Switching my Mastodon account

As we discussed previously, the idea of Federated media is that there is no central server with all accounts. Instead, there are various instances, and you choose one. In my case, I was sent an invite from my late lamented friend Craig Maloney to join on the server he was on. But I got a notice a few days ago that the instance I am on is closing. It won’t be completely shut down for 8 months, so I can’t complain about any lack of notice, but I might as well get going on it. Step one was to find good directions for migrating my account. This is actually not too bad, since as stated the Fediverse is built on an understanding that your account is a separate entity from the instance it is on, and no one has an incentive to “capture” users since there is no way to make money from them. Quite the contrary, I expect. It costs money to run a server, which is why I signed up to make a donation to the person running my old instance. As my old friend Door-to-Door Geek always says, support the people who support you. Anyway, I went to the invaluable Fedi.Tips web site, and indeed found a good explanation on the page Transferring your Mastodon account to another server.

Step one is find a new server. I went to Fedi.garden and looked through several categories before finding Freeradical.zone which seemed like a good fit. So I applied for an account there, which was fairly easy, but they have to approve the application. They ask you to review their policies, and write a few words about yourself, to make sure you will be a good fit there. While waiting to hear if my application has been approved, the next steps involve exporting data from the old server. This process is not too bad, but it really should be done on a desktop computer using a Web browser, not an app. You can move all of these:

  • Followers
  • Follows
  • Bookmarks
  • Lists
  • Mutes
  • Blocks
  • Domain Blocks

Since I got my email that my account was approved the next day, I proceeded to initiate the move to my new account: @Ahuka@freeradical.zone

What does not get moved are your Followed Hashtags. If you have any, you can see them by going to the three-dot menu next to your name and looking for Followed Hashtags. You will need to write these down and manually redo them on your new server. But for the movable items above, all you have to do is go to your old server, to the three-dot menu, Preferences, then Import and Export, and select Export. You can download a CSV file for all of the above movable items except Followers. That is handled differently, because anyone following you needs to have your new address in their Mastodon account. Don’t worry, this mostly happens in background, but it can take time. But for the rest, just download the CSV files and save them to your hard drive. You can also request an Archive of your posts, but that is purely for your own reference since your old posts cannot be uploaded to your new server. In my case, I passed on that because my old posts are not that important. And if some of those categories are blank (I never created any lists, for instance), you will download a zero-byte CSV file.

Then on your new server account, go to the three-dot menu, to Preferences, Import and Export, and select Import. In the drop-down box, select the appropriate category for the CSV file you are uploading, choose the file, and click Upload. In this case, since you are populating a brand new account that is all you need to do, but note you have options to either Overwrite or Merge. That is all you need to do for these.

Now, back to Followers. There is a way to mostly move your followers, but it is not 100% guaranteed for a variety of reasons. But the start is to go to your New account, three-dot menu, to Preferences, Account, and scroll down to where you see Moving from a different account. Follow the directions here to create an alias. This is just your old address, and mine was @Ahuka@octodon.social. This is the first step, but it doesn’t do anything yet, and is completely reversible if for some reason you want to stop. The instructions at fedi.tips say you need to wait at least 5 minutes for the next step, so this is a good time to do a little housekeeping. I used this time to copy my profile from the old account to the new one. I also added “has moved” to my name on the old site, and in my profile text I put my new address. fedi.tips says this isn’t really necessary in most cases, but it can help.

Once I did that, I went to the old site, and this is where the move actually starts. You go to Preferences, Account, Move to a new account, and enter your new address. This starts the process of moving your followers. If you followed what we said previously you know that the old server knows who you follow and who follows you. So the old server can send a message from your account to the servers of the people who follow you and update your address. Of course, this isn’t instantaneous, since now you are at the mercy of the servers of those people, so don’t be shocked if it takes a few hours, or even days, for this to all happen. For this reason, it is advised that you keep the old account for a little while just so you can see if anyone is still on your old address. You cannot use your old account once you have started the migration, but you can send someone a message from the new account and tell them to manually make the change in case the automatic move fails.

And that is all there is to migrating your Mastodon account. It probably took me longer to describe than it will take you to do it. Meanwhile, if you are interested you can follow me on my new account @Ahuka@freeradical.zone.


The New Audacity and Batch Processing Macros

Audacity is the wonderful open-source audio-processing program that I use every day. I use it for a couple of reasons.

First, I use Audacity to record and prepare my own podcast shows, which are mostly for Hacker Public Radio. I seem to have done over 200 shows for them, and I am still actively recording shows, and I expect to continue as long as I can, though at the age of 69 I can see that there may come an end sooner rather than later. And Audacity does a great job for me. I just plug in my Blue Snowball microphone, open Audacity, and press the Record button. When I am done I add a little volume boost, save the project, then export the FLAC file for upload to Hacker Public Radio.

Second, I like to listen to podcasts speeded up. I listen to a lot of podcasts, and even when I weed out the ones that just go on for too long, it is still hard to keep up. I know that people who use smartphone apps can speed up podcasts in the app, which is fine, but I don’t listen to podcasts on my phone. I use small, inexpensive MP3 players and this lets me save my phone’s battery so I get through the day without problems. So my method is to download my podcasts using GPodder on my Kubuntu box, and about once a day I will delete the ones I have finished listening to and prepare a new bunch to load on the player. And Audacity is what I use to prepare the files. I created a “chain” some years back on the old version of Audacity, which would take the files, speed them up by 70%, boost the volume a bit, and then export the finished file. And I could do it as a batch process on a whole directory of files. It would open the files one at a time, apply the “chain”, and then move on to the next file. This was very handy.

Then I made the jump from Kubuntu 18.04 to 20.04. I tend to stick to LTS releases and be fairly conservative because I would rather use my computer to do things than spend time fixing software issues, and LTS releases work well for me in this respect. In fact, I did not move from 18.04 to 20.04 until February of 2021. And with the OS upgrade came the software upgrades, including Audacity. And when I went looking for chains, they weren’t there! I did some investigating on the Web and found that they were replaced by “macros”, and instead of being on the File menu they were on the Tools menu, which is reasonable enough I guess. I looked in the Tools menu, found Apply Macro, and when I opened that I found that my chains had all been moved over to the Macros, which was great since I did not have to recreate any of them, not that it would be all that difficult to do. But I could only apply a macro to one file at a time. The process seemed to be that I had to open a file, then apply the macro. And when I tried to do that to a directory with about 20 files in it, each file opened separately in its own window (a big mess right there), then I had to go through them one at a time to apply the macro and then close the window. Ugg.

As I considered this, it did occur to me that in all likelihood I was doing it all wrong, and that the capability was still there. I started by going to the Audacity Forum, where I did see some references to batch processing, but none of them ever explained how to do that. So I started searching for “audacity batch processing”, and the first few results got me nowhere. They either went back to the page that referred to batch processing without explaining how to do it, or they went back to the older version with “chains”. But then I found a YouTube video called Audacity Macros – Easily Apply Effects to Multiple Files, and that was where I got my answer. On the Tools menu there was another option, called simply “Macros…”. Selecting this opened a window called Manage Macros, and on the bottom there was a section to “Apply Macro to” and you could either do it to the current project, or to a group of files. So it was there all along, I just missed it.


Why I Gave Away a 3-D Printer

Ken Fallon posted a request on the Hacker Public Radio mailing list for shows about 3-D printers, and I innocently replied that I couldn’t help since I gave mine away. This of course led to Ken saying he would love to have a show about why a hacker-type person would give away a perfectly good 3-D printer, so I was trapped.

In October of 2017 I went to Ohio LinuxFest, which I have done many times. I spent a few years running publicity for them after all, and it is a good convention for open source folks. Now how did a guy from Michigan get involved in an Ohio event? For those who are not from the Midwest of the United States, Michigan and Ohio are “friendly enemies”. There was a border war in the early 19th century, which Michigan won when Ohio was forced to take Toledo. (That is a joke. Actually we have a family membership at the Toledo Museum of Art.) And the University of Michigan and Ohio State University are football rivals that close out their seasons each year with the rivalry matchup. But the joining of this University of Michigan alumnus with the Ohio LinuxFest came about because of Penguicon, which I had been going to for some time, and where I became the Tech Track programmer for a few years after I stepped down from my position at Ohio Linux Fest.

I had gone to a panel at Penguicon where Jorge Castro of Canonical talked about how to get help with your Linux install. (Jorge recently left Canonical to join VMWare where he is Community Manager.) It was good, but I noticed something missing: he never mentioned Linux User Groups! I was at the time the leader of the Washtenaw Linux User Group, and we helped people all the time at our monthly meetings. And I was certain that there were lots of other groups out there doing the same thing. So I spoke up and asked Jorge to “correct the record”, which of course he graciously did. But then in the hallway I was approached by Beth Lynn Eicher, who said they needed someone at Ohio LinuxFest to be the Liaison with the Linux User Groups. So I agreed to take that on, working under Joe “Zonker” Brockmeier, who was in charge of publicity. The following year Zonker stepped down (He is now Editorial Director at Red Hat), and I became the head of publicity.

Now even after I stepped down a few years later I continued to attend each year, and I think 2019 was the first year I missed since 2008, my first year attending there. I had retired, my wife and I had a trip for our 40th wedding anniversary, and other family matters just filled up my schedule. And this year the event is virtual, for obvious reasons. But one of the ways Ohio LinuxFest raised some cash (and it takes a lot of money to put on an event like this) was by having a raffle. Corporate sponsors would donate items to be raffled off, and attendees would buy raffle tickets. So of course I did what I usually do and bought something like $20 worth of tickets. And when they got to the main prize, a 3-D printer, my name was the one they called out! So that is the story of how I obtained the printer. But how did I give it away?

That takes me back to Penguicon. Penguicon chooses a charity each year to receive both focus and some money that is raised through raffles and such. And in 2016 this was an organization called E-Nable, which uses 3-D printers to create prosthetic limbs for children who are missing limbs through things like birth defects. I thought this was a very good thing to be doing, and I was proud that Penguicon was promoting it. So when my name was called at the OLF raffle, I knew almost immediately what I would do. My choices were either to have a neat toy I could play with, or maybe make lives better for some children, and that was no contest at all.

The reason E-Nable was the charity that year at Penguicon was because one of the organizers was involved with the group and was making limbs. So when the printer was delivered to my home, I messaged him to see if he could use it. It turns out the one I got was a much better one than what he had been using, so he could do even more good work with it. And it is not like I lack for toys in my life. I know I did the right thing, and I have never regretted it.


Android Malware Alert

A report was just released regarding malware that targets Android, called Joker. This malware has been around since 2016, but it continues to be one of the major threats to Android devices. It can steal SMS messages, Contact lists, and device information. It can also sign up users for pricey subscription services such as Wireless Application Protocol (WAP) services. This malware gets added to applications that can be downloaded from the Google Play Store, and though Google has removed many of those apps, the malware keeps coming back. So how does it do what it does?

How it works

The apps that get the Joker malware are essentially “knock-offs” of legitimate apps that can fool people into downloading them. They do not directly contain the malware, instead they contain what is called a “dropper”, code which at some future time days or weeks later will contact a remote site and then download the actual malware. This dropper code is heavily obfuscated in a variety of ways. Sometimes the code is AES encrypted, other times it masquerades as legitimate files that are common in other applications such as JSON files and CSS. The download is frequently a *.dex file (Dalvik Executable) which is the native format now for Android applications. Joker can also use code injection to hide inside of legitimate third-party packages that reside on an Android phone, such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider. The security research firm Zscaler issued the most recent report on this, and they explained some of the methods Joker uses to download the malware.

Direct Download

In this scenario, a URL is hidden in the code via string obfuscation. This is a technique for hiding executable code by making it hard for the code to be detected. The Sucuri site gives the example of calling PHP to execute the commands where the functions are broken up into 2-3 character chunks, each chunk inside single quotes, and separated by periods. PHP will then join the chunks, remove the single quotes, and execute the function just created.

Once the URL has been “decoded”, the app will contact a Command and Control (C&C) server to get another URL which will take them to the final download of the malware payload. It also supplies a JSON file that has the configuration information for the final download. Once the JSON file is downloaded and executed, the final download takes place.
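As an added illustration of the chunked-string obfuscation described above (this is not code from the Sucuri or Zscaler write-ups), here is a small Python scanner that rejoins `'ab'.'cd'` style chains in source text and reports the ones a reviewer would want to see. The watch list, the chunk-length threshold and the sample input are assumptions made for this example.

```python
import re
from typing import List, NamedTuple

# Assumed, deliberately short watch list of PHP function names that deserve a
# second look when they only appear after the chunks are joined.
WATCHLIST = {"eval", "assert", "base64_decode", "gzinflate", "str_rot13",
             "system", "exec", "shell_exec", "passthru", "create_function"}

# A single-quoted literal without escapes, and a chain of them joined by '.'
_CHUNK = r"'[^'\\]*'"
_CHAIN = re.compile(_CHUNK + r"(?:\s*\.\s*" + _CHUNK + r")+")
_PIECE = re.compile(r"'([^'\\]*)'")


class Finding(NamedTuple):
    line: int      # 1-based line number in the scanned source
    joined: str    # the string the interpreter would actually see
    chunks: int    # how many literals were concatenated
    reason: str    # "watchlist" or "short-chunks"


def find_chunked_strings(source: str, max_mean_len: float = 3.0,
                         min_chunks: int = 4) -> List[Finding]:
    """Rejoin concatenated literals and flag the suspicious chains.

    A chain is reported when the joined value is a watch-listed function
    name, or when it is built from many very short pieces (the 2-3 character
    chunking described in the text), which ordinary code rarely does.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in _CHAIN.finditer(line):
            pieces = _PIECE.findall(match.group(0))
            joined = "".join(pieces)
            mean_len = len(joined) / len(pieces)
            if joined.lower() in WATCHLIST:
                reason = "watchlist"
            elif len(pieces) >= min_chunks and mean_len <= max_mean_len:
                reason = "short-chunks"
            else:
                continue  # e.g. an ordinary 'Hello, ' . 'world'
            findings.append(Finding(lineno, joined, len(pieces), reason))
    return findings


# Constructed sample input; the host name uses the reserved .invalid TLD.
SAMPLE = """<?php
$greeting = 'Hello, ' . 'world';
$f = 'ba'.'se'.'64'.'_d'.'ec'.'ode';
$g = 'as' . 'se' . 'rt';
$u = 'ht'.'tp'.':/'.'/e'.'xa'.'mp'.'le'.'.i'.'nv'.'al'.'id';
"""

if __name__ == "__main__":
    for finding in find_chunked_strings(SAMPLE):
        print(finding)
```

The same normalise-then-match idea applies to any scanner that looks for fixed strings: matching on the raw text misses every chain above, while matching on the joined value does not.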

One-Stage Download

This variant downloads a stager payload first, which then leads to the final download. The URL for the stager payload is encoded using AES encryption. There are two varieties of stager payload that Zscaler has noted, either an APK file or a *.dex file. This stager is responsible for obtaining the URL for the final payload download. The stager is also responsible for executing the final payload.

Two-Stage Download

In this variant, the infected app executes code to contact the C&C server, which replies by sending a message with the URL for the first stager payload which it hides in the location header. The first stager payload is downloaded and executed, which then downloads the second stager payload, which in turn contains the hard-coded URL for the final payload. That is then downloaded.

Final Payload

Regardless of the download method, the final payload of malware is the same. To begin with, it uses DES encryption to execute the C&C activities. And it uses string obfuscation techniques to hide all important strings.

If you want a more detailed description of all the things the final payload does, you can check this site using a browser that can translate from Chinese to English.

What can you do?

Given that this malware has been infecting apps in the Google Play Store for 5 years now, it does not seem like someone else is going to fix the problem. The Zscaler report says that Google has removed these apps, but cannot remove them from your phone if you had the misfortune to download one of them. Using an anti-malware app on your phone may help, but the techniques Joker uses to hide make it challenging to detect and remove.

Step one is to check if you have one of these apps and remove it manually from your phone. You can see the latest batch of 17 apps Zscaler found at this Web page. Once that is done, there are some common sense precautions you can take.

  • Be careful to only download and install apps that serve a genuine need. Downloading lots of apps willy-nilly will only increase your attack surface.
  • Carefully check the history of the app. If it is fairly new and has relatively few downloads, you should probably steer clear. Remember that Google does remove these apps from the Play Store as soon as they are aware of them, so they don’t tend to last long.
  • Stick with developers that have a good reputation and track record.
  • For apps you rarely use or haven’t used recently, consider uninstalling them. Remember it is about the size of the attack surface.
  • Pay attention to permissions. Every time you install an app, it asks you for permissions to do things. Most people just click OK without paying attention, and that is what malware authors rely on. If a solitaire app asks for permission to access your Contacts list and your SMS, you probably shouldn’t allow it.
  • Manage your existing permissions. A good thing Android 11 does is to allow you to remove permissions for apps you haven’t used in a while. You can read more about this and how to manage permissions in this TechRepublic article.
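The permission advice above can be checked mechanically. The following Python sketch is an added example, not taken from the Zscaler report: it reads a decoded (plain-text XML) AndroidManifest.xml and lists the SMS, contacts and device-information permissions an app requests that its category would not normally need. The category table and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permissions covering the data this post says Joker goes after:
# SMS messages, contact lists and device information.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device-info",
}

# Assumed policy: which sensitive groups each kind of app plausibly needs.
EXPECTED = {
    "messaging": {"sms", "contacts", "device-info"},
    "game": set(),
    "wallpaper": set(),
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return the sorted, de-duplicated permission names in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return sorted(names)


def audit(manifest_xml: str, category: str) -> Dict[str, List[str]]:
    """Map each unexpected sensitive group to the permissions behind it.

    An unknown category is treated as needing no sensitive permissions,
    so anything sensitive it requests is reported.
    """
    allowed = EXPECTED.get(category, set())
    unexpected: Dict[str, List[str]] = {}
    for permission in requested_permissions(manifest_xml):
        group = SENSITIVE.get(permission)
        if group and group not in allowed:
            unexpected.setdefault(group, []).append(permission)
    return unexpected


# Constructed sample: a card game that asks for SMS and contacts access.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solitaire">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Solitaire"/>
</manifest>
""".strip()

if __name__ == "__main__":
    for group, permissions in audit(SAMPLE_MANIFEST, "game").items():
        print(group, "->", ", ".join(permissions))
```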


Hacked?

On Thursday evening, as I was having my dinner, my wife came in to tell me that my Facebook account was hacked and I should change my password. The evidence for this was that some other people that I was already friends with were getting friend requests that appeared to come from me. Now I have been on the other end of this many times, and didn’t give it a lot of thought. Other people getting hacked is not exactly news as far as I am concerned. It sucks for them, but nothing I need to get worked up about. But having it happen to me made me think a little harder.

The first thing that puzzled me is that I have enabled Two-Factor Authentication on my account. I have to enter a code from my phone to log in to Facebook, and I didn’t see any way that someone could get in without me knowing about it. And at the time I was in fact logged in, and how could there be two different logins at the same time?

And the answer is that my account was not hacked at all. What happened was a Facebook Clone scam, something increasingly common. What the scammers do is clone your account by using all of the information Facebook makes public about you. This is not difficult at all. I decided to go through the steps of cloning (without actually doing it, of course) just to illustrate how it is done.

  • First, type in a first name into the Facebook search box, and a list of possible account names pops up. Pick one at random. I used my own account for this exercise.
  • Second, click the link under the Profile photo that says “Photos”
  • Try Photos by this person, or Profile Photos if that is there, as places where you can download their Profile photo. My Profile photo was the very first one I saw there.
  • Then, go back and next to the link to Photos you will see a link to Friends. Click that, and you will see all of this person’s friends listed.
  • You now have everything you need to create a fake account and send out scam Friend requests.

This approach is the well-known security technique of thinking like an attacker, which is very helpful in making yourself safer.

Public Information

The key to this attack is that Facebook makes public all kinds of information about you. This particular attack is pretty obvious, but there are more insidious ones. If you go to the About link, take a look at what is there. Places you have worked? Places you have lived? Where you went to school? Family Relationships? Your birthday? Suppose you found out someone’s spouse? If they also have a Facebook account, you can get the spouse’s birthday. The point is that these are all the kinds of things that are used for “second question” authentication on other accounts. When you are setting this up for your bank account, you might think no one would know this. But in fact it is all publicly available. We had this exact thing happen in 2012 in the U.S. to a Vice-Presidential Candidate, Sarah Palin, who had her e-mail account hacked because her “second questions” were all things easily discoverable, and some kid looked up the information and got into her account. Of course, you can sometimes pwn yourself. I set up a PIN for an account many years ago and it required 4 digits. I thought I would be clever and picked a date from history (my first degree). It took me a few months to realize that my wife’s birthday matched this date, and change it. As to it being a “duplicate” request, that is not even possible even if someone managed to hack into your account. Once someone is your friend you cannot send another Friend request, period. The software won’t allow it.

Now, if this happens, what can the scammers get out of it? If they can get other people to accept this fake account as being you, maybe they can send them Malware, Russian election misinformation, promote illegal activities, or whatever. The good thing is that these days we have seen this so often that almost no one pays them any attention. But it is all a numbers game, and even a very small percentage of successful scams can be profitable when pursued on a large scale.

What you can do

As to what you can do, not a whole lot. Changing your password won’t do anything here because your account is not hacked in the first place. And I tend to be a little leery of changing passwords willy-nilly, because human nature being what it is, it usually results in passwords that get simpler and more guessable over time, which is why NIST recently came out against the requirement in many places that passwords be changed frequently on a schedule. What you can do is pretty simple. If you see someone you already are friends with send you a friend request, do them a favor and click on the profile (you can always do this before accepting a Friend request. I regularly get friend requests from suspiciously attractive females whom I have never met and who seem to have a serious lack of history.) Click the Timeline, and there is a menu on the right with three dots. Click that to report the profile as a fake profile. Of course, it may already be closed when you try to do this, because Facebook has gotten pretty good at finding and shutting down these clone accounts. And you can always check to see if anyone has cloned your account simply by searching on your name. My name is not unusual, but if I see two accounts with my same profile picture, I know one of them is bogus.

The other thing you can do if you have not done so yet is set up Two-Factor Authentication.

  • Go to your Home Page in Facebook
  • Click the drop-down arrow on the Top Right
  • Select Settings and Privacy
  • Select Settings
  • Select Security and Login
  • Go to the Two-Factor Authentication, and turn it on
  • Set up how you want to do it. I have a Facebook App on my Android phone, and that gives me a code, but you have a few options here.


The LastPass Security Dashboard

I just got an e-mail from LastPass regarding a new feature that I wanted to share. It is called the Security Dashboard, and it offers a couple of useful features.

As I have mentioned previously, I am a big believer in using a password manager, whether that be 1Password, Dashlane, LastPass, Keepass, or whatever. I actually use both LastPass and Keepass for two reasons:

  • Lastpass is designed for online use, which is great for Web sites, but problematic for some offline uses.
  • Keepass works much better on my Android phone while LastPass is awkward there and tends to get in the way instead of help me.

So, I tend to think most of them are good, the question becoming one of what works for you. The benefit, though, comes from actually using it. If you want to get some opinions on which program may be best for your needs, there are reviews available that can help you make a choice.

I could have listed many more reviews, so there is no lack of information out there. I went with LastPass years ago because Steve Gibson looked at the technical details and said they were doing it right. And Keepass is a stand-alone desktop program that has a Linux client and is licensed under the GPL. Also I can use it on multiple machines by putting the database in Dropbox where any changes I make on one machine get pushed out to all other machines.

Of course, the main reason you want to use a password manager, whichever one you choose, is so that you can put secure passwords on important web sites. And secure passwords mean long ones with a lot of entropy, as I covered in Passwords, Entropy, and Good Password Practices. Your pet’s name won’t cut it, neither does “leet speak” like substituting the @ sign for the letter “a”. If it isn’t long gibberish, it is not secure, and of course long gibberish is precisely what humans cannot remember. And that is the reason for password managers.

The big problem is that nearly every web site out there is now demanding passwords before you can do anything. And if you reuse passwords, you are at risk. I just checked in LastPass and I appear to have 478 passwords stored there. That is way more than anyone could possibly memorize, you simply have to use a password manager for that. Which brings us to the latest news from LastPass, the Security Dashboard.

Security Dashboard

This feature is available to all LastPass users, including those on free accounts. But note that some features are only available to Premium users. To see your Security Dashboard in LastPass, you need to “open the vault”. Since LastPass is normally up and running on my browser (that is the first thing I do after rebooting my computer), all I have to do is click the LastPass icon to open the vault. Then on the lower left I can see the Security Dashboard. Clicking that opens the Dashboard, which has three sections: Security Score, Dark Web Monitoring, and Alerts.

Security Score

The Security Score is a calculated number based on several factors. First, of course, is how long and complex your passwords are. Then adding multifactor authentication to your LastPass account adds another 10 points to your score. A perfect score would be 100 points, but you have to have at least 50 passwords stored in LastPass to get this. That said, I am looking at the section for Security Score, and I don’t see a score anywhere. But the useful part is that I can see the “at risk” passwords, both as an overall percentage (OK, but not the most useful), and also a list of my passwords when I click the View passwords link on the right side of this box. There I can see all of my accounts and what LastPass thinks of my passwords. The information here is useful. The list has these columns in order:

  1. The Website
  2. The User Name for that website
  3. The password strength. The password is obscured, but you can click the eye icon to have it revealed.
  4. The risk if any. Red boxes have risks, green check marks are OK. The risks I see include Reused, Old, and Weak. Old is a matter of debate. I think the best research now says that making people change passwords just because they are old is more likely to reduce security than enhance it. For more on this, see SANS Security Time for Password Expiration to Die. Reused is a problem if you used the same password for anything that needs security. I don’t care if I reused a password because some blog demanded I create a password before reading an article, but I definitely care if I did so for my bank account.
  5. Action to take – This is not all that informative. If you have a green check mark, it will be blank, otherwise it tells you to change your password. But if you click this button, it will open the web site so you can do that, so it is helpful.

After reviewing my list, I noticed I have a lot of stored passwords for places I don’t go to any longer and for accounts I have closed, so no doubt a little pruning of the list is in the cards.

Dark web monitoring

This is all about whether your credentials have been found on the web sites where such things get traded around. Kind of similar to Have I been pwned in my view, but it does make things easy for you. This feature is only available to Premium users (of which I am one). For this, LastPass partnered with Enzoic to use Enzoic’s database of breached credentials. One useful feature here is that you can simultaneously monitor all of your e-mail accounts, or you can decide that some do not need to be monitored. I noticed that one “e-mail” was actually a typo I must have made at one time, and another was a work e-mail from before I retired, so I cut the monitoring there. Honestly, I don’t know that I would pay for a Premium account just to get this feature, but I like that I get it as part of the package. I could do all of this by just going to Have I been pwned and not spend money, but this is very convenient.

Alerts

This is tied to the Dark web monitoring. Right now it says I don’t have any alerts, but if one of my e-mail addresses/user names was compromised I would get an alert, and a button to click to take me through the process of changing my password.

Bottom Line

I am very happy to be a Premium user of LastPass. We have a family account for my wife and me and it works well. This update basically makes maintenance we should be doing anyway more convenient to do. And now if you will excuse me, I need to go clean up a few passwords.

Listen to the audio version of this post on Hacker Public Radio!


Penguicon 2019 Report

This is the latest in my annual recollection of my experience of Penguicon. As always, I have to emphasize that this represents just my own experience of a massive event. We have 1,466 people attending, and over 400 different sessions, each of which lasted at least one hour.  I only could attend a handful of these sessions, and had a great time, but by way of example my friend 5150 was here, and at no time were we both in the same session. So if you were to come you would probably have a somewhat different experience.

Friday, May 3

As usual, I grabbed a dinner after work on Friday, then went to the Westin in Southfield, Michigan for the Con and picked up my badge. We’ve been at this hotel for 6 years now, and it is a fantastic venue for us. I usually purchase my badge a year in advance at the previous con, so I had bought this on the last day of Penguicon 2018, and it was waiting for me when I arrived. I made a brief tour of the Maker Space, then it was off to the Opening Ceremonies. This is where you get an introduction to the various Guests of Honor as well as hear from the Convention Committee about what to expect over the course of the weekend. Among the Guests of Honor were:

  • Saladin Ahmed – An award-winning author who has now gotten involved in writing for Marvel.
  • Mikey Mason – A stand-up comedian with appearances on Nerdist.com, SyFy, and MTV Geek News.
  • Zed Shaw – A programmer and artist who teaches programming and has a series of books (Learn Python The Hard Way, Learn Ruby The Hard Way, Learn JavaScript The Hard Way). He is most commonly known for creating the Mongrel web server for Ruby web applications.
  • Daniel Hansen – Daniel Hansen created a business called Crafty Celts to sell his jewelry, and wound up creating jewelry for the TV show The Vikings. He is also active in re-enactment, and taught swordplay over the weekend.
  • Sophia Brueckner – A professor at the University of Michigan, she began as a developer at Google before becoming a designer.
  • Karen Corbeill – Karen is a maker who also loves to teach. After two years as a co-host on the Ben Heck show, she is now on YouTube as part of Element14’s The Learning Circuit.

One thing you might notice is that a lot of these people do more than one interesting thing. This is not accidental, as I learned when I talked to the Con Chair, Jessica Roland. She was deliberately looking for people that could tick off different boxes, and I think she did a great job.

After the Opening Ceremonies, I went to an Anime panel on Anime Fantasy-Romance. There was a lot of Anime programming this weekend provided by Paul Kemner, Star Stramel, and A. Carina Spears. I did manage to catch a few in amongst everything else. After this, it was time to join the Ubuntu Release party, an annual event. Ubuntu’s x.04 releases usually are within a few days of Penguicon. At one time it was a place to go to pick up a CD, but no one does that any longer. So now it is mostly a place to catch up with your friends. All the members of Sunday Morning Linux Review were there, and I met Jay Lacroix for the first time in person after hearing him on the podcast for a while now. I also thanked Tom Lawrence because his company, Lawrence Technology, sponsored Penguicon 2019. After this it was time to leave since it was the end of a week at work and I need to rest.

Saturday, May 4

Back to the Westin and breakfast from their breakfast buffet. The first event of my morning was Tony Bemus (Sunday Morning Linux Review) doing a presentation on DDOSs and what the average person can do about it. Tony recently changed jobs and is working for a local company on their Cloud team helping to mitigate DDOS attacks for their clients, so he definitely has the skills for a good talk, and he did not disappoint. Then it was off to Truths, Half-Truths, and Sweet, Sweet Lies a panel discussion by Ericka Kahler, Doug Johnson, and Mark Haynes about the pitfalls of being a consultant/contractor in the IT industry. I spent quite a few years doing that, so I wanted to see what they had to say. Then it was off to another anime panel, Supernatural Anime, by the same group of people I mentioned previously. Here the emphasis was more on creepy/scary types of anime. I next went to a screening of The Ghost in the Shell, which in the program was supposed to be the Anime film from 1995. But a mix-up resulted in the showing of the Scarlett Johansson film from 2017, so I left, and decided this was a good time for the Hallway track. I’ve been going to Penguicon for many years now, and I have a lot of friends I see there, so a little socializing is always good.

I decided to get a little “hands-on” next. A local makerspace from Ann Arbor called All Hands Active was on hand throughout the Con for people to drop in and do a little soldering. They offered a simple basic blinking LED badge for free, or you could purchase a more complex one that had a microcontroller and displayed LED text. Since electronics and soldering are not my strong suit, I went with the simple one this time, but I may try to step up next year. We’ll see. Then I went to a presentation by one of our Guests of Honor, Sophia Brueckner, called Critical Optimism, which I thought was fantastic. Sophia looked at how technology is powerful, but won’t necessarily solve all problems. She looks for a path between the extremes of technosolutionism (technology will solve all of our problems) and a Luddite rejection of technology as evil. This was one of the better things I experienced this weekend. Following this, I was on a panel myself called Unconditional Basic Income, along with Matt Arnold and Zachary Blagg. We had a pretty decent turnout for this, and a lot of good discussion which continued out in the hallway. We may do something next year, and I suggested maybe healthcare would be a fruitful topic to get discussion going. We’ll see how that goes. I then went to the Con Suite to grab some food since it was early evening by this point, then came back for a panel on The Fediverse: Decentralized Social Networking, with Michael W. Lucas, Ed Platt, Matt Arnold, Craig Maloney, and Mark Felder. I was really interested in this one, because last year Ed Platt did a presentation that I thought was excellent, and I asked him if he might do something for Hacker Public Radio. He declined as he was busy, but told me I could use any of his material. So I am working on a series for HPR that will probably go up in Autumn of 2019 where I look at some of the alternative social media. What got me off of my butt on this was the closing of Google Plus, which told me it was time to look around. After this, it was time again to go home and rest up for the last day.

Sunday, May 5

Again, back to the hotel and breakfast, where I met up with Craig Maloney. Craig is the leader of the Ubuntu LoCo that put on the release party Friday night, and he is also active in the Fediverse, so I continued our discussion from last night and got some additional leads and information. And as he is a good friend I have someone I can go to with questions, which is always helpful. After breakfast, it was time for E-learning Design: The Good, the Bad, and the Very, Very Ugly, by Ericka Kahler and Clif Flynt. Clif is an old friend, and when I was teaching I actually had to do E-learning design, so I had a strong interest in the topic. There were many lessons learned here. From here, it was off to a presentation on Solar Panels by my friend Gibson Nichols. I had a strong interest here as well since my wife and I have been planning to get an RV and become “snow birds”, and solar power is very useful when you are mobile and don’t always have utility power available. My last panel of the day was Understanding USB: Why this cable works and that one doesn’t, by Henry Marshall. This was a great technical discussion of all of the different flavors of USB, and I think I learned a few things.

After this I had a few minutes free so I bought my badge for next year, as I always do. It is a little cheaper if you do this, but even if the price was the same I would do it just because I think it helps the Con to have a little working capital as they prepare for the next year. And then it was off to the Closing Ceremonies. At this point the Guests of Honor get to say a few words about their experience, and the staff gets to thank all of their helpers. Awards are given for the best room parties, and then everyone winds down. So I went home and collapsed in my chair because I was really tired.

I think this year’s event was wonderful and as always slightly different from any other year. Penguicon has a permanent Board of Directors, but they pick a new Con Chair every year, and that Con Chair really puts an individual stamp on the event. I am looking forward now to next year.


Listen to the audio version of this post on Hacker Public Radio!


Penguicon 2018 Report

Friday, May 4, 2018

As I usually do, I went to work on Friday, then grabbed dinner before heading over to Penguicon. This year was going to be different because I was not responsible for running anything other than my two talks. Last year, after 4 years of running the Tech Track, I stepped down because a) I was tired; and b) you want to bring in new blood to keep things fresh. (Pro tip to event organizers out there.) I found the Registration table, got signed in, and picked up my materials for the two panels/presentation I would be on. Then I headed for the Opening Ceremonies. This is usually an introduction to all of the Guests of Honor and any other VIPs in attendance, and it helps me to get a sense of what the weekend is going to be like. I knew from previous emails that one of the Guests of Honor, Dr. Kristine Larsen, was going to be on my Isaac Arthur panel, but I had never met her. A Guest of Honor I had met and talked to previously was Mary Robinette Kowal and I like her, so that was good.

After the Opening Ceremonies I went to join my friend Craig Maloney for the Ubuntu Release Party. Since Penguicon always happens in late April/early May it pretty much comes on the heels of the April Ubuntu release each year, so we have a get together. I mostly run the Kubuntu flavor and tend to stick to LTS releases, so I expect I will be upgrading as soon as they release to the LTS crowd. Technically it is released as a *.0 release, but they don’t offer it to LTS users until it hits a *.1 level, which will be later this summer I expect. I spent some time with various friends there such as Murph who made it up from New Jersey as well as the various Michigan users.

Then I went to see Bob Trembley, Jeff Macleod and Curtis Potterveld demonstrate and discuss various space simulators. They showed several NASA programs that are free and simulate the solar system dynamics. You can use them to see what would happen if the Sun suddenly disappeared (the planets immediately move in straight lines tangent to the previous orbit), or you can look at the collision that they think created the moon when a Mars-size body crashed into the early Earth. Then we ran Kerbal Space Program, which is a pretty accurate simulation of orbital mechanics. Of course, in the best tradition of Mythbusters we made one go “boom” by flying a rocket into the Vehicle Assembly Building. And now, after three hours on top of a full day at work, it was time to go home. I knew I had an early morning ahead of me.

Saturday, May 5, 2018

Saturday morning I had a 9 am panel on Isaac Arthur, where I was joined by Jeff MacLeod and Dr. Kristine Larsen. Isaac Arthur is a very interesting fellow who has a YouTube channel called Science and Futurism with Isaac Arthur. His channel looks at extrapolations of what can happen in the future given what we know about science. Some of it can get pretty far out, but never violates any known laws, so you won’t see warp drives or faster-than-light travel. That still leaves plenty of scope for thinking big, and I enjoy the channel. Give it a look and you might find you like it too.

From there I moved on to the DIY IoT talk by Dave Putz and Connie Sieh. Connie I knew from last year when I asked her to present a panel on Scientific Linux, which she helped to create. This time the presentation was on IoT using things like Raspberry Pi and Arduino to control the cameras and sensors. I think this is the kind of topic that would appeal to Hacker Public Radio listeners, and is a good reason to plan a visit if you can be here when Penguicon is on. There are great presentations every year, and Daniel Dugan did a great job of programming the Tech Track this time around. And the following presentation by Karen Burnham was called Turning Materials Science Fiction into Science Fact, and I was pretty sure it would be great. Karen had worked for NASA and for Aerospace companies, but moved to Michigan to work in electric car engineering for Ford Motor Company. I have learned that any talk she gives is going to be interesting, and this did not disappoint.

Noon brought me to Michael W. Lucas’ talk Large Scale SSH: Keys and Certificates. Michael is a successful author, and his book on ssh was one of my principal resources when I did some shows on ssh for Hacker Public Radio. And listeners to the popular Sunday Morning Linux Review will know that he is also the author of numerous books on BSD. He is not only a good author but a good speaker, and I always try to catch one of his talks at Penguicon. I can’t catch all of them because he is a glutton for punishment and does way too many talks.

After that I went to a talk called Feminism and Comics, which traced the history of the comics and how the way women were portrayed in them changed over time. Then it was on to Gender and Artificial Intelligence. Of course AIs don’t really have any gender, but they are portrayed as having gender. For example, the voices of devices like the Amazon Alexa and Google Assistant tend to be female, though you can change that if you wish. But it is worth some consideration as to why female is the default in this case, and what that tells us about our own perceptions.

From there I went to Ask an Astronomer, a panel with Dr. Kristine Larsen, Bob Trembley, Curtis Potterveld, and Jeff Macleod. I have mentioned all of them in previous panels, but Dr. Larsen is an astronomer on the faculty of Central Connecticut State University, and very much a nerd. She has written on the astronomy of Middle-Earth, and a Harry Potter starfinder. Bob Trembley actually works for the Vatican Observatory, which is extremely cool. And both are Solar System Ambassadors for NASA.

Then I went to Tom Lawrence’s talk on Open Source Video Editing Workflow on Linux. Tom is of course well known from being one of the hosts of Sunday Morning Linux Review, and he also has a YouTube channel for his business, Lawrence Systems, which is worth checking out. As a YouTuber he does a lot of video production, and he does it using Open Source software. So this talk was well worth catching, particularly in light of my ongoing quest to figure out why kdenlive doesn’t like me.

Following Tom’s talk was my second talk, Diffie-Hellman-Merkle Key Exchange. I already covered this material in a show for Hacker Public Radio so download that if you are curious as to what I covered. It is the same stuff. I believe in using a talk as many times as I can after I put in the effort to write it. In any case, this was well-received by the people there.

By now it had been a long day, from my panel at 9am to my talk that went until 7pm, so I grabbed dinner and went home. That meant missing Michael W. Lucas on a panel called Making a Living as a Midlist Writer, but sometimes you just have to do what you have to do.

Sunday, May 6, 2018

The last day is always a little more laid back because everyone is tired. After breakfast I stopped by the Sunday Morning Linux Review, which was just packing up their gear having finished the show. Then I went to a presentation that seemed promising, called All Energy is Perpetual. Well, it may have seemed promising, but it ended up being pseudo-scientific nonsense. My friend Craig Maloney was getting progressively more annoyed with the speaker, and another audience member got up, said loudly “I’m sticking with science”, and stalked out of the room. It was sad, and unfortunate, but I found the head of Programming, Bagel Garrison, and told her that this was a mistake and don’t bring this person back again. I then went to a talk by my friend Jer Lance, but he never actually made it (I think he was in a meeting that ran long). So all of us in the room talked to each other for the hour. I now had a hole in my schedule, which meant it was time to hit the Dealer’s Room and view the goods on offer. I wasn’t really intending to buy anything (and didn’t) because right now my wife and I are more intent on getting rid of stuff than in acquiring more of it. But a little window-shopping never hurt anyone.

Then it was on to a panel Clamp Studio: Anime Deep Dive. I do enjoy anime, and these kinds of panels are often interesting. Clamp Studio is perhaps best known for Cardcaptor Sakura, and we got a taste of that, but they seem to have a number of interesting titles which we sampled. I followed this with a panel about dysfunctional communication on the Internet, and then finally the Closing Ceremonies. I thought the Closing Ceremonies ran about a half-hour longer than they should have, and was relieved when it ended. But I already have my registration for next year and I am sure it will be well worth my while. As I was leaving the room I was hailed by Fifty One-Fifty, whom I had somehow not connected with at all. I was really too tired to do much more than exchange greetings with him this time, but I think we will have a little more time together at Ohio LinuxFest.

Listen to the audio version of this post on Hacker Public Radio!


Ohio LinuxFest 2017

I made the trek to Columbus yet again for my annual visit to Ohio LinuxFest, and once again I was impressed by a good event. I took the afternoon off from work to drive down from Michigan (about a 3 hour drive) and made sure to get there on time for the opening Keynote, which was Karen Sandler from the Software Freedom Conservancy on “The Battle Over Our Technology”. By an interesting coincidence I had brought her up in a discussion the day before on why I would never trust IoT security if the code was not available. Karen has always been very open about sharing her experience with getting a pacemaker installed, and trying to get a look at the code (which she couldn’t, because it is proprietary). And we have since had a recall that made about 500,000 people go to their doctor’s offices to get a code update because the proprietary code was very insecure. In talking about the importance of Open Source Karen brought up the meta-issue that it is not just about the practical issues of efficiency, but also about moral and ethical issues.

After that we had a nice happy hour sponsored by Fusion Storm that took place in the vendor room, and I got to spend some time with 5150, Verbal, and John Miller while enjoying the Nacho bar, and eventually made my way to my room for the night.

Saturday started off strong with a keynote from Máirín Duffy, “Who Cares if the Code is Free? User Experience & Open Source”. Máirín is a UX expert working on the Fedora Project, and really got into the design issues with Open Source, and made a strong pitch for getting people involved outside of coding, and in particular how to get involved in UX. I appreciated this because a healthy Open Source ecosystem requires a lot of different skills, and in my view the idea that coders are the only ones who matter is a kind of sickness in our ranks. After that, there were 4 tracks:

  • Sysadmin and Development
  • /dev/random
  • Career
  • Security

As you might expect, the Security track got most of my attention, and I have to say I was impressed by the speakers there. The first was Kent Adams from SIP.US on VoIP Security Basics. As is usual in the area of Security, none of this was exactly rocket science, but when your phone service comes via Internet Protocol you have all of the usual security issues, such as how your firewall is configured, who might be sending packets your way, and is your software patched and up-to-date. It was a good talk, and Kent was a very engaging speaker. After that, Tom Kopchak from Hurricane Labs  had a talk called “Building a Malware Analysis Lab With Open Source Software”. He talked about using open source tools like Squid, Snort/Suricata, and pfSense, and tying them together with some scripting. Then it was time to break for lunch.

After lunch I started with Roberto Sanchez. Last year he did a very good talk about how he prepares his CS students by getting them involved in tools and practices like using GitHub, making pull requests, and so on, which I really loved. This year, his talk was “Secure Cloud: Linode with Full Disk Encryption”. Linode is a provider that offers inexpensive Linux virtual servers, and Roberto took us through how to do this securely by setting up your virtual server in an encrypted manner. I think a lot of what he discussed would apply in other areas as well, but taking us through the process step-by-step was valuable. Following that I decided to move over to the /dev/random track to hear Dru Lavigne discuss the new features in FreeNAS 11. Dru is someone I have talked to at a variety of conferences over the years, including having breakfast together at Indiana LinuxFest a few years back, so I was glad to see her here.

But I went back to the Security track for an excellent talk called “Top 10 Easy Cybersecurity Wins for Linux Environments” by Michael Contino. This was an excellent talk by a very knowledgeable speaker. Some of his tips were things I was aware of, but he also brought up some things that were new to me, and I want to follow up on those sometime. After his talk I met up with Joel McLaughlin and Allan Metzler of The Linux Link Tech Show for a little hallway conversation before Joel left, did a pass through the vendor room, then got into a hallway conversation with Michael Contino and a couple of other folks who were at his talk. Then my final Security Track talk was by Cody Hofstetter from Sovereign Cyber Industries, called “Getting Hit by an 18-Wheeler: Privacy and Anonymity in the Modern Age”. Most of what he talked about I knew, but he was such an engaging speaker that I was glad I was there.

The final keynote was Tarus Balog of The OpenNMS Group, who gave us the history of how he came to be the CEO of a successful company that sells free software, and the lessons he learned along the way. I first met Tarus when he gave the very first keynote at Indiana LinuxFest some years back, and he is both a great speaker and a great Free Software advocate. His talk was wonderful, and a fitting way to round out the talks for the day. We then retired to the ballroom for the after-party, and for me an unexpected finish when I won the raffle for a 3-D Printer. I am planning to donate it to a useful charity such as e-nable, which makes hands for children who lack them.

Overall, it was a very good conference, and I really enjoyed the speakers. But there is a problem here with diversity. Outside of the Keynoters, the only woman I could see presenting was Dru Lavigne, and I did not see any people of color. And based on my experience programming for Penguicon the last 4 years, this is probably because they just waited to see what proposals happened to come in. I have found that you need to pursue people to get the diversity you need, for whatever reason (I suspect “impostor syndrome” plays a role in at least some cases). For example, last spring I had a great presentation to a packed room by Connie Sieh, who created Scientific Linux. What you might not have known is that I was looking for her over a two year period before I found her (she had retired, old addresses no longer valid, etc.) And there were other people I made a point of going after because I knew what they could do. Another example is Ruth Suehle from Red Hat, who I contacted every year to get a presentation. I talked to the person at OLF who will be booking speakers for the coming year and offered to pass along some of my contacts to help in this.

Listen to the audio version of this post on Hacker Public Radio!


Penguicon 2017 Report

As always, this is my report on the things I did at Penguicon over the weekend of April 28-30, 2017. Penguicon is a huge event, with probably 500 hours of programming over all of the tracks, so joining in even a fraction of the possible activities is about the best you can do.

This was also my final year as “Track Head” for the Tech Track, a position I have held for 4 years now. I need to refocus my attention, and I think these conventions are better served by the regular infusion of new blood, so it seemed like the right time to move along. I will of course continue to attend each year, as indeed I did before becoming part of the staff, and I will be available to answer questions or provide support for my replacement.

Penguicon starts on Friday evening, and in past years I have been able to grab dinner near my office and then go up the road to Penguicon (one town over from my office). But this year I had a physical therapy appointment after work, so I was rushing around a bit. I did get to Penguicon in time to pick up a white board for the use of one of our Guests of Honor, Sumana Harihareswara. She gave a talk called Things I Wish I Had Known About Open Source in 1998.  The reference here is to when she started in Open Source software, and the lessons she had learned. I’m really glad I started my Penguicon with this talk, she was a very engaging speaker and had some valuable lessons to share.

After that I went by the Ubuntu Release Party, which was in the hotel bar, and caught up with some friends. We chatted for a while, and then I realized I was very tired between the end of a long week and the physical therapy, so I elected to go home and get a good night’s sleep to prepare for the next day.

Saturday I went back in the morning, and had a very nice breakfast at the hotel. They have a great breakfast buffet with a number of things I can actually have (a story for another day; I am diabetic). I could have raced through this to get to panels, but instead took my time, and at 11am I went to the Women in Tech panel. This was put together by Jennifer Cline from Grand Circus, a local training company that also offered several coding workshops at the event. But this panel had a couple of colleagues from Grand Circus, an entrepreneur, and someone from Google (who have a local office in Ann Arbor). I enjoyed the discussion, and they did a great job. That was followed by a panel on Distributed Game Development: The Benefits of Open Source. The interesting (to some people) twist is that the panelists (Adina Shanholtz, Amanda Lange, Rachel White) all work for Microsoft. I know some in the Open Source community still think of Microsoft as the “Evil Empire”, but I think there is change happening, and if they want to discuss the benefits of Open Source I am happy to encourage that. These ladies did a great job, and even showed some games they had created and told us how they did it.

Then I went to a panel on Creating Webcomics: Logistical Nonsense and Shameless Self-Promotion, with Erika Wagner and Laura Cascos. They have a comic I really like called Sidekick Girl, but this panel focused on the production issues, web hosting, etc. I then went to Marching Toward the World Brain: Chaos and Self-Organizing Networks, by Michael Grube. He gave a great talk, looking at some of his own experiments, and the biggest problem I could see was the room was too small. There were more people on the floor or against the wall than were in the seats. Michael’s talk looked at network theory to see how a computer network could be decentralized and still be programmable and have goals.

Then James Valleroy made a presentation on Freedom Box, Libre Personal Server. This is a project to provide a completely open personal server, which will have its first release in Debian Stretch, and which can be run on a Raspberry Pi. I was very interested since I see a couple of needs that I have which might be met by a Free, Open Source server platform. Then at 4pm I went to a panel on Ancient Egypt. That is one of the things that makes Penguicon so special, you can have all of the Technical stuff, but there is lots of other information available. This panel looked at people’s misunderstandings about Ancient Egypt, and a professor from the University of Michigan did some serious myth-busting (no, the pyramids were not grain storage facilities). Following this I went looking for the Tricorder Project Demo, but never did find it, so I instead opted for the Con Suite and some food (again, props to the Con Suite for having stuff I could eat, like fruit and vegetables).

Then it was on to Scientific Linux. This is a distro based on Red Hat that was developed at FermiLab just outside of Chicago, which is a major particle accelerator facility. They had a need for lots of computers to handle the enormous data being generated and analyze it, and turned to Linux as the solution. We had Connie Sieh, who was the founder, and Bonnie King, who took over as Team Lead when Connie retired, so this was very authoritative. Scientific Linux may have started at FermiLab, but it has spread to other facilities, and is a great resource.

I had planned to attend the panel on The Works of Miyazaki, Part 2, but the panel was canceled when the main presenter had to stay with a sick child, so I caught Karen Burnham and Bob Trembley on Space Travel Woes, With and Without Potatoes. Karen formerly worked for NASA, and Bob is with the Warren Astronomical Society, so they had some pretty good stuff to share. Then I went to the presentation All About The Tricorder Project, with Peter Jansen. This was our Hack of Honor this year at Penguicon, and Peter told us the story of how he decided to create a tricorder. This is not a medical tricorder, but it is a hand-held multi-instrument device, with things like GPS, temperature sensors, magnetic sensors, and so on. Peter explained exactly how he did it. And after this I decided to call it a day and go home.

Sunday started out like Saturday, with a breakfast in the hotel restaurant, and then on to Astronomy 103, with Bob and Connie Trembley. This really turned into a group discussion, and I was able to recommend some podcasts and video casts that they were not aware of. Generally, this became a discussion of astrophysics and weird cosmological stuff. This was followed by Re-Decentralizing the Web, by Ed Platt. Ed looked at the problem of social media being controlled by a few large companies, and presented alternatives, which I plan to check out, such as Mastodon, a kind of Federated alternative to Twitter. I don’t use Twitter, but I might like Mastodon.

Then it was on to Breaking Into Bots, by Gabrielle Crevecoeur. Her focus here was on creating bots that could answer questions and otherwise converse, and she demonstrated the tools she used to do this and how to set up your bot in the cloud. I had intended to then go to another Miyazaki panel, but this too was canceled for the same reason because it had the same presenter with the sick child. I hope these panels get rescheduled for next year. My wife and I love Miyazaki movies, and I was really looking forward to these panels. So without my Miyazaki fix I kind of wandered the floor and got into some conversations with other Penguicon folks.

Then at 3pm it was Closing Ceremonies time, and following that I went home. I was pretty tired (and how is it that sitting on your butt all day is so tiring?) and looking forward to relaxing a bit. But before I left the Con I made sure to purchase my pass for 2018. Penguicon gets better every year, and I want to be there to see what the next team comes up with.

Listen to the audio version of this post on Hacker Public Radio!
