simon – Page 21 – Simon Lyall's Blog

Linux.conf.au 2017 – Thursday – Session 2

Content as a driver of change: then and now – Lana Brindley

Humans have always told stories
Cave Drawings
- Australian Indigenous art is the oldest continuous art in the world
- Stories of extinct mega-fauna
- Stories of morals but sometimes also funny
Early Written Manuals
- We remember the Eureka
Religious Leaders
- Gutenburg
- Bible was only redistributed book, restricted to clergy
Fairy Tales
- Charles Perrault versions.
- Brother Grim
- Cautionary tales for adults
- Very gruesome in the originals and many versions
- Easiest and entertaining way for illiterate people to share moral stories
Master and Apprentice
- Cheap Labour and Learn a Trade
Journals and Letters
- In the early 19th century letter writing started happoning
- Recipe Books

Recently
Paper Manuals
- Traditionally the proper method for technical docs
Whitepapers
- Printed version will probably go away
- Digital form may live on
Training Courses
- Face to face training has it’s benifits
- Online is where techical stuff is moving
Online Books
- Online version of a printed book
- Designed to be read from beginning to end, TOC, glossary, etc

Today
MOOCS
- Quite common
Data Typing (DITA)
- Break down the content into logical pices
- Store in a database
- Mix on the fly
- Doing this sort of the since 1960s and 1970s
Single Sourcing
- Walked away from old idea of telling a story
- Look at how people consumed and learnt difficult concepts
- Deliver the same content many ways (beginner user, advanced, reference)
- Chunks of information we can deliver however we like
User-Side Content Curation
- Organised like a wikipedia article
- Imagine a side listing lots of cars for sale, the filters curate the content
What comes next?
- Large datasets and let people filter
- Power going from producers to consumers
- Consumers want to filter themselves, not leave the producers to do this
References and further reading for talk

I am your user. Why do you hate me? Donna Benjamin

Free and open source software suffers from poor usability
We’ve struggled with open source software, heard devs talk about users with contempt
We define users by what they can’t do
How do I hate thee let I count the ways
- Why were we being made to feel stupid when we used free software
- Software is “made by me for me”, just for brainiac me
- Lots of stories about stupid users. Should we be calling our users stupid?
- We often talk/draw about users as faceless icons
- Take pride in having prickly attitudes
Users
- Whiney, entitled and demanding
- We wouldn’t want some of them as friends
- Not talk about those sort of users
Lets Chat about chat
- Slack – used by OS projects, not the freest, propritory
- Better in many ways less friction, in many ways
Steep Learning curves
- How long to get to the level of (a) Stop hating it? (b) Are Kicking ass
- How do we get people over that level as quickly as possible
- They don’t want to be badass at using your tool. They want you to be badass at what using your tool allows them to do
- Badass: Making Users Awesome – Kathy Sierra
Perfect is the enemy of the good
Understand who your users are; see them as people like your friends and colleagues; not faceless icons

Linux.conf.au 2017 – Thursday – Session 1

The Vulkan Graphics API, what it means for Linux – David Airlie

What is Vulkan
- Not OpenGL++
- From Scratch, Low Level, Open Graphics API
- Stack
  - Loader (Mostly just picks the driver)
  - Layers (sometimes optional) – Seperate from the drivers.
    - Validation
    - Application Bug fixing
    - Tracing
    - Default GPU selection
  - Drivers (ICDs)
- Open Source test Suite. ( “throw it over the wall Open Source”)
Why a new 3D API
- OpenGL is old, from 1992
- OpenGL Design based on 1992 hardware model
- State machine has grown a lot as hardware has changed
- Lots of stuff in it that nobody uses anymore
- Some ideas were not so good in retrospec
  - Single context makes multi-threading hard
  - Sharing context is not reliable
  - Orientated around windows, off-screen rendering is a bolt-on
  - GPU hardware has converged to just 3-5 vendors with similar hardware. Not as much need to hid things
- Vulkan moves a lot of stuff up to the application (or more likely the OS graphics layer like Unity)
- Vulkan gives applications access to the queues if they want them.
- Shading Language – SPIR-V
  - Binary formatted, seperate from Vulkan, also used by OpenGL
  - Write Shaders HSL or GLSL and they get converted to SPIR-V
- Driver Development
  - Almost all Error checking needed since done on the validation layer
  - Simpler to explicitly build command stream and then submit
- Linux Support
  - Closed source Drivers
    - Nvidia
    - AMD (amdgpu-pro) – promised open source “real soon now … a year ago”
  - Open Source
    - Intel Linux (anv) –
      - on release day. 3.5 people over 8 months
      - SPIR -> NIR
      - Vulkan X11/Wayland WSI
      - anv Vulkan <– Core driver, not sharable
      - NIR -> i965 gen
      - ISL Library (image layout/tiling)
    - radv (for AMD GPUs)
      - Dave has been working on it since early July 2016 with one other guy
      - End of September Doom worked.
      - One Benchmark faster than AMD Driver
      - Valve hired someone to work on the driver.
      - Similar model to Intel anv driver.
      - Works on the few Vulkan games, working on SteamVR

Building reliable Ceph clusters – Lars Marowsky-Brée

Ceph
- Storage Project
- Multiple front ends (S3, Swift, Block IO, iSCSI, CephFS)
- Built on RADOS data store
- Software Defined Storage
  - Commodity servers + ceph + OS + Mngt (eg Open Attic)
  - Makes sense at 4+ servers with 10 drives each
  - metadata servce
  - CRUSH algorithm to speread out the data, no centralised table (client goes directly to data)
- Access Methods
  - Use only what you need
  - RADOS Block devices <– most stable
  - S3 (or Swift) via RadosGW <– Mature
  - CephFS <— New and pretty stable , avoid stuff non meta-data intensive
- Introducing Dependability
  - Availability
  - Reliability
    - Duribility
  - Safety
  - Maintainability
- Most outages are caused by Humans
- At Scale everything fails
  - The Distributed systems are still vulnerable to correlated failures (eg same batch of hard drives)
  - Advantages of Heterogeneity – Everything is broken different
  - Homogeneity is non-sustainable
- Failure is inevitable; suffering is optional
  - Prepare for downtime
  - Test if system meets your SLA when under load and when degraded and during recovery
- How much available do you need?
  - An extra nine will double your price
A Bag full of suggestions
- Embrace diversity
  - Auto recovery requires a >50% majority
  - 3 suppliers?
  - Mix arch and stuff between racks/pods and geography
  - Maybe you just go with manually added recovery
- Hardware Choices
  - Vendors have reference archetectures
  - Hard to get vendors to mix, they don’t like that and fewer docs.
  - Hardware certification reduces the risk
  - Small variations can have huge impact
    - Customer bought network card and switch one up from the ref architecture. 6 months of problems till firmware bug fixed.
- How many monitors do I need?
  - Not performance critcal
  - 3 is usually enough as long as well distributed
  - Big envs maybe 5 or 7
  - Don’t coverge (VMs) these with other types of nodes
- Storage
  - Avoid Desktop Disks and SSDs
- Storage Node sizing
  - A single node should not be more than 10% of your capacity
  - You need space capacity at least as big as a single node (to recover after fail)
- Durability
  - Erasure Encode more durabily and high percentage of disk used
  - But recovery a lot slower, high overhead, etc
  - Different strokes for different pools
- Network cards, different types, cross connect, use last years cards
- Gateways: tests okay under failure
- Config drift: Use config mngt (puppet etc)
- Monioring
  - Perf as system ages
  - SSD degradation
- Updates
  - Latest software is always the best
  - Usually good to update
  - Can do rolling upgrades
  - But still test a little on a staging server first
  - Always test on your system
    - Don’t trust metrics from vendors
    - Test updates
    - test your processes
    - Use OS to avoid vendor lock in
- Disaster will strike
  - Have backups and test them and recoveries
- Avoid Complexity
  - Be aggressive in what you test
  - Be commiserative in what you deploy only what you need
- Q: Minimum size?
- A: Not if you can fit on a single server

Linux.conf.au 2017 – Thursday Keynote – Nadia Eghbal

Consider the Maintainer

Is it alright to compromise or even deliberately ignore the happiness of maintainers so that we can enjoy free software?
Huge growth in usage and downloads of Open Source software
2/3s of popular open source projects on github are maintained by one of two people
Why so few?
- Style has changed, lots of smaller projects
- Being a maintainer isn’t glamorous of fun most of the time
- 1% are creating the content that 99% of people consume
“Rapid evolution [..] poses the risk of introducing errors faster than people can fix them”
Consumption scales for most thing, not for open source because it creates more work for the maintainer
“~80% of contributors on github don’t know how to solve a merge conflict”
People see themselves as users of OS software, not potential maintainers – examples of rants by users against maintainers and the software
“Need maintainers, not contributors”
“Helping people over their first pull request, not helping them triage issues”
Why are we not talking about this?
Lets take a trip back in History
- Originally Stallman said Free software was about freedom, not popularity. eg “as is” disclaimer of warranty
- Some people create software sometimes.
- Debian Social Contract, 4 freedoms, etc places [OS / Free] software and users first, maintainers often not mentioned.
- Orientated around the user not the producer
Four Freedoms of OS producers
- Decide to participate
- Say no to contributions or requests
- Define the priorities and policies of the project
- Step down or move on
Other Issues maintainers need help with
- Community best practices
- Project analytics
- Tools and bots for maintainers (especially for human coordination)
- Conveying support status ( for contributors, not just user support )
- Finding funding
People have talked about this before, mostly they concentrated on a few big projects like Linux or Apache (and not much written since 2005)
- Doesn’t reflect the ecosystem today, thousands of small projects, github, social media, etc
- Open source today is not what open source was 20 years ago
Q&A
- Q: What do you see as responsibly and potential for orgs like Github?
- A: Joined github to help with this. Hopes that github can help with tools.
- Q: How can we get metrics on real projects, no just plaything on github
- A: People are using stars on github, which is useless. One idea is to look at dependencies. libraries.io is looking. Hope for better metrics.
- Q: Is it all agile programmings fault?
- A: Possibly, people this days are learning to code but average level is lower and they don’t know what is under the hood. Pretty good in general but. “Under the hood it is not just a hammer, it is a human being”
- Q: Your background is in funding, how does transiticion work when a project or some people on it start getting money?
- A: It is complicated, need some guidelines. Some projects have made it work well ( “jsmobile” I think she said ). Need best practice and to keep things transparent
- Q: How to we get out to the public (even programmers/tech people at tech companies) what OS is really like these days?
- A: Example of Rust. Maybe some outreach and general material
- Q: Is Patreon or other crowd-funding a good way to fund projects?
- A: Needs a good target, requires a huge following which is hard to people who are not good at marketing. Better for one-time vs recurring. Hard to decide exactly what money should be used for

Linux.conf.au 2017 – Wednesday – Session 3

Handle Conflict, Like a Boss! – Deb Nicholson

Conflict is natural
“When they had no outfit for their conflict they turned into Reavers and ate people and stuff”
People get caught up in their area not the overall goal for their organisation
People associate with a role, don’t like when it gets changed or eliminated
Need to go deep, people don’t actually tell you the problem straight away
If things get too bad, then go to another project
Identify the causes of conflict
3 Styles of handling conflict
- Avoidance
  - Can let things fester
  - They come across as unconnected
  - Looks like support for the status quo
- Accommodation
  - Compromise on everything
  - Looks like not taking seriously
- Assertion
  - Going to wear down everyone else
  - People won’t tell you when things are wrong
Going a little deeper
- People don’t understand history (and why things are weird)
  - go to historical motivations and get buy-in for the strategy that reflects the new reality
- People are acting to motivations you don’t see
  - Ask about the other persons motivations
- Fear (often of change)
  - “What is the worse that could happen?”
- Right Place, wrong time
  - Stuff is going to the wrong person or group
- Help everyone get perspective
  - Don’t do the same forum, method, people all the time if it always has conflict.
What do you do with the Info
- Put yourself in other persons shoes
- Find alignment
- A Word about who is doing this conflict resolution
  - Shouldn’t be just a single person/role
  - Or only women
  - Should be everyone/anyone
  - But if it is within a big or then maybe hire someone
Planning for future conflicts
- Assuming the best
- No ad hominem (hard to go back)
Conflict resolution between groups
- What could we accomplish if we worked together
- Doesn’t look good to outsiders
- More Face-to-Face between projects (towards a common goal)

Open Compute Project Down Under – Andrew Ruthven

What is Open Compute
- Vanity free Computing ( remove pretty bits )
- Stripped Down – we don’t need, no video, minimum extra posts)
- Efficient and easy
  - Maintenance, Air flow, Electricity
- Came out of Facebook, now a foundation
- 1/10th the number of techs/server
Projects and Technologies
- 9 main areas, over 4000 people working on it.
- Design and Specs
Recent Hardware
- Some comes in 19″ racks
- HPE, Microsoft Project Olympus
In Aus / NZ
- Telstra – 2 rack of OCP Decathleon, Open Networking using Hyper Scalers
- Rackspace
- Large Gaming site
- Catalyst IT
Why OCP for Catalyst
- Very Open source software orientated company
- Have a Cloud Operation
- Looking at for a while
- Finally ordered first unit in 2016 (Winterfell)
- Cumulus Linux switches from Penguin computing, works of 12volt in Open Rack
Issues for Aus / Nz
- Very small scale, sometimes to small for vendors
- Supply chain hard, ended up using an existing integrator
- Hyper Scalers in Aus, will ship to NZ
- Number of comapnies seee to NZ
Lessons
- Scale is an issue for failures aswell as supply
- Have >1 power shelf
- Have at least 2 racks with 4 power sheleves
- Too small for vendors to get certification
- Trust in new hardware
Your Own deployment
- Green field DC
  - Use DC Designs
  - Allow for 48U racks (2.5 metres tall)
  - 2x or 4x 3-phase circuits per rack
- Existing DCs
  - Consider modifications
  - 19″ servers options
  - 48OU Open rack if you have enough height
  - 22OU is you don’t have enough height
  - Carefully check the specs
- Open Networking
  - Run collectd etc directly on your switch
- Supply Chain
- Community Support
  - OCP has a Aus/NZ Mailing list (ocp-anz)
  - Discussion on what is a priority across Aus and NZ

Linux.conf.au 2017 – Wednesday – Session 2

400,000 ephemeral containers: testing entire ecosystems with Docker – Daniel Axtens

A pretty interesting talk. It was largely a demo so I didn’t grab many notes

Community Building Beyond the Black Stump – Josh Simmons

How to build communities when you don’t live in a big city
Whats in a meetup?
Santa Rosa County, north of San Franscisco
- Not easy to get to SF
- SF meetups not always relevant
After meeting with one other person, created “North Bay web Professionals”, minimal existing groups
Multidisciplinary community worked better
- Designers, Marketers, Web Devs, writers, etc
- Hired each other
- Seemed to work better, fewer toxic dynamics
- Safe space for beginners
23 People at first event (worked hard to tell people)
- Told everyone that we knew even if not interested
- Contacted the competitors
- Contacting firms, schools
- Co-working spaces (formal of de-facto like cafes)
- Other meetup groups, even in unrelated areas.
Adapting to the needs of the community
- You might have a vision
- But you must adapt to who turns up and what they want/need
First meeting
- Asked people to bring food
- Fluffy start time so could greet people and mingle
- Went round room and got people to introduce themselves
  - Intro ended up being a thing they always did
  - Helped people remember names
  - Got everyone to say a little
  - put people in a social mindset
- Framework for events decided
- Decided on next meeting date, some prep
- Ended up going late
  - Format became. Social -> talk -> Social on each night.
Tools
- Used facebook and meetup
- 1/3 of people came just from meetup promoting automatically
- Go where people already are
Renamed from “North Bay Web professions” to “North Bay Web and Interactive Media professionals”
“Ask a person, not a search engine”
Hosted over 169 events – Core was the monthly meeting
- Tried to keep the topics a little broad
- Often the talk was narrow but compensated with a broad Q&A afterwards
Thinking of people as “members” not “attendees” , have to work at getting them come back
Also hosted
- Lunches, rotated all around the region so eventually near everywhere, Casual
- Unconfernces
- Topical meetups
- Charity Hackathon, teamed up with students and non-profits to do website for non-profit. Student was an apprentice.
- Hosted Ag+Tech mixers with local farmers groups
- Helped local cities put out tech RFPs
Q: Success measures? A: Survey of member, things like Job referrals, what have learnt

Linux.conf.au 2017 – Wednesday – Session 1

Servo Architecture: Safety and Performance – Jack Moffitt

History
- 1994 Netscape Navigator
- 2002 Mozilla Release
- 2008 multi-core CPU stuff not making firefox faster
- 2016 CPUs now have on-chip GPUs
- Very hard to write multi-threaded C++ to allow mozilla to take advantage of many cores
How to make Servo Faster?
Constellation
- In the past – Monolithic browser engines
  - Single browser engine handling multiple tabs
  - Two processes – Pool Content processes vs Chrome process
    - If one process dies on a page doesn’t take out whole browser
  - Sanboxing lets webpage copies have less privs
- Threads
  - Less overhead than whole processes
  - Thread per page
  - More responsive
  - Sandboxing
  - More robust to failure
- Is this the best we can do?
  - Run Javascript and layout simultaniously
  - Pipeline splitting them up
  - Child pipelines for inner iframes (eg ads)
Constellation
- Rust can fail better
- Most failures stop at thread boundaries
- Still do sandbox and privledges
- Option to still have some tabs in multiple processes
Webrender
- Using the GPU
  - Frees up main CPU
  - Are VERY fast at some stuff
  - Easiest place to start is rendering
- Don’t browsers already use the GPU?
  - Only in a limited way for compositing
- Key ideas
  - Retain mode not immediate mode (put things in optimal order first)
  - Designed to render CSS content (CSS is actually pretty simple)
  - Draw the whole frame every frame (things are fast enough, simpler to not try to optimise)
- Pipeline
  - Chop screen into 256×256 tiles
  - Tile assignment
  - Create a big tree
  - merge and assign render targets
  - create and execute batches
- Text
  - Rasterize on CPU and upload glyth to GPU
  - Paste and shadow usign the GPU
Project Quantum
- Taking technology we made in servo and put it in gecko
Research in progress
- Pathfinder – GPU font rasterizer – Now faster than everything else
- Magic DOM
  - Wins in JS/DOM intergration
  - Fusing reflectors and DOM objects
  - Self hosted JS
- External colaborations: ML, Power Mngt, WebBluetooth, etc
Get involved
- Test nightlies
- Curated bugs for new contributors
- servo.org

In Case of Emergency: Break Glass – BCP, DRP, & Digital Legacy – David Bell

Definitions
- BCP = Business continuity Plan
- A process to prevent and recover from business continuity plans
- BIP = Business interuptions plan
- BRP = Recovery plan
- RPO = Recovery point objective, targetted recovery point (when you last backed up)
- RTO = Recovery time objective
Why?
- Because things will go wrong
- Because things should not go even more wrong
Create your BCP
- Brainstorm
- Identify events that may interrupt, loss access to physical site, loss of staff
- Backups
  - 3 copies
  - 2 different media/formats
  - 1 offsite and online
  - Check how long it will take to download or fetch
- Test
- Who has the Authority
- Communication chains, phone trees, contact details
- Practice Early, Practice often
  - Real-world scenarios
  - Measure, measure, measure
  - Record your results
  - Convert your into an action item
  - Have different people on the tests
- Each Biz Unit or team should have their own BCP
- Recovery can be expensive, make sure you know what your insurance will cover
Breaking the Glass
- Documentation is the Key
- Secure credentials super important
- Shamir secret sharing, need number of people to re-create the share
Digital Legacy
- Do the same for your personal data
- Document
  - Credentials
  - Services
    - What uses them
    - billing arrangments
    - Credentials
  - What are your wishes for the above.
- Talk to your family and friends
- Backups
- Document backups and backup your documentation
- Secret sharing, offer to do the same for your friends
Other / Questions
- Think about 2-Facter devices
- Google and some others companies can setup “Next of Kin” contacts

Linux.conf.au 2017 – Wednesday Keynote – Dan Callahan

Designing for failure: On the decommissioning of Persona

Worked for Mozilla on Persona
Persona did authentication on the web
- You would go to a website
- Type in your email address
- Redirects via login page by your email provider
- You login and redirect back
Started centralised, designed to be uncentralised as it is taken up
Some sites were only offering login via social media
- Some didn’t offer traditional logins for emails or local usernames
- Imposes 3rd party between you and your user.
- Those 3rd parties have their own rules, eg real name requirements
Persona Failed
- Traditional logins now more common
Cave Diving
- Equipment and procedures designed to let you still survive if something fails
- Training review deaths and determines how can be prevented
- “5 rules of accident analysis” for cave diving
Three weeks ago switched off Persona
- Encourage others to share mistakes

Just having a free license is not enough to succeed
Had a built in centralisation point
- Protocol designed so browser could eventually natively implement but initially login.persona.com was using it.
- Relay between provider and website went via Mozilla until browser natively implemented
- No ability to fork the project
Bits rot more quickly online
- Stuff that is online must be continually maintain (especially security)
- Need a way to have software maintained without experts
Complexity Limits agency
- Limits who can run project at all
- Lots of work for those people who can run it
A free license don’t further my feeedom if we can’t run the software

Prolong Your Project’s Life
Bad ideas
- We used popups and people reflexively closed them
- API wasn’t great
Didn’t measure the right thing
- Is persona product or infrastructure?
- Treated like a product, not a good fit
Explicitly define and communicate your scope
- “Solves authentication” or “Authenticate email addresses”
- Broke some sites
- Got used by FireFoxOS which was not a good fit
Ruthlessly oppose complexity
- Tried to do too much mean’t it was overly complex
- Complex hard to maintain and review and grow
- Hard for newbies to join
- If it is complex then it is hard to even test that is is working as expected
- Focus and simplify
- Almost no outside contributors, especially bad when mozilla dropped it.

Plan for Your Projects Failure
“Sometimes that [bus failure] is just a commuter bus that picks up that person and takes them to another job”
If you know you are dead say it
- 3 years after we pulled people off project till officially killed
- Might work for local software but services cost money to run
- Sooner you admit you are dead the sooner people can plan to your departure
Ensure your users can recover without your involvement
- Hard to do when you think your project is going to save the world
- Example firefox sync has a copy of the data locally so even if it dies user will survive
Use standard data formats
- eg OPML for RSS providers
Minimise the harm caused when your project goes away

Linux.conf.au 2017 – Tuesday – Session 3

The Internet of Scary Things – tips to deploy and manage IoT safely Christopher Biggs

What you need to know about the Toaster Apocalypse
Late 2016 brought to prominence when major sites hit by DDOS from compromised devices
Risks present of grabbing images
- Targeted intrusion
- Indiscriminate harvesting of images
- Drive-by pervs
- State actors
Unorthorized control
- Hit traffic lights, doorbells
Takeover of entire devices
- Used for DDOS
- Demanding payment for the owner to get control of them back.
“The firewall doesn’t divide the scary Internet from the safe LAN, the monsters are in the room”

Poor Security
- Mostly just lazyness and bad practices
- Hard for end-users to configure (especially non-techies)
- Similar to how servers and Internet software, PCs were 20 years ago
Low Interop
- Everyone uses own cloud services
- Only just started getting common protocols and stds
Limited Maint
- No support, no updates, no patches
Security is Hard
Laziness
- Threat service is too large
- Telnet is too easy for devs
- Most things don’t need full Linux installs
No incentives
- Owner might not even notice if compromised
- No incentive for vendors to make them better

Examples
- Cameras with telenet open, default passwords (that can not be changed)
- exe to access
- Send UDP to enable a telnet port
- Bad Mobile apps

Selecting a device
- Accept you will get bad ones, will have to return
- Scan your own network, you might not know something is even wifi enabled
- Port scan devices
- Stick with the “Big 3” ramework ( Apple, Google, Amazon )
- Make sure it supports open protocols (indicates serious vendor)
- Check if open source firmward or clients exists
- Check for reviews (especially nagative) or teardowns

Defensive arch
- Put on it’s own network
- Turn off or block uPNP opening firewall holes
- Plan for breaches
  - Firewall rules, rate limited, recheck now and then
- BYO cloud (dont use the vendor cloud)
  - HomeBridge
  - Node-RED (Alexa)
  - Zoneminder, Motion for cameras

Advice for devs
- Apple HomeKit (or at least support for Homebridge for less commercial)
- Amazon Alexa and AWS IoT
  - Protocols open but look nice
- UCF uPnP and SNP profiles
  - Device discovery and self discovery
  - Ref implimentations availabel
- NoApp setup as an alternative
  - Have an API
- Support MQTT
- Long Term support
  - Put copy of docs in device
  - Decide up from what and how long you will support and be up front
- Limit what you put on the device
  - Don’t just ship a Unix PC
  - Take out debug stuff when you ship

Trends
- Standards
  - BITAG
  - Open Connectivity founddation
  - Regulation?
- Google Internet of things
- Apple HomeHit
- Amazon Alexa
  - Worry about privacy
- Open Connectivity Foundation – IoTivity
- Resin.io
  - Open source etc
  - Linux and Docket based
- Consumer IDS – FingBox
Missing
- Network access policy framework shipped
- Initial network authentication
- Vulnerbility alerting
- Patch distribution

Rage Against the Ghost in the Machine – Lilly Ryan

What is a Ghost?
- The split between the mind and the body (dualism)
- The thing that makes you you, seperate to the meat of your body
Privacy
- Privacy for information not physcial
- The mind has been a private place
- eg “you might have thought about robbing a bank”
- The thoughts we express are what what is public.
- Always been private since we never had technology to get in there
- Companies and governments can look into your mind via things like your google queries
- We can emulate the inner person not just the outer expression
How to Summon a Ghost
- Digital re-creation of a person by a bot or another machine
- Take information that post online
- Likes on facebook, length of time between clicks
Ecto-meta-data
- Take meta data and create something like you that interacts
The Smartphone
- Collects meta-data that doesn’t get posted publicly
- deleted documents
- editing of stuff
- search history
- patten of jumping between apps
The Public meta-data that you don’t explicitly publish
- Future could emulate you sum of oyu public bahavour
What do we do with a ghost?
- Create chatbots or online profiles that emulate a person
- Talk to a Ghost of yourself
- Put a Ghost to work. They 3rd party owns the data
- Customer service bot, PA
- Chris Helmsworth could be your PA
- Money will go to facebook or Google
Less legal stuff
- Information can leak from big companies
How to Banish a Ghost
- Option to donating to the future
- currently no regulation or code of conduct
- Restrict data you send out
  - Don’t use the Internet
  - Be anonymous
  - Hard to do when cookies match you across many sites
    - You can install cookie blocker
- Which networks you connect to
  - eg list of Wifi networks match you with places and people
  - Mobile network streams location data
  - location data reveals not just where you go but what stores, houses or people you are near
  - Turn off wifi, bluetooth or data when you are not using. Use VPNs
- Law
  - Lobby and push politicians
  - Push back on comapnies
- For technologiest
  - Collect the minimum, not the maximum

FreeIPA project update (turbo talk) – Fraser Tweedale

Central Identity manager
Ldap + Kerberos, CA, DNS, admin tools, client. Hooks into AD
NAnage via web or client
Client SSSD. Used by various distros
What is in the next release
- Sub-CAs
- Can require 2FA for important serices
- KDC Proxy
- Network bound encryption. ie Needs to talk to local server to unencrypt a disk
- User Session recording

Politely socially engineering IRL using sneaky magician techniques – Alexander Hogue

Puttign things up your sleeve is actually hard
Minimum viable magic
Miss-direct the eyes
Eyes only move in a straight line
Exploit pattern recognition
Exploit the spot light
Your attention is a resource

Linux.conf.au 2017 – Tuesday – Session 2

Stephen King’s practical advice for tech writers – Rikki Endsley

Example What and Whys
- Blog post, press release, talk to managers, tell devs the process
- 3 types of readers: Lay, Managerial, Experts
Resources:
- Press: The care and Feeding of the Press – Esther Schindler
- Documentation: RTFM? How to write a manual worth reading

“On Writing: A memoir of the craft” by Stephen King

Good writing requires reading
- You need to read what others in your area or topic or competition are writing
Be clear on Expectations
- See examples
- Howto Articles by others
- Writing an Excellent Post-Event Wrap Up report by Leslie Hawthorn
Writing for the Expert Audience
- New Process for acceptance of new modules in Extras – Greg DeKoenigserg (Ansible)
- vs Ansible Extras Modules + You – Robyn Bergeon
  - Defines audience in the intro

Invite the reader in
Opening Line should Invite the reader to begin the story
Put in an explitit outline at the start

Tell a story
That is the object of the exercise
Don’t do other stuff

Leave out the boring parts
Just provides links to the details
But sometimes if people not experts you need to provide more detail

Sample outline
- Intro (invite reader in)
- Brief background
- Share the news (explain solution)
- Conclude (include important dates)

Sample Outline: Technical articles
Include a “get technical” section after the news.
Too much stuff to copy all down, see slides

To edit is divine
Come back and look at it afterwards
Get somebody who will be honest to do this

Write for OpenSource.com
opensource.com/story

Q: How do you deal with skimmers? A: Structure, headers
Q: Pet Peeves? A: Strong intro, People using “very” or “some” , Leaving out import stuff

Linux.conf.au 2017 – Tuesday Session 1

Fishbowl discussion – GPL compliance Karen M. Sandler

Fishbowl format
- 5 seats at front of the room, 4 must be occupied
- If person has something to say they come up and sit in spare chair, then one existing person must sit down.
Topics
- Conflicts of Law
- Mixing licences
- Implied warrenty
- Corporate Procedures and application
- Get knowledge of free licences into the law school curriculum
“Being the Open Source guy at Oracle has always been fun”
“Our large company has spent 2000 hours with a young company trying to fix things up because their license is not GPL compliant”
BlackDuck is a commercial company will review your company’s code looking for GPL violations. Some others too
- “Not a perfect magical tool by any sketch”
- Fossology is alternative open tool
- Whole business model around license compliance, mixed in with security
- Some of these companies are Kinda Ambulance chasers
- “Don’t let those companies tell you how to tun your business”
- “Compliance industry complex” , “Compliance racket”
At my employer with have a tool that just greps for a “GPL” license in code, better than nothing.
Lots of fear in this area over Open-source compliance lawsuits
- Disagreements in community if this should be a good idea
- More, Less, None?
- “As a Lawyer I think there should definitely be more lawsuits”
- “A lot of large organisations will ignore anything less than [a lawsuit] “
- “Even today I deal with organisations who reference the SCO period and fear widespread lawsuits”
Have Lawsuits chilled adoption?
- Yes
- Chilled adoption of free software vs GPL software
- “Android has a policy of no GPL in userspace” , “they would replace the kernel if they could”
- “Busybox lawsuits were used as a club to get specs so the kernel devs could create drivers” , this is not really applicable outside the kernel
- “My goal in doing enforcement was to ensure somebody with a busybox device could compile it”
- “Lawyers hate any license that prevents them getting future work”
- “The amount of GPL violations skyrocketed with embedded devices shipping with Linux and GPL software”
People are working on a freer (eg “Not GPL”) embeded stack to replace Android userspace: Toybox, Toolbox, No kernel replacement yet.
Employees and Compliance
- Large company helping out with charities systems unable to put AGPL software from that company on their laptops
- “Contributing software upstream makes you look good and makes your company look good” , Encourages others and you can use their contributions
- Work you do on your volunteer days at company do not fill under software assignment policy etc, but they still can’t install random stuff on their machines.
Website’s often are not GPL compliance, heavy restrictions, users giving up their licenses.
“Send your lawyers a video of another person in a suit talking about that topic”

U 2 can U2F Rob N ★

Existing devices are not terribly but better than nothing, usability sucks
Universal Two-Factor
- Open Standard by FIDO alliance
- USB, NFC, Bluetooth
- Multiple server and host implimentations
- One device multi-sites
- Cloning protection
Interesting Examples
- U2F Zero – u2fzero.com
- Tomu – tomu.in – Not 100% there yet
User experience: Login, press the button twice.
Under the hood a lot more complicated
- Challenge from site, send must sign challenge (including website url to prevent phishing site proxying)
- Multiple keypairs for each website on device
- Has a login counter on the device included in signature, so server can panic then counter gets out of sync from a cloned device
Attestation Certificate
- Shared across model or production batch
Browserland
- Javascript
- Chrome-based support are good
- Firefox via extension (Native “real soon now”)
- Mobile works on Android + Chrome + Google Authenticator