Summary: Skills involving BSD, GNU, and other toolsets deserve coverage (at least by name) in the context of Free/Open Source software
THERE was recently a lot of coverage about jobs in Free/Open Source software (FOSS) and days or weeks later the Linux Foundation weighed in with its press release  about a study it had funded to frame this as a “Linux” boom. The Linux Foundation is run and managed by branding experts like Zemlin (they don't always do branding right) and marketing people, so this should not be shocking. The only problem is, they rewrite history to make it look as though only Linux counts (the big lie which gives the Linux Foundation power at the expense of camps like GNU/FSF). I am not an opponent of the Linux Foundation; I am a big fan of Linux, but I also care about accuracy and truth in reporting — something which the marketing community is unable, by definition, to care about.
Looking at the sort of headlines generated by the Linux Foundation’s latest marketing drive (e.g. 2-8]), it’s all about “Linux” but not about the rest of the stack (FOSS). The Linux Foundation is not the only entity which does this by the way. But what they call “Linux skills” often means command-line skills and basically familiarity with GNU utilities, not Linux (the kernel does not have many utilities of interest). Some tools, like OpenSSH, are from BSD. If we mislead the public by collectively referring to all those small programs as “Linux”, then we not only do a disservice to other projects but we also reinforce the philosophy of Linux, which does not stress or insist so much on freedom.
To give example of better actions from the Linux Foundation (as of late), it shared a story about a Pennsylvania high school adopting GNU/Linux and it generated some good headlines . Its marketing staff issued a somewhat provocative, stereotypes-reinforcing (connoting Linux with scarce social/love life) Valentine’s post , not to mention today’s Facebook promotion  (people have openly complained about the Linux Foundation’s support for surveillance like Facebook for years). On the other hand, the Linux Foundation sets up new conferences that are named only after the kernel  (even when the conferences cover things beyond it ), which is another matter worth mentioning.
Ultimately, it would be fair to stress, not only the Linux Foundation calls/labels “Linux” a much broader system, exploiting a common misunderstanding/misconception. The Linux Professional Institute (LPI) too is doing that . It often teaches GNU, but students are led to believe that it’s all “Linux”. We can do better than that. █
Related/contextual items from the news:
With hiring managers beefing up their plans to bring aboard talent with Linux skills over the next six months, a bright future awaits those professionals who know Linux.
Tech recruitment firm Dice and The Linux Foundation have released the 2014 edition of the Linux Jobs Report. The two found that the growing demand for Linux talent is “driving salaries for Linux above industry norms.”
Today in Open Source: Download the free 2014 Linux Jobs Report.
Penn Manor High School in Lancaster, Pennsylvania will embrace the open source Linux platform, installing it on more than 1,700 laptops. Every student at Penn Manor HS received an Acer TravelMate laptop powered by the Ubuntu 13.10 OS – and the student body was encouraged to explore the OS and push its limits.
How does the penguin community celebrate February 14 every year? Is it with a box of chocolates? Maybe if it’s sitting next to our keyboards alongside multiple coffee mugs. What about little Necco Sweethearts? Those “luv you” messages seem a little too general to fully express the amorous thoughts of those with Linux already seeded deep in their hearts.
After trying to conceal its Facebook posts from the world for nearly a decade, Linux’s Look Back Facebook video leaked today.
The Linux Professional Institute (LPI), the world’s premier Linux certification organisation, announced that Master Affiliate for the Western Balkans Region LPI-Greece recently appointed CACTTUS as LPI Sub-Affiliate for Kosovo, a company which has a strong experience in the market of Kosovo in technology and trainings.
Send this to a friend
Photo by Alex Dawson, 2002
Summary: Cult of Personalities takes over the news again — news which, if anything, proves Stallman’s points to be valid
EARLIER this week Nvidia made an important announcement  that was picked up by the press [2-8]. Nvidia shows some signs of changing, conceding its purely proprietary culture. Finally there is a response with actions, not just words. Interestingly enough, a little message from Torvalds in Google+ almost generated more headlines than the original news [9-11] (a lot of the aforementioned links overemphasise Torvalds), especially because he previously gave Nvidia the finger (as in, “up your rectum”). Imagine what the reaction would be if Stallman had done that. When Torvalds does provocative stuff in order to attract attention then it’s portrayed as “cool” or “funny”, whereas the father of GNU gets smacked down if he even dares to try. The person who all along preached in favour of source code freedom is Stallman, not Torvalds, who had also created Linux as a proprietary kernel at first (so basically the same as Nvidia). █
Related/contextual items from the news:
This Tegra K1 Nouveau support is still proof-of-concept but it is a sign that Nvidia is getting more open saucy having committed to better open source graphics support in September.
Chip maker NVIDIA has a long history of making sure there are Linux drivers for its graphics cards. But they’re usually closed-source drivers which means they’re not easy for OS developers and open source enthusiasts to work with. Linux founder Linus Torvalds was not amused by this approach.
“This time I’m raising a thumb for Nvidia. Good times,”Torvalds said Sunday night on Google+, a strong contrast to a June 2012 speech in which Torvalds instead offered Nvidia a middle finger for its non-cooperation. Nvidia has preferred to offer proprietary binary drivers to let operating systems use its graphics chips, not open-source software that others can adapt, modify, and debug.
Send this to a friend
Unable to cover up the deeds
Summary: Microsoft’s partner Tuxera is claimed to be violating the GPL, adding insult to injury (helping Microsoft make money from Linux shakedowns, using code that was illegally copied)
LAST year we campaigned with great success for Samsung to obey (i.e. comply with) the GPL after it had gotten caught violating it [1, 2. 3], specifically when it served Microsoft with patent traps (exFAT). Samsung’s GPL violations go years back and they show that this company, which has just liaised with Google on patents (Google too is becoming patents-greedy), is no friend of FOSS. Samsung also commits crimes, but that’s beyond the scope of our coverage.
Another company which can easily be confused or mishandled as a FOSS company because it uses Linux (but mostly provides proprietary software with Microsoft patents) is Tuxera. Like Xamarin, all it really does is promote Linux dependence on Microsoft patent traps (the ones that allegedly have Samsung paying Microsoft for Linux). exFAT (promoted by Samsung and Tuxera) as well other forms/variants of FAT are not really needed, we need to abolish them.
The woman who told us about Samsung’s GPL violations contacted us earlier today to say that based on this file (forked to https://github.com/rxrz/asuswrt-merlin just in case), Tuxera is violating the GPL.
As the reporter of this violation put it, “download the blob, run `modinfo` on it:
description: Extended Macintosh Filesystem
author: Brad Boyer
vermagic: 18.104.22.168 mod_unload MIPS32_R2 32BIT
“it’s MIPS32, so `strings` won’t give the function names, rather something like this:
`strings /tmp/thfsplus.ko | grep -i tux`:
<6>Tuxera HFS+ driver 3013.11.18
“Seems like a GPL violation to me,” she concluded. “I’d like to have that source code now, since it’s been based on native code from Linux.” █
Send this to a friend
Can you read the source code in this microchip?
Summary: Why the hype about “accelerated” cryptology (like polygons rendering, but for cryptographic purposes) is a dangerous trap that should be shunned and perpetually avoided
THE QUICKEST and most convenient way to undermine all encryption is to weaken random number generation, e.g. lower the entropy, making keys more predictable and thus easily crackable by supercomputers (or even standard computers). This is effective against everything, including online financial transactions, simply because it cracks the very core components of today’s security: SSL, PGP, etc. My doctoral degree involved a great deal of work with entropy and my daytime job too sometimes involves it, so the subject is not foreign to me. I have been watching the NSA closely for a number of years, and always with great concern and suspicion. Now we know that the NSA compels (and even bribes) US companies to help undermine privacy, if not by direct handover of data (PRISM) then by making encryption too poor, setting up back doors, forcing companies to obey NSL/subpoenas, network wiretapping/DPI, or even a combination of all those things. No need for hypotheses anymore; there’s plenty of hard proof now.
Intel, a cleverly-named criminal company (serving the intelligence community), whose hardware-level random number generator (hidden in silicon) FreeBSD refuses to trust (OpenBSD too is historically very critical of Intel) is no longer the only x86 player seeking to manufacture consent (blind trust) for encryption with no source code, just minuscule circuits of semiconductors. AMD, another US company, is now following suit with ardware-level cryptology (i.e. cryptic algorithms for cryptology, which is a non-starter). This is bad just because AMD is a US company (FreeBSD did not single out the US); any company from any country should not be trusted with this type of task. It’s no better — and it is probably much worse — than proprietary software for one’s security. To quote Michael Larabel’s article about it: “Back in November was when patches first emerged for an AMD Cryptographic Coprocessor on Linux. This co-processor provides hardware encryption and other hashing functionality for the AES crypto API, AES CMAC, XTS-AES, and SHA cryptographic interfaces within the Linux kernel.
“Not much information is publicly known on this AMD Cryptographic Coprocessor but it’s believed to be part of AMD’s embedded ARM Cortex-A5 processor on upcoming server-class Opterons with TrustZone technology.”
“Have we learned nothing at all from Snowden’s explosive leaks?”So, Linux 3.14 will try to offload something so sensitive to proprietary code concealed in silicon. Bad idea. Very bad idea. Sure, it’s Linux, but it does open itself to some blobs (e.g. Microsoft’s hypervisor and more famously drivers for peripheral cards that handle graphics), firmware, and now peripheral, embedded-in-hardware proprietary algorithms. Have we learned nothing at all from Snowden’s explosive leaks? Just look what Microsoft has done (total complicity with the NSA). A new poll at FOSS Force asks: “Do you think Red Hat is cooperating with the NSA by building back doors into RHEL?”
The responses may surprise you. Only 42% say “No”. 28% say “I don’t know” and 30% say “Yes”. This relates to an article that alludes to Techrights. It was read by thousands and has been linked to by numerous news sites. I rarely ever comment in sites where identity cannot be verified (because of fakers), but this one challenged my claims and I had to respond. Here are my three replies:
It is not purely speculative. If you think that it is, then you must not have paid close enough attention.
I have been spending at least 2 hours per day since 2012 reading about the NSA. I knew what Snowden showed even before it was publicly known and I spoke about it with RMS on numerous occasions (he came to the UK to meet Assange and then myself, focusing on mass surveillance).
The truth of the matter just needs a little digging because the corporate press is not helping the general public find it out, just like it knowingly ‘buried’ a captured agent in Iran for several years (this leaked out in November).
Similarly, GNU/Linux sites did a very poor job covering (if at all) what happened in recent months regarding Linux. Let me summarise some facts (without links, as I don’t want to be put in the moderation queue again):
- Torvalds’ father said that the NSA had approached his son regarding back doors.
- Linux had a back door added to it about a decade ago. It got removed quickly afterwards and it wasn’t known who had added it. There was press coverage about it, but it was scarce.
- RSA received a bribe from the NSA to promote security standards with back doors.
- NIST and others had NSA moles and bogus (corrupt) peer review process to help usher in security standards with back doors.
- NSA is a large Red Hat client.
- The NSA sends patches to Red Hat, which in turn sends those for Linus Torvalds to put in Linux.
(the above two are now confirmed to me by Red Hat staff)
- BSD does not trust hardware-level random number generators, suspecting — quite rightly given the NSA’s track record — that it has too low an entropy.
- Several top-level Linux developers found vulnerabilities in Linux random number generation. They quietly (without much press coverage anywhere) addressed the issue (raising the entropy) a few months back. Only the latest kernel release has the fixes applied AFAIK (I don’t know if Greg K-H backported any of it because coverage is too scarce). To lay out the magnitude of this issue, it compromises SSL, PGP, etc. (pretty much everything with encryption, even passwords) not just at client side (desktop, tablet, smartphone) but also the server side (i.e. the Internet). This is huge! But the media hasn’t covered it.
Suffice to say, Red Hat has not done anything to convince me I was wrong. Instead, I notice that Red Hat staff is stalking me in LinkedIn and I see my article cited in several news sites which wrote about the issue in several languages (3 articles in Google News are in Spanish).
If you found holes in the above statements or if you want links attached, please request them and I will provide citations. I wrote about everything before, even years ago (NSA involvement in SLE* and RHEL I covered around 2007 or 2008).
I am frustrated to see people turning against the messenger rather than the message. I see a lot of the same done to Sam Varghese. We are making ourselves more vulnerable by refusing to listen to what seems uncomfortable.
I was thinking along the same lines — that Edward Snowden’s leaks (by the way, they’re not just his anymore, as anonymous people from the NSA reportedly leak more and more documents to be published under his name for their safety) can at some stage show encryption undermined at more levels (hardware level, or even kernel level). We already know that encryption was undermined at RSA and NIST by NSA moles, using bribes too. We also know that Linux (kernel) developers recently revised random number generators, after they had found a weakness.
Several state officials (in 6 state at the very least) now work to stop the NSA locally. Some call for a ban on companies that facilitate the NSA (that would include Red Hat), under the premise that they are complicit in crime. I am not kidding, watch the news this week (I don’t want to paste links here as the last time I did so my comment took half a day to appear).
Lastly, there are numerous E-mails sent from and to Red Hat. These further validated my suspicions.
I saw a lot of personal attacks (trying to discredit me or even remove links to my analyses). I even heard the usual personal attacks against Sam Varghese (which I expected from Red Hat because he dares to do real journalism, i.e. journalism that companies don’t like).
Trusting Red Hat should be based on its record, not emotional leanings and faith.
Don’t get me wrong. I was not offended by you and you oughtn’t be offended by my response. I am used to this type of divisive treatment (people trying to ostracise me) since the days I criticised Novell — only to be proven right throughout and at the very end (Novell gave its patents to Linux foes).
I hope you will wait patiently for more information and assess the facts based on their merit. Don’t rely purely/solely on what you read in OpenSource.com (Red Hat). I saw Novell doing its self-delusional spiel (IP “peace of mind”) and fortunately, at the end, Novell did not find enough fools to sell its lies to.
I have been frank in my analysis of Red Hat (on patents, build process, etc.) and if you want links for particular bits of my claims, just ask. I have a repository of tens of thousands of links I collect while researching. Sometimes people refuse to accept even a well-sourced claim because of cognitive dissonance — something I’ve had a lot of experience with when dealing with Microsoft spinners.
“Journalism is printing what someone else does not want printed: everything else is public relations.”
― George Orwell
Here is my original reply, challenging the counter-arguments:
This article starts with an incorrect assertion that I accuse “Red Hat of being in cahoots with the NSA.”
No, NSA is a big client of Red Hat (this was not just revealed but also confirmed to me by Red Hat staff some days ago, by E-mail) and it was also confirmed that NSA submits patches to Linux through Red Hat (think of NIST and RSA; we don’t even have NSA E-mail address to keep track of). Back doors can also be added outside the scope of source code, during a build process. My job involves dealing with this risk. I don’t think you read an essential earlier post:
This, in turn, links to proof that the NSA did try to put back doors in Linux, as noted by Torvalds the father. See:
Defending Red Hat makes sense, but mischaractering my position is a little unfair. I note that trusting Red Hat is not easy and based on articles I read half a decade ago, NSA was involved in the build process of Windows, OS X, SUSE, and Red Hat (only those 4 were mentioned).
The bottom line is this. Do not have blind trust in Linux. Not even access to source code is enough because the build process needs to be carefully checked and validated; moreover, Linux is joined with some proprietary code and even hardware-level code, so trust is seriously harmed. Now that we know about Red Hat’s relationship with the NSA we should ask ourselves if the NSA is once again trying to put back doors in Linux, or worse, maybe it already did. Letting blobs enter the pipeline helps the NSA achieve (but hide) what it already said it wanted to achieve. █
Send this to a friend