FOSDEM and the dangerous IPv6-only network (or how to lose the trust of newcomers)

Last year I posted about FOSDEM and the IPv6-only network as a technical solution without a problem to solve: nobody should be running IPv6-only consumer networks, because there is zero advantage to them and lots of disadvantages. This year, despite me being in California and missing FOSDEM, their IPv6-only experiment expanded into a full-blown security incident (archived copy on Archive.is), and I heard about it over Twitter and Facebook.

I have criticized this entrenched decision of providing a default IPv6-only network, and last night (at the time of writing) I ended up in a full-blown Twitter rage against IPv6 in general. The FOSDEM Twitter account stepped in defending their choice, possibly without even reading my article properly or realising that the @flameeyes they had been replying to is the owner of https://flameeyes.blog/, but that’s possibly beside the point.


Let me try to be clear: I do know that the dual-stack network is available. Last year it was FOSDEM-legacy, and this year it is FOSDEM-ancient. How many people do you expect to connect to a network that is called ancient? Would you really expect that the ancient network is the only one running dual-stack routing, rather than, say, a compatibility mode 2.4GHz 802.11b network? Let’s get back to that later.

What actually happened, since the FOSDEM page linked earlier doesn’t make it too clear: somebody decided that FOSDEM is just as good a place as BlackHat, DEFCON or the Chaos Computer Congress to run a malicious hotspot on. So they ran a network called “FOSDEM FreeWifi by Google”, with a captive portal asking for your Google account address and password. It was clearly a low-passion effort, as I noticed from the screenshots over Twitter, and from what an unnamed source told me:

  • the login screen looked almost original, but asked for both username and password on the same form, Google never does that;
  • the page was obviously insecure;
  • the page was served over 10.0.0.0/8 network.

But while these are clearly signs of phishing for a tech user, and would be flagged “Not Secure” by modern Chrome and Firefox, that does not mean they wouldn’t catch a non-expert user. Of course the obvious answer of those I will from now on refer to as geek supremacists is that it’s their own fault if they get owned. Which is effectively what FOSDEM said above, paraphrasing: we know nothing of what happened on that network, go and follow Google’s tips on Gmail security.

Well, let me at least point out that you should go and grab yourself a FIDO key, because it would save your skin in cases like this: a phished password alone is not enough to log in when the second factor is bound to the real site’s origin and never leaves the hardware token.

But here is a possible way this can fall short of a nice conference experience: there’s a new person interested in Free Software, who has started using Linux or some other FLOSS software and decided to come to what is ostensibly the biggest FLOSS conference in Europe, and probably still the biggest free (as in gratis) open source conference in the world. They are new to this, new to tech, rather than just Linux, and “OpSec” is an unknown term to them.

They arrive at FOSDEM and they try to connect to the default network with their device, which connects and can browse the Internet, but for some reason half the apps don’t work. They ignored the “ancient” network, because their device is clearly not ancient – whether they missed the communication about what it was, or it used the term dual-stack that they had no understanding of – but they see this Google network, let’s do that, even though it requires login… and now someone has their password.

Now the person or people who have their password may be ethical, and contact HIBP to provide a dump of the usernames involved and notify them that their passwords were exposed, but probably they won’t. Hopefully they won’t use those passwords for anything nefarious either, but at the same time there is no guarantee that the FreeWifi people are the only ones holding a copy of those passwords: the first unethical person who noticed this phishing going on would have started a WiFi capture to get the clear-text usernames and passwords, with the certainty that if they used them, the FreeWifi operators would be the ones taking the blame, oops.

Did I say that all the FOSDEM networks are unencrypted? At least 33c3 tried providing an anonymous 802.1x protected/encrypted connection. But of course for the geek supremacists, it’s your fault if you use anything unencrypted and not use a VPN when connecting to public networks. Go and pay the price of not being a geek!

So let’s go back to our new enthusiastic person. If something does happen to the account, it gets compromised, or whatever else, the reaction the operators are expecting is probably one of awe: “Oh! They owned me good! I should learn how not to fall for this again!” — except it is much more likely that the reaction is going to be one of distrust: “What jerks! Why did I even go there? No kidding nobody uses Linux.” And now we would have alienated one more person who could have become an open source contributor.

Now I have no doubt that the FOSDEM organizers didn’t intend for this malicious network to be set up. But at the same time, they allowed it to happen by being too full of themselves, believing that by making it difficult for users to use the network, they would drive improvements in apps that would otherwise not support IPv6. That’s what they said on Twitter: “we are trying to annoy people”. Great, bug fixes via annoyance, I’m sure that works great in a world of network services that are not under the control of the people using them, even for open source projects! And it sure worked great with the Android bug that, fixed almost a year before, kept receiving “me too” and “why don’t you fix this right now?” comments because most vendors had not released a new version in time for the following FOSDEM (and now, an extra year later, many have not moved on from Android 5 either).

Oh and by the way, the reason why it’s called “ancient” is also to annoy people and force them to re-connect to the non-default network. Because calling it FOSDEM-legacy2017 would have been too friendly and would make less of a statement than “ancient”: look at you, you peasant using an ancient network instead of being the coolest geek on the planet and relying on IPv6!

So yes, if something malicious were to happen, I would blame the FOSDEM organizers for allowing that to happen, and for not even providing a “mea culpa” and admitting that maybe they are stressing this point a bit too much.

To close it off, since I do not want to spend too much of this post on the technical analysis of IPv6 (I did that last year), I’ll leave you with Todd Underwood’s words, and yes, that is an 11-year-old post, which I still find relevant. I’m not quite on the same page as Todd, given how I try hard to use IPv6 and use it for backend servers, but his point, if hyperbolic, should be taken into consideration.

FOSDEM and the unrealistic IPv6-only network

Most of you know FOSDEM already, for those who don’t, it’s the largest Free and Open Source Software focused conference in Europe (if not the world.) If you haven’t been to it I definitely suggest it, particularly because it’s a free admission conference and it always has something interesting to discuss.

Even though there is no ticket and no badge, the conference does have free WiFi Internet access, which is how the number of attendees is usually estimated. In the past few years, their network has also been pushing the envelope on IPv6 support, first providing a dual-stack network when IPv6 was fairly rare, and in the recent (three?) years providing an IPv6-only network as the default.

I can see the reason to do this, in the sense that a lot of Free Software developers are physically at the conference, which means they can see their tools suffer in an IPv6 environment and fix them. But at the same time, this has generated lots of complaints about Android not working in this setup. While part of that noise was useful, I got the impression this year that the complaints are repeated only for the sake of complaining.

Full disclosure, of course: I do happen to work for the company behind Android. On the other hand, I don’t work on anything related at all. So this post is as usual my own personal opinion.

The complaints about Android started off quite healthy: devices couldn’t actually connect to an IPv6 dual-stack network, and then they couldn’t connect to an IPv6-only network. Both are valid complaints to begin with, though there is a bit more to it. This year in particular the complaints were not so healthy, because current versions of Android (6.0) actually do support IPv6-only networks, though most of the Android devices out there are not running this version, either because they have too old hardware or because the manufacturer has not released a new build yet.

What does tick me off, though, has really nothing to do with Android, but rather with the idea people have that the current IPv6-only setup used by FOSDEM is a realistic approach to IPv6 networking — it really is not. It is a nice setup to test things out and stress the need for proper IPv6 support in tools, but it’s very unlikely to be used in production by anybody as is.

The technique used (at least this year) by FOSDEM is NAT64, paired with DNS64 on the resolver side. To oversimplify how this works: the DNS64 resolver modifies DNS replies when resolving hostnames so that they always provide an IPv6 address, even for names that only have A records (IPv4 addresses). The synthesized IPv6 addresses embed the IPv4 address, so the NAT64 edge router can map them back to IPv4 and “translate” between the two connections.

Unlike classic NAT, this technique requires user-space components, as the kernel uses separate stacks for IPv4 and IPv6 which do not allow direct message passing between the two. This makes it complicated and significantly slower (you have to copy the data from kernel to userspace and back all the time), unless you use one of the hardware routers that are designed to deal with this (I know both Juniper and Cisco have those).

NAT64 is a very useful testbed, if your target is figuring out what in your stack is not ready for IPv6. It is not, though, a realistic approach for consumer networks. If your client application does not have IPv6 support, it’ll just fail to connect. If for whatever reason you rely on IPv4 literals, they won’t work. Even worse, if the code allows a connection to be established over IPv6, but relies on IPv4 semantics for things like logging, or (worse) access control, then you now have bugs, crashes or worse, vulnerabilities.
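To make the NAT64/DNS64 mechanics and the IPv4-semantics failure modes above concrete, here is an added Python example of my own; it is not FOSDEM’s configuration nor code from this blog. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 (a network may use its own /96 instead, so the prefix is a parameter), uses a constructed stub zone in place of real DNS, and goes one step beyond the text by showing a peer check against IPv4 CIDRs in both its naive and NAT64-aware forms.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumed; a deployment may use its own /96).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """DNS64 step: embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(str(ipv4))
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(addr, prefix=WELL_KNOWN_PREFIX):
    """NAT64 gateway step (and what a NAT64-aware client must do): recover the
    embedded IPv4 address, or return None when addr is native IPv6."""
    v6 = ipaddress.IPv6Address(str(addr))
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# Constructed stand-in for real DNS: one IPv4-only name, one dual-stack name.
STUB_ZONE = {
    "v4only.example": {"A": ["198.51.100.7"]},
    "dual.example": {"A": ["203.0.113.9"], "AAAA": ["2001:db8::9"]},
}


def resolve_dns64(name, zone=STUB_ZONE, prefix=WELL_KNOWN_PREFIX):
    """DNS64 resolver behaviour: genuine AAAA records pass through untouched;
    a name that only has A records gets synthesized AAAA answers."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in rr["AAAA"]]
    return [synthesize_aaaa(a, prefix) for a in rr.get("A", [])]


def target_for_ipv6_only_client(host, prefix=None):
    """Why IPv4 literals break: a hostname goes through DNS64, but a literal
    IPv4 address never touches the resolver. With no NAT64 prefix known there
    is nothing routable to return; a client that has learned the prefix
    (assumed given here, discovery is out of scope) can synthesize it itself."""
    try:
        v4 = ipaddress.IPv4Address(host)
    except ValueError:
        return host                      # hostname: DNS64 will handle it
    if prefix is None:
        return None                      # IPv4 literal, no IPv4 route: fails
    return str(synthesize_aaaa(v4, prefix))


def peer_matches(peer, networks, nat64_aware, prefix=WELL_KNOWN_PREFIX):
    """Check a peer against IPv4 CIDRs. The naive form keeps IPv4 semantics:
    an IPv6 peer never matches an IPv4 network, so an allowlist fails closed
    and a denylist fails open. The NAT64-aware form unmaps a synthesized
    peer before comparing, so the original IPv4 policy still applies."""
    addr = ipaddress.ip_address(peer)
    if nat64_aware and addr.version == 6:
        unmapped = extract_ipv4(addr, prefix)
        if unmapped is not None:
            addr = unmapped
    return any(addr in ipaddress.ip_network(n) for n in networks)


if __name__ == "__main__":
    for name in STUB_ZONE:
        print(name, "->", [str(a) for a in resolve_dns64(name)])
    print("literal without prefix ->", target_for_ipv6_only_client("198.51.100.7"))
    print("literal with prefix    ->",
          target_for_ipv6_only_client("198.51.100.7", WELL_KNOWN_PREFIX))
    peer = "64:ff9b::c633:6407"
    print("naive allowlist match:", peer_matches(peer, ["198.51.100.0/24"], False),
          "| NAT64-aware:", peer_matches(peer, ["198.51.100.0/24"], True))
```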

And while fuzzing and stress-testing are great for development environments, they are not good for final users. In the same way -Werror is a great tool to fix your code, but uselessly disrupts your users.

In a similar fashion, while IPv6-only datacenters are not that uncommon – Facebook (the company) talked about them two years ago already – they serve a definitely different purpose from a customer network. You don’t want, after all, your database cluster to connect to random external services that you don’t control — and if you do control the services, you just need to make sure they are all available over IPv6. In such a system, having a single stack to worry about simplifies, rather than complicates, things. I do something similar for the server I divide into containers: some of them, the ones that are only backends, get no IPv4 at all, not even via NAT. If they ever have to fetch something to build from the Internet at large, they go through a proxy instead.

I’m not saying that FOSDEM setting up such a network is not useful. It hugely is, as it clearly highlights the problems of applications not supporting IPv6 properly. And for Free Software developers, setting up a network like this themselves might indeed be too expensive in time or money, so it is a chance to try things out and iron out bugs. But at the same time it does not reflect a realistic environment. Which is why adding more and more rants to the tracking Android bug (which I’m not even going to link here) is not going to be useful — the limitation was known for a while and has been addressed in newer versions, but it would be useless to try backporting it.

For what it’s worth, what is more likely to happen as IPv6 adoption needs to happen, is that providers will move towards solutions like DS-Lite (nothing to do with Nintendo), which couples native IPv6 with carrier-grade NAT. While this has limitations, depending on the size of the ISP pools, it is still easier to set up than NAT64, and is essentially transparent for customers if their systems don’t support IPv6 at all. My ISP here in Ireland (Virgin Media) already has such a setup.

Sharing my doubts about the FreedomBox presentation

Okay, this is one of the things that I was supposed to write about right after FOSDEM. Too bad that I left Brussels for the wrong country, and I couldn’t find the time to write until I was back home — hopefully this won’t happen during my next trip, either because I get the Efika to run as I need it to, or because I’ll write from the iPad like I’ve done a couple of times recently; I followed Jb’s suggestion and got a Bluetooth keyboard, or to be precise, I got Belkin’s keyboard cover which, while bulky, makes it a perfect choice for writing on the train, or at a customer’s while I’m waiting.

The closing speech at FOSDEM this year was about FreedomBox, a project I already knew from Matija and that I didn’t care much about. If anything, I was quite upset with the idea of a similar project due to the results coming from the Diaspora debacle, and the pretence that you can just set something up and expect it never to require updates and maintenance.

I was honestly hoping for some reassurance on the maturity of the project’s goal with that speech, but instead I found it the same as before: a bit too vague, a bit too concerned with how things appear rather than how they work. While the idea of working within the constraints of Debian has its advantages, just saying that “All Free Software will be packaged by Debian” is not going to make it true. Debian has had its share of issues with projects that are by all accounts Free Software, but not in the way they want them to be; think Schilling. I am generally in agreement with their choices on when not to package something, but that still does not leave room for such a blanket statement.

They spent quite a bit of time talking about the DreamPlug computer they are using; while interesting, I haven’t read much about it in the past few months, as most of the excitement seems to have gone away when more issues with overheating came through. I haven’t worked with the hardware and thus I can’t make much of a review of it, but having heard a few of the issues with it while in the room, though not from the speaker at all, it seems like they have been sugar-coating the truth about the hardware a bit. Knowing one’s project’s limitations is generally a good idea.

But I think the main issue I got with the whole charade has been in the original presentation. With the name “FreedomBox” I was thinking that the whole spirit of the project would be sparked by the “usual” anti-corporatism that you find thriving in the Free, Open Source Software community, and which I don’t like to partake in most of the time. That’s what usually gets people to complain if you host your blog with Blogspot, or you use Gmail for email, and so on and so forth.

For those wondering: I host my own blog because I like being able to customize it, and while I no longer use the gmail.com domain, my email is handled through Google Apps for Business… I find it more efficient than running my own mail infrastructure given that I only need two mailboxes: work and everything else.

Instead, what the speech went on to talk about is … something much more iffy: on one hand it would be much more serious than the anti-corporatism I already noted, but on the other I think it opens up a Pandora’s box much more complex than what it solves. Because what Bdale Garbee started talking about was how Facebook and other companies allow the US Government to scan the photos you upload to them with facial recognition.

Interestingly, he started by admitting that there are good uses for such access, and then moved on to say that it’s also a technology open to human rights abuses. It’s hard to debate against this, but that’s also true of most of the possible technologies you have out there. That’s because no technology is, by itself, ethical or unethical: it’s the way you use it that makes it one or the other. So I don’t think anybody would argue that there is no way any government would abuse a technology that allowed them to identify a person by looking through the gigabytes of photos people upload to Facebook and similar services. At the same time I guess it is hard to argue that such a technology would never be used for good, which I guess is the reason Mr. Garbee admitted right away that it has positive uses.

But that brings me to the issue that most irked me with the whole speech: he didn’t consider that the FreedomBox’s technology has the same capability to be abused. And this is one thing that really upsets me in most of the talks around software and services that allow you to “disappear”: they expect that being Free or Open Source software means they are by default intrinsically ethical. No way.

Americans seem to be used to the “terrorist cell” example; in Italy I’d probably use the Mafia example; but I think we can find everywhere in the world an example of some group of people who’d like to be invisible to the government, against everyday people’s interests, even where the government itself is against the people. Yes, I know the famous Benjamin Franklin quote about freedom, but honestly, a great person saying something doesn’t make it true by default, any more than making software Free makes it ethical by default.

Anyway all of this is just my opinion, of course. You can agree or not, but honestly if Bdale Garbee is the best speaker on the topic, I’m not sold at all about the FreedomBox as it is.

FOSDEM!

Those knowing me from my blog for a long time will probably be .. amazed to know that I’m typing this while on an American Airlines flight over the USA … I left from Brussels with Luca directed to Los Angeles, but that’s a story for another day.

I’m happy I’ve been able to be at FOSDEM this year — and I hope I’ll be at the one next year as well! I almost didn’t make it (or to be precise I almost decided to fly back to Venice ASAP) once my flight was diverted through Luxembourg, instead of landing at Brussels National airport, due to weather conditions, but after a three-hour bus ride, and a very welcome (although not really comforting) taxi ride with Luca and Josh, I was able to be at the beer event as well.

Funny tidbit: when I departed I took my hat with me, as I knew it was cold. I got it just before New Year’s Eve in “a new shop” that opened at the mall near me. Most of my friends and acquaintances found it funny and strange, so I was intending to use it as a way to be easily spotted … I did not consider that Celio (the “new shop”) is based in France, and seems to be well established in Belgium as well, even if it has only just arrived in Italy… I have seen that most of the hats in Brussels, especially among the locals outside of FOSDEM, were not much different from it.

Honestly I haven’t been able to attend many talks, although there was one I couldn’t miss, from the CentOS guys, about their efforts at applying continuous integration to the distribution; with my interest in the tinderbox it was natural for me to be interested in their method as well. While they didn’t solve the API/ABI compatibility checks in a more complete way than us, as I was hoping, they did give me an idea for the chance to implement a pkg_test() function, which would run post-installation tests, designed to be used only on tinderbox-like builds, and not on user (nor developer) installs.

I was happy I finally met Fabio, Donnie, Sejo and the many other Gentoo developers (and ex-developers as well); I was also able to get back in touch with Jo (directhex) from the Mono team, and to greet famous developers like Charles from JRuby and Michael Meeks (now from LibreOffice), who was the one who introduced me to the magnificent and scary world of ELF symbol collisions, and thus the main motivator (unbeknownst to him!) for me to write Ruby-Elf together with the symbol collision script. And of course, I finally met the VLC developers, and I promised I’ll do my best to be in Paris at the next DevDays.

Unfortunately Hans couldn’t be there (and I hope to hear from him soon), so Petteri and I took over his talk — if you look up the video, please do not laugh too hard; I’m not used to speaking in public and I think it was something like my third public talk in my whole life, and the first in English. Maybe I’ll prepare something more complete for next year, it might be interesting. In that case I hope Charles will be able to attend, as it’ll certainly talk about JRuby!

For those who wondered why I wasn’t at the keysigning event: besides the weather, the printable list of keys arrived on Thursday when I was just tidying up a few customers’ tasks, and I ended up not having the time to actually print it out. This was made worse by changing my plan at the very last day to go to LA instead of going straight back to Venice.

If you followed my Twitter stream during the event you already know I’m very opinionated about one of the talks I attended… but that’s yet another story for yet another day, I’d rather not waste time writing about it here.

Anyway, just wanted to say I’m very happy to have been there, very happy to have met developers and users – and I’m sorry I’m not naming everyone here, it would be a very long list! I hope to be around more often for sure.

P.S.: if anybody who’s reading this has seen a clumsy guy with a black man-purse falling down the stairs in the AW building on Saturday morning, that was me. Ouch! I hurt myself, but luckily nothing extremely serious.

I’ll be at FOSDEM

This is just a short post to let my followers know that I’ll be at FOSDEM next month. I’ve booked the flight back in September and I booked the hotel yesterday, so it’s all set. I just hope not to get lost through Bruxelles.

The only reason why I’m posting this is, actually, that I need some suggestions from somebody who knows Belgium: both my phone operators lack dedicated roaming up there, so I’ll probably end up with a hefty bill waiting for me back home. Given that in Italy you really can’t get a local pre-paid SIM to use your phone if you’re a tourist, I’m not sure if the same holds true in Belgium. And most importantly, whether I could re-use such a SIM over the years (as I plan on coming to FOSDEM regularly, if I survive the trip alone this time).

At any rate, if you want to discuss anything in person, I’ll be the guy with the strange hat and the purse satchel (geek points for getting the reference), hanging around with the Gentoo or libav folks.

FOSDEM 2010 Recap

So, for the first time in my life, if we exclude the local Linux Day events, I attended a conference! FOSDEM 2010 was my first time properly meeting other developers out there. It actually involved a bit more travel than just Bruxelles, for me; I took a long way to get there. Since I was still afraid of planes, I didn’t want to go up there alone. Add to that the fact that I’m neither used to the Bruxelles area, nor do I speak any decent French any more (I studied it in middle school, so I could at least ask for, and listen to, directions, but after over ten years of not using it, it really just went away), so I got there with Luca, who lives in Turin (on the other side of Italy).

The end result looks something like this: I left Mestre (the Venice inland city, which is where I actually live) by train, I changed in Milan, then arrived in Turin; I went to dinner with some friends I only met online before (colleagues and fellow Ultima OnLine players), and slept at Alessandro’s – from lscube – flat. In the morning me and Luca took the plane for Rome, then changed to the one for Bruxelles. Our luggage decided to take a later plane (d’oh!). The same travel (minus the luggage nuisance, fortunately) applied to the way back. This resulted in something like five trains (one from the Bruxelles Airport to the Gare du Nord — we took a cab to go back), and four planes. I think my fear of planes was totally cured this time.

FOSDEM itself was lots fun! I finally met lots of other Gentoo developers (including Luca for the first time), the other FFmpeg guys, some of the VLC guys, and quite a few users who knew me, even though I didn’t know them before, which I have to say has a nice feeling to it. And I even met with a Mono team delegation, and with the one guy that I had a rough start with – Jo Shields, “directhex” – I should report every misunderstanding is cleared. I was also able to (very briefly) meet Lennart, but that was when me and Luca really had to hurry to catch our plane back.

I really would have liked to stay the whole Sunday and leave on Monday, but Luca was actually due back in Turin for other reasons, so we had to leave early on Sunday to get back to Italy before all planes stopped flying.

Now, during FOSDEM I picked up a few extra tasks on top of all the stuff I had already planned, and this means that the next few days will give me almost no time to breathe, to take a break, or to go out with friends. That’s fine, I had four days that relaxed me quite a bit, so this is not too bad to do. Just to name some of the tasks that I’m looking forward to, besides the key signing (that was a “cool” party… even though it was maybe too cold): writing something more about release notifications, as it seems like I’m not the only person having a problem with that; trying to write some more about upstreaming patches; packaging SIP Communicator – a demo of which was available next to the FFmpeg stand in the AW building… it looked very promising; and getting a hash table implementation into libavutil for FFmpeg, so that we can use it in feng and libnemesi and thus finally get a good parser!

Anyway, this is enough for today; I hope the other people at FOSDEM found it at least as much fun. For me it is time to hit (finally, my) bed.

New OpenPGP key

After seven years of “service”, I finally decided to discard my old OpenPGP key. I was already planning on doing so for a while (especially since it was still a 1024-bit DSA key), but the tipping point was reached today for two reasons: the first is that I received the FSFe Fellowship smartcard (as “Lefty” put it, FSFe seem to be concerned with matters more at hand than those the main FSF is concerned with, so I feel much more at ease to help FSFe rather than FSF itself), the second is that this year I should finally be able to attend FOSDEM (thanks to the fact I can finally board a plane without risking a heart attack; on the other hand I’m not going to board a plane alone so I’m going to take a train to Turin and then move with Luca).

FOSDEM here is a key reason for my switching key: my current key has no web of trust, the only signatures are those from the PGP Directory (automated non-human signatures), so it’s almost impossible to be sure I really exist. Finally being able to meet friends and colleagues is going to be helpful to fix that as well, and at this point starting from a new, clean key (which does not list outdated user IDs, nor my “old” name) sounded like a good plan.

Anyway, I’d like to thank Daniel Kahn Gillmor (dkg from Debian) for his howto on key migration (although it still is signing with SHA1 — I wonder if it’s because of the card not supporting other digests?), and for his template for replacing the old key, in my case it’s available here and is signed with both my old and new keys for verification.

I’m currently uncertain on whether to replace my Gentoo manifest signing key with a sub-key of the new key after I got it signed, so that it also gets to be part of the web of trust.

Anyway, to finish it off, my new key details are these:

pub   2048R/BB592443 2010-01-16
      Key fingerprint = F204 568C 03BD FD49 60EC  2DCC 1A82 AD57 BB59 2443