The dot-io boom, or how open source projects are breeding startups

You may remember that some months ago I stopped updating the blog. Part of it was a technical problem of having the content on Typo (for more than a few reasons), part of it was disappointment in the current free software and open source scene. I vented this disappointment to the people over at FSFE and they suggested I should have gone to the yearly meeting in Berlin to talk about it, but I was otherwise engaged, and I really felt I needed to withdraw from the scene for a while to think things over.

Open source and free software have, over the years, attracted people for widely different reasons. In the beginning, it was probably mostly the ethics, but it also attracted tinkerers and hackers of course. I was attracted to it as a user because I liked tinkering, but as a developer because I was hoping it would lead me to find a good job. You can judge me if you want, but growing up in a blue collar family, finding a good job was actually something I was taught to be always mindful of. And it’s not fair, but I had the skills and time (and lack of extreme pressure to find said job), so that I managed to spend a significant amount of time on free software development.

I went to a technical school, and the default career out of it when I joined was working for a fairly big insurance company, whose headquarters were (and as far as I know still are) not far from where I grew up. Ending up at the Italian telco (Telecom Italia) was considered a huge score — this was a time before university was considered mandatory to do anything at all wherever you wanted to go (not that I think that’s the case now).

My hopes were to find something better: originally, that meant hoping to move to a slightly bigger city (Padua) and work at Sun Microsystems, which happened to have a local branch. And it seemed like open source would get you noticed. Of course in the end I ended up slightly more North than I planned – in Ireland – and Sun is gone, replaced by a much bigger corporation that, well, let’s just say does not interest me at all.

Was open source needed for me to get where I am? Probably yes, if nothing else because it made me grow more than anything else I could have done otherwise. I see many of my classmates, who even after going to university ended up in the same insurance company, or at the local telco, or one of the many big consultancy companies. The latter is the group that tends to be the most miserable. On the other hand I also have colleagues at my current company who came from the same year of the same high school as me — except they went on to university, while I didn’t. I’m not sure who got the better deal but we’re all happy, mostly.

What I see right now though, and what worries me a bit, is that many people see open source as a way to jump-start a startup. And that is perfectly okay if that’s how you present yourself, but it is disingenuous when you effectively hide behind open-source projects to either avoid scrutiny or to make yourself more appealing, and what you end up with is a fake open source project which probably is not free software by license, and quite possibly not even in spirit.

I have complained before about a certain project, that decided to refuse my offer to work on a shared format specification because they thought a single contributor not part of their core team could leave the scene at any moment. Even leaving aside the fact that I probably maintained open-source code for longer than they were active on said scene, this is quite the stance. Indeed when I suggested this format is needed, their answer was that they are already working on that behind closed doors together with vendors. Given how they rebranded themselves from a diabetes management software to a quantified self tool, I assume their talks with vendors went just about as everybody expected.

But that was already just a final straw; the project itself was supposedly open-source, but besides the obvious build or typo fixes, their open source repository only had internal contributions. I’m not sure if it was because they didn’t want to accept external contributions or because the possible contributors were turned down by CLA requirements or something like that; it’s not really something I cared enough to look into. Beyond the open source repository, though, most of the service was closed-source, making it nearly impossible to leverage in a free way.

My impression at this point is that whereas before your average “hacker” would be mostly looking to publish whatever they were working on as an open source project, possibly to use it as a ticket to find a job (either because of skill or being paid to maintain the software), nowadays any side project is a chance at a startup… whether a business plan is available for it or not.

And because you want at some point to make money, if you are a startup, you need to have at least some plan B, some reserve on the code, that makes your startup itself valuable, at least to a point. And that usually makes for poor open source contributions as noted above, and as, good timing, CyanogenMod turned out to be. Similar things have happened and keep happening over time with OpenWRT too, although that one probably already went through the phase of startup-importance into a more community-driven project, though clearly not a mature enough one.

So here it is, I’m grumpy and old at this point, but I think a lot of us in the free software and open source world should do better at considering the importance of maintaining community projects as such, and at avoiding hidden targets of “startupizzation”, rather than just caring about firmware lock-in and “tivoization.” I wish I had a solution to this but I really don’t, I can only rant, at least for now.

Ethical implications of selling routers

I write this while back in Italy at my mother’s. As with many of my peers, visiting the family back in the old country means having to do free tech support for them. I loathe that, but for politeness I may oblige.

In this particular case, my neighbour asked me to look at his tablet, because it was showing scammy ads every time he visited the website of the University of Venice. I checked, and besides some fake-protection apps (sigh) the tablet looked fine. I told him to avoid using the stock Samsung browser and prefer Chrome or Firefox, but then I realized something else was amiss.

A very brief check on his home router found that the problem was clearly with that one: the admin password was the default of admin, the router admin page was accessible from the WAN interface (that is, to the whole Internet) and indeed the DNS servers were hijacked. The stop-gap solution was changing the default admin password, and setting Google Public DNS as the new server in DHCP.

Unfortunately the proper solution (disabling remote access to the admin interface) is not viable for this router, because this router model (TP-Link TD-W8961N v2) does not have a firmware update to fix the absurd ACL system that should lock out access from the outside, but doesn’t, really. Indeed, the firmware that is installed on the device looks newer than the one on TP-Link’s website, but that’s just because it’s the Italian localized version.

Note: make sure you change the default password of your router even if remote access is disabled! While I used not to care, and kept admin:admin or admin:password pairs, it’s getting way too easy to hijack browsers and sidestep the remote access limitations.

Up to here it would be your usual tale of people who don’t (and really shouldn’t need to) have a clue about security being caught in the crossfire. Things changed when he told me that he brought the router for service to the store he bought it from, because he needed to enable port forwarding for some videogame (he didn’t say which one.) Which means a store sold this insecure device, serviced it, and left the customer in a horribly insecure state.

Unfortunately there is really not much I can do about that store. Even though I could leave a negative review for it, I doubt anybody would be checking those reviews over here. And because they are friendly my neighbour is unlikely to stop going to that store, even though I advised him against it. He was also sure he found a good deal with this router — it was available online for €55 but they sold it for just €29 — but I have a hunch that the online version would have been the same model in V3 form (which includes a firmware to fix the vulnerability above), while the store sold their previous stock of V2.

This goes again to my previous point that technologists have a responsibility towards their users, whether they are geeks or not. I think OpenWrt was a very good starting point for this; unfortunately, from what I see, the project stagnated and instead a number of commercial projects around it flourished, which only help to a point. Also, while OpenWrt works great if you need a “pure router”, it becomes vastly useless the moment you live in a country like Italy, where most of the broadband still arrives in the form of DSL, and you then need to look for a modem/router.

FSFE boasts a campaign to let you use whichever router you want but, besides being a very local campaign (compulsory routers were never a thing in Italy, for instance, and as far as I can tell, their campaign only focused on the German market), it also opens the possibility that users will choose cheaper, significantly less secure devices because they don’t care or, more properly, because they don’t realize how bad that is for them and for the Internet as we know it.

Some time ago, someone in the Italian parliament (I completely forgot who and I don’t care about it right now) proposed a law under which you would have to have a license to be able to install customer-premises equipment — most of the free software people have been against this proposal, including me. But I sometimes wonder if it made sense, to a point. Unfortunately I doubt acquiring that license would provide you the ethics necessary for this kind of job.

I don’t have easy solutions, but I do think we should be thinking about them. We need devices that are actually secure by default, and where the user has to try to make them insecure. We need ways to reuse devices without having to spend more money for them to be replaced, and after-market ROMs or WRT-style firmwares are that, except, because of the devices they target, too many of those don’t apply to the people who need them the most.

Technology and society, the cellphone example

After many months without blogging, you can notice I’m blogging a bit more about my own opinions than before. Part of it is because these are things I can write about without risking conflicts of interest with work, so that makes it easier to write, and part of it is because my opinions differ from what I perceive as the majority of Free Software advocates. My hope is that providing my opinions openly may, if not sway the opinion of others, find out that there are other people sharing them. To make it easier to filter out I’ll be tagging them as Opinions so you can just ignore them, if you use anything like NewsBlur and its Intelligence Trainer (I love that feature.)

Note: I had to implement this in Hugo as this was not available when I went to check if the Intelligence Trainer would have worked. Heh.

Okay, back on topic. You know how technologists, particularly around the Free Software movement, complain about the lack of openness in cellphones and smartphones? Or of the lack of encryption, or trustworthy software? Sometimes together, sometimes one more important than the other? It’s very hard to disagree with the objective: if you care about Free Software you want more open platforms, and everybody should (to a point) care about safety and security. What I disagree with is the execution, for the most part.

The big problem I see with this is the lack of one big attribute for their ideal system: affordability. And that does not strictly mean being cheap, it also means being something people can afford to use — Linux desktops are cheap, if you look only at the bottom line of an invoice, but at least when I last had customers as a -Sysadmin for hire- Managed Services Provider, none of them could afford Linux desktops: they all had to deal with either proprietary software as part of their main enterprise, or with documents that required Microsoft Office or similar.

If you look at the smartphone field, there have been multiple generations of open source or free software projects trying to get something really open out, and yet what most people are using now is either Android (which is partly but not fully open, and clearly not an open source community) or iOS (which is completely closed and good luck with it.) These experiments were usually bloody expensive high-end devices (mostly with the excuse of being development platforms) or tried to get the blessing of “pure free software” by hiding the binary blobs in non-writeable flash memory so that they could be shipped with the hardware but not with the operating systems.

There is, quite obviously, the argument that of course the early adopters end up paying the higher price for technology: when something is experimental it costs more, and can only become cheaper with enough numbers. But on the other hand, way too many of the choices became such just for the sake of showing off, in my opinion. For instance in cases like Nokia’s N900 and Blackphone.

Nowadays, one of the most common answers when talking about the lack of openness and updates of Android is still CyanogenMod despite some of the political/corporate shenanigans happening in the backstory of that project. Indeed, as an aftermarket solution, CyanogenMod provides a long list of devices with a significantly more up to date (and thus secure) Android version. It’s a great project, and the volunteers (who have been doing the bulk of the reverse engineering and set up for the builds) did a great job all these years. But it comes with a bit of a selection bias. It’s very easy to find builds for a newer flagship Android phone, even in different flavours (I see six separate builds for the Samsung Galaxy S4, since each US provider has different hardware) but it’s very hard to find up to date builds for cheaper phones, like the Huawei Y360 that Three UK offers (or used to offer) for £45 a few months back.

I can hear people saying “Well, of course you check before you buy if you can put a free ROM on it!” Which kind of makes sense if what constrains your choice is the openness, but expecting the majority of people to care about that primarily is significantly naïve. Give me a chance to explain my argument for why we should spend a significant amount of time working on the lower end of the scale rather than the upper.

I have a Huawei Y360 because I needed a 3G-compatible phone to connect my (UK) SIM card while in the UK. This is clearly a first world problem: I travel enough that I have separate SIM cards for different countries, and my UK card is handy for more than a few countries (including the US.) On the other hand, since I really just needed a phone for a few days (and going into why is a separate issue) I literally went to the store and asked them “What’s the cheapest compatible phone you sell?” and the Y360 was the answer.

This device is what many people could define craptastic: it’s slow, it has a bad touchscreen, very little memory for apps and company. It comes with a non-stock Android firmware by Huawei, based on Android 4.4. The only positive sides for the device are that it’s cheap, its battery actually tends to last, and for whatever reason it allows you to select GPS as the time source, which is something I have not seen any other phone doing in a little while. It’s also not fancy-looking, it’s a quite boring plastic shell, but fairly sturdy if it falls. It’s actually fairly well targeted, if what you have is not a lot of money.

The firmware is clearly a problem in more than one way. This not being just a modified firmware by Huawei, but a custom one for the provider, means that the updates are more than just unlikely: any modification would have to be re-applied by Three UK, and given the likely null margin they make on these phones, I doubt they would bother. And that is a security risk. At the same time the modifications made by Huawei to the operating system seem to go very far on the cosmetic side, which makes you wonder how much of the base components were modified. Your trust in Huawei, Chinese companies, or companies of any other country is your own opinion, but the fact that it’s very hard to tell if this behaves like any other phone out there is clearly not up for debate.

This phone model also appears to be very common in South America, for whatever reason, which is why googling for it might find you a few threads on Spanish-language forums where people either wondered if custom ROMs are available, or might have been able to get something to run on it. Unfortunately my Spanish is not functional so I have no idea what the status of it is, at this point. But this factoid is useful to make my point.

Indeed my point is that this phone model is likely very common with groups of people who don’t have so much to spend on “good hardware” for phones, and yet may need a smartphone that does Internet decently enough to be usable for email and similar services. These people are also the people who need their phones to last as long as possible, because they can’t afford to upgrade it every few years, so being able to replace the firmware with something more modern and forward looking, or with a slimmed down version, considering the lack of power of the hardware, is clearly a thing that would be very effective. And yet you can’t find a CyanogenMod build for it.

Before going down a bit of a road about the actual technicalities of why these ROMs may be missing, let me write down some effectively strawman answers to two complaints that I have heard before, and that I may have given myself when I was young and stupid (now I’m just stupid.)

If they need long-lasting phones, why not spend more upfront and get a future-proof device? It is very true that if you can afford a higher upfront investment, lots of devices become cheaper in the long term. This is not just the case for personal electronics like phones (and cameras, etc.) but also for home hardware such as dishwashers and so on. When some eight or so years ago my mother’s dishwasher died, we were mostly strapped for cash (but we were, at the time, still a family of four, so the dishwasher was handy for the time saving), so we ended up buying a €300 dishwasher at a heavy discount when a new hardware store had just opened. Over the next four years, we had to have it repaired at least three times, which brought its TCO (without accounting for soap and supplies) to at least €650.

At the fourth time it broke, I was just back from my experience in Los Angeles, and thus I had the cash to buy a good dishwasher, for €700. Four years later the dishwasher is working fine, no repair needed. It needs less soap, too, and it has a significantly higher energy rating than the one we had before. Win! But I was lucky I could afford it at the time.

There are ways around this: paying for things by instalments is one of these, but not everybody is eligible for that either. In my case at the time I was freelancing, which means that nobody would really give me a loan for it. The best I could have done would have been using my revolving credit card to pay for it, but let me just tell you that the interest compounds much faster on that than with a normal loan. Flexibility costs.

This, by the way, relates to the same toilet paper study I referenced yesterday.

Why do you need such a special device? There are cheaper smartphones out there, change provider! This is a variation of the argument above. Three UK, like most of their Three counterparts across Europe, is a bit peculiar, because you cannot use normal GSM phones with them, you need at least UMTS. For this reason you need more expensive phones than your average Nokia SIM-free. So, arguing for a different provider may be warranted if all you care about is calls and text, but nowadays that is not really the case.

I’m now failing to find a source link for it, but I have been reading not too long ago (likely on the Wall Street Journal or New York Times, as those are the usual newspapers I read when I’m at a hotel) how for migrants the importance of Internet-connected mobile phones is significant. The article listed a number of good reasons, among which I remember being able to access the Internet to figure out what kind of documents/information they need, being able to browse available job openings, and of course being able to stay in touch with their family and friends that may well be in different countries.

Even without going to the full extreme of migrants who just arrived in a country, there are a number of “unskilled” job positions that are effectively “on call” — this is nothing new, the whole area of Dublin where I live now, one of the most expensive in the city, used to be a dormitory for dock workers, who needed to be as close as possible to the docks themselves so that they could get there quickly in the morning to find work. “Thanks” to technology, physical home proximity has been replaced with reachability. While GSM and SMS are actually fairly reliable, having the ability to use WiFi hotspots to receive text and SMS (which a smartphone allows, but a dumbphone doesn’t) is a significant advantage.

An aside on the term “unskilled” — I really hate the term. I have been told that delivering and assembling furniture is an unskilled job, I would challenge my peers to bring so many boxes inside an apartment as quickly as the folks who delivered my sofa and rest of furniture a few months ago without damaging either the content of the boxes or the apartment, except I don’t want to ruin my apartment. It’s all a set of different skills.

Once you factor in this, the “need” for a smartphone clearly outweighs the cheapness of a SIM-free phone. And once you are in for a smartphone, having a provider that does not nickel and dime your allowances is a plus.

Hopefully now this is enough social philosophy for the post — it’s not really my field and I can only trust my experience and my instincts for most of it.

So why are there not more ROMs for these devices? Well the first problem is that it’s a completely different set of skills, for the most part, between the people who would need those ROMs and the people who can make those ROMs. Your average geek that has access to the knowledge and tools to figure out how the device works and either extract or build the drivers needed is very unlikely to do that on a cheap, underpowered phone, because they would not be using one themselves.

But this is just the tip of the iceberg, as that could be fixed by just convincing a handful of people who know their stuff to maintain the ROM for these. The other problem with cheap devices, and maybe less so with Huawei than others, for various reasons, is that the manufacturer is hard to reach, in case the drivers could be available but nobody has asked. In Italy there is a “brand” of smartphones that prides itself in advertisement material that they are the only manufacturer in Italy — turns out the firmware, and thus most likely the boards too, are mostly coming from random devshops in mainland China, and can be found in fake Samsung phones in that country. Going through the Italian “manufacturer” would lead to nothing if you need specs or source code. After all, I’ve seen that for myself with a different company before.

A possible answer to this would be to mandate better support for firmware over time, fining the manufacturers that refuse to comply with the policy. I heard this proposed a couple of times, particularly because of the recent wave of IoT-based DDoS that got to the news so easily. I don’t really favour this approach because policies are terrible to enforce, as it should be clear by now to most technologists who dealt with leaks and unhashed passwords. Or with certificate authorities. It also has the negative side effect of possibly increasing the costs as the smaller players might actually have a hard time to comply with these requirements, and thus end up paying the highest price or being kicked out of the market.

What I think we should be doing is to change our point of view on the Free Software world and really become, as the organization of that name calls itself, Software in the Public Interest. And public interest does not mean limiting it to what the geeks think should be the public interest (that does, by the way, include me.) Enforcing the strict GPL has become a burden to so many companies by now, that most of the corporate-sponsored open source software nowadays is released under the Apache 2 license. While I would love an ideal world in which all of the free software out there is always GPL and everybody just contributes back at every chance, I don’t think that is quite so likely, so let’s accept that and be realistic.

Instead of making it harder for manufacturers to build solutions based on free and open source software, make it easier. That is not just a matter of licensing, though that comes into play, it’s a matter of building communities with the intent of supporting enterprises to build upon them. With all the problems it shows, I think at least the Linux Foundation is trying this road already. But there are things that we can all do. My hopes are that we stop the talks and accusations for and against “purity” of free software solutions. That we accept when a given proposal (proprietary, or coming out of a proprietary shop) is a good idea, rather than ignore it because we think they are just trying to do vendor lock-in. Sometimes they are and sometimes they aren’t; judge ideas, formats, and protocols on their merits, not on who proposes them.

Be pragmatic: support partially closed source solutions if they can be supported by or supportive of Free Software. Don’t buy into the slippery slope argument. But strive to always build better open-source tools whenever there is a chance.

I’ll try to write down some of my preferences of what we should be doing, in the space of interaction between open- and closed-source environments, to make sure that the users are safe, and the software is as free as possible. For the moment, I’ll leave you with a good talk by Harald Welte from 32C3; in particular at the end of the talk there is an important answer from Harald about using technologies that already exist rather than trying to invent new ones that would not scale easily.

My opinion on internet ads

You may or may not remember that I did post about my (controversial) privacy policy and some of my thoughts on threat models. A related, though probably separate, topic is how to handle internet advertisers, and tools like AdBlock, so I thought I would write down my personal preference and how I work.

First of all, I should point out the obvious elephants in the room: not only do I work for a company that sells internet ads, but I also use ads on both this blog and Autotools Mythbuster — mostly to try reducing the cost of running these operations, which are mostly a personal whim. On the other hand, the opinions I express in this post are all personal, and are not being influenced by this. They have been forged over time and experience, and some of said experience may have been related to these, though.

Once this is clarified, I should describe my current setup, since that will spark the rest of the content of the post. I (still) use AdBlock Plus extension for Chrome — even with all the possibly shady behaviour that the current owners are behind, I have not found a good replacement; uBlock Origin is not a replacement, as I’ll get to later. I’ve set the extension to behave as an opt-in, rather than opt-out: ads are not blocked anywhere until I ask it to. Chrome for Android does not have AdBlock or similar, so I have nothing really there, on the other hand it’s less of an issue there because I usually just look at the same dozen websites most of the time.

To make ads generally less annoying, I signed up for Google Contributor which allows me to declare a target monthly contribution to use to replace Google Ads with whatever set of images (or nothing at all.) I set it to show me cats, including my own.

As I said above, I set my AdBlock to not block ads by default, so when do I decide to turn it on? Well, to start with I run it on my own websites (except when I’m testing them), since otherwise it’s a bit of a mess with the Terms of Service of AdSense, so this is easier. Other than that, I usually turn it on for various sites when I land on a page and I find it “scammy.” The definition of scammy is of course up to debate, so let me try to explain where I come from.

Also, I need to make this point here, so that if you completely disagree with my idea here, you can probably stop reading (and please don’t comment either): I don’t believe that advertising and marketing are inherently evil. I know plenty of privacy extremists take issue with the statement, so if you do, feel free to move on and read something else altogether.

Not all internet ads are created equal; I think this is obvious to essentially anybody who has been browsing the Internet for more than a few months. Ads may be more or less intrusive, they may be more or less relevant to your interests and they may or may not always be legal. While no supplier is immune, most of the big names strive hard to avoid ads that outright lie, or that try to pass themselves off as something else. The results are usually mixed as everybody knows already.

On the other hand, there are suppliers that explicitly go for the scams, and some website operators accept them quite willingly. The reason is usually monetary: these networks pay off much better, as the “advertisers” are happy to pay premium to get their (frequently) malware advertised. To give you a bit of an idea, I suggest you read or watch this presentation from the USENIX Security conference.

This is not all, of course. There are also the self-defined “content discovery networks”, that purport to point people at other content they should be interested in, mixing content from the same site with “sponsored links.” Even I tried it once before I noticed how useless it ended up being. Nowadays a lot of those kind of links are coming from two networks: Taboola and Outbrain; in my experience, the latter actually provides kind-of relevant content, the former has lots of almost definite scams that I do not appreciate.

To give you an idea, if I’m reading an article about Brexit, I find it perfectly reasonable to get links to articles suggesting cheap vacations to the UK, an ad for Transferwise and an ad for ig.com (which is, as far as I know, a totally legit trading website I have no affiliation with, but just seems to spend lots of money in advertisement, as I see it on every other website.) If, on the other hand, a different article on the same topic proposes links such as “This one trick hated by doctors to lose weight” and similar, then I think there is more than a little bit of a problem.

But you can get worse than this! Some months ago I was traveling to London, and an acquaintance of mine shared on Facebook an article he wrote for an Italian newspaper (since he’s still living around where I’m from.) Since I was curious about the topic, I looked at it and … well, you can see it by yourself:

Scammy ads from Italian newspaper site

Two things are kind of obvious when looking at it: “Make ¤NNN a day” scams are freaking common not only in comment-spam, and people really seem to believe you can look 30 years younger by buying something. Out of eight “links”, only half actually point back to the newspaper, two point to possibly fake cosmetics (from two “different” sites — which are clearly the same), and two point to outright scams that suggest you can make money without doing anything (these reporting the same site name at least.) It’s also apparent that those two sets are auto-generated by taking a set of stock images, a set of stock headline templates, and throwing in different currency symbols, numbers and country names.

Now you may ask why a newspaper – one for which a friend of mine even writes! – would use such a blatantly scammy ad network. The answer is that they did not realize it was a scammy network until I showed him the screenshot. Indeed, from within Italy their ads are useless, but at least legit; it isn’t until you’re visiting from the outside that they start serving you scams. This is, by the way, why sometimes you may find spam that simply links to a blog post of a newspaper or other site in a non-English language: they still want you to “see” these ads; if they are the only thing you understand in the page, that’s still okay for them. If you don’t know better, you may still fall for it.

There are more cases, but these are the major ones. So if I see any of these scammy ads, I just go and enable AdBlock for the whole domain. Usually, I also try to stay away from that website altogether, but sometimes it’s not as easy. For instance Wikia – yes, headed by the same Jimmy Wales that keeps insisting he doesn’t want ads on Wikipedia by putting a 50%-height banner of his face on it from time to time – uses the medium-grade scammy Taboola — it’s not quite outright illegal activity, but clearly it’s not something I care to see. So there goes AdBlock.

In addition to the actually scammy ones, I enable AdBlock Plus if I see other ads that, whether legit or not, are just an active pain in the arse. For instance, some sites, particularly (I noted) around hardware reviews, use ad networks that hook on-hover ads to words. So if you’re like Randall and me and go on selecting text to remember where you were reading if you’re distracted, you may end up playing one of their stupid (sometimes scammy, sometimes not) ads. Bam. Auto-playing video ads with audio get the AdBlock hammer too. Bam. And so do those sites that just get my CPU to spin even though it’s not obvious there is any ad playing at all. Bam.

So with all this explained, let me go back to uBlock Origin, which seems to be the only alternative to AdBlock Plus that is ever suggested. This extension is clearly written by privacy extremists. I already had a couple of times people replying to my complaints about it on twitter trying to be funny with “well, that’s intended” or “I don’t see a problem” — that does not make you smart, that makes you completely tone-deaf.

The extension does not only block ads, but it keeps insisting it wants to block all the client-side tracking. As I said before there is still plenty of space for server-side tracking, particularly for malicious purposes; client-side tracking is usually done for marketing purposes, and so I don’t really mind it.

It goes beyond that. The rulesets in uBlock Origin are designed to block based on regular expressions; some of these expressions are of significantly wide reach, for instance when I tried it I couldn’t even go and check my own AdSense console. Or even access SourceForge! — as much as I really disliked SourceForge’s turning to bundling malware last year, marking the whole site off-limits is crazy.

More bothersome for me was the way the extension decided that any of the tracking clicks from Skymiles Shopping were ads and so just decided it was a good thing to block them. For those who don’t know Skymiles Shopping, or one of its many other incarnations for hotels, airlines and other loyalty programs, it’s essentially a way to bridge the referral system of various online shopping venues with your own interests, pretty much the same as Socialvest used to do. When you click on a given offer from the portal, they ask you for your loyalty identifier (in my case a Delta SkyMiles frequent flyer number), then send you to the shopping site with a personalized tracker. After you order from the site, they get a referral commission, and credit you with something — in the case of Socialvest back in the days, you could donate that to non-profits, or get it added to your Flattr wallet; in the case of Skymiles Shopping, they give you a number of Delta rewards miles.

Am I trading part of my privacy away for some benefit? Yes. I’m okay with that, as I said. And so is, very likely, the majority of people out there. So without providing an option to disable this behaviour, and insisting that it’s the correct one, the only way they can read it is that the extension is not for them, and they will fall back to either the (possibly shady) AdBlock Plus, or to no extension whatsoever — and with badvertising being an actual problem, that’s not good either.

For you it might be that your privacy is just that valuable, but there are indeed enough people for which these cash-back, custom tailored offers, or generally legit, non-scammy ads are important. It’s not far from the toilet paper problem.

Indeed, this kind of tone-deaf response from many privacy and Free Software activists is what turned me significantly away from the movement over the past few months. I plan on writing more about it, but I thought this would be a good place to start.

My thoughts on the Self-Hosting Solution

You probably noticed that in the (frequent) posts talking about security and passwords lately, I keep suggesting LastPass as a password manager. This is the manager that I use myself, and the reason why I came to this one is multi-faceted, but essentially I’m suggesting you use a tool that does not make it more inconvenient to maintain proper password hygiene. Because yes, you should be using different passwords, with a combination of letters, numbers and symbols, but if you have to come up with a new one every time, then things are going to be difficult and you’ll just decide to use the same password over and over.

Or you’ll use a method for having “unique” passwords that are actually comprised of a fixed part and a mobile one (which is what I used for the longest time). And let’s be clear, using the same base password suffixed with the name of the site you’re signing up for is not a protection at all, the moment more than one of your passwords is discovered.
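A small self-audit of the scheme described above, added here as an example and not code from the post: given your own list of (site, password) pairs, it flags passwords that are identical across sites, and passwords that collapse to the same “base” once the site’s name is removed. All entries below are constructed sample data.

```python
"""Added example (not from the post): audit a password list for the
"fixed base + site name" scheme and for plain reuse across sites."""
from collections import defaultdict


def site_token(site: str) -> str:
    """Reduce 'www.shop.test' to the label a person would bolt onto a
    password: 'shop' (strip a leading 'www.' and everything after the
    first dot)."""
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def strip_site(password: str, site: str):
    """If the site label appears (case-insensitively) anywhere in the
    password, return the password with it removed, i.e. the reusable
    'base'. Return None when the password does not embed the site name."""
    token = site_token(site)
    pos = password.lower().find(token)
    if not token or pos < 0:
        return None
    return password[:pos] + password[pos + len(token):]


def audit_vault(entries, min_base=8):
    """entries: iterable of (site, password) pairs.

    Returns (reused, derived):
      reused  maps an exact password to the sites it is used on;
      derived maps a shared base (password minus the site name) to the
              sites built from it.
    Only groups covering two or more sites are kept; a base shorter than
    min_base is ignored to avoid noise from short coincidental matches."""
    by_password = defaultdict(list)
    by_base = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
        base = strip_site(password, site)
        if base is not None and len(base) >= min_base:
            by_base[base].append(site)
    reused = {p: s for p, s in by_password.items() if len(s) > 1}
    derived = {b: s for b, s in by_base.items() if len(s) > 1}
    return reused, derived


# Constructed sample vault: three passwords built from one base (suffix and
# prefix variants), one exact reuse, and one independent random password.
SAMPLE_VAULT = [
    ("example.com", "Tr0ub4dor!example"),
    ("www.shop.test", "Tr0ub4dor!shop"),
    ("forum.test", "forumTr0ub4dor!"),
    ("bank.test", "xK9#vQ2m$pL7wR4z"),
    ("blog.test", "correct horse battery"),
    ("wiki.test", "correct horse battery"),
]

if __name__ == "__main__":
    reused, derived = audit_vault(SAMPLE_VAULT)
    for base, sites in derived.items():
        print(f"base {base!r} shared by {len(sites)} sites: {', '.join(sites)}")
    for password, sites in reused.items():
        print(f"identical password on: {', '.join(sites)}")
```

On the sample vault the three Tr0ub4dor! entries are reported as one shared base, which is exactly the situation where a single leaked password exposes the others.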

So, convenience being important, because inconvenience just leads to bad security hygiene, LastPass delivers on what I need: it has autofill, so I don’t have to open a terminal and run sgeps (like I used to) to get the password out of the store; it generates the password in the browser, so I don’t have to open a terminal and run pwgen; it runs on my cellphone, so I can use it to fetch the password to type somewhere else; and it even auto-fills my passwords in the Android apps, so I don’t have to use a simple password when dealing with some random website that then patches to an app on my phone. But it also has a few good “security conveniences”: you can re-encode your Vault on a new master password, you can use a proper OTP pad or a 2FA device to protect it further, and they have some extras such as letting you know if the email you use across services is involved in an account breach.

This does not mean there are no other good password management tools, I know the name of plenty, but I just looked for one that had the features I cared about, and I went with it. I’m happy with LastPass right now. Yes, I need to trust the company and their code a fair bit, but I don’t think that just being open source would gain me more trust. Being open source and audited for a long time, sure, but I don’t think either way it’s a dealbreaker for me. I mean Chrome itself has a password manager, it just feels not suitable for me (no generation, no obvious way to inspect the data from mobile, sometimes bad collation of URLs, and as far as I know no way to change the sync encryption password). It also requires me to have access to my Google account to get that data.

But the interesting part is how geeks will quickly suggest to just roll your own, be it using some open-source password manager, requiring an external sync system (I did that for sgeps, but it’s tied to a single GPG key, so it’s not easy for me having two different hardware smartcards), or even your own sync infrastructure. And this is what I really can’t stand as an answer, because it solves absolutely nothing. Jürgen called it cynical last year, but I think it’s even worse than that, it’s hypocritical.

Roll-your-own or host-your-own are, first of all, not going to be options for the people who have no intention to learn how computer systems work — and I can’t blame them, I don’t want to know how my fridge or dishwasher work, I just want them working. People don’t care to learn that you can get file A on computer B, but then if you change it on both while offline you’ll have collisions, so now you lost one of the two changes. They either have no time, or just no interest or (but I don’t think that happens often) no skill to understand that. And it’s not just the random young adult that ends up registering on xtube because they have no idea what it means. Jeremy Clarkson had to learn the hard way what it means to publish your bank details to the world.

But I think it’s more important to think of the amount of people who think that they have the skills and the time, and then are found lacking one or both of them. Who do you think can protect your content (and passwords) better? A big company with entire teams dedicated to security, or an average 16-year-old guy who thinks he can run the website’s forum? — The reference here is to myself: back in 2000-2001 I used to be the forum admin for an Italian gaming community. We got hacked, multiple times, and every time it was for me a new discovery of what security is. At the time third-party forum hosting was reserved to paying customers, and the results have probably been terrible. My personal admin password matched one of my email addresses up until last week and I know for a fact that at least one group of people got access to the password database, where they were stored in plain text.

Yes it is true, targets such as Adobe will lead to many more valid email addresses and password hashes than your average forum, but as the “fake” 5M accounts should have shown you, targeting enough small fishes can lead to just about the same results, if not even better, as you may be lucky and stumble across two passwords for the same account, which allows you to overcome the above-mentioned similar-but-different passwords strategy. Indeed, as I noted in my previous post, Comic Book Database admitted to being the source of part of that dump, and it lists at least four thousand public users (contributors). Other sites such as MythTV Talk or PoliceAuctions.com, both also involved, have no such statement either.

This is not just a matter of the security of the code itself, so the “many eyes” answer does not apply. It is very well possible to have a screw-up with an open source program as well, if it’s misconfigured, or if a vulnerable version doesn’t get updated in time because the admin just has no time. You see that all the time with WordPress and its security issues. Indeed, the reason why I don’t migrate my blog to WordPress is that I won’t ever have enough time for it.

I have seen people, geeks and non-geeks both, taking the easy way out too many times, blaming Apple for the nude celebrity pictures or Google for the five million accounts. It’s a safe story: “the big guys don’t know better”, “you just should keep it off the Internet”, “you should run your own!” At the end of the day, both turned out to be collections, assembled from many small cuts, either targeted or not, in part due to people’s bad password hygiene (or operational security if you prefer a more geek term), and in part due to the fact that nothing is perfect.

How it feels to know you’re unwell?

Today’s most retweeted news in my stream seems to be an ultimatum sent by the US FDA (Food and Drug Administration — don’t be confused by the name, as they work more like what in Europe would be a Ministry of Health) towards a service called 23andme. I got curious as I did not know the service, but the kind of reactions I read made me reach for my hand, and facepalm: most commentaries, with very few exceptions, seem to be either attacking regulation altogether, calling up a conspiracy of drug companies (why? I’m pretty sure they’re pretty happy if third parties tell people they have some disease for which they have treatments), or of companies that do full blown genome sequencing (which seems a broken idea given that 23andme is not a service that replaces them — it just provides an affordable alternative for the layman). After some ping-pong on Twitter with Jürgen I said I would write a bit about my experience and why my reaction is not the same as your average Internet user’s.

It’s a bit awkward for me to write thinking back to 2007, first because it’s impressive for me to be reminded that it was now over six years ago that this happened. But also because, as I’ll try to explain in a moment, my perspective changed considerably since then. I think the most visible difference is to be found in this post, a few months before my hospitalization:

I find this funny because lately I’ve been a bit tortured with myself about an opportunity I don’t want to miss… but that requires me to take an airplane, and I’m terrified by the whole concept of airplanes; and I’m trying to watch Nodame Cantabile to see how the protagonist (who also suffers from this problem) will get over it. Pathetic, I know.

Well, the opportunity I did not talk about in that post was an on-site interview at Google, in Mountain View, for a position of SRE in Dublin. I’ll leave the readers who haven’t paid attention to my recent move to guess where and for who I’m working right now. Yet this only happened almost six years after I was originally offered that on-site. It took a friend of mine convincing me with force to get on a plane for me to get over my fear, at least in part. As of now, I flew 14 legs this year. I’m flying two more to get back to Dublin. Last year I flew 18 legs. I got over my fear, sort of.

But the changes don’t stop there. And they really did not move only in one direction; things are difficult. I’m pretty sure I can say that, compared to most of the people commenting around 23andme’s FDA kerfuffle, I have a better idea of my genetic risks, which I did not intend to have — this knowledge has been forced on me by what happened to me. I know for example that I almost definitely suffer from Gilbert’s syndrome and I have thus been avoiding paracetamol. Honestly, having known for sure that was the case before I was hospitalized would have helped, as then the doctors would have refrained from telling my mother that I definitely lied and drank the night before — the last glass of beer I had at that point was already five years before, at the table, with my parents; I knew already that I don’t tolerate alcohol, and I found out afterwards (more on that later) that I’m a mean drunk.

I’ve also been told, but without certainty in this case, that the root cause of my health issues was most likely genetic — a predisposition to gallstones, gallstones that had been overlooked by my GP when I reported the abdominal pain that was the first symptom of the pancreatitis, and that even half my teachers in school expected to be a way to avoid tests — it was only if the test was for math; I hated that teacher and refused to study math for the best part of three years. My complex relationship with diabetes is also, according to some (but not all) of the doctors who examined me, partly inherited. A tendency to diabetes is to be found in my father’s family, and manifested during my sister’s pregnancy as well. But at least according to the specialist who’s following me in Ireland, the primary cause of my current diabetes is the pancreatitis itself, which could have led to mistreatment in Italy, where assuming inheritance (as my pancreas did seem to be working up to a point) brought it to be considered a full-blown type 2, instead of something that behaves vastly like type 1, while still not being LADA.

I don’t know if HIT can be ascribed to genetics as well — but here’s where I find that the idea people throw around, that once you talk with a doctor he or she will know everything that you have to do, is pure fantasy. When I was sent to the ICU, I was given, like everybody else, heparin, an anticoagulant – the idea is that if you’re forced to stay in bed for extended amounts of time without the ability to even stand up, you don’t want to risk thrombosis. Unfortunately, in me the end results of heparin are the exact opposite. I’ve been very lucky to survive that one — the hematologist at the hospital knew about the chance of that happening. But when I relayed this to the chief gastroenterologist at a different hospital one year later, he was convinced it couldn’t be possible.

I underwent a few further tests, and so did my siblings, when, after the ICU, and just before discharging me, I got a high fever, and none of the stuff they kept trying to give me worked. They ended up sending cultures around to different hospitals, and kept drawing blood from me daily. I can only imagine that if there was something else in my genetics that was going to distract them, they might have overlooked the fact I had a central venous catheter installed for over a month, and that caused a bad infection. After a full week of fever, it was a nurse in training telling me, and my father, his suspicion of the CVC being the problem, and admitting he couldn’t really say that to the rest of the doctors without risking losing his training spot. My father had to find the doctor responsible for the ICU, who stormed the unit, screamed at the team that was ignoring the CVC, and took it out himself. My fever was gone the next day.

So what I said up to now only covers some of my first reasons to think that services like 23andme, while being definitely something I’m happy to know exist, should not go unregulated. While knowing of things like Gilbert’s syndrome could have helped me, diabetes predisposition was a red herring for me. And having multiple known issues that could be the cause for a high fever would probably have killed me. I find it’s on the level of full body scans: I’m glad it exists but I’m not getting one (another?) for a long time.

But there is another side to consider, and that is the psychological issue: if you were to read every single blog post of mine between the time I went to the hospital and some time after I had surgery you can probably see that my mood was quite different than before and after. Why? Well, I lived that whole year expecting not to live until the month that was to come. I’m not kidding or exaggerating. I made my mother cry multiple times during that year because I wasn’t even planning to survive the month. I felt lonely and I ended up looking for companionship from a person that deserved better than a desperate, ready to die at any time, zombie like I was. I did not attempt suicide, as my mother understandably worried about, but you can probably see already that it had been in my mind the whole time. Spending over a month in a hospital, including two weeks in intensive care is not something I’d like to go through again — and I did end up at the hospital a few times since. I would be lying if I wouldn’t admit that every time I ended up in the ER (or A&E if you prefer), my thought was along the lines of “If it’s bad, please make it quick.” as I don’t think I have the strength, even now, to go through it again.

Again Jürgen shared a post by @mntmn that gives a glimpse of how easy it is for a software bug to give someone deadly worries. I wish I had his strength to just go through the results again independently; I doubt I would do the same — I know that the first thing I’d do would be to go see my GP, but would I have the strength of doing that, rather than just looking for a quick way out? I wouldn’t bet on it right now. I feel much better, and much more optimistic about life nowadays than six years ago. It has been thanks to a bunch of friends who stuck with me while I was going down very bad roads, people who I met after, who understood my fears. And yet, even without having a picture even half as complete as the one 23andme would give me, I already came to terms with the idea that I don’t really want children, as my genetic inheritance is more akin to a curse — not that there is any risk of that happening, given how I’m keeping single at 28.

I know people who wouldn’t be as strong as me either (and admittedly I’m not that strong), people whose first reaction would be to get a knife and be done with it. After all if the doctors need to tell you bad news, they usually call you to go to their office — and in my experience they ask you to not come alone. In Ireland I noticed quite a few ads for public service lines to support people who have been given news of cancer, and that nowadays can be less of a death sentence compared to other genetic risks. Which is what most worries me about 23andme in particular: while they make it abundantly clear for your rational mind that their results are not clinical, and that anything pointed out by them should be passed on to a doctor for a real diagnosis, people are not rational in regard to their life — not all of them at least. I know I’m not.

The final nail for me, for which I understand the FDA’s position in regard to this service, has to do with what has been happening in Italy over the last year or so. A TV programme, started as a comedy but then entering some kind of “public service” kind of deal, started painting what had been considered an “experimental treatment” as a cure for a bunch of incurable syndromes and diseases. And lo and behold, to satisfy all the hatred for “big pharma”, and all the conspiracy theorists of the country, they declared that the bad Ministry closed down the Foundation that was administering said treatment just for spite. The fact of the matter is that the laboratory was inspected after an inquest was started when one of the few patients died, and they found not only code violations, but seriously threatening working conditions. Further investigations pointed out that the so-called “Doctor” who has been brought to the attention of the media is actually a literature major. It’s basically a fraud, but people who are desperate still believe the fraudsters.

And before you say “It’s their problem”, after the media scandals on the Ministry shutting down the laboratory, judges had to allow the previous patients to get the treatment still, but to do so safely, national hospitals are used. Which means that now the Italian national health service is paying for people to get a fake treatment. Which is not something I’m proud of.

So to conclude, my opinion at this point is that I’m partial to get services like 23andme regulated — which does not mean shut down! But they need scrutiny in what they assert; bugs like the one @mntmn wrote about can kill people, it’s not a hyperbole, I’ve seen people in the hospital after the bad news. I know how they felt. And I know of some who didn’t get the strength to keep going afterwards.

Myself, I’m wondering — would I try my luck with the service? I’m living happy (or the closest thing I can afford) now, I wouldn’t want to stir up trouble. On the other hand, information is power. I’m not sure, I think I’ll speak with my doctor next week (I have an appointment already for when I’m back in Ireland), and if the service is still running then, and he thinks it can be of help, I’ll go through it. I know at least that if something comes up in the results, I would be able to call him immediately.

But this is my point of view, the point of view of somebody who has gone through the bad side of medicine and stared into some of his genetics issues… I don’t want to sound self-righteous, but I’m afraid Jürgen, with a relatively clean bill of health – the PPI response is indeed something useful to know on how much to get, but it’s not a deal breaker, given how quickly doctors seem to provide it – cannot feel how it feels to be given bad news.

Just accept it: truth Hurds

Okay, the title is a very lame pun. But in this post I’d like to argue a bit more for my reasons for not liking the Hurd project, at least in the way it is still being developed nowadays, which I announced on Identi.ca yesterday. This might sound quite strange coming from the guy who dedicated time and soul to Gentoo/FreeBSD.

First of all let’s put into context what Hurd is nowadays: it is not something viable, or usable. Twenty (20!) years after its original inception, Hurd is still nothing that you’d think of using on your desktop, or your server — nor should you, I guess. The class of operating systems this belongs to is the same as Gentoo/FreeBSD, Debian’s GNU/kFreeBSD, Haiku, Plan9 and so on: a toy project. Or if you want to make it sound less childish, a research project, but I prefer the shorter version.

But while there are so many toy operating system projects, I’m singling out Hurd, and there are two main reasons for my feeling; they can be considered mostly personal, non-technical opinion, but I’ll stand by them.

First of all, most other toy systems have given us steady improvements in different areas; take Plan9 for instance: ten years older than Hurd, but recently Linux gained access to paravirtualized filesystems, based on what? On the Plan9 protocols. Good research going — even though it does seem tremendously silly when you look into it for the first time. And even though I was sceptical the first time I looked into it, GNU/kFreeBSD has probably made glibc a bit more … malleable.

But most importantly, the whole Hurd project at the moment does not have any real technical reason to exist; it only has one huge symbolic value for the GNU project, beginning with the idea that “Linux is not the Free operating system”… which I could accept if it wasn’t coming from the project sponsored by the FSF. The same FSF that insists that you should not use any proprietary operating system, that you should only and always use Free software and so on and so forth.

Is Hurd the example of Free Software people should use? Do they insist on their argument even when it is totally, technically, unsound? I’m afraid some of the people in the FSF do. Luckily, the FSF is not just those, and there are a number of reasonable, hard-working and capable people. Which is why even I have signed copyright assignments to the FSF (with a bit of rant attached), and why I try to contribute to GnuPG when I can (given I use it).

Once again, though, what’s the problem if a bunch of elitist developers feel like working on a toy system? It really isn’t something new; heck, Plan9 is, as far as I can tell, mostly developed for that. With a few differences: most of the people I saw involved with Plan9 are also involved in the suckless projects (and I rarely, if at all, agree with the premises of such projects), and they definitely are not very interested in making more users for any software at all, so their approach is well suited to their goals; not so for the GNU people, but oh well.

The problem I have, with actually any toy project, is with the people who keep insisting to find philosophical reasons to show others why their project is really, very, so much important. It happens (awfully often on Identi.ca) with both Plan9 but, more often lately, with Hurd. And when I do show my disagreement, I usually end up flooded with defences of said projects (“they don’t bother you”, “everybody should keep using what they prefer”, … sure of course — then why can’t I voice my personal opinion?).

This brings me to categorizing most of the people involved in toy projects (or actually, any project — with mainstream projects it is a bit more shady to go from one category to the other) in three categories: the silent doers, the vocal doers, and the advocates.

For the silent doers, those who know they are working on a toy project and have no expectancy for people to consider it “important for the greater good”, I have fondness: you go with it and try to get something good out of it — I have done something like that with G/FreeBSD: Gentoo has had libarchive (bsdtar) from way before it went mainstream as a dependency of GNOME and KDE.

I’m a bit more polemic with the vocal doers: sure, you’re entitled to advertise your choice, no way I’m going to argue against it; but I’ll also not refrain from stating my disagreement. That shouldn’t be a problem, no? And I’m sorry, but I’m also not generally going to be convinced by your reasons to keep developing. It’s not a lack of respect, and I’m sorry if you feel this way, but… I don’t really care. If you want to show me something, show me technical reasons why your work could be important to me, or to others, but technical.

But please, spare me the advocates. They talk just too much (after a passing reference to Hurd I get three, continued messages, trying to argue for it? I’m going to be a bit disappointed — I reply and I get another three? I’m seriously cranky), and of the wrong arguments. I really don’t care about the philosophy of a subproject. I subscribe to the basic philosophy of Free and Open Source Software, and I maintain that it can be technically superior if the project accepts that proprietary software can (and usually enough does) have better technical aspects. Survival of the fittest, for me, is happening only in technical terms.

Clear enough now?

Backward free software advocacy

Another funny thing I noticed on the comments for my guest post about Free Software Fundamentalists is that there is a very strange conception of how to interact with proprietary software when you’re definitely forced to.

Quoting the comment on why you shouldn’t use proprietary software:

When you use proprietary software, you give them market share, which further funds their development, which widens the gap between them and their free competitors. It’s like buying then freeing slaves: you do it out of good intention, but unintentionally you empower the slave traders, who enslave even more people. True, you can get mostly free software, but you still empower the proprietary software.

Now, besides the fact that the particular author of that comment really needs a reality check (comparing software and slavery first, and torture later, would show some serious lack of perspective on their part), one would expect that the problem is the “market share” thing. And indeed, I know that quite a few “Free Software Advocates” seem to be supporting ideas like the Pirate Party, and other kinds of “freedom no matter what” activities. Don’t get me wrong, I can understand them to a point, but I’m not really agreeing with them fully.

I can understand very well the point of “civil disobedience” related to the non-availability of some kind of content or software, or so on. As I said before I also download, unauthorized, Bill Maher’s show since it’s unavailable in Italy (for no good reason I can think of). On the other hand I’m not proud of that and, given the choice of paying to watch it, I’d be definitely fine with paying for it.

What I really can’t get my head behind is the idea that, to avoid giving funds to proprietary software developers, you should copy, crack, or otherwise hinder the distribution of that software. Sorry, but respecting copyright is what the Free Software movement has been basing itself on, thanks to the GPL. Now, I know that Stallman now declared that the GPL was a “workaround” and that getting rid of copyright altogether is the way to go… I’m quite sure I don’t agree; we do need a reform in copyright almost everywhere, but I still don’t think that it’s going to help free software to kill copyright entirely.

Piracy is definitely not the way to go, in my view. Of course I’m not the kind of person who says “piracy is bad so get rid of all the tools allowing it”, because I do see that a lot of the tools actually used for piracy are used for very legit cases as well: being able to decrypt and rip a DVD does not always mean that you are going to distribute it illegally; you might want to have it available on an HDD-based set-top-box on your TV; you might want to put it on your iPod or PSP, or whatever, and so on. The same goes for CDs.

Piracy is, at many levels, detrimental to Free Software; let me give you an example, getting back to the family I described before, where pirated software was the norm even for tasks well covered by free software like Gimp, Inkscape or OpenOffice. Now, in their case I was able to bring them on board with the free alternatives thanks to the fact that, obviously, pirated software very often comes bundled with viruses and other kinds of malware. If it wasn’t for that, their reasoning would have been: “Why should I choose mediocre software that is available for free, when I could have, just as free, software that costs lots of money and is thus obviously better?”.

Now, any half-decent computer geek knows very well that “costs lots of money” doesn’t necessarily mean “it’s good” (Windows, anyone?). On the other hand, normal people almost always reason that way (and you can see it in so many ways it’s not even funny, be it software, hardware, or stuff that has nothing to do with computers); ignoring this is silly if your goal is advocating free software. So you have to find another way to explain it to them.

The usual argument about the philosophy works up to a point; it gets watered down very quickly once you condone piracy. The argument about lock-in also doesn’t carry much weight with ordinary users, since for them lock-in only means they’ll keep pirating the same software, and will make sure that all the computers they own run the same pirated software. (It would be much better if software companies really cracked down hard on piracy.)

What remains is simply this: make sure that Free Software gets better, and better, and better than proprietary software. To do that, though, you need to get out of the mental shelter of “it doesn’t matter if it’s mediocre, you have to prefer it”. And now please let me cover my ass about one very likely rebuttal that I have seen before: “Well, to me it’s more important that the software is free than that it is perfect”; it’s a valid point for you. And I’m definitely not going to tell you “use that proprietary software, it’s better!”.

On the other hand, if you wish to force (sorry, suggest) other people to use Free Software, you should learn that most of the users out there care first about getting their work done, and only then about whether the software is free or not. Those who use computers for any kind of job not directly involved with development will use whatever tool allows them to get paid at the end of the month (and somebody compares that to torture and war? oh my…); those who use a computer just for entertainment will care even less about what they are using, since they don’t even expect reliability out of it (mostly because of Microsoft’s past operating systems, I guess).

Guess who’s really widening free software’s reach? Advocates who have lost contact with reality and with the masses of users out there? Or me and the rest of the pragmatic guys who work hard every day to create more and better free software?

*Note: I have already said it before but I want to make it explicit once again (with the “right tone” for the issue). I know that a lot of developers out there don’t give a f♥♥k about “widening free software’s reach” and would most likely prefer that “the masses of users out there” stayed the f♥♥k away from them. To them I’m not really saying anything: they are free to do whatever they prefer. I’m simply upset by those who declare themselves “advocates” or “evangelists” and then behave that way.*

Some notes about Google Wave

I’m still not sure about the whole hype around Google’s new service, Wave. Thanks to Jürgen, I got an invite as well and I’ve been fiddling with it from time to time… I’m not saying it’s useless, but I don’t think it’s terribly useful either.

What I think Google managed to do here was a lot of pre-hype for something that, in general, is once again mediocre (and the code definitely was: in the first days I tried it out, the “something went wrong, please refresh” message was extremely common). And again the whole “invite frenzy” is working very well for them. The idea that it’s something that only a “limited set” of people can look at makes the product much more desirable than it would be if it were simply accessible to anybody.

And to be honest, every time I read about people “stealing invites” and tricking others into getting into the preview, I start to worry about the destiny of humanity as a species. At least, I have yet to see a literal telephone sanitizer around, although I’m not entirely positive that this will remain the case in the future. Again, don’t get me wrong, I was curious about Wave as well, given how much I read about it, also on twitter/identica from other FLOSS developers, but at the same time I wasn’t really going to jump through hoops to find out how relevant it was.

So, the first note I have to make is that the interface really seems designed in the style of those web applications that try to replace the standard desktop, with widgets that behave like standard windows and so on. I don’t really like that idea because I still think that a standard desktop is very useful (I’m a bit worried about Gnome Shell as well, to be honest); I don’t make much use of Apple’s Dashboard, nor do I use stuff like iGoogle, or the widget support in my Bravia LCD TV. But I guess this might actually be Google’s strategy for their Chrome OS thing.

Behind all the hype around it, I define Wave (to Luca’s laughs) as being to mailing lists what IM is to email: never going to replace them, but sometimes easier to deal with. It’s probably a good thing of sorts, given that we’re still using IRC as the main many-to-many communication channel… and that’s definitely not something I like (for the multitude of shortcomings of the IRC protocol). On the other hand, I find it quite crippled by the fact that there is no way to define groups, or lists, of contacts (it’d be nice to have them, because then I could just “send a wave” to the Gentoo developers in there to ask for some help or plan something out, and so on); a strange thing to lack, given that both Facebook and Twitter seem to have taken pride in implementing such lists in the months that passed between the Wave announcement and the actual opening of the public beta.

One interesting thing: while Google implemented a new address scheme (@googlewave.com), which sounds quite pointless to me (one thing I liked about Google Talk is that it allowed me to use the same address for email, Jabber and MSN alike), it adds Google Talk contacts to the Google Wave contact list by default as they register. I guess this can be considered a minimal amount of feature sharing (the same contact handling applies to Google Reader subscribers). But what I definitely liked about all that is the way it handles contacts’ names.

For those who actually set up a proper name in their Google profile, Google Wave uses the first name for display by default (so you’d probably find me as Diego Elio, or Diego, I’m not sure); though, when there is more than one contact with the same first name, it displays the start of the surname as well (so I have Jason S and Jason A in my contacts right now). Some other software should probably learn from that. And that means both open source and proprietary software.
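The rule described above generalises naturally: show the first name alone, and when several contacts share a first name, extend the surname prefix until every display name is distinct. The following Python is added here as an illustration and is not Google’s or Wave’s code; the sample contacts are constructed, and the rule of growing the prefix one character at a time (falling back to the full name when the surnames are identical) is an assumption about how to handle near-identical surnames, which the post does not describe.

```python
"""Disambiguate contact display names: first name only, plus the shortest
surname prefix that tells apart contacts sharing a first name.

Added example for this post, not Google's or Wave's code. The
one-character-at-a-time prefix extension and the fallback for identical
surnames are assumptions; the post only describes the one-letter case.
"""
from collections import defaultdict

# Constructed sample data; the surnames are invented for the example.
SAMPLE_CONTACTS = [
    ("Diego Elio", "Rossi"),
    ("Jason", "Smith"),
    ("Jason", "Adams"),
    ("Luca", "Bianchi"),
]


def display_names(contacts):
    """Return a list of display names aligned with the input order.

    contacts: iterable of (first_name, surname) pairs.
    A first name that is unique is shown on its own; otherwise each
    contact sharing it gets the shortest surname prefix that makes the
    group distinct (e.g. "Jason S" / "Jason A", or "Jason Sm" / "Jason St").
    """
    contacts = list(contacts)
    by_first = defaultdict(list)
    for idx, (first, _last) in enumerate(contacts):
        by_first[first].append(idx)

    out = [None] * len(contacts)
    for first, idxs in by_first.items():
        if len(idxs) == 1:
            out[idxs[0]] = first
            continue

        lasts = [contacts[i][1] for i in idxs]
        longest = max(len(last) for last in lasts)
        # Default to the whole surname; identical surnames cannot be
        # separated by any prefix, so that is the best we can do.
        width = longest
        for k in range(1, longest + 1):
            prefixes = [last[:k] for last in lasts]
            if len(set(prefixes)) == len(prefixes):
                width = k
                break

        for i in idxs:
            # rstrip() covers a contact with an empty surname.
            out[i] = f"{first} {contacts[i][1][:width]}".rstrip()
    return out


if __name__ == "__main__":
    for (first, last), shown in zip(SAMPLE_CONTACTS, display_names(SAMPLE_CONTACTS)):
        print(f"{first} {last:<8} -> {shown}")
```

Running it on the constructed sample prints Diego Elio and Luca unchanged, and Jason S / Jason A for the two Jasons; two Jasons surnamed Smith and Stubbs would instead come out as Jason Sm / Jason St.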

All in all, what I can judge for now is mostly the interface at first glance; while my contact list is starting to fill up, I don’t see anything in there yet that makes it more usable than a standard IM chat… it might have been even less useful if Jabber/GTalk had working multi-user chats, akin to MSN’s or Skype’s (don’t get me started on the “usability” of Jabber rooms). The fact that it needs the page to stay open (and the fact that the JavaScript in it seems to slow Firefox down noticeably; I guess that’s their main reason to push for Chrome at this point, or, the other way around, Wave is their way to push for Chrome) really makes the whole thing a lot less useful on the whole; even just adding a bot to GTalk to tell you when waves got updated would have been much more useful.

And finally, just one little, tiny note for Google: why on earth can’t you seem to settle on a single interface style across different applications? Google Reader and Gmail already have different interfaces; Wave has a drastically different one as well; Google Code even has the navigation bar on the right (when all the rest have it on the left). The two services with the most similar interface seem to be Gmail and Google Calendar, but there are quite a few subtle differences between the two… and that anyway only applies to the default Gmail theme.

I’m tired of “Free Software Fundamentalists”

This article was originally posted on Boycott Boycott Novell. Since the site is now gone, I reposted it here.

You might know I’m a hybrid kind of guy: I run Free Software as much as I can, but if I have to run proprietary software to have something that works, and that pays the bills, I will. Lately, I’m getting more and more irked by the “Free Software Fundamentalists” who preach that no proprietary software has the right to exist any longer.

Now, as I said, I run Free Software as much as I can, and whenever I have the chance I contribute to other Free Software projects to improve the situation and make better implementations of the stuff I care about feasible. Unfortunately, a lot of the people who preach don’t even try to do that, and only despise any proprietary software, whether it’s really worse than the Free alternative or not.

I don’t like this kind of people; they are detrimental to Free Software as a whole: accepting that software that is, objectively, mediocre has to be preferred just because it’s Free means condemning users to mediocre software. Developers should stay open-minded and look at the proprietary alternatives as well; not to be discouraged, but rather to learn, adapt, and improve upon them.

So when I hear that “Ogg is perfect”, my mind quickly moves to Matroska, a container format that, in my opinion, is definitely superior to any other, but has little support out there because “Ogg is enough”. The same goes for FLAC and WavPack.

You know, if you really care about the users, and not just about your ego, you’d be looking forward to the challenge, and build upon any new technology, whoever is offering it to you, as long as it satisfies the strict requirements.

And of course, RMS is at the centre of this kind of fundamentalism… I’m pretty sure that when he started, he really cared about the users; this can be seen in the sheer amount of work he’s done, and I am (as many others are) glad he did it, we owe him respect for that; but as time passed, he probably took his role as a “priest” way too seriously, and it seems like many people now insist on an RMS-ego-stroke tax on every Free Software user.

But it’s not just Stallman who tends to have ego-stroke moments, mind you. Miguel (de Icaza) has had his moments too (funnily enough, a Slashdot article is linking to a post of mine in an attempt to label Miguel a troll… I was just saying that he should mind his irony, he’s not alone in that); and so does Theo de Raadt of OpenBSD fame, even more so.

Let’s face it: I know of no developer who does free software development exclusively for the users; some do it for the money, others for the fame, a lot for the ego stroke… I fall partly into all these categories (although I’m not really paid for most of this work), since I like the feeling of “having the power” to make something. It’s a nice plus that I also help others, but it’s not really my only motivation.

To quote Bill Maher “We’ve got to worship principles, not people.”