A selection of good papers from USENIX Security ’17

I have briefly talked about Adrienne’s and April’s talk at USENIX Security 2017, but I have not given much light to other papers and presentations that got my attention at the conference. I thought I should do a round up of good content for this conference, and if I can manage, go back to it later.

First of all, the full proceedings are available on the Program page of the conference. As usual, USENIX open access policy means that everybody has access to these proceedings, and since we’re talking academic papers, effectively everything I’m talking about is available to the public. I know that some videos were recorded, but I’m not sure when they will be published[1].

Before I link you to interesting content and give brief comments on it, I would like to start with a complaint about academic papers. The proper name of the conference would be 26th USENIX Security Symposium, and it’s effectively an academic conference. This means that the content is all available in the form of papers. These papers are written, as usual, in LaTeX, and available as 2-column PDFs, as is usual. Usual, but not practical. This is a perfect format to read the paper when doing so on actual paper. But the truth is that nowadays this content is almost exclusively read in digital form.

I would love to be able to have an ePub version of the various papers to just load on an ebook reader, for instance[2]. But even just providing a clear HTML file would be an improvement! When reading these PDFs on a screen, you end up having to zoom in and move around a freaking lot because of the column format, and more than once that would be enough for me to stop caring and not read the paper unless I really have interest in it, and I think this is counterproductive.

Since I already wrote about Measuring HTTPS Adoption on the Web, I should not go back to that particular presentation. Right after that one, though, Katharina Krombholz presented “I Have No Idea What I’m Doing” – On the Usability of Deploying HTTPS, which was definitely interesting in showing how complicated setting up HTTPS properly still is, without even going into further advanced features such as HPKP, CSP and similar.

And speaking of these, an old acquaintance of mine from university time[3], Stefano Calzavara, presented CCSP: Controlled Relaxation of Content Security Policies by Runtime Policy Composition (my, what a mouthful!) and I really liked the idea. Effectively the idea behind this is that CSP is too complicated to use and is turning away a significant number of people from implementing at least the basic parts of security policies. This fits very well with the previous talk, and with my experience. This blog currently depends on a few external resources and scripts, namely Google Analytics, Amazon OneLink, and Font Awesome, and I can’t really spend the time figuring out whether I can make all the changes all the time.

In the same session as Stefano, Iskander Sanchez-Rola presented Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies, which easily sounded familiar to me, as it overlaps and extends my own complaint back in 2013 that browser extensions were becoming the next source of entropy for fingerprinting, replacing plugins. Since we had dinner with Stefano, Iskander and Igor (co-author of the paper above), we managed to have quite a chat on the topic. I’m glad to see that my hunches back in the day were not completely off and that there is more interest in fixing these kinds of problems nowadays.

Another interesting talk to hear was Understanding the Mirai Botnet, which revealed one very interesting bit of information: the attack on Dyn that caused a number of outages just last year appears to have had as its target not the Dyn service itself but rather Sony PlayStation Network, and should thus be looked at in the light of the previous attacks on that. This should remind everyone that just because you personally get something out of a certain attack, you should definitely not cheer it on; you may be the next target, even just as a bystander.

Now, not all the talks were exceptional. In particular, I found See No Evil, Hear No Evil, Feel No Evil, Print No Evil? Malicious Fill Patterns Detection in Additive Manufacturing a bit… hypy. In the sense that the whole premise of considering 3D-printed sourcing as trusted by default, and then figuring out a minimal amount of validation, seemed to be stemming from the crowd that has been insisting that 3D printing is the future, for the past ten years or so. While it clearly is interesting, and it has a huge amount of use for prototyping, one-off designs and even cosplay, it does not seem like it got as far as people kept thinking it would. And at least from the talk and skimming the paper I couldn’t find a good explanation of how it compares against “classic” manufacturing trust.

On a similar note, I found not particularly enticing the out-of-band call verification system proposed by AuthentiCall: Efficient Identity and Content Authentication for Phone Calls, which appears to leave out all the details of identity verification and trust system. And assumes a fairly North American point of view on the communication space.

Of course I was interested in the talk about mobile payments, Picking Up My Tab: Understanding and Mitigating Synchronized Token Lifting and Spending in Mobile Payment, given my previous foray into related topics. It was indeed good, although the final answer of adding a QR-code to do a two-way verification of who it is you’re going to pay sounds like a NIH implementation of the EMV protocol. It is worth it to read to figure out the absurd implementation of Magnetic Secure Transmission that is used in Samsung Pay implementation: spoilers, it implements magnetic stripe payments through a mobile phone.

For the less academic of you, TrustBase: An Architecture to Repair and Strengthen Certificate-based Authentication appears fairly interesting, particularly as the source code is available. The idea is to move the implementation of SSL clients into an operating system service, rather than into libraries, so that it can be configured once and for all at the system level, including selecting the available cipher to use and the Authorities to trust. It sounds good, but at the same time it sounds a lot like what NSS (the Mozilla one, not the glibc one) tried to implement. Except that didn’t go anywhere, not just because of API differences.

But it can’t be an interesting post (or conference) without a bit of controversy. A Longitudinal, End-to-End View of the DNSSEC Ecosystem has been an interesting talk, and one that once again confirmed the fears around the lack of proper DNSSEC support in the wild right now. But in that very same talk, the presenter pointed out how they used a service, Luminati, to get access to endpoints within major ISPs’ networks to test their DNSSEC resolution. While I understand why a similar service would be useful in these circumstances, I need to remind people that the Luminati service is not one of the good guys!

Indeed, Luminati is described as allowing you to request access to connections following certain characteristics. What it omits to say is that it does so by targeting connections of users who installed the Hola “VPN” tool. If you haven’t come across this, Hola is one of the many extensions that allowed users to appear as if connecting from a different country to fool Netflix and other streaming services. Besides being against terms of service (but who cares, right?), in 2015 Hola was found to be compromising its users. In particular, the users running Hola are running the equivalent of a Tor exit node, without any of the security measures to protect its users, and – because its target is non-expert users who are trying to watch content not legally available in their country – without a good understanding of what such an exit node allows.

I cannot confirm whether currently they still allow access to the full local network to the users of the “commercial” service, which include router configuration pages (cough DNS hijacking cough), and local office LANs that are usually trusted more than they should be. But it gives you quite an idea, as that was clearly the case before.

So here is my personal set of opinions and a number of pointers to good and interesting talks and papers. I just wish they would be more usable by the non-academics by not being forced only in LaTeX format, but I’m afraid the two worlds shall never meet enough.


  1. As it turns out you can blame me a little bit for this part, I promised to help out.
  2. Thankfully, for USENIX conferences, the full proceedings are available as ePub and Mobi. Although the size is big enough that you can’t use the mail-to-Kindle feature.
  3. All the two weeks I managed to stay in it.

Threat models: the sushi place’s static website

At the USENIX Security Symposium 2017, Adrienne Porter Felt and April King gave a terrific presentation about HTTPS adoption and in particular showed the problems related with the long tail of websites that are not set up, or at least not set up correctly. After the talk, one of the people asking questions explicitly said that there is no point for static websites such as the one of the sushi place down the road to use HTTPS. As you can imagine, many of the people in the room (me included) disagree with this opinion drastically, and both April and Adrienne took issue with that part of the question.

At the time on Twitter, and later that day while chatting with people, I brought up the example of Comcast injecting ads on cleartext websites – a link that itself is insecure, ironically – and April also pointed out that this is extremely common in East Asia too. A friend once complained about unexpected ads when browsing on a Vodafone 4G connection, which didn’t appear on a normal WiFi connection, which is probably a very similar situation. While this is annoying, you can at least guess what these ISPs are doing is benign, or at least not explicitly malicious.

But you don’t have to be an ISP in the common sense to be able to inject into non-HTTPS websites. You can for instance have control over a free WiFi connection. It does not even have to be a completely open, unencrypted WiFi, as whoever has control of the system routing a WPA connection is also able to make changes to the data passed through that connection. That usually means either the local coffee shop, or the coffee shop’s sysadmin, MSP, or if you think you’re smart, your VPN provider.

Even more importantly, all these websites are the targets for DNS hijackers, such as the one I talked about last year. Unsecured routers where it’s not possible to get a root shell – which are then not vulnerable to worms such as Mirai – can still have their DNS settings hijacked, at which point the attacker has space to redirect the resolution of some of the hostnames.

This is even more trivial in independent coffee shops. Chains (big and small) usually sign up with a managed provider that set up various captive portals, session profiling and “growth hacks”, but smaller shops often just set up a standard router with their DSL and in many cases not even change the default passwords. And since you’re connecting from the local network, you don’t even need to figure out how to exploit it from the WAN.

It does not take a particularly sophisticated setup to check whether the intended host supports HTTPS, and if it does not, it’s trivial to change the IP and redirect to a transparent proxy that does content injection, without the need for a “proper” man in the middle of the network. DNSSEC/DANE could protect against it, but that does not seem to be something that happens right now.

These are all problems to the end users of course, rather than the problems of the Sushi restaurant, and I would not be surprised if the answer you would get from some of the small shops operator is that these problems should be solved by someone else and they should not spend time to figure it out themselves, as they don’t directly cause a problem to them. So let me paint a different picture.

Let’s say that the Sushi restaurant has unfriendly competition, that is ready to pay some of those shady DNS hijackers to particularly target the restaurant’s website to play some tricks. Of course everything you can do at this point through content injection/modification you can do by defacing a website, and that would not be stopped by encrypting the connection, but that kind of defacement is usually significantly simpler to notice, as every connection would see the defaced content, including the owner’s.

Instead, targeting a subset of connections via DNS hijacking makes it less likely that it’ll be noticed. And at that point you can make simple, subtle changes such as providing the wrong phone number (to preclude people from making reservation), changing the opening hours to something that makes it unwelcoming or even change the menu so that the prices look just high enough not to make it worth visiting. While these are only theoretical, I think any specialist who tried to do sysadmin-for-hire jobs for smaller local business has at least once heard them asking for similarly shady (or worse) tasks. And I would be surprised if nobody took these opportunities.

But there are a number of other situations in which a non-asserted content integrity can be interesting to attackers in subtle ways, even for sites that are static, not confidential, and even not controversial — I guess everybody can agree that adult entertainment websites need to be encrypted. For instance, you could undercut referral revenue by replacing the links to Amazon and other referral programs with alternative ones (or just dropping the referral code). You could technically do the same for things like AdSense, but most of those services would check where the code is embedded in and make it very easy to figure out these types of scams, the referral programs are easier to play around with.

What this means is that there are plenty of good reasons to actually spend time making sure small, long-tail websites are actually available over HTTPS. And yes, there are some sites where the loss of compatibility is a problem (say, VideoLAN, that still gets users of Windows XP). But in this case you can use conditional redirects, and only provide the non-HTTPS connection to users of very old browsers or operating systems, rather than still keeping it available to anyone else.
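The conditional redirect described above, sketched as a WSGI middleware. This is an added example, not code from the post or from any of the sites it mentions; the legacy pattern, the `sushi.example` host and the sample user-agent strings are constructed assumptions. The User-Agent header is client-supplied, so the allowlist only narrows who is served cleartext; it does not authenticate anyone.

```python
import re
from urllib.parse import quote

# Assumption: only Windows XP / Server 2003 era clients ("Windows NT 5.1/5.2")
# are still allowed cleartext. Everything else is sent to HTTPS.
LEGACY_UA = re.compile(r"Windows NT 5\.[12]\b")
HSTS = ("Strict-Transport-Security", "max-age=31536000")


def is_legacy_client(user_agent):
    """True only for user agents on the explicit legacy list."""
    return bool(user_agent) and LEGACY_UA.search(user_agent) is not None


class ConditionalHttpsRedirect:
    """HTTPS for everyone, cleartext only for listed legacy clients."""

    def __init__(self, app, https_host):
        self.app = app
        # Fixed canonical host: the redirect target never comes from the
        # request's Host header, which the client controls.
        self.https_host = https_host

    def _wrap(self, start_response, extra):
        # Append one header to whatever the wrapped app sends.
        def wrapped(status, headers, exc_info=None):
            return start_response(status, list(headers) + [extra], exc_info)
        return wrapped

    def __call__(self, environ, start_response):
        if environ.get("wsgi.url_scheme") == "https":
            # HSTS is only honoured over HTTPS, so legacy clients never pin it.
            return self.app(environ, self._wrap(start_response, HSTS))

        if is_legacy_client(environ.get("HTTP_USER_AGENT", "")):
            # Vary keeps shared caches from replaying this cleartext page
            # to clients that should have been redirected.
            return self.app(environ, self._wrap(start_response, ("Vary", "User-Agent")))

        # Percent-encode path and query so a decoded CR/LF cannot end up in
        # the Location header.
        location = "https://" + self.https_host + quote(environ.get("PATH_INFO") or "/")
        query = environ.get("QUERY_STRING", "")
        if query:
            location += "?" + quote(query, safe="=&%+-._~")
        start_response("301 Moved Permanently", [
            ("Location", location),
            ("Vary", "User-Agent"),
            ("Content-Length", "0"),
        ])
        return [b""]


def site(environ, start_response):
    """Stand-in for the static site (constructed content)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"opening hours: 12-22\n"]


def simulate(app, scheme, user_agent, path="/", query=""):
    """Run one request through the app; return (status, headers, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "wsgi.url_scheme": scheme,
               "HTTP_USER_AGENT": user_agent, "PATH_INFO": path,
               "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


# Constructed sample user-agent strings.
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0"
XP_UA = "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"

if __name__ == "__main__":
    app = ConditionalHttpsRedirect(site, "sushi.example")
    for scheme, ua in (("http", MODERN_UA), ("http", XP_UA), ("https", MODERN_UA)):
        status, headers, _ = simulate(app, scheme, ua, "/menu", "lang=en")
        print(scheme, status, headers)
```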

Gentoo Miniconf 2016

Gentoo Miniconf, Prague, October 2016

As I noted when I resurrected the blog, part of the reason why I managed to come back to “active duty” within Gentoo Linux is because Robin and Amy helped me set up my laptop and my staging servers for signing commits with GnuPG remotely.

And that happened because this year I finally managed to go to the Gentoo MiniConf hosted as part of LinuxDays in Prague, Czech Republic.

The conference track was fairly minimal; Robin gave us an update on the Foundation and on what Infra is doing — I’m really looking forward to the ability to send out changes for review, instead of having to pull and push Git directly. After spending three years using code reviews with a massive repository I feel I like it and want to see significantly more of it.

Ulrich gave us a nice presentation on the new features coming with EAPI 7, which together with Michal’s post on EAPI 6 made it significantly easier to pick up Gentoo again.

And of course, I managed to get my GnuPG key signed by some of the developers over there, so that there is proof that who’s committing those changes is really.

But the most important part for me has been seeing my colleagues again, and meeting the new ones. Hopefully this won’t be the last time I get to the Miniconf, although fitting this together with the rest of my work travel is not straightforward.

I’m hoping to be at 33C3 — I have a hotel reservation and flight tickets, but no ticket for the conference yet. If any of you, devs or users, is there, feel free to ping me over Twitter or something. I’ll probably be at FOSDEM next year too, although that is not a certain thing, because I might have some scheduling conflicts with ENIGMA (unless I can get Delta to give me the ticket I have in mind.)

So once again thank you to CVU and LinuxDays for hosting us, and hopefully see you all in the future!

On the conference circuit

You may remember that I used not to be a fan of travel, and that for a while I was absolutely scared by the idea of flying. This has clearly not been the case in a while, given that I’ve been working for US companies and traveling a lot of the time.

One of the side effects of this is that I enjoy the “conference circuit”, to the point that I’m currently visiting three to four conferences a year, some of which for VideoLAN and others for work, and in a few cases for nothing in particular. This is an interesting way to keep in touch with what’s going on in the community and in the corporate world out there.

Sometimes, though, I wish I had more energy and skills to push through my ideas. I find it curious how nowadays it’s all about Docker and containers, while I jumped on the LXC bandwagon quite some time ago thanks to Tiziano, and because of that need I made Gentoo a very container-friendly distribution from early on. Similarly, O’Reilly now has a booklet on static site generators which describe things not too far from what I’ve been doing since at least 2006 for my website, and for xine’s later on. Maybe if I wasn’t at the time so afraid of traveling I would have had more impact on this, but I guess (to use a flying metaphor) I lost my slot there.

To focus a bit more on SCaLE14x in particular, and especially on Cory Doctorow’s opening keynote, I have to say that the conference is again a good load of fun. Admittedly I rarely manage to go listening to talks, but the amount of people going in and out of the expo floor, and the random conversations struck up there, are always useful.

In the case of Doctorow’s keynote, while he’s (as many) a bit too convinced, in my opinion, that he has most if not all the answers, his final argument was a positive one: don’t try to be “pure” (as FSF would like you to be), instead hedge your bets by contributing (time, energy, money) to organizations and projects that work towards increasing your freedom. I’ve been pleasantly surprised to hear Cory name, earlier in that talk, VLC and Handbrake — although part of the context in which he namechecked us is likely going to be a topic for a different post, once I have something figured out.

My current trip brings me to San Francisco tonight, for Enigma 2016, and on this note I would like to remind conferencegoers that, while most of us are aiming for a friendly and relaxed atmosphere, there is some opsec you should be looking into. I don’t have a designated conference laptop (just yet, I might get myself a Chromebook for it) but I do have at least a privacy screen. I’ve seen more than a couple of corp email interfaces running on laptops while walking the expo floor this time.

Finally, I need to thank TweetDeck for their webapp. The ability to monitor hashtags, and particularly multiple hashtags from the same view is gorgeous when you’re doing back-to-back conferences (#scale14x, #enigma2016, #fosdem.) I know at least one of them is reading, so, thanks!

Report from SCaLE13x

This year I have not been able to visit FOSDEM. Funnily enough this confirms the trend of me visiting FOSDEM only on even-numbered years, as I previously skipped 2013 as I was just out for my first and only job interview, and 2011 because of contract related timing. Since I still care for going to an open source conference early in the year, I opted instead for SCaLE, the timing of which fit perfectly my trip to Mountain View. It also allowed me to walk through Hermosa Beach once again.

So Los Angeles again it was, which meant I was able to meet with a few Gentoo developers, a few VideoLAN developers who also came all the way from Europe, and many friends who I have met at various previous conferences. It is funny how I end up meeting some people more often through conferences than I meet my close friends from back in Italy. I guess this is the life of the frequent travelers.

While my presence at SCaLE was mostly a way to meet some of the Gentoo devs that I had not met before, and see Hugo and Ludovic from VideoLAN who I missed at the past two meetings, I did pay some attention to the talks — I wish I could have had enough energy to go to more of them, but I was coming from three weeks straight of training, during which I sat for at least two hours a day in a room listening to talks on various technologies and projects… doing that in the free time too sounded like a bad idea.

What I found intriguing in the program, and in at least one of the talks I was able to attend, was that I could find at least a few topics that I wrote about in the past. Not only are containers now all the rage, through Docker and other plumbing, but there was also a talk about static site generators, of which I wrote in 2009 and I’ve been using for much longer than that, out of necessity.

All in all, it was a fun conference and meeting my usual conference friends and colleagues is a great thing. And meeting the other Gentoo devs is what sparked my designs around TG4 which is good.

I would like to also thank James for suggesting me to use Tweetdeck during conferences, as it was definitely nicer to be able to keep track of what happened on the hashtag as well as the direct interactions and my personal stream. If you’re the occasional conferencegoer you probably want to look into it yourself. It also is the most decent way to look at Twitter during a conference on a tablet, as it does not require you to jump around between search pages and interactions (on a PC you can at least keep multiple tabs open easily.)

Conferencing

This past weekend I had the honor of hosting the VideoLAN Dev Days 2014 in Dublin, in the headquarters of my employer. This is the first time I organize a conference (or rather help organize it, Audrey and our staff did most of the heavy lifting), and I made a number of mistakes, but I think I can learn from them and be better the next time I’ll try something like this.


Organizing an event in Dublin has some interesting and not-obvious drawbacks, one of which is the need for a proper visa for people who reside in Europe but are not EEA citizens, thanks to the fact that Ireland is not part of Schengen. I was expecting at least UK residents not to need any scrutiny, but Derek proved me wrong as he had to get an (easy) visa at entrance.

Getting just shy of a hundred people in a city like Dublin, which is by far not a metropolis like Paris or London would be, is an interesting exercise: yes, we had the space for the conference itself, but finding hotels and restaurants for the amount of people became tricky. A very positive shout out is due to Yamamori Sushi that hosted the whole of us without a fixed menu and without a hitch.

As usual, meeting in person with the people you work with in open source is a perfect way to improve collaboration — knowing how people behave face to face makes it easier to understand their behaviour online, which is especially useful if the attitudes can be a bit grating online. And given that many people, including me, are known as proponent of Troll-Driven Development – or Rant-Driven Development given that people like Anon, redditors and 4channers have given an even worse connotation to Troll – it’s really a requirement, if you are really interested to be part of the community.

This time around, I was even able to stop myself from gathering too much swag! I decided not to pick up a hoodie, and leave it to people who would actually use it, although I did pick up a Gandi VLC shirt. I hope I’ll be able to do that at LISA as I’m bound there too, and last year I came back with way too many shirts and other swag.

I don’t do it for the beer!

This is a rant that might sound silly, but this is one thing that has started to irk me significantly. I’m tired of people that paint all developers out there as beer drinkers, even more so when they actually seem to liken them to drunkards who code under the influence.

I do not drink. I can’t, to be precise, but even if I could, I don’t like getting drunk, I never got drunk really but I know enough of what would happen to me because I had, at one point, to use Xanax, and I don’t want to do that anymore. It wasn’t fun! This does not mean that I have a problem with people, or developers, drinking or having fun. Those who know me, know that I’m very socially liberal at heart, I really don’t care what you do with your own free time, as long as it’s not causing trouble to me or others.

When I went to FOSDEM, the pre-conference event is a beer event. I can understand that: it’s Belgium, and the Délirium is on the Guinness Book of Records after all. Last VDD there was a beer event as well, but the place was definitely apt and if you got upstairs (which I didn’t, bad me!) you would have found a number of other things, including non-alcoholic cocktails — me and Luca came back the weekend after VDD, although I didn’t try any because I didn’t have my blood sugar test strips and I didn’t want to risk getting too high for comfort.

But in both cases, this is just a mingling event, and it doesn’t really bother me at all. First you can get other drinks as well (at FOSDEM you usually see me with a Diet Coke or water), and second this stops the moment the conference actually starts… to a point. The VideoLAN people didn’t give us barrels of beer during the conference, but a rather more general refreshment, for which I’m definitely grateful (the croissants were delicious, seriously!) Thanks guys!

But then there are posts like our own Donnie’s that tick me off a bit. Then we got tweets such as the one today from Chad Windnagle of Joomla. Seriously? Donnie actually tooting the (mangled) responses of a survey by one company (Zend) which extrapolates that the majority of developers love beer (compared to what? teachers? teenagers?), and people at GSoC proclaiming that the unifying factor is beer?

I know it’s a tiny minuscule offence in comparison, but to me, this is still a shade of the “brogrammer” stereotype that is also giving us the grief of sexist pigs in our communities, in the bigger picture. Which does not mean that everybody (or anybody) who drinks is part of the sexism problem – it is not, and I wouldn’t blame Donnie for being offended if I was to suggest this; he’s the first person who fights against it – but these remarks do make me understand how women in tech feel. I do feel shunned every time a point is made across that if I’m a developer I have to enjoy beer; when a major point is made of a conference about the amount of beer available, I do feel less welcome than I should.

To me it still feels like there’s this stereotypical bad example of “the developer” (either opensource or not) that is the pimply overweight sexist who lives in the basement of his parents, and can’t wait for a conference to get drunk. And that’s hurting us, because some developers take this stereotype as a license to indulge in the negative aspects of it, ruining it for everybody.

So let’s start with a simple rule

Developers, open-source or not, are all different from one another. They have different genders, different goals in life, different lifestyles, even different values. Communities are formed when you share some (but not strictly all) of these characteristics. Open-source communities for the vast part are formed by developers (and not) who like to see, and to show, how things work.

And now let’s make sure we shatter that outdated stereotype, as I really really enjoy getting to know the diversity of people I work with.

Afterthoughts on the VideoLan Dev Days and FOMS 2012

I’ve spent the first weekend of September in Paris, as j-b organized the yearly VideoLan Dev Days un-conference. I’m happy to have been there, because it was definitely great to be around all the friends and colleagues, and work on libav and discuss what we also need to work on.

What hasn’t been entirely that great, unsurprisingly, has been being around the Google people — both at VDD and at FOMS. The main problem with them is that they are never there to think that they can learn from the others, or that they can be wrong — the feeling that me and others got is that they came with all the answers and we all have to accept them and their options. This is obviously just a generalization — Andrew and Dale have been very pleasant to speak to, outside of the infamous talk which boiled down to “We can’t, or don’t want to, speak about this, but let us tell you again how nice we are for considering using your software and saying we won’t”.

Honestly, I’m surprised that Chrome works at all with the kind of attitude they have — I guess the answer is that the non-media people are saner or, simply, they know what they are doing, instead of just thinking they know what they are doing.

At any rate, at least one good thing coming out of this – also thanks to Hanno who pointed me to harvester – is that we’ll soon have a Planet Multimedia to aggregate blog feeds for people working on open multimedia projects — no matter what the project!

More posts on the various topics might come up depending on how much time I have for blogging over the next few weeks.

FOSDEM!

Those knowing me from my blog for a long time will probably be .. amazed to know that I’m typing this while on an American Airlines flight over the USA … I left from Brussels with Luca directed to Los Angeles, but that’s a story for another day.

I’m happy I’ve been able to be at FOSDEM this year — and I hope I’ll be at the one next year as well! I almost didn’t make it (or to be precise I almost decided to fly back to Venice ASAP) once my flight was diverted through Luxembourg, instead of landing at the Brussels National airport, due to weather conditions, but after a three hours bus ride, and a very welcome (although not really comforting) taxi ride with Luca and Josh, I was able to be at the beer event as well.

Funny tidbit: when I departed I took my hat with me, as I knew it was cold.. I got it just before the new year’s eve in “a new shop” that opened at the mall near me. Most of my friends and acquaintances found it funny and strange, so I was intending to use it as a way to be easily spotted … I did not consider that Celio (the “new shop”) is based in France, and seems to be well established in Belgium as well, even if it’s really just arrived in Italy… I have seen that most of the hats in Brussels, especially among the locals outside of FOSDEM, were not much different from it..

Honestly I haven’t been able to assist to many talks, although there was one I couldn’t miss, from the CentOS guys, about their efforts at applying continuous integration on the distribution; with my interest in the tinderbox it was natural for me to be interested in their method as well. While they didn’t solve the API/ABI compatibility checks in a more complete way than us, like I was hoping, they did give me an idea for the chance to implement a pkg_test() function, which would run post-installation tests, designed to be used only on tinderbox-like builds, and not user (nor developer) installs.

I was happy I finally met Fabio, Donnie, Sejo and the many other Gentoo developers (and ex-developers as well); I was also able to get back in touch with Jo (directhex) from the Mono team, and to greet famous developers like Charles from JRuby and Michael Meeks (now from LibreOffice), who was the one introducing me to the magnificent and scary work of ELF symbols’ collisions, and thus the main motivator (unbeknown to him!) for me to write Ruby-Elf together with the symbol collision script. And of course, I finally met the VLC developers, and I promised I’ll do my best to be in Paris at the next DevDays.

Unfortunately Hans couldn’t be there (and I hope to hear from him soon), so me and Petteri took over his talk — if you look up the video, please do not laugh too hard; I’m not used to speak in public and I think it was something like my third public talk in my whole life, and the first in English. Maybe I’ll prepare something more complete for next year, it might be interesting. In that case I hope Charles will be able to assist as it’ll certainly talk about JRuby!

For those who wondered why I wasn’t at the keysigning event; beside the weather, the printable list of keys arrived on Thursday when I was just tidying up a few customers’ tasks and I ended up not having the time to actually print it out.. this was made worse by changing my plan the very last day to get to LA instead of going straight back to Venice.

If you followed my Twitter stream during the event you know already I’m very opinionated about one of the talks I assisted… but that’s yet another story for yet another day, I’d rather not waste time writing about it here.

Anyway, just wanted to say I’m very happy to have been there, very happy to have met developers and users – and I’m sorry I’m not naming everyone here, it would be a very long list! I hope to be around more often for sure.

P.S.: if anybody who’s reading this has seen a clumsy guy with a black man-purse falling down the stairs within the AW building on Saturday morning.. that was me. Ouch! I hurt myself, but luckily nothing extremely serious.