Saturday, July 04, 2020

The Geek and the pseudo inclusive peer pressure

Discrimination based on social skills and social groups exists and geeks experience it a lot.

One facet of it is the pseudo inclusive peer pressure.

The desire to belong to a group is strong in everyone, so people will accept many things just to fit in.

At the same time, a few understand this game quite well, can get meta about it and specifically target geeks to mock them by appearing to be inclusive.

Nothing causes more pleasure to such dark 'master minds' than tricking a geek into ridiculing themselves!

Not only for the ridicule but for the mere fact that the geek believed they would thus become part of the in-group: this was never on the table! They will never be part of the in-group!

After a few such experiences some geeks develop a good sense for this situation.

It is no surprise then that some react quite hard in the grown-up world. Their senses are screaming: it's a trap!

But the master minds are also grown-ups now, and they want small things, all in the name of being inclusive.


Tuesday, June 30, 2020

Open Source sustainability is not about the individual

There was a lot of buzz a while back about Open Source sustainability. Small and large companies as well as individuals discovered it's near impossible to survive financially doing Open Source.

It occurred to me that this might be an emergent property of Open Source and a reason why many foundations (like Apache) as well as users intuitively look at the "community" first.

The community is like a swarm, a Redundant Array of Individual Contributors (RAIC) that carries on regardless of whether a particular individual drops out. So, a "good" Open Source project is one where the community has achieved this chain reaction, while the others are at a stage where individual contributors make or break the project.

This conclusion is quite ruthless about a specific company or individual though: the better your Open Source project is, the more precarious your position.

The role of BDFL (Benevolent dictator for life) might be the only one guaranteeing some stability for an individual, but this means the swarm can only sustain one queen (I mean, dictator). Conceptually this role might be required to provide some coherence to the swarm.

Thursday, June 04, 2020

Instant Thought: another open source supply chain attack

It seems not a day goes by without another open source supply chain attack.

The latest, uncovered by the security researcher "JK", is called "Instant Thought" and was noticed in the most popular Java IDE, combined with the very popular build system Gradle.

One might assume that just opening a Gradle project to read the source code is a safe operation, but Instant Thought shows this is not the case.

Gradle projects might have an unassuming settings.gradle file with a tiny block which gets executed by the IDE as soon as the project is loaded.

Root cause analysis showed the problem is the gradle.projectsLoaded hook which is able to run code with the full permissions of the user account:

gradle.projectsLoaded { g ->
  // do bad things
}

"This is not unlike the Word macro viruses seen in late '90s" said another analyst. "Which just shows how behind the times the IDEs are with security".

It is not clear how widespread Instant Thought is, but suffice it to say developers have to think long and hard before executing or even opening unknown projects.

According to the vendor, this is a low priority issue: "[Our IDE] automatically configures the project during the import (which is quite similar to executing gradle command) and it causes the code execution. The current behaviour seems not to be a high severity security problem thus it won't be fixed in the near future."
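Since the vendor treats import-time code execution as working as intended, the practical defence is to read the Gradle scripts before letting the IDE evaluate them. The following pre-flight check is an added example, not code from the original post or from any IDE or Gradle vendor: it lists the lines in settings and build scripts that register Gradle lifecycle hooks (gradle.projectsLoaded and its siblings settingsEvaluated, projectsEvaluated and buildFinished, which exist in the Gradle API) or that spawn processes. The regular expression is a heuristic of my own, and the two sample projects it scans are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the original post). Lists Gradle script lines that
# register lifecycle hooks or spawn processes, so a reviewer can read them
# before an IDE imports the project. The hook names come from the Gradle API;
# the detection regex itself is a heuristic and an assumption of this example.

HOOK_PATTERN='gradle\.(projectsLoaded|settingsEvaluated|projectsEvaluated|buildFinished)|ProcessBuilder|Runtime\.getRuntime|[^A-Za-z_]exec[[:space:]]*[({]'

# Build two constructed projects under $1: one clean, one with an import-time hook.
make_sample_project() {
  base="$1"
  mkdir -p "$base/clean" "$base/suspicious"
  printf 'rootProject.name = "clean-app"\n' > "$base/clean/settings.gradle"
  printf 'plugins { id "java" }\n' > "$base/clean/build.gradle"
  printf 'rootProject.name = "suspicious-app"\n' > "$base/suspicious/settings.gradle"
  printf 'gradle.projectsLoaded { g ->\n  // runs as soon as the IDE loads the project\n}\n' \
    >> "$base/suspicious/settings.gradle"
}

# Scan the Gradle scripts an IDE evaluates during import. Prints file:line:text
# for every hit; returns 0 when at least one hit was found, 1 when none.
scan_gradle_hooks() {
  project="$1"
  hits=$(find "$project" -type f \( -name 'settings.gradle' -o -name 'settings.gradle.kts' \
           -o -name 'build.gradle' -o -name 'build.gradle.kts' -o -name '*.init.gradle' \) \
           -exec grep -HnE "$HOOK_PATTERN" {} \; 2>/dev/null)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 0
  fi
  return 1
}

# Number of suspicious lines in a project, for use in scripts and CI gates.
count_gradle_hooks() {
  scan_gradle_hooks "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample projects (runs offline).
demo_dir=$(mktemp -d)
make_sample_project "$demo_dir"
echo "clean project:"
scan_gradle_hooks "$demo_dir/clean" || echo "  no hooks found"
echo "suspicious project:"
scan_gradle_hooks "$demo_dir/suspicious" || echo "  no hooks found"
rm -rf "$demo_dir"
```

Run `scan_gradle_hooks /path/to/checkout` on a freshly cloned repository before opening it in the IDE; a non-zero line count is a cue to read the flagged script, not proof of malice, since legitimate builds also use these hooks.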

Thursday, January 23, 2020

Roam Like at Home is a regression for Romania

On June 15th 2017 the EU launched "Roam Like at Home", a set of rules that removed roaming charges. It was a great idea to harmonise telecom infrastructure and remove another invisible border separating people within the EU.

Romania was hit particularly hard by these rules. They introduced new borders where before there were none.

Previously, roaming was available to any telecom user in Romania, whether on a subscription plan or on a pre-paid card. The only limitation was that, rarely, the operator might ask for a deposit (say, 100 euro) so you don't rack up too many fees while abroad.

Internet and mobile services in Romania are particularly cheap and fast. Romania used to rank 5th worldwide on internet speed alone.

With prices this low, the Romanian telecom operators' worry was abuse: Romanians going abroad and downloading too much, or other EU citizens buying Romanian SIM cards to use instead of their expensive national ones.

In order to contain this potential problem the EU was flexible with the "Roam Like at Home" rules and allowed a "fair use policy".

But the biggest blow was that the EU allowed contracts without roaming services. Guess what all Romanian telecom operators started rolling out immediately? They removed roaming from all the subscription plans under a price they considered acceptable!

A reasonable, entry-level, subscription plan that would have had roaming before 2017 suddenly became useless when crossing the border.

Note that without roaming nothing works! You have no data, and no calls or SMS either. You are stranded with a non-functioning telephone in another EU country. This was an "interesting" experience for Romanian tourists in early 2018. All they could call was 112.

Getting roaming temporarily on a subscription plan is just not possible anymore. Either you upgrade the whole plan to a more expensive one, forever, or you have no phone abroad.

A pre-paid card has more advantages. You can activate a more expensive roaming plan at any time, but you are still penalised by losing all the benefits you had until then, regardless of how much the 'national' plan cost or how much of it you used.

In conclusion Roam like at Home reduced the quality of the telecom offer in Romania and introduced a quite visible border separating Romanians from the rest of the EU. One cannot imagine under what scenario the concept of 'roaming services' for SIM cards sold within the EU to EU citizens should even exist.

Another change that this measure did introduce in Romania is a bigger churn on SIM cards and operators. If Romanians manage to separate their identity from the SIM number and the operator is just a dumb carrier then it will not have been all for nothing.

Friday, August 16, 2019

Wayback Machine Downloader

Internet Archive's Wayback Machine is a gift to the world. For quick checks you just enter the URL and you get the archived version going years back.

A whole little cottage industry seems to have been formed around the Wayback Machine. They offer you whole-site download and conversions for the low price of $5 or $15 or $45 or however much they can convince you their service is worth.

Among these busy bees, the free Ruby based Wayback Machine Downloader is a little gem.

You just install it then run

wayback_machine_downloader -c 10 -s http://www.example.com

and you get everything! Total cost: $0.

Installing the actual gem on macOS as a non-admin user seems to have contradictory info online. There's a `gem install --local` command but it doesn't seem to do what one expects -- installing in the home folder of the current user.

What did the trick for me was:

gem install -i ~/.gem/ruby/2.3.0/ wayback_machine_downloader

and this after I manually downloaded the proper .gem file from rubygems.org.

Some were even recommending adding an http (versus the default https) source to gem, but that seemed foolish and even gem itself complained about using http in 2019.

Whatever road you pick with downloading from Wayback Machine, remember all the work the Internet Archive is doing for all this to be available to you and donate to them.

Saturday, June 08, 2019

Fair Source and the Fair Source Initiative

There's been some uproar about the MongoDB Server Side Public License, which tries to prevent cloud vendors like Amazon from taking all the money in the MongoDB market.

Many are pointing out that this new license does not respect the Open Source Definition published by the Open Source Initiative.

In truth many users and companies would find the license acceptable. A legal advisor will clear the license, the software will be used and nobody except a vendor in a similar position like Amazon will care.

What this move towards a financially sustainable open source ecosystem needs is branding.

I suggest calling this new type of open source "fair source". Most people and companies understand that some money is necessary to keep a project alive and would find it palatable that once you are big enough to disrupt the market for the author, you should pay.

In order to help smaller companies that do not have a legal advisor at hand, a Fair Source Initiative foundation should be created. This foundation would review such fair source licenses and define them as acceptable or not.

In much the same way that "open source" was introduced to make free software more acceptable to businesses, "fair source" will be about making an open source business model more sustainable.

Open Source was about dethroning the Free Software Foundation. Fair Source must dethrone the Open Source Initiative.

Perhaps the Open Source Initiative board will realize this and redefine the way they classify licenses. Otherwise they will find themselves irrelevant for a buzzing section of the software world.
