mainly useful for the media and the politicians, not really for citizens). For the rest, it's very expensive, not easy (possible? just think about the article of Ken Thompson, Reflections on Trusting Trust) to review, difficult to replace when broken, more complex to set up than handing out a pencil, difficult from an accessibility standpoint, and it has a multitude of dependencies (just think about electrical power and helpdesk). Only some organizations (poureva in Belgium) are fighting against the electronic vote. I hope that more and more citizens will understand the risks of electronic voting systems. Yes, fraud is possible in paper-based voting, but it's easier on a large scale in electronic voting systems, as all the voting offices receive a black box. Vote for paper-based voting, nothing else!
To assure honest elections, we need physical ballots that can be used for a recount. Richard Stallman
After the ridiculous legal battle by CopiePresse, I made a very quick-and-dirty Python script to archive the latest articles from a well known French-speaking news site in Belgium. The script is valid for any website providing an RSS/RDF feed. Here is an example containing the archived articles. I don't know if a bot from a search engine company will crawl the archived articles ;-) I hope that the Belgian press editors will come back to reality in the following weeks…
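The archiving script boils down to two steps: pull the article links out of the feed, then fetch each one. A minimal sketch in the same spirit (not the original script; it only handles plain RSS 2.0, whereas RDF/RSS 1.0 feeds put their items in a namespace, and the function names are mine):

```python
import urllib.request
import xml.etree.ElementTree as ET

def article_links(feed_xml):
    """Extract the article URLs from an RSS 2.0 feed document."""
    root = ET.fromstring(feed_xml)
    return [item.findtext("link") for item in root.iter("item")]

def archive(feed_url, destdir="."):
    """Download every article listed in the feed into destdir."""
    with urllib.request.urlopen(feed_url) as resp:
        links = article_links(resp.read())
    for n, link in enumerate(links):
        urllib.request.urlretrieve(link,
                                   "%s/article-%04d.html" % (destdir, n))
```

Run from cron once a day, that is enough to build a mirror any search engine could crawl.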
Reading the latest Linux Kernel developers' position about the GNU General Public License version 3 drafting process, I tend more and more to follow their position on the subject. I was already not in favor of the extended clause about patents in draft version 3. The reason behind that was not the one followed by the kernel developers. My main concern is that it justifies the existence of the patent system for computer programs. Validating a system that doesn't really exist in the EU could be quite dangerous and open the gates to justifying its creation. Section 7 of the GNU General Public License is clear enough while not playing directly in the patent field. Section 11 of the current draft of GPL version 3 is more difficult to understand and could be used as an argument not to use the GNU General Public License, and/or it could block the use of the patent system as a defensive tool (ok, not always a good idea). But excluding the possibility for potential developers to use the latest version of the free software license limits the potential extension of free software… I'm also wondering why a potential geographic limitation (like the ITAR restriction) is included by default in the draft. I still don't understand why it is there by default. The less potential ground for creating restrictions, the better for free software.
Other free software authors are willing to keep the GNU General Public License version 2 only, like BusyBox… Will you use the "or later" clause or the v2 only clause ?
Update : The current view of Alan Cox about the draft of GPL version 3 is quite interesting. The vagueness of GPL version 2 was an advantage, as the FSF was making its own and clear interpretation of the license. If the FSF tries to be objective in the next version, we start to have a very fixed free software license that the FSF couldn't "extend" when required (and the lawyers will have the final word). I'm pretty sure that the final interpretation of version 2 of the license at the FSF was not really fixed at the date of its publication. I hope that the FSF will make the latest revision something more flexible… for them.
Update2 - 2006-11-27 : A potential update to the current GPL version 3 draft is quite interesting. The latest "deal" between Novell and Microsoft uses software patents to create a kind of island isolating part of the free software community. That problem could be fixed in the updated draft of GPL version 3, as stated by Richard Stallman during a conference - http://www.fsfeurope.org/projects/gplv3/tokyo-rms-transcript:
[Section: The Novell and Microsoft example] However, there's another way of using software patents to threaten the users which we have just seen an example of. That is, the Novell-Microsoft deal. What has happened is, Microsoft has not given Novell a patent license, and thus, section 7 of GPL version 2 does not come into play. Instead, Microsoft offered a patent license that is rather limited to Novell's customers alone. It turns out that perhaps it's a good thing that Microsoft did this now, because we discovered that the text we had written for GPL version 3 would not have blocked this, but it's not too late and we're going to make sure that when GPL version 3 really comes out it will block such deals. We were already concerned about possibilities like this, namely, the possibility that a distributor might receive a patent license which did not explicitly impose limits on downstream recipients but simply failed to protect them. What if one company pays Microsoft for a patent license where Microsoft says "Alright, we won't sue you, but we're just not making any promises about your customers if they redistribute it". We had already written a downstream shielding provision into GPL version 3 saying that if you convey the program, and you are benefiting from a patent license that is not available, that does not extend to the downstream users, then you have to do something to shield them. This is, it turns out, inadequate in two ways. First of all, "shielding them" is vague. We're replacing that with a specific list of methods, and second, once again it assumes that the distributor has received a patent license, so the Microsoft/Novell deal cunningly does not give Novell the patent license, only Novell's customers. Well, now that we have seen this possibility, we're not going to have trouble drafting the language that will block it off. 
We're going to say not just that if you receive the patent license, but if you have arranged any sort of patent licensing that is prejudicial among the downstream recipients, that that's not allowed. That you have to make sure that the downstream recipients fully get the freedoms that they're supposed to have. The precise words, we haven't figured out yet. That's what Eben Moglen is working on now.
Yes, such text introduced in the license will continue to support software patents, but on the other hand, it starts to block their illegitimate usage (if there is any legitimate use of software patents ;-).
I'm updating the website of the small village where I'm living. As I received a collection of pictures, I was wondering how to display them in a nice way. A kind of dynamic slideshow with crossfading could do the job. An update of the crossfade redux is available and works quite nicely without a ton of tweaking in the CSS. I made a test with the latest photos of the frontage renovation of our house. Works well… I plan to use it for the new website of Les Bulles; the only thing I was wondering about is the license of the javascript code for the fading. By default, the exclusive rights of the author apply. So it's not free software…
Reading the blog entry at Le Soir about the court case of CopiePresse against Google, I was very disappointed by the role of CopiePresse and how the classical editors still don't understand the Internet. Any indexer (including Google but others too) provides a service (I'm not discussing here the various search engine functionalities) to help people search for information. It's a benefit for the authors of the content AND the readers; it provides better access to the works made by the authors. Search engines provide a means to better search and, sometimes, classify information. This is the next step after the initial step of printing (from monks to Gutenberg to digital information to organized digital information). CopiePresse is stuck at digital information localized on one personal computer without any network connectivity. I'm not very proud of being Belgian after seeing that (a part of?) the Belgian press has still not understood the Internet.
The approach used by CopiePresse, playing the legal battle instead of simply using the robots exclusion standard, is very dangerous. I don't think that playing legal battles over digital information is a good idea. It will generate more boundaries to the distribution of information instead of promoting its distribution. So the editors are not playing their role of editors in that specific case.
So it's maybe time to build an RSS scraper to download the daily full articles from lesoir.be and store them on a publicly accessible (for educational purposes) server where any search engine (like Google, Google News, Yahoo!,…) could have access? That could be a nice example showing that all the legal stuff made by CopiePresse is full of non-sense.
I was very happy to see Google Books propose a lot of public domain scanned books. For example, Marion De Lorme, a Victor Hugo work, is available in Google Books. But I was surprised by the statement before the beginning of the public domain work:
This is a digital copy of a book that was preserved for generations on library shelves before it was carefully scanned by Google as part of a project to make the world's books discoverable online. It has survived long enough for the copyright to expire and the book to enter the public domain. A public domain book is one that was never subject to copyright or whose legal copyright term has expired. Whether a book is in the public domain may vary country to country. Public domain books are our gateways to the past, representing a wealth of history, culture and knowledge that's often difficult to discover. Marks, notations and other marginalia present in the original volume will appear in this file - a reminder of this book's long journey from the publisher to a library and finally to you. Usage guidelines Google is proud to partner with libraries to digitize public domain materials and make them widely accessible. Public domain books belong to the public and we are merely their custodians. Nevertheless, this work is expensive, so in order to keep providing this resource, we have taken steps to prevent abuse by commercial parties, including placing technical restrictions on automated querying. We also ask that you: + Make non-commercial use of the files We designed Google Book Search for use by individuals, and we request that you use these files for personal, non-commercial purposes. + Refrain from automated querying Do not send automated queries of any sort to Google's system: If you are conducting research on machine translation, optical character recognition or other areas where access to a large amount of text is helpful, please contact us. We encourage the use of public domain materials for these purposes and may be able to help. + Maintain attribution The Google "watermark" you see on each file is essential for informing people about this project and helping them find additional materials through Google Book Search. Please do not remove it. 
+ Keep it legal Whatever your use, remember that you are responsible for ensuring that what you are doing is legal. Do not assume that just because we believe a book is in the public domain for users in the United States, that the work is also in the public domain for users in other countries. Whether a book is still in copyright varies from country to country, and we can't offer guidance on whether any specific use of any specific book is allowed. Please do not assume that a book's appearance in Google Book Search means it can be used in any manner anywhere in the world. Copyright infringement liability can be quite severe. About Google Book Search Google's mission is to organize the world's information and to make it universally accessible and useful. Google Book Search helps readers discover the world's books while helping authors and publishers reach new audiences. You can search through the full text of this book on the web at http://books.google.com/
Google clearly relicensed the public domain work under a kind of ugly non-commercial license. Of course, they are allowed to do that, but it is a kind of non-sense. It's building a new era of proprietary information from works already paid for by the community (this was the purpose of the author rights). It's clearly not for the benefit of the author (everybody knows that Victor Hugo is a young author looking for money to continue his work ;-) or the community; it's clearly only for the benefit of the editor (Google only?). Google claims that they have to do that because the scanning is expensive… like it's expensive to crawl the Internet? But in the end, they will use the public domain work to show their advertisements? So the commercial restriction is clearly for their sole benefit. The only thing I hope is that Google is not burning the books after having scanned them. I'm sure that they are not doing that. They are just moving the public domain into a private collection where the benefit for the community is minimal. Citizens are already paying twice for author rights… (think about taxes on media and distribution) and now we are paying a third time.
Update 22 April 2007 : I'm not alone anymore, at least for governmental publications. There is an open letter asking to keep the works of the US government in the public domain when they are scanned for Google Books. I'm still very surprised that a lot of people accept that the act of scanning a public domain work turns it into a proprietary work. It looks like a kind of black magic.
Tags: google publicdomain archiving copyright
Some months ago, we (Michael Noll and I) started a project called GooDiff to monitor the legal documents of service providers on the Internet. As more and more web services are available on the Internet, we (the users) are not often (never?) warned about changes in the terms of contracts and agreements. GooDiff is a basic service to monitor specific documents (often legal or contract documents) from providers like Yahoo!, del.icio.us or Google. The service is using a customized version of Trac with a simple subversion backend.
We discussed possible extensions to GooDiff and found out that making it more "social" would be an interesting feature. What do we mean by more "social"? We would like to make a kind of annotation- or comment-based interface to the legal documents stored in GooDiff. The idea is to provide a basic unified interface using a classical wiki engine like MediaWiki. We don't want to reinvent the wheel; we want to focus only on the issues (already too many) of monitoring "unstable" documents. I just started goomirror to monitor, gather and store the raw files of the monitored services. The idea behind it is to use a basic gateway to publish the information to the wiki, where people could comment on or annotate the documents. There are already some nifty Perl modules to access MediaWiki via a simple API. I already made a test (rssfromAPage) generating an RSS feed from a list in a specific MediaWiki page for the hack.lu 2006 website. Using the same approach, it doesn't seem difficult to gateway the goomirror content back into a community wiki. MediaWiki is maybe not the best choice (the RSS support compared to oddmuse is too minimal) but we'll test and see what's the best fit.
I'm still wondering how and when a technology reaches a usability level where people start to use it without thinking about the technology. Very often, technologies are designed for usability and they are everything but usable. I don't know why a lot of technologies designed to be usable are not usable in the end. Maybe the inner definition of usability is difficult to describe. For example, users use hypertext systems without knowing the name or what a hypertext system is. Different systems were proposed, like Xanadu, but in the end the simplest one was selected by the users. The selection of such technology is not evolution (in the Darwinian sense), as the drift is selected by the users and the creators/contributors of the technology. It's not really random, but if you look at the "evolution" of the HTTP protocol, you'll see that the changes mainly come from the use of the protocol itself. Maybe you are wondering where I want to go with this? It's about the Semantic Web. It looks like (but I'm maybe wrong, as you know, prediction in computer science…) we have a large stack of technologies available but usability seems to be lacking. A simple technology like tagging provides a great entry into the semantic web without the cost of all the currently associated technologies. It looks like free tagging is starting to be usable without making people think too much about the technology behind it. That could be enhanced, but it's just the beginning. Collaborative classification is starting to be usable and could be a nice ground for the famous holy grail of the 'Semantic Web'. Reading Folksonomies Tidying up Tags? reminds me of an old article arguing that building an encyclopedia using a wiki-like interface is too chaotic to provide good results. Maybe the evolution of free tagging usage will give us the final answer? When and how does a technology reach a good usability level?
My first contact with the Internet was a remote shell into a proprietary Unix running on a Sun Sparc station using cu, more than 15 years ago. The Internet was not very accessible and it was really the beginning of the World Wide Web. Now, the web (2.0 arf arf) is more social and clearly more accessible to a larger number of people. We were thinking that the World Wide Web was just a simple hypertext system to access remote services, but now it's also a socializing tool. In this context, I played a little bit with XFN (XHTML Friends Network), a simple mechanism to represent relationships between humans using hyperlinks. I made a quick-and-dirty(tm) xfn module for Oddmuse to automate in the markup the creation of such relations:
[[person:URL|Text|relationship]]
[[person:http://www.stallman.org/|Richard M. Stallman|met muse]]
Now what's the use of that? One example: the 'me' relationship is available and lets you show that you have control over the remote link. It helps to better represent the same person across different web services. Another example: it links different social networks through the relationships of the people. That helps indexers and crawlers to better classify search results regarding a specific group of linked (or non-linked) people. XFN is very simple (just the rel attribute) compared to FOAF; it's easier to maintain XFN links in any blog or wiki software than FOAF (IMHO). I'm sure that more good ideas mixing tagging and relationships will come in the following months… but for now I'll say nothing more.
Today, I met at work a sales representative asking us how they could enhance their proprietary product. The product is a Content Management System, but this is not really important. My first idea for an enhancement was to ask them to release the software as free software. But that answer was not really compatible with the overall theme of the meeting. My main request to them was to support MySQL as a datastore; the application supports a large set of proprietary databases and sqlite for testing. We are using various MySQL installations for different production and development systems. The funny part was the answer from the sales representative: "Supporting a database only used by universities… no way". I was astonished by the answer. Are we living in 2006? Does he know that MySQL is used everywhere? The counter joke: why not support a database used by universities? What's the conclusion of all that? Promoting or using Free Software is not really a matter of using the correct arguments (mainly in non-technical meetings). It's just a matter of perception. A lot of software buyers are not relying on technical or usability questions… but just on the name or the perception of support from the vendor. When a vendor comes and asks you about possible enhancements to their products, they are often just giving a perception of support. Don't expect too much from a proprietary vendor… with free software, you know what you have, and if you have time, just implement what you want. It's so simple to work with free software: you don't have to hold meetings to ask for potential or vaporware enhancements… you can actively create with free software, not with proprietary software.
We (rsvj and I) were this Saturday at the Nandrin (Belgium) music festival. Initially, the festival was a mixture of electro, pop and rock, with the electro scene only taking place the Friday before. But for this new 2006 edition, the organizers moved to an electro-only festival. I think it's a very good move… sorry, but I'm really a big fan of electronic music. The lineup was very eclectic this year, but we were very impressed by the performance of daan. They performed a very nice mixture of electro with a soft touch of guitars and a nice EBM-like voice. On a side note, the drummer of daan is also very impressive, and not only in his performance. A lot of local (and less local) DJs played, but they often took the less risky approach to playing. Praxyd (a DJ from Liege) always plays with the same beat, and it's often too monotonic for my taste (but still good for dancing…). Nandrin is indeed a very nice electro event and I'm already waiting for next year's edition.
We had a very nice discussion about the capabilities of old cameras to make excellent shots in hard conditions like concerts and festivals. But that could be another entry in my blog.
Before going into the post, please understand that I'm really a huge fan of anonymizer software as a way to protect privacy (a fundamental right in the information society). In the last days, I discovered at least three attempts to compromise web servers or other services like SSH. They were all coming from exit nodes of the Tor network. I was a little puzzled by that, but there is always a tradeoff when accepting anonymous communication. You have to allow a small part of bad traffic to permit the good uses, like protecting privacy. But from what I've seen, there is much more bad traffic than good traffic (at least on the monitored networks). The bad traffic is often composed of probes to compromise web servers, and they rely on Tor to limit the ways to trace them. So what to do? If you take the approach of blocking all exit nodes, you have to build a list of them. A script is available to list all the exit nodes of a Tor network, as explained in the Tor abuse FAQ, but this is not perfect and only gives a partial view of the current Tor network and its exit nodes. I built a basic script to extract the information from the directory services that are part of the Tor client. From it, I'm generating an RDF file containing the current nodes in the network. I counted between 4200 and 4500 nodes on a normal day, and a large part of the set is stable (meaning a part of the set is a fixed list of IPs for a period longer than one day). The difficult part is how to block (or limit14) the listed IPs from reaching the targeted networks. Blocking means that legitimate users (using the Tor network or the same machines) can't access your network and the respective services. You can apply the list by injecting a nullroute for the source networks into your border router. This works but could cost a lot to keep updated, as the list is quite fluid. Other ways, like uRPF, could also be considered.
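To illustrate the nullroute idea, here is a minimal sketch of the glue between an exit-node list and the routing table. The function name `gen_blackhole` and the input format (one IP per line, `#` comments allowed) are assumptions for illustration, not the actual script extracting the Tor directory information; the emitted `ip route add blackhole` syntax is the Linux iproute2 form, and a border router would use its own equivalent.

```shell
# gen_blackhole: read exit-node IPs on stdin (one per line, '#' starts a
# comment) and emit a blackhole/nullroute command per address.
gen_blackhole() {
    while read ip; do
        case "$ip" in
            \#*|"") continue ;;   # skip comments and blank lines
        esac
        printf 'ip route add blackhole %s/32\n' "$ip"
    done
}
```

You would then review the output and pipe it to a shell on the filtering host, e.g. `gen_blackhole < exit-nodes.txt | sh`, and regenerate it periodically since the node list is quite fluid.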
Blocking is not a perfect solution, but it can help when you are facing an intensive attack from the Tor network. There is no perfect solution; you have to find a balance to live with the various anonymous networks around the world.
Today, I'm very sad to see the escalation of violence in the Middle East. I'm really wondering why launching a war would promote peace (as claimed by one of the parties); it's clearly the opposite. It only creates more frustrated people, families and citizens, and that generates more violence in the end. It reminded me of the horrible Bloody Sunday that took place in 1972 in Derry (Northern Ireland), where 13 civil rights protestors were killed by the British army. One of the main impacts was a twenty-year armed campaign by the people affected by the violence. Bombing and killing people just creates the ground for more violence. Violence is a dead end; it's clearly not a solution. I just signed the petition15 for an immediate ceasefire in the Middle East. Yep, this is just a bottle in the sea… On a lighter note, I'll use the quote from the Sneakers movie: I want peace on earth and good will toward men.
Jean-Etienne Poirrier made a very interesting entry in his blog about blog software. He made a small reference to a previous post on my old blog16 about a possible alternative, or how to make a blog engine for "technical people" like us. Jean-Etienne described an approach of storing the entries per date. The date has the advantage of being a major "key" for sorting in a blog engine. I clearly subscribe to his point of view and propose (thanks Jean-Etienne for triggering me ;-) the following minimal approach using txt2tags. At a first stage, I really don't want to take care of the markup, its parsing and its rendering. That's why I propose to use an existing console-based/vty document generator. Here is a potential "program flow" for this minimal blog engine when we want to generate the blog in XHTML:
gen-main.sh ./input ./published
gen-rss.sh ./input ./published
html-update.sh (modified) ./input ./published
gen-main.sh is a simple shell script taking all the t2t files from the input directory (where the blog entries are) and generating another t2t file for the main page (often the famous last entries and the blogroll). At the beginning, we could have a simple last 10 entries. gen-rss.sh does the same but also generates the RSS/RDF and ATOM files. The two programs could be one, but two simple scripts may be better than one complex script (to be discussed). html-update.sh (already part of txt2tags, in the extras dir) converts all the t2t files to the target format (like XHTML) and can include other t2t files (like a footer and alike) or t2t macros.
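The core of gen-main.sh could be sketched as below. This is only a sketch under the assumptions of this post: entries are t2t files named by date (so a reverse lexical sort gives the most recent first), and the generated main page pulls them in with txt2tags' %!include directive. The function name and the page title are made up for illustration.

```shell
# gen_main: write a t2t main page including the N most recent entries.
# Usage: gen_main <input-dir> <output-dir> [count]
gen_main() {
    input=$1; out=$2; n=${3:-10}
    mkdir -p "$out"
    {
        echo "Last entries"
        echo ""
        # date-as-filename means a reverse sort yields newest first
        for f in $(ls "$input"/*.t2t 2>/dev/null | sort -r | head -n "$n"); do
            echo "%!include: $f"
        done
    } > "$out/index.t2t"
}
```

html-update.sh would then take over and convert the generated index.t2t (and the entries) to XHTML.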
So for updating the blog, an interface (Emacs, vim, email, Web, …) puts an entry in the ./input directory. The only restriction is to write the entries as t2t files using the date as a filename, as described in Jean-Etienne's blog. For publishing the blog, you run the program flow described before and (maybe?) copy the published directory to your Internet-hosted server using SSH.
If you have any ideas or comments, just let us know.
A small side note regarding the interface to update the blog: I already have a GTD page where I update this wiki via a simple email. For example, I'm discussing a project with a colleague and need to quickly remember a URL, a reference or a todo. The colleague or I just send a mail to a defined email alias17. The source code to append to an oddmuse page in a listed way via SMTP is available here.
Another side note regarding the potential storage (instead of files with a datetime format): the entries could be stored in an SCM (like Subversion or git), using the SCM's own functions to create blog entries. But I think this is more complex than the simple datetime-filename approach.
I took a testing account for the Safari Bookshelf web service provided by O'Reilly Media. My physical bookshelf is largely composed of books on Computer Science and IT-related topics, so it was quite consistent to take the 14-day evaluation from them, but I'm still hesitating to continue with the paid subscription (around 20 dollars each month). It's not really a matter of price, as my budget for books is clearly higher than that… the main issue is the freedom of the user to use the book. You must always be connected in order to read a book. You have the ability to buy tokens for downloading chapters, but this is very limited, and it's very easy to use all of a month's tokens on 4 or 5 chapters of the same book. Another issue (at least for me): you can't easily store the book locally for offline reading or local indexing (the search proposed via the web service is not very powerful compared to a local Hyper Estraier, mnoGoSearch or Lucene). The strangest thing for O'Reilly Media (known for publishing a lot of books in the free software world) is to use proprietary software for Safari, built by Bureau van Dijk, with a very basic web interface. OK, they didn't take a fully DRMized approach for the service, but… I would have expected a more free approach to the personal use of the books read. Until now, I can't make up my mind about the subscription.
Update: I cancelled my Safari subscription. Not being able to save a local copy is really a major issue for me. I'll come back to such services when they offer the same capabilities as a paper book: being able to store it locally, keep it or share it with a friend.
Update2 - 2006-09-10: Beside Safari Bookshelf, O'Reilly now offers the ability to buy a PDF version of their books. I bought one to test the service and was very pleased (compared to Safari Bookshelf) to receive a standard PDF file without encryption. Congratulations… a good move, and it's really more flexible than Safari.
Update3 - 2006-11-26: I bought a second PDF version of a pocket reference from O'Reilly. Still very nice (standard PDF, no encryption, indexable), and now they offer the ability to get an announcement when there is a revised version. The current offer for the pocket references is half the price of the physical version… I hope that O'Reilly will offer more and more books via that service instead of Safari.
I was evaluating various MVC frameworks for a specific project. The project is not a simple web-based application: the web interface is just a part of the whole thing, which includes a kind-of distributed datastore, an XML-RPC interface, a naming server and a queueing service. I was expecting a little bit of flexibility from the different MVC frameworks (like Ruby on Rails, Django or Jifty), but such frameworks work very well only if you have full control of all the components. This is not the situation with my current project, as the application is distributed, uses different interfaces and has different datastores and models. The web (euhh… sorry, the web 2.0) interface is just a small part of the whole system. So I ended up using a mixture of Perl modules like CGI::Session, HTML::Mason, CGI::Ajax… and others. MVC frameworks are cool, but not for all cases. Just pick the right tool to do the job.
We (Alice, Béné, Steph and I) took a trip of around 10 days in the Highlands, Scotland. A very nice trip, where we met different animals ranging from the famous Highland cow to European seals in Plockton. The lodging was in different B&Bs and guest houses along the way. The Scots are very friendly and open to discussion; we had some difficulty stopping the conversation with various old people ;-). The population in Scotland seems very old, and the only young people seem to be located in or around the big cities. Maybe it's the beginning of the "baby boom" effect in Scotland that we'll get in the following years. The nature and the landscape are very nice… the only drawback is the food in Scotland. It's not that easy to find very good food… like we are used to in Belgium.
Today, I updated my old oddmuse to a recent version along with the various modules, including the flickrgallery module and others. I'll concentrate my various online activities on it, and so I removed my old tDiary due to too many memory leaks (maybe due to the software or the Ruby version used) and its general framework. oddmuse is a good replacement if you are not looking for the latest features (often used for spamming ;-)) in blog software. The CSS needs to be fixed, but it works as expected until now. I tested a bunch of free blog software without big success. The mixture of a wiki and a minimal blog is quite efficient for my use.
I was off for one week at Cap-Ferret, and reading is a nice thing to do on the Atlantic beach. I was able to complete the following readings:
Very nice and pleasant.
I'm a big fan of this author, but I missed this biography published in 1991. A very nice analysis and (small) biography of the master: H.P. Lovecraft. There is a kind of "positive" biography (if we can talk about something positive in his world) but also an anti-biography. Very complete in a concise way. A nice book.
The sci-fi novels of Dick are often very good, but this book is a compilation of "papers" given by Dick at various conferences. From my perspective, not really interesting except for some discussion regarding reality… IMHO, I was a bit disappointed by his gnostic view, the strange comments about dreams and the fuzziness of the proposed discussion. The positive points are the notes and references included in the book.
Various strange novels…
"I always make the Al Gore-ish statement that we invented community development." from Sun's CEO. Arf… Sun is clearly smoking too much. But it's not the first time.
Playing with oddmuse and finding some very cool stuff… I really love the minimalist approach and the single-file approach. Not far from tDiary, but in Perl ;-)
Footnotes:
1. Could this be used to fingerprint the software used at each CA infrastructure?
2. note to myself: better explain context when describing something or an idea to implement
3. Convivial is used in the sense of tools that you have access to and can use by yourself, independently. For more information: Ivan Illich, Tools For Conviviality
4. Of course, you need a pre-installed git on your system
5. Yes, I should not use the term classification for free tagging. I'll burn in hell for such a statement. A lot of work meetings look like Hell to me. So I'm not afraid…
6. The famous scene where Monsieur Jourdain discovers he has "been speaking prose all my life, and didn't even know it!" - Bourgeois Gentleman
7. Not only but also the editors were asking for it…
8. I know the differentiation between low-interaction and high-interaction is sometimes unclear and imprecise.
9. "1. (I) /not capitalized/ Abbreviation of "internetwork". 2. (I) /capitalized/ The Internet is the single, interconnected, worldwide system of commercial, government, educational, and other computer networks that share (a) the protocol suite specified by the IAB (RFC 2026) and (b) the name and address spaces managed by the ICANN. (See: Internet Layer, Internet Protocol Suite.)"
10. Using all the vulnerable information systems and resources to build a network of compromised systems that will be used for the sole purpose of the attacker. It costs (until now) less to build a software worm to infect a bunch of systems than to build dedicated hardware to crack a symmetric cryptosystem.
11. I took the press as an example because Copiepresse represents some mainstream press in Belgium
12. The name has nothing to do with Google. GooDiff is composed of two parts: Goo and Diff. Diff, for the geek, is easy to understand: it comes from the diff utility used to view differences between files. Goo refers to a hypothetical end-of-the-world event involving uncontrolled molecular nanotechnology consuming all the earth's resources. The book Blood Music by Greg Bear is a nice novel about a grey goo hypothesis. That makes sense regarding the undefined legal blog ;-)
13. often called folksonomy
14. You could also use PF's ability to limit state entries per rule. source-track is a nifty option.
15. Found on AlexSchroeder's blog
16. My old blog was using tDiary and had the discussed issues of blog software: too large, difficult to fix or adapt, and very easy to lose data.
17. We hope that the email alias is not known by spammers. When required, just renew it.