linux.conf.au 2017 Hobart – The future of open source

This year, linux.conf.au 2017 headed to the picturesque state of Tasmania, to Hobart’s Wrest Point convention centre, and the theme of the conference was ‘the future of open source’. My key takeaway from the conference was that:

The future will be built on trust, and trust takes many forms –

  1. Trusting that data and systems have confidentiality, integrity and availability – traditional security
  2. Trusting that digital experiences will be pleasant, safe and as frictionless as possible – user experience and community experience
  3. Trusting that people will build the future that they want – agency and empowerment

This blog post is going to explore some of my picks from the conference through these lenses.

Security, privacy and integrity

Security, privacy and integrity was a recurring theme of the conference.

Michael Cordover – The Future of Privacy

Michael Cordover‘s talk, ‘The Future of Privacy‘, was perhaps the most thought-provoking talk around privacy. Michael provided a history of privacy, underscoring how technology has shaped notions of what it means to be left alone, and what it means to have personal data remain private. In our ubiquitously-connected, always-on world, it’s becoming harder to delineate what informed consent means – given that data can be inferred by association (which is exactly how Tapad‘s technology is designed). It’s also harder for people to be aware of how apps and platforms are using data – terms and conditions are hard to read, and detract from usability. Practically, it’s hard to own your own data – you essentially have to run your own services. Open systems, decentralisation, federation and non-permissive by default are Cordover’s answers to these problems – but these all pay a usability price. In Cordover’s words,

There’s no easy path forward that ordinary people can take.

David Bell – In Case of Emergency: Break Glass – BCP, DRP, & Digital Legacy

As a first time linux.conf.au Speaker, David delivered a solid presentation covering business continuity planning, disaster recovery planning and digital legacy. His focus was on ensuring that appropriate planning was done before business interruption events. He also covered personal digital legacy – an almost-unexplored topic – for example – would the people you leave behind when you die know how to access your passwords?

George Fong – The Security and Integrity of the Internet

George Fong (previous Chair of Internet Australia, current Deputy Chancellor at Federation University) delivered a very strong presentation which advocated for the defence of security and integrity of the internet, largely because governments and other non-technical actors in the ecosystem don’t trust the internet – the “cybers”.

The key takeaway from George’s talk that continued to resonate for days afterwards was:

Trust is the byproduct of integrity

Using examples such as Dirty COW and Heartbleed, Fong opined that we as an opensource community need to make sure that Linux – which the foundation of the internet rests upon – is trustworthy. Bugs are only shallow if many eyeballs are on them, and all too often there aren’t enough eyeballs. Using the analogy of seatbelts, and how few of us would ever feel safe and secure driving without one, he articulated how the internet in many ways is still a frontier, devoid of strong security measures and protocols that ensure safety and integrity – and therein, trust.

Touching on another key theme of the conference – agency and empowerment – he urged the audience to grasp that they, we, the open source community are the voices of the internet. Fong encouraged us to use those voices to better educate the public on what we do – we need to promote our activities to strengthen integrity. Things are broken – and we’re not helping. It’s up to us to fix the problem.

On a side note, as the recently-elected President of Linux Australia, I’m looking forward to working with George, and recently-appointed Chair of Internet Australia, Anne Hurley, to identify how we can work collaboratively together on some of these aims – as Internet Australia and Linux Australia have some overlap in mission, values and remit.

Jon Oxer – Network Protocol Analysis for IoT Devices

Nowhere is security, privacy and integrity more pressing than in the field of Internet of Things. There were several IoT related talks this year, but two stood out. Firstly, Jon Oxer‘s talk on Network Protocol Analysis for IoT Devices was an eye-opener into the history of the radio frequency spectrum, how some of it is unregulated, but moreover how device protocols can be reverse engineered with simple equipment and a penchant for code-breaking. Oxer showed how simple it is to launch a man-in-the-middle attack on IoT devices on the RF 422 MHz band by intercepting their transmissions, decoding their protocols and then using a playback attack. We definitely need better encryption in IoT.

Christopher Biggs – How to Defend Yourself from your Toaster

Christopher Biggs also gave an excellent security talk around IoT – ‘How to defend yourself from your toaster‘, however he tackled it from the perspective of an IoT device manufacturer or developer – clearly articulating what features and functions should be included in new IoT devices. Although he didn’t frame it as such, his talk was basically outlining a maturity model for IoT devices. For example, devices with low maturity have poor user interfaces, no provision for maintenance, and employ poor security practices – such as having insecure protocols (such as telnet) available. He provided useful advice for improving maturity, for instance port-scanning devices to see which ports are open, and what data is being transmitted. One of the key takeaways here was that if you are designing an IoT device, or managing a fleet of IoT devices, that you need to get someone else to do the hard parts. Apple, Amazon and Google all now have SDKs available for IoT, but the drawback is that most of them are not open sourced.

Biggs spoke of a metric that I hadn’t heard before in this space – MTT1C – mean time to first compromise – or the length of time it takes an IoT device to be compromised once it’s placed on the public internet. This got me thinking that I haven’t seen anywhere a capability maturity model for enterprise IoT – for instance the practices, support, metrics and continuous improvement that would be used in a large organisational deployment of IoT. Perhaps this is something that the standards bodies in this space – Open Connectivity Foundation, BITAG and Resin.io – will develop in time.

Dr Vanessa Teague – Election Software

Dr Vanessa Teague gave one of my favourite talks of the conference on e-voting systems, and the general problem of end to end verification. Using a number of examples of how companies have (or have not) implemented verification, she articulated a number of anomalies with current e-voting systems in NSW, which are soon to be used in both WA and Victoria. Given the recent controversy around United States elections, this talk was particularly timely, and gave rise to a number of uncomfortable questions – such as just how many votes does it take to change an election result, and possibly the course of history?

One of the most resonating points within Dr Teague’s talk was the rejection of an e-voting system – V-Vote – which had superior verification capabilities, but poor user experience and usability qualities. This touches on the second theme which emerged from #lca2017 – it is not sufficient for a product, tool or platform to be functional – it must also have form. People are persuaded by the shiny – and rather than scoff at this – default behaviour for a lot of our community – we need to recognise and respond to this.

Dr Teague was an engaging, humorous and articulate speaker, and I’d really like to hear more from her in future conf lineups.

User experience and community experience

It may be unusual to relate user experience and customer / community experience to trust, but I see it as fitting. Our experience with a task, a process, or an interaction either enhances or erodes our trust in the organisation, platform or person with whom we’re interacting.

Donna Benjamin – I am your User, why do you Hate me?

Donna Benjamin‘s excellent talk aimed to bring a user experience / human-centred design element to open source developers by questioning some of the fundamental ‘defaults’ we tend to hold. Using project onboard experiences as a lens to explore how we treat newcomers, she demonstrated that our actions are turning people away from opensource – exactly the opposite effect that we’re aiming for. She outlined how contributions in triage, review and testing are not valued as highly as code contributions, again presenting a barrier to increasing participation and diversity. Benjamin argued for the open source community to see users not in terms of what they can’t do – develop software – but as people – with needs and emotions.

This talk highlighted for me the lack of design thinking, human-centred design and user experience practices that are adopted not just on open source products, but to communities in general. Lowering ‘friction’ – the antithesis of good user experience – is something that both open source products and open source communities need to get better at.

Rikki Endsley – The proper care and feeding of communities and carnivorous plants

Rikki Endsley‘s talk likewise touched on how managing communities is a complex task, often fraught with pitfalls. The key takeaway was that you can’t change everything at once – you need to change elements of the community carefully, then have the metrics available to measure the impact of the change.

VM Brasseur – The Business of Community

VM Brasseur‘s talk was a practical guide for people working inside companies to ‘sell’ support of open source projects to management. This talk was framed along three key topics – benefits, costs and implementation. Benefits such as word of mouth marketing, stronger brand recognition, and more effective upstream support are all selling points. One of the strong points of this talk was the recognition of in-kind / non-monetary support to open source communities by business, such as the provision of meeting space, marketing, guidance, leadership and mentoring. In particular, Brasseur cautioned that businesses should ask the community what it needed – rather than making assumptions – and providing, for instance, unwanted promotional goodies. Although implementation plans will vary across companies, Brasseur provided some generic advice, such as having clear goals and objectives for community support, setting expectations and being transparent about the company’s intentions.

Nadia Eghbal – Consider the Maintainer (keynote)

Nadia’s keynote brought to the fore many simmering tensions within the open source community. Essentially, the burden of maintaining open source software falls to a few dedicated maintainers, who in some cases may be supporting a product with a user base of tens or thousands of users.

Eghbal set out four freedoms for open source producers / maintainers, being:

  • The freedom to decide who participates in your community
  • The freedom to say no to contributions or requests
  • The freedom to define the priorities and policies of the project
  • The freedom to step down or move on from a project, temporarily or permanently

Whether these freedoms are embraced and used to support open source maintainers remains to be seen.

Nadia Eghbal keynoting linux.conf.au 2017

Agency and empowerment

The third key theme that was reflected in the conference programme was that of agency and empowerment – being the changes that we want to see in the open source world.

Pia Waugh – Choose your own adventure

Pia Waugh kicked off this theme, delivering the first conference keynote, where she gave a retrospective on human evolution, and then extrapolated this to the future of open source, articulating how we’re likely to see a decentralisation of power in order to strengthen democracy. She went on to challenge a number of existing paradigms, calling them out as anachronisms as the world has evolved.

This talk was full of Waugh’s trademark energy and vibrancy, and was an excellent choice to open the conference.

Dr Audrey Lobo-Pulo – Publicly Releasing Government Models

Dr Audrey Lobo-Pulo’s talk extended the open data movement by advocating for the public release of government open source models – financial and economic models used to assess public policy decisions – in essence, virtual worlds to explore the implications of policy.

The key takeaway from her talk was that industry and business also stand to benefit greatly from the release of these models, as they could then be combined with private data – in a unique public private partnership. Lobo-Pulo put forward the four components of government policy models (shown below) – and how each contributes to the accuracy and validity of the model.

Karen M. Sandler – Surviving the Next 30 Years of Free Software

Karen‘s sensitive and tactful talk recognised the fact that as a community, many of our pillars and key contributors are aging, and that over the next few years we are likely to bid goodbye to many in our community. Her talk explored the different ways in which copyrights can be assigned after death, and the key issues to consider – empowering us to make informed and well founded decisions while we are in a position to do so. Few presenters could have handled this difficult topic with such aplomb, and as usual Karen’s grace, wit and wisdom shone through.

Closing thoughts

Again, linux.conf.au delivered engaging, thought-provoking and future-looking talks from a range of experienced, vibrant and wise Speakers – and again it was an excellent investment of time. The diversity of Speakers this year was excellent, if perhaps erring on the non-technical side.

Open source still faces a number of challenges – the ecosystem is often underfunded, maintainers are prone to burnout and we still haven’t realised that UX needs to be a key part of what we’re all about. But that’s part of the fun – we have the power to evolve just like the rest of the world.

And I can’t wait for a bit of history repeating at Sydney 2018!

My talk picks for #lca2017 – linux.conf.au

linux.conf.au 2017 heads to Hobart, where it was last held in 2009. I absolutely love Tasmania – especially its food and scenery – and am looking forward to heading over.

So, here’s my talk picks  – keeping in mind that I’m more devops than kernel hacker – so YMMV.

Executive Summary

  • Monday 16th – Networking breakfast, possibly some WootConf sessions and / or Open Knowledge Miniconf sessions.
  • Tuesday 17th – Law and policy Miniconf, Community Leadership Summit
  • Wednesday 18th – Future Privacy by Michael Cordover, In Case of Emergency – Break Glass by David Bell, Handle Conflict Like a Boss by Deb Nicholson, Internet of Terrible Things by Matthew Garrett.
  • Thursday 19th – Network Protocols for IoT Devices by Jon Oxer, Compliance with the GPL by Karen Sandler and Bradley M. Kuhn, Open source and innovation by Allison Randall and Surviving the next 30 years of open source by Karen Sandler.
  • Friday 20th – Publicly releasing government models by Audrey Lobo-Pulo

Monday 16th January

I’m keeping Monday open as much as possible, in case there are last minute things we need to do for the Linux Australia AGM, but will definitely start the day with the Opening Reception and Networking Breakfast. A networking breakfast is an unusual choice of format for the Professional Delegates Networking Session (PDNS), but I can see some benefits to it such as being able to initiate key relationships and talking points early in the conference. The test of course will be attendance, and availability of tasty coffee 😀

If I get a chance I’ll see some of the WootConf sessions and/or Open Knowledge Miniconf sessions (the Open Knowledge Miniconf schedule hadn’t been posted at the time of writing).

Tuesday 17th January

The highlight for me in Tuesday’s schedule is the excellent Pia Waugh talking ‘Choose your own Adventure‘. This talk is based on Waugh’s upcoming book, and the philosophical foundations, macroeconomic implications and strategic global trends cover a lot of ground – ground that needs to be covered.

As of the time of writing, the schedule for the Law and Policy Miniconf hadn’t been released, but this area is of interest to me – as is the Community Leadership Summit. I’m interested to see how the Community Leadership Summit is structured this year; in 2015 it had a very unconference feel. This was appropriate for the session at the time, but IMHO what the Community Leadership Summit needs to move towards are concrete deliverables – such as say a whitepaper advising Linux Australia Council on where efforts should be targeted in the year ahead. In this way, the Summit would be able to have a tangible, clear impact.

Wednesday 18th January

I’ll probably head to Dan Callahan’s keynote on ‘Designing for failure’. It’s great to see Jonathan Corbet’s Kernel Report get top billing, but my choice here is between the ever-excellent Michael Cordover’s ‘Future Privacy‘ and Cedric Bail’s coverage of ‘Enlightenment Foundation Libraries for Wearables‘. Next up, I’ll be catching David Bell (Director, LCA2016) talking ‘In case of emergency – break glass – BCP, DRP and Digital Legacy‘. There’s nothing compelling for me in the after lunch session, except perhaps Josh Simmon’s ‘Building communities beyond the black stump‘, but this one’s probably too entry-level for me, so it might be a case of long lunch / hallway track.

After afternoon tea, I’ll likely head to Deb Nicholson’s ‘Handle conflict like a boss‘, and then Matthew Garrett‘s ‘Internet of terrible things‘ – because Matthew Garrett 😀

Then, it will be time for the Penguin Dinner!

Thursday 19th January

First up, I’m really looking forward to Nadia Eghbal’s ‘People before code‘ keynote about the sustainability of open source projects.

Jon Oxer’s ‘Network Protocol Analysis for IoT Devices‘ is really appealing, particularly given the rise and rise of IoT equipment, and the lack of standards in this space.

It might seem like a dry topic for some, but Bradley M. Kuhn and Karen Sandler from the Software Freedom Conservancy will be able to breathe life into ‘Compliance with the GPL‘ if anyone can; they also bring with them considerable credibility on the topic.

After lunch, I’ll be catching Allison Randall talking on ‘Open source and innovation‘ and then Karen Sandler on ‘Surviving the next 30 years of open source‘. These talks are related, and speak to the narrative of how open source is evolving into different facets of our lives – how does open source live on when we do not?

Friday 20th January

After the keynote, I’ll be catching Audrey Lobo-Pulo on ‘Publicly releasing government models‘ – this ties in with a lot of the work I’ve been doing in open data, and government open data in particular. After lunch, I’m looking forward to James Scheibner’s ‘Guide to FOSS licenses‘, and to finish off the conference on a high note, the ever-erudite and visionary George Fong on ‘Defending the security and integrity of the ‘Net’. Internet Australia, of which Fong is the chair, has many values in common with Linux Australia, and I foresee the two organisations working more closely together in the future.

What are your picks for #lca2017?

State of my toolchain 2016

In July, I transitioned from a 16-year career in digital and IT with a regional university to setting up my own digital consultancy. This meant that I no longer had a Managed Operating Environment (MoE) to rely on, and instead had to build my own toolchain. Both to document this toolchain, and to provide a snapshot to compare to in the future, this post articulates the equipment, software and utilities I use, from hardware up the stack.

Hardware

I have three main devices;

  • Asus N76 17.3″ laptop – not really a portable device, but a beast of a work machine. I’ve had this since January 2013, and it hasn’t let me down yet. It has 16GB of RAM, 4 dual core Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz CPUs, so 8 cores in total, and it basically needs its own power station to run. This machine is a joy to own. It speeds through GIMP and video processing operations, and has plenty of grunt to do some of the data visualisation (Processing) work that I do. The NVIDIA graphics are beautiful. The only upgrade in this baby’s near term future is to swap out the spinning rust HDD (x2) with some solid state goodness.
  • Asus Trio Transformer TX201LA – a portable device, useful for taking on trains and to meetings. I’ve had this for around 18 months now, and while it’s a solid little portable device, it does have some downsides. This is a dual operating system device – the screen, which is a touchscreen, and detaches, runs stock Android (which hasn’t had an update since 4.2.2 – disappointing), while I’ve got the base configured via Grub to dual boot Win10 and Ubuntu 16.04 LTS. Switching between the mobile OS and desktop OS is generally seamless, but I’ve had some glitches switching between Ubuntu and Android – in ASUS’ defence, they did tell me that Linux wasn’t supported on this device, and of course you all knew what my response to that was, didn’t you? Challenge: accepted. The hardware on this device is a little less grunty than I’d like – 4GB RAM and Intel® Core™ i7-4500U processor. It just isn’t enough RAM, and I have to pretty much limit myself to running 3-4 apps at a time, and less than 10 Firefox tabs. But, that said, I *do* like the convenience of having the Android device as well – and the screen is a joy to work with. One little niggle is that VGA / HDMI out are via mini display port – and only a VGA adaptor was provided in the box. I’ll have to get a mini display port to HDMI adapter at some stage, as the world embraces digital video out. For the meantime, I’ll have to party like it’s 1999 with VGA.
  • LG Nexus 5X – my mobile phone. Purchased in January 2016, it’s running stock Android Marshmallow, and I’ve been super happy with how fast Android OTA updates ship to this device. For non-RAM-intensive operations it’s pretty snappy, and the quality of the camera is fantastic. The battery life is pretty good compared to my old Nexus 4, and I can usually go a full day on a charge, if I’m not Ingressing. This device has some pretty major downsides though. The USB-C charging cable is frustrating, given everything else I own charges on micro USB, so I’ve had to shell out for new cables. The RAM on this device just isn’t enough for its processor, and I’m constantly experiencing lag on operations, making for a frustrating user experience. The camera is buggy as hell, and there’s more than once I’ve taken a great shot, only to find it hasn’t been saved. I’ll be looking for a different model next time, but I can’t justify replacing this at the moment – it’s only around 8 months old.

My hardware overview wouldn’t be complete without these other useful peripherals:

Wearables

The two key wearables I have are the Pebble Time and Fitbit. As Pebble Time’s GPS and fitness tracking capabilities increase, I’m expecting to be able to decom my Fitbit. I can’t imagine living without the Pebble now – it’s a great wearable device. The battery life is pretty good – 3-4 days, and the charging connector is robust – unlike my poor experiences with the Fitbit – both with the device battery itself degrading over time, and having been through 5-6 chargers in 3 years. I’ve Kickstarted the Pebble Core, and can’t wait to see where this product line goes next.

Software

At the operating system level, both my laptops dual boot both Windows 10 and Ubuntu LTS 16.04, with my preference being to use Ubuntu if possible. This generally works well, but there are some document types that I can’t access readily on Ubuntu – such as Microsoft Project. Luckily, most of the work I do these days is web-based. I still need Windows for gaming, because not all the titles I play are delivered via Steam – with the key one being The Secret World. Total addict 🙂

Office productivity

  • LibreOffice – my office suite of choice is LibreOffice. OpenOffice is pretty much dead, and the key driver of that is being umbrella’d by Oracle. Open source communities don’t want to be owned by large corporates who purchase things, like, oh I don’t know, MySQL, to simply gain market share rather than ascribing to the open source ethos.
  • Firefox – my browser of choice. Yes, I know it’s slower. Yes, I know it’s a memory hog. But it’s Firefox for me. I really like the Sync feature, meaning that the plugins and addons that I have on one installation automatically download on another – very useful when you’re running essentially four machines. My favourite and most used extensions would have to be LeetKey, Awesome Screenshot, Zotero, ColorZilla and of course Web Developer tools.
  • Thunderbird – I run Thunderbird with a bunch of extensions like Enigmail, Lightning (with a Google Calendar integration for scheduling) and Send Later – so that if I write a bunch of emails at 2am in the morning, they actually send at a more humane hour.
  • Zotero – I used Zotero, and its LibreOffice plugin for referencing. It’s beautiful. And open source.
  • Slack – Slack is the new killer app. I use it everywhere, on all the things. The integrations it has are so incredibly useful. In particular, I use an integration called Tomato Bot for Pomodoro-style productivity.
  • Xero – Yes, I have a paid account to Xero for accounting and bookkeeping. It’s lovely and simple.
  • Trello – For all the project management goodness. I got some free months of Trello Gold, and I’ve let it lapse, but will probably buy it again. It’s $USD 5 per month and has great integration with Slack. Again, if there were an open source alternative I’d give that a go, but, well, there just isn’t.
  • GitHub and Git – If your office is about digital and technology, then GitHub is an office productivity tool! I use Git from the command line, because it’s just easier than running another application on top of everything else.

Social media and radio

  • Hootsuite – Yes, I have a paid account to Hootsuite. There just isn’t a comparable open source alternative on the market yet. It has some limitations – such as lack of strong integration with newer social media platforms such as Instagram and SnapChat, but you can’t go past it for managing multiple Facebook pages or Twitter accounts at once.
  • Pandora – I stream with Pandora, but I really, really, really miss Rdio.

Quantified self

Over the years, I’ve found a lot of value in running a few quantified self applications to get a better idea of how I’m spending my time – after all, making a problem visible is the first step toward a solution.

  • RescueTime – the visualisations are beautiful, and it runs on every device I have, including Linux. It provides great insights, and makes really clear when I’ve been slacking off and not doing enough productive work. One of the features that I appreciate most is to be able to set your own categorisations. For example, Ingress in my RescueTime is categorised as neutral – yes it’s a game, but I only play it when I’m walking – so that’s something I’m aiming to do more of.
  • BeeMindr – this nifty little app puts a sting in the tail of goals – and charges you money if you don’t stick with strong habits. I’ve found it’s started to help change my behaviour and build some better habits, such as more sleep and more steps. It has a huge range of integrations with other tools such as RescueTime and Fitbit.

Coding, data visualisation and other nerdery

  • Atom Editor – this is my editor of choice, again because it works on both Windows and Linux. The only downside is that plugins – I run many – have to be individually installed. If Atom had something like Firefox Sync, it would be a killer product. It’s so much lighter than Eclipse and other Java-based editors I’ve used in the past.
  • D3.js – this is my go to Javascript visualisation library. V4 has some pitfalls – namely syntax changes since v3, but it’s still a beautiful visualisation library.
  • Processing – I’ve used Processing a little bit, but I’m frustrated that it’s Java-based. Processing.js is a library that attempts to replicate the Java-based Processing, but the functionality is not yet fully equivalent – particularly for file manipulation operations. The concept behind Processing – data visualisation for designers, not programmers – is sound, but I feel that they’ve made an architectural faux pas by not going Javascript right from the start. I haven’t really gotten in to R or Python yet, but I can see that on the horizon.

Graphics, typography and design

  • Scribus – in the past year I’ve had to do quite a few posters, thank you certificates and so on – and Scribus has been my go to tool. The user interface is a little awkward in places, but it provides around 60% of the functionality of desktop publishing tools like QuarkXPress and InDesign – for free.
  • InkScape and GIMP – my go to tools for vector and raster work respectively. Although, I have started to experiment a little with Krita lately. One of the things I’ve found a little frustrating with both InkScape and GIMP is the limited range of palettes that they ship with, so I started writing some of my own.
  • Typecatcher – for loading Google fonts on to Linux.

Next steps

Thin client computing seems to be taking off in a big way – virtualised desktops are all the rage at the moment, but I don’t think they would work for me, primarily because I tend to work in low bandwidth situations. My home internet is 4-5Mbps, and my 4G dongle gets about the same, but is pre-paid, so data is expensive. For now, I’ll have to manage my own desktop environment!

What do you think? Are these choices reasonable? Are there components in the stack that should be replaced? Appreciate your feedback 😀