Category: Everything Open

I skipped a couple of talks to do Hallway track and other stuff

Koha – not your average library system by Aleisha Amohia

• Name because software was made open source as a gift to the community
• Started in 1999
• First fully web-based opensource library system
• Bugs and external patches soon after
• Customizable and Configurable
• Used in 18,000+ libraries
• It is just a big database
  • Can be used as not just a library system
  • Can be used to catalog other stuff at organisations other than libraries like documents
• Configurable via CSS, fonts, languages, CMS, feature toggles, etc
• Customisable views for each branch are possible
• Special Beyond the code
  • Offline circulation
  • Supports non-ascii characters
  • Translation capability
• Is it harder to find people to work on stuff since it is writter in perl which is effectively a legacy language? – Has a good onboarding and support for devs and things still work
• What are challengers with it being open source? –
  • People worry about quality of OSS. Fix: Good robust quality procedures
  • Think it is free – Have good support that is worth paying for
  • DB backend – MySQL and MariaDB

The circle of life: The Digital Skills GitBook project by Sara King

• Working on project for last 5 years that is in the process of winding up
• tinyurl.com/5539zzpx <- more information
• Starting early 2019
• 5 years later project is coming to the end of a natural cycle
• Context
  • Group of 60 libraries looking for projects – CAUL Digital Librarians
  • Is there a book that teaches modern not-quite-technical computer skills?
• With Pandemic lockdowns everybody started working from home
• Why Gitbook?
  • “Book” is in the term helped
  • Similar project using github etc
  • CAUL eventually went Pressbooks, but not till later
  • Also qualified for free version
  • Learning git was a useful thing
• Did the community really need this? – Wasn’t checked in detail, but seemed a cool idea
• Happened at start of pandemic
  • Everyone online
  • Supportive community was good at start of pandemic
• Took some courses in git and other tools
• Did a prototype book on another subject to get the hang of the tech
• “Gave ourselves permission to not know what we were doing”
• Created chapters of the books to give outline
  • Each Chapter had 3 levels of knowledge in it. Novice, proficient, advanced
• Went public in late-2021
• Also did code of conduct, license, contributions guidelines
• Told people about it via various methods
• Worked to get people to contribute ad-hoc
• But didn’t get the amount of contributions they were expecting
• In 2023 University libraries having problems, budgets shrinking etc
  • People leaving or too busy
  • Some used experience on the project to get new more technical jobs
• No new people joining to replace those leaving
• 2025 reflecting on the project
• Process and product are different
• We equated enthusiastic about the idea and the process. But didn’t join in or wasn’t super into the product
• Not shared a lot or got many hits
• Goal of training people to create stuff was a big success
• People gained lots of confidence with new tech
• Support of CAUL was great, but no longer availbale
• Next? – If people like the process maybe we should talk about that
• Create a roadmap for other projects
• Hand it over to somebody else? Doesn’t seem to be interest

Skill Trees: Gamifying The Hard Things by Steph Piper

• A list of skills
• Each area has a series of skills that can be colored in.
• Design
  • Hexagons are good
  • Can be done in any order, hard to connect meaningfully
  • Simple, flexable milestones
• Reception
  • First on was 3d printing & modeling
  • Tested on makerspace student staff members. Good to identify gaps
• Benefits
  • Reduce imposter syndrome or on the other size overconfidence
  • Target areas for improvement
• Online on git – https://github.com/sjpiper145/MakerSkillTree
• How to make a skill tree
  • Flexibility, not too cost restrictive, globally applicable
  • Peer reviewed
  • Final skill tree and translation
• Book – The Learning Game by Ana Lorena Fabrega
• Beta testing book of a collection of these skills.
  • Good published through “Make: Magazine”
  • 68 tiles per tree, 1020 skill tiles in the book
• Tips for writing
  • Continue to evolve and improve
  • Do own illustrations was huge time saver from the publisher
  • Confidence in your work. The publisher will only do the final publishing
• Looking to fill the gaps
• Working on a kids version of the book

The Token Wars: Why not everything should be open by Kathy Reid

• The Token Wars
  • A resource conflict fought through technical, social and legal means
• What is a token?
  • An atomic unit of text taken from a larger collection called a corpus
  • text -> subwords tokens -> vectorization
  • Transformer architecture
  • Word embeddings capture semantic closeness of words
• Scaling up to billions of tokens
  • Train the relationships between tokens based on all the text
• The value of tokens and token economics and the actors in the token wars
  • Are the a public good?
  • No the are rivalrous either excludable or non-excludable
  • LLMs in 2024 were trained on 4 orders of magnitude data than 5 years ago.
  • Estimated 60-160 trillion tokens on the public web and some LLMs are trained on close to all of those
  • Synthetic Data especially low quality slop is polluting the Internet
  • Scrapers pick this up and train on it, concern about Model Collapse ( like a photocopy of a photocopy). Reduces the diversity of what it will produce.
• Key actors in the token wars
• Individual content creators
  • Included in corpus without permission
• Platforms with user-generated content
  • Seeking to get paid for their content ( eg Reddit deal with OpenAI )
• Archival Institutions
  • Australian National Film and Sound Archive: Maintain Trust, Transparancy, Create Public Value
• Private Companies
  • Anthropic: Model Context Protocol
• The AI Companies
  • Have used fair-use. Although some countries don’t have those
  • Companies blocking the common crawl
• Governments
  • Having trouble balancing interests
• Token Tactics – Protecting your token treasure
  • Data poisoning
  • Blocking bots and scrapers
• Data Sovereignty
• Futures
  • Hunt for more tokens
  • Better ways to block/prevent
  • Better understanding of the alateral damage of the resource conflicts

The Storage Shift by Steven Ellis

• Storage Data is critical for business
• Requirements are always growing
• Organisations already have existing solutions and relationships
• Three Dimensions of data
• Participants ( dev, ops, product ) all have different requirements and views
• Where did you first store your data?
  • As spinning drives have gotten smaller the capacity has increased
  • Now people have small local storage and storage is not directly attached
• Storage platforms / API driven storage
  • Block vs Files vs Object
• Options for Kubernetes storage.
  • CSI operates on all levels
  • Able to create an destroy storage at kubernetes speed rather than waiting for storage admin (or even cloud storage API)
• Workload Examples
  • Kubevirt and Kubernetes centric but applicable elsewhere
• What about prosumer
  • Be careful with clouds except as backups
  • zfs and btrfs
  • Stephen uses TrueNas
  • 3 copies of all data. RAID isn’t a backup

What happened in production?! Instrumenting with OpenTelemetry by David Bell

• A sample problem
  • Microservice based system
  • What happened in Production?
  • Errors up high, response time went bad
• What about the logs?
  • 200s and then 500s . What does that mean?
• Kept happening at 2pm every day. Sometimes bad, sometimes worse
• O11y and OpenTelemetry
  • Find the internal state of a system just by asking questions
• What about metrics
  • Pre-aggregated, No “connective tissue”, Can’t drill down
  • Answering known questions, good for alarms, graphs and dashboards
  • known-knowns and known-unknowns
• What about Logs?
  • unstructured strings
  • Many logs lines per piece of work. Maybe with a request-id but not often
  • no schema or index So can be quite slow to parse
  • structured logs sometimes work
  • expensive to store yourself or pay to have stored
  • But we should still log – audit logging and security logging
• Tracing is good
  • separate tooling from logs and metrics
  • often limited fields
  • often limited traces to even look at ( just the bad ones)
• OpenTelemetry
  • covers metrics, logs and traces
  • wide language support and auto-instrumentation out of the box
  • Easy to get started
  • wrappers and external hooks
  • distributed tracing
• Otel Traces
  • Traces are Directed Acyclic Graphs ( DAGs) of Spans
  • Spans are sort of structured logs with required firlds
  • Spans contain many attributes
  • Attributes can have high cadinality
  • Spans have high dimensionality
• Otel isn’t for everything
  • Don’t put you secret data
  • Maybe not business logic
  • no guarantee on delivery ( sometimes traces get lost )
  • No for secuity/audit loggin
• Sampling can be useful
  • head-based sampling ( based on head at start )
  • rule-based/tail-based grabs all and keeps some that are interesting
• Setup ( for python ) – no code changes
  • install a couple of packages. One to gather, one to send
  • send in some env variables
  • Change docker run command to wrap your existing code
• Setup (code changes )
  • Import packages
  • Shove attributes into a span in code (see example code in talk)
• Demo of App (using Honeycomb)

Please don’t forget my parents! – Digital Exclusion is happening, so you all better know about it by Sae Ra Germaine

• Various Background Stuff
• Her Parents retired to rural property near outer suburb of Melbourne
• Two phone lines
• Mobile reception only available standing outside of the house
• Wireless point-to-point wireless. Approx 1Mb/s but vulnerable to animals chewing through it
• NBN
  • Originally was going to be Fiber to the premises.
  • Then got cheaper and fiber-to-the-curb or fiber-to-the-node and copper rest of the way
  • Today 98% on NBN but not everybody well connected
  • Parents land line got cut off regular due to errors
  • Then 3G got cut-off. 4G at parents place doesn’t really work
• Digital Divide
  • Everything is now all online ( jobs, doctors, social services )
  • Satellite based Internet a lot more expensive than comparable options in cities
  • During covid lockdowns they were over 5km from various services which was a problem with movement restrictions
• Libraries had to pivot during lockdows
  • wifi hotspots outside, accepting deliveries
  • Mobile libraries provide access to government services
  • Various other stuff on libraries

Open source voice interfaces in 2025 by Kit Biggs

• Big changes in the last 12 months
• AI has zoomed past inflated expectations and is now in the trough of disillusionment
• Where are we with conversation user interfaces
• What are the steps/software needed for this?
• Get the sound
  • Digital microphones are good and do the first rough filtering
• Is somebody actually speaking?
  • xiao_respeaker – example software project
• Wake word recognisers
  • Commercial software work with a “wake word” ( Hey Siri )
  • Used to be hard to do, now easier
• Word recognition just looks for specific words
  • Getting better
• Contentious voice recognition
  • Also better
• Intent recognition
  • Usually hooked in with communication to outside world
• Feedback
  • Speech Synthesis is pretty much a solve problem
• Looking at software you can use. Not cloud based
• Wake Word
  • Picovoice Porcupine ( non commercial or licensed ) . 16 languages
  • OpenWakeWord
    • Great docs
    • Trains on Synthetic speech
    • More than good enough
• Speech to Text
  • OpenAI Whisper was leader
  • Lots of new ones. Look at Moonshine
• Text to Speech
  • Piper is the stand-out, actively developed
  • Others mostly good for english-only
  • Emotional synthesis is getting better
• Hardware
  • Raspberry Pi 4 or 5
    • 5 has ability to plugin an accelerator
  • Rockchip Arm64 with neural coprocessor
  • AI in A Box ( Radxa Rock 5A)
• Voice on a Microcontroller, the time has arrived
• ESP32 processor is the most common option – $10 each
  • Dev board plus microphone maybe for $20 or so
  • Can do the wakeword stuff and then stream audio to something with more spec
• How small can you go?
  • What can you do with a small board just by itself?
  • Speech recognition on micro-controller not there yet but phrase and wake word recognition works
• Glasses display looking almost there
  • Can have microphones
  • Avoid cameras to avoid privacy concerns

Keynote: Sustaining Open Source Software by Justin Warren

Good talk. Advise you have a watch it on Video. Good thoughts on the economics of Open Source

Sandboxing untrusted code with WebAssembly by Katie Bell

• Works for MongoDB. Webscale!
• Untrusted Code
• Example Shopify
  • Supports 3rd party apps
  • What happens when 3rd-party apps goes offline and is used by a lot of stores
  • What if slow and inserts itself into customer flow making experience bad
  • Decided to hosted 3rd party apps in their cloud to provide better reliability
  • Shopify decided to go with webassembly
• Some alternatives for sandboxing
  • Small VM like firecracker – 4MB memory, 125ms startup
  • Docker – Using Shared Kernel still
  • V8 Isolates – Used to isolating processes within a chrome tab. Cloudflare runs many workers in a process, startip 5ms
  • But not fair comparison. Lots of tradeoffs on how secure vs speed vs flexability
• Webassembly
  • Designed to compile big apps to run in a browser (eg photoshop)
  • Is a compile Target – .wasm binary
  • Originally designed to usually be called from javascript ( in browser )
  • Is a tiny simulated computer, very locked down, can’t interact with anything outside. Can just provide and call functions
  • When you build compiler will usually create a javascript wrapper to make it easier to use so you don’t have to call wasm directly.
• WASI
  • An API lets you run webassembly programs as regular programs
  • wasmtime – program to run .wasm directly
  • Keeps things sandboxed but can’t optionally provide with with a very limited set of stuff that must be explicitly provided
• Sandboxing Webassembly in the real world
  • Shopify use this. See their docs and definitions
  • Firefox and Graphite font shaping library
    • Compiled from native code into wasm to ensure memory safety rather than audit or re-write in rust
• Is it secure?
  • Sometimes. But WASI is built with holes intentionally so can have bugs
  • Wasmtime has a lot of work put into sandboxing though
  • Use multiple layers of security
• WASI standard is in progress ( webassembly itself is fairly stable )

80% faster, 70% less memory: building a new high-performance, low-cost Prometheus query engine by Joshua Hesketh, Charles Korn

• Works at Grafana Labs on Mimir database
• Explains time-series database. (Name+Labels)+time+number
• Talk covers the query app which turns promql requests into a result
• Memory used by the old software was bouncing, had to be over-provisioned which wastes money or sends back errror to use if runs out of memory.
• Prometheus Promql engine has little room for extensions
• Problem
  • Prom promql engines loads the entire series into memory before processing it further
  • Fix would require a new new rewrite.
  • Which they did
• MQE engine
  • Loads a bunch of samples and then streams to operator(s). Then repeats a bit at a time
  • Will fallback to Prometheus engine of function is not yet implimented
  • Very efficient on range queries
• He explained memory allocation strategy using pooling. I got a little lost
  • “That was a very oversimplified example”
• query-tee
  • Send queries to two different engines and ensure they return the same result for testing
  • Has test group for data that can run this over as well as live queries. Might to fizzy query testing in future
• Engine is available and can be switched in via command line
  • Does fall-back if things are not implemented
  • Implements the most common queries (above 90% of actual request)

Keynote: Intelligent Interfaces: Challenges and Opportunities by Aaron Quigley

• Eye Tracking of the user
  • DiffDisplays – Eye tracking and when you looked away from a screen it frooze it. When you looked back it gave you a summary/diff of what you missed
  • Bought this down to the widget level, a widget got notification when user looking or away and could decide what to do
• Change Blindness (different from attention blindness)
  • When phone far away simplify phone interface, more detail when closer
  • People don’t see details of displays slowly fading in and out as distance from display changed
• Phone on table, screen up or screen down
  • SpeCam – Facedown screen can have light and detect what it is sitting on. Guess material it is sitting on
  • Accuracy same/better than a proper spectrometer
• MicroCam – Phone placed with screen face up
  • Placement aware computing
• OmniSense
  • 360 Camera
  • Track what the user’s whole body is doing
  • Tracks what is happening all around the user. Danger sensors, context aware output
• BreathIn control. Breath pattern to control phone
  • User camera in a watch potion to detect handle gestures (looking at top/back of hand)
• RotoSwype – Smart ring to do gesture keyboard input
• RadarCat – Radar + Categorization
  • More Socially acceptable that cameras everywhere and always on
  • Used to detect material
  • Complex pattern of reflection and absorption that returns lots of information
  • Trained on 661 feature and 512 bins
  • Radar signal can ever detect different colours. Different dyes interact differently
  • Can detect if people are wearing gloves
  • Application – Scales at self-checkout supermarket to detect what is being weighed
  • Radar in shoe can recognise the surface and layers below (carpet on weed etc)

Passwordless Linux – Passkey and External IdP support in FreeIPA by Fraser Tweedale

• Passwords
  • Users are diligent (weak reuse)
  • Using passwords securely imposes friction and cognitive load
  • Phishable
• Objectives – Reduce password picking risks, phishing, friction,frequency of login
• Alternatives
  • 2FA, Smartcard, Passkeys / WebAuthn, Web SSO Providers
• 2FA
  • HOTP / TOTP etc
  • phishable
• Smart Cards
  • Phishing Resistant
• Passkeys
  • Better versions of MFA Cards
  • Phishing resistant
  • “passkey” term is a little vague
• Web SSO
  • SAML, OAuth2
  • Using an existing account to authenticate
  • Some privacy concern
  • Keycloak, Redhat SSO, Okta, Facebook
  • Great on the web, harder in other context
• What about our workstations?
  • pam has hooks for most of the above (Web SSO less common) or pam_sss does all
• FreeIPA / Red Hat Identity Management
• DEMO

Locknote: Who gets to work in STEM? And who is being left out? by Rae Johnston

• Poor diversity affects the development of AI
• False identification much higher by facial recognition for non-white people
• Feed the AI more data sets?
• Bias might not even be noticed if the developers are not diverse
• Only around 25% of STEM people are Women
• Only 15% of UK scientist came from Working Class backgrounds (35% of the population)
• 11% of Australians don’t have access to affordable Internet or don’t use it.
• The digital divide is narrowing but getting deeper. Increasing harder to function if you are not online
• Male STEM graduates are 1.8x more likely to be in jobs that required the array than women. Mush worse for indigenous people

Lightning Talks

• Creating test networks with Network Namespace
  • ip netns add test-lan
• Rerap Micron
• Haystack Storage System
  • Time-bases key/value store
• AgOpenGPS
  • Self Steering System for Tractors
• Common Network Myths
  • End to end packet loss is the only thing that matters
  • Single broadcast domain is a SPOF, broadcast storms etc
  • Ping and ICMP is your friend. Please allow ping
  • Don’t force 1500 MTU
  • Asymmetric routing is normal
  • non-standard port number doesn’t make you secure
• radio:console for remote radio
• WASM
  • FileSender – Share large datasets over the Internet

Keynote: How Adversaries Use AI by Jana Dekanovska

• Adversary
  • Nation States
  • Ecrime
  • Hactivism
• Trends
  • High Profile Ecrime attacks – Ransomware -> Data extortion
  • Malware-Free Attacks – Phish, Social engineering to get in rather than malware
  • Cloud Consciousness
  • Espionage – Focuses in Eastern Europe and Middle East
  • Vulnerability Exploitation – Not just zero days, Takes while to learn to leverage vuls
  • Cloud Consciousness – Adversary knows they are in the cloud, have to operate in it.
• Generative AI
  • Code Generation
  • Social Engineer – Help people sound like Native Speakers, improve wording
  • Prompt Injection
• Big Four States sponsoring attacks – China, North Korea, Iran, Russia
• North Korea – Often after money
• Russia, Iran – Concentrating on local adversaries
• China
  • 1m personal in Cyber Security
  • Get as much data as possible
• Elections
  • Won’t be hacking into voting systems
  • Will be generating news, stories, content and targeting populations
• Crime Operations
  • GenAI helps efficiency and Speed of attacks
  • Average Breakout time faster from 10h in 2018 to 1h now
  • Members from around the world, at leats one from Australia
  • Using ChatGPT to help out during intrusions to understand what they are seeing
  • Using ChatGPT to generate scripts

Consistent Eventually Replication Database by William Brown

• Sites go down. Lets have multiple sites for our database
• CAP Theorem
• PostgresSQL Database
  • Active Primary + Standby
  • Always Consistent
  • Promote passive to active in event of outage
  • Availability
  • But not partition tolerant
• etcd
  • Nodes elect active node which handles writes. Passive nodes go offline then others are still happy
  • If active node fails then new active node elected and handles writes
  • Not availbale. Since if only one node then it will go to sleep cause it doesn’t know state of other nodes (dead or just unreachable)
• Active Directory
  • If node disconnected then it will just keep serving old data
  • reads and writes always services even if they are out of contact with other nodes
  • Not consistent
• Kanidm
  • identity management database
  • Want availability and partition tolerance
  • Because we want disconnected nodes to still handle reads and writes (eg for branch office that is off internet)
  • Also want to be able to scale very high, single node can’t handle all the writes
• Building and Design
  • Simultaneous writes have to happen on multiple servers, what happens if writes overlap. Changes to same record on different servers
  • ” What would Postgres do? “
  • Have nanosecond timestamps. Apply events nicely in order, only worry about conflicts. Use Lamport Clock (which only goes forward)
  • What happens if the timestamps match?
  • Servers get a uuid, timestamp gets uuid added to it so one server is slightly newer
  • Both servers can go though process in isolation and get the same outputted database content
• Lots more stuff but I got lost
  • Attribute State + CRDT
• Most of your code will be doing weird paths. And they must all be tested.
• Complaint that academic papers are very hard to read. Difficult to translate into code.

Next Generation Authorisation – a developers guide to Cedar by Ricardo Sueiras

• Authorisation is hard
• Ceder
  • DSL around authorisation
  • Policy Language
  • Evaluation and Authorisation Engine
  • Easy to Analise
• Authorisation Language

Managing the Madness of Cloud Logging by Alistair Chapman

• The use case
• All vendors put their logs in weird places and in weird sorts of ways. All differently
• Different defaults for different events
• Inconsistent event formats –
• Changes must be proactive – You have to turn on before you need it
• Configuration isn’t static – VEndor can change around the format with little worning
• Very easy to access the platform APIs from a VM.
• Easy to get on a VM if you have access to the Cloud platform
• Platform Security Tools
  • Has access to all logs and can correlate events
  • Doesn’t work well if you are not 100% using their product. ie Multi-cloud
  • Can cost a lot, requires agents to be deployed
• Integrating with your own SIEM platform
  • Hard to push logs out to external sources sometimes
  • Can get all 3 into splunk, loki, elastic
  • You have to duplicate with the cloud provider has already done
• Assess your requirements
  • How much do you need live correlation vs reviewing after something happened
  • Need to plan ahead
  • OSCF, OTel, ECS – Standards. Pick one and use for everything
  • Try log everything. Audit events, Performance metrics, Billing
  • But obvious lots of logs cost logs of money
  • Make it actionable – Discoverability and correlation. Automation
• Taming log Chaos
  • Learn from Incidents – What sort of thing happens, what did you need availbale
  • Test assumptions – eg How trusted is “internal”
  • Log your logging – How would you know it is not working
  • Document everything – Make it easier to detect deviations from norm
  • Have processes/standards for the teams generating the events (eg what tags to use)
• Prioritise common mistakes
  • Opportunity for learning
  • Don’t forget to train the humans
• Think Holistically
  • App security is more than just code
  • Automation and tooling will help but not solve anything
  • If you don’t have a security plan… Make one
• Common problems
  • Devs will often post key to github
  • github has a feature to block common keys, must be enabled
• Summary
  • The logs you gather must be actionable
  • Get familiar with the logs, and verify they actually work they way you think
  • Put the logs in one place if you can
  • Plan for the worst
  • Don’t let the logs overwhelm you. But don’t leave important events unlogged
  • The fewer platforms you use the easier it is