Ubuntu

MD5 Considered Harmful (and what that means to you)

Posted by emmajane on December 31, 2008 - 12:40pm in

You know the lock icon in your browser that tells you your banking Web site is safe and you are secure? As of yesterday we've learned this icon may be meaningless. Yesterday a presentation was given at the Chaos Communication Congress that exposed a flaw in the way SSL certificates are handed out. In their presentation they explained that this icon, in some cases, can be completely spoofed. When you combine this with the fact that people can ALSO spoof your domain name you have the potential to have a banking Web site that looks and feels EXACTLY like your banking Web site (and even "validates" as your bank) that is...well...not your bank.

Not all hope is lost though. There's a good way (SHA-1) and a bad way (MD5) to make these certificates. So your bank might be completely fine and things will carry on as per usual. But here's the kicker: it's impossible to know which of the two was used to create the certificate that is authenticating the Web site you are using. Expect to see more information in the weeks and months to come as security experts try to figure out how to get us out of this colossal mess.
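As an added example (not code from the original post, nor from the authors of the paper), here is a stdlib-only Python walker that reads the signatureAlgorithm field of an X.509 certificate and flags md5WithRSAEncryption, which is the field a defender inspects to see whether MD5 or SHA-1 backed a site's certificate. It assumes DER input (a PEM certificate can be converted with ssl.PEM_cert_to_DER_cert), and the sample certificate it parses is constructed for the example, not a real one.

```python
# Added example, not from the original post: walk the outer DER layout of an
# X.509 certificate (DER bytes; convert PEM with ssl.PEM_cert_to_DER_cert) and
# report which signature algorithm the issuer used, flagging the MD5-based one.
SIG_ALG_NAMES = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
MD5_BASED = {"1.2.840.113549.1.1.4"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }:
    skip tbsCertificate, then read the OID inside signatureAlgorithm."""
    tag, pos, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = read_tlv(cert_der, pos)             # tbsCertificate
    _, alg_start, _ = read_tlv(cert_der, tbs_end)       # signatureAlgorithm
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = decode_oid(cert_der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown"), oid in MD5_BASED

# Constructed sample input: no real certificate is embedded, only its outer shape.
def der(tag, content):                    # DER TLV, long-form length if >= 128 bytes
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
OID_MD5_RSA = bytes.fromhex("2a864886f70d010104")   # 1.2.840.113549.1.1.4
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5
def sample_cert(sig_oid):
    """Filler tbsCertificate (>128 bytes), AlgorithmIdentifier {oid, NULL}, dummy sig."""
    tbs = der(0x30, der(0x04, b"\x00" * 200))
    alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xff" * 16))
```

On a live certificate, `signature_algorithm(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443))))` returns the same (oid, name, is_md5) triple.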

The technical information is available from MD5 Considered Harmful Today (the paper). Video from the CCC presentation is also available from their site, sort of. I think you need to download the whole day of video for that room. Please correct me if you know otherwise, or leave a link to the actual video in the comments.

And to bring in the new year and to "celebrate" this minor security catastrophe, I'll spend the evening at home quilting in front of the wood stove. If you're local, please drop by and say hello.

PS Thanks to Matthew and Leigh and Nik for the heads up and the explanations about why I needed to care (and why you should too).

Falling in love all over again

Posted by emmajane on December 22, 2008 - 7:00pm in

/me facepalms. Seriously? Falling in love all over again? Blind love can't possibly lead to usable design and good power management practices. Blind love is bad. It might be what keeps Mac users firmly attached to the latest Apple gadget, but it shouldn't be what powers the development of products. If we are to compete and "win" we must remember that games are won with strategy. And strategy must be based on needs and wants and desires (sometimes these are clearly defined, sometimes they are not). The strategy must play into what people love and want and lust after, but it cannot be fueled on love alone.

A long time ago I had a conversation with someone that completely turned my world upside down. I was sitting in a very nice Web design studio and looked up at one of the shelves to see a whole row of Adobe software packages. I made some kind of comment about how much "better" pirated software was and the response I got was something to the effect of, "a carpenter doesn't steal a hammer; why would it be appropriate for me to steal my tools?" Within a very short amount of time I had switched all of my software tools from pirated software to freeware/open source or paid software. I stayed with Windows (which I had purchased with my computer) until it was time to upgrade. And then I switched my desktop platform as well. I've gotten huge support from the software community as I've stumbled through the learning curve of each of the tools I use to earn my income. The support communities define, to a large extent, the tools I use today. But that's not why I love Ubuntu.

For me The Ubuntu Ethos has nothing to do with falling in love with a product or a community. It doesn't have to do with love at all. Oh sure I may say that I "love" Drupal or "love" Ubuntu every now and then. But that kind of love is more about not wanting to go through a learning curve of new products (all over again). Love doesn't pay the mortgage or the grocery bill or the hydro bill that keeps my computer running. The thing that keeps me attached to Ubuntu is the same thing that attracted me to free software in the beginning--the freedom to earn a living. I am free of software licenses and free to move my data around as I wish. I am free to contribute and to benefit from the contributions that others have made before me. You can't survive on love alone.

I am a member of the Ubuntu community and the Drupal community. They are very, very different. But here's one thing that I love about the Drupal community--the social structure of the community allows me to contribute to the software AND make money from it too. I've had more than one conversation about how Drupal can help you to earn even more money. The Drupal community started as a labour of love (and efficiency). And it is one that I have donated both my time and my money to (yes, actual cash-money). Having given away money, I think my commitment to Drupal could probably be defined as "larger" than my commitment to Ubuntu.

My contributions in the Ubuntu community lean towards advocacy and documentation. When I create within this space it's because I want to help you work more efficiently so that you can spend more time with your family, or perhaps (you should see this one coming), earn more money. I want to work and volunteer with people who are committed to seeing "our" project do better. Of course friendships are inevitable. And I love participating in the tit-for-tat of a meritocracy (and have spent hours trying to figure out why diacritics weren't showing up in Romanian PDFs). Quite frankly the more esoteric the problem, the more interesting it is to me. Within the Ubuntu community I've contributed to projects that have helped people directly with their salaried income and with their hobby projects--with no discrimination between the two because I don't know what kind of help I'll need tomorrow. But none of it made me fall in love with Ubuntu. As long as Ubuntu helps me, stays out of my way when I'm trying to work, and gives me random esoteric problems to solve, I will stay interested and committed. But you don't want me to be irrational and in love.

As Jeremy Allison said at the Ontario Linux Fest back in October--of course open source is going to win. We don't need the money. But that doesn't mean that we can't earn a little along the way. Thinking past our own needs and to those of the consumers is going to make Ubuntu a stronger product. Looking beyond our own community and thinking about the social value consumers put on closed-source products may reveal part of the ethos that has made the closed source products so successful within their own market. Thinking about ways to market (and make money from) Ubuntu will help us focus on new kinds of users. We can't beat Bug #1 by looking only to ourselves and our own love of the projects we work on. We need to look outside, over there, to see what they will fall in love with. And once we see what it is they want to love, we need to deliver it to them with a bow or perhaps dill pickles. Yes, dill pickles. They're in love with proprietary software--obviously the rules of the game are already irrational.