Thanks Goodness!
gcc WTF Bug
What a show:
gcc blah.c -o blah.c
works without complaint, i.e. gcc simply overwrites the source code with the compiled binary. Apart from that, everything is fine, right?!
Cryptowars 2.0
The very fact of wanting to stay secure and keep your privacy will become a criminal offence.
Exactly. The point is to criminalise encryption (just as more and more previously perfectly normal behaviour is being criminalised anyway), so that, when in doubt, they have something to use against certain people. Cameron and Obama surely already know that the backdoor idea will go nowhere.
18.08.2015 #gesellschaft
Diceware Password Generator
As I already wrote elsewhere, I'm using separate users, email addresses and passwords for every account I create somewhere. For the passwords I use diceware passwords, which are the most secure ones. Until now I "generated" them myself without really using dice or any kind of dictionary. A somewhat boring process, so I decided to do something about it and wrote a little tool for it: dicepwgen.
It's written in C, licensed under the GPL version 3 and doesn't have any special dependencies, that is, it should compile on almost any Unix platform. The tool uses a dictionary file (there's a built-in default location, but it can be changed via the -f flag). It does a couple of "tricks" to fulfill the diceware process: since a dictionary file has far more entries than can be reached with five dice (a diceware word list contains only 7776 entries), it skips a random number of lines while reading the dictionary file. It indexes each entry with a "dicey" number, that is, a number consisting only of the digits 1,2,3,4,5,6.
Then there are two operational modes: in the default mode it generates a number of dice rolls (by default 4, which can be changed as well), looks up the matching words in the list and prints them. In interactive mode, which is enabled with the -t switch, it asks the user to enter the dice rolls. In that mode the user has to roll physical dice and enter whatever comes up. Passwords generated this way are truly random.
It should be noted that dicepwgen only uses words consisting of plain ASCII characters (a-zA-Z) and ignores all others. So passwords generated with dicepwgen do not contain UTF-8 or latin1 characters, whatever encoding the dictionary file may use. This behavior is intentional, since it is not wise to use UTF-8 or other non-ASCII characters in passwords anyway. It also ignores words which are too short or too long; these limits can be tweaked (with -l or -m).
Usage example (default mode, the tool "rolls" the dice):
% dicepwgen
granting frightens parrakeet flukes
And here is how it looks if the user rolls the dice:
% dicepwgen -t
dice roll 1 - enter 5 digits, each between 1-6: 34112
dice roll 2 - enter 5 digits, each between 1-6: 62155
dice roll 3 - enter 5 digits, each between 1-6: 33431
dice roll 4 - enter 5 digits, each between 1-6: 16261
Gonzalo armrest Capistrano eaters
Ok, not much to see :) But good tools are simple to use, aren't they?
Update 2016-08-26:
I added a new flag -y which causes whitespace to be replaced with dashes and adds %8 to the end of the generated passphrase.
Often I stumble upon sites with so-called "password policies", and in many cases it's not possible to use unaltered diceware passphrases on such sites. Either they do not support whitespace or they require numbers and non-letter characters to be present.
So, this is what -y does: satisfy those sites with their horrible policies while still being able to use a diceware passphrase. This is possible because it doesn't matter whether the dice words are separated with a dash, a whitespace or even nothing: the entropy is the same. That -y appends a constant %8 doesn't matter either; the security lies in the dice words.
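An added example (not dicepwgen's own code) that walks through the scheme this post describes: mapping a five-digit dice roll to a list index and back, the ASCII-only word filter with length bounds, and the -y transformation. The function names and the length bounds used in the comments are my own assumptions.

```c
#include <string.h>
#include <ctype.h>

#define DICE 5                 /* digits per roll: 6^5 = 7776 list entries */

/* Convert a roll such as "34112" (five digits, each 1-6) to a 0-based
 * index into the 7776-entry list; returns -1 for an invalid roll. */
int roll_to_index(const char *roll) {
    if (strlen(roll) != DICE) return -1;
    int idx = 0;
    for (int i = 0; i < DICE; i++) {
        if (roll[i] < '1' || roll[i] > '6') return -1;
        idx = idx * 6 + (roll[i] - '1');
    }
    return idx;
}

/* Inverse: the "dicey" number (digits 1-6 only) that labels list entry idx. */
void index_to_roll(int idx, char out[DICE + 1]) {
    for (int i = DICE - 1; i >= 0; i--) {
        out[i] = (char)('1' + idx % 6);
        idx /= 6;
    }
    out[DICE] = '\0';
}

/* The word filter the post describes: plain ASCII letters only (a-zA-Z),
 * length within [minlen, maxlen]; UTF-8 and latin1 bytes are rejected. */
int word_ok(const char *w, size_t minlen, size_t maxlen) {
    size_t n = strlen(w);
    if (n < minlen || n > maxlen) return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)w[i] > 127 || !isalpha((unsigned char)w[i])) return 0;
    return 1;
}

/* The -y transformation: words joined with dashes plus a constant "%8",
 * which satisfies "must contain digits/symbols" policies without changing
 * the entropy. Returns 0 on success, -1 if the buffer (size cap) is too small. */
int join_policy(char *out, size_t cap, const char **words, int n) {
    out[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (strlen(out) + strlen(words[i]) + 4 > cap) return -1;
        if (i > 0) strcat(out, "-");
        strcat(out, words[i]);
    }
    strcat(out, "%8");
    return 0;
}
```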
Object to Open Code of Conduct
GitHub now has an Open Code of Conduct as well. While I support the general idea of having such a code, which makes it possible to hold misbehaving community members accountable, I do not agree with everything.
Be welcoming: We strive to be a community that welcomes and supports people of all backgrounds and identities. This includes, but is not limited to members of any race, ethnicity, culture, national origin, colour, immigration status, social and economic class, educational level, sex, sexual orientation, gender identity and expression, age, size, family status, political belief, religion, and mental and physical ability.
Just no. If I were the one maintaining an open source community, I'd not welcome everyone. For instance, I would not accept contributions by intelligence agency employees, or by members of the military (from whatever country, including my own). I would also not welcome government officers or employees in general, of any government. I would not accept Theo de Raadt (not that he would ever try to join my hypothetical community *g*). Although I accept religious people, I would reject religious comments from them or arguments about the software on religious grounds; in fact I would even reject such people if they are not able to keep their religion private. The same applies to political or any other views. If the community is about some piece of software, then we can talk about that software, not about political ideologies or idiocy.
On the other hand the list above excludes a couple of potential members: what about an artificial intelligence? Or an alien being? So it might be better (more future-proof) to state that all sentient beings are welcome as long as they want to contribute to the software in one way or another.
Be careful in the words that you choose: we are a community of professionals, and we conduct ourselves professionally.
Nope. In most cases open source developers may have a daytime job in the industry, but they participate in projects in their spare time. This makes them "hobbyists", as they say, although I don't like the term. However, I, working on a project, am not acting as a professional, but as a private citizen exercising my constitutional rights by trying to contribute to a higher matter, i.e. making the lives of others better. And I, like many others, am doing it for free. No one has to pay me for my work on open source. I'm already filled with satisfaction if one user finds a use for my software. But I'm not acting as a professional and I'm not behaving as such. Of course I've got a decent education and always try to be polite and respectful. As long as the peer does so as well. If she doesn't, I'll either tell her or stop communicating. I will always tell the truth, argue based on facts, not on feelz, whether the other person likes it or not.
Diversity Statement
We encourage everyone to participate and are committed to building a community for all. Although we will fail at times, we seek to treat everyone both as fairly and equally as possible. Whenever a participant has made a mistake, we expect them to take responsibility for it. If someone has been harmed or offended, it is our responsibility to listen carefully and respectfully, and do our best to right the wrong.
I'd assume that if some organisation has no such statement about diversity, actual diversity is the default. Why do I have to state the obvious?
And I do not think it is a good idea to "right the wrong". That sounds utterly like Facebook's "Report User" function. User A claims that User B offended her. User B denies it. In most cases it may be obvious what counts as offending, like calling someone names, threatening someone with violence or revealing private information to the public. But what about the more subtle cases (as they happen every day on Facebook)? Is it really the role of the community to act as investigator, prosecutor and judge in unison? And who is "WE" anyway? Some unspoken kind of elected governmental body within the community?
Let me digress a little. Once I operated a forum. It was public, subscription was totally anonymous and I had disabled all logging. Not even an email address was required to join. And I was the sole dictator. The forum was no democracy, because where I live, in Germany, the site operator may be held responsible for what users on that site are doing. And so I told my users a simple rule: if two of them had a problem with each other and it was not easily recognizable who was right or who was the offender, I deleted them both. Because I am not the one to judge the idiocy of others or to decide which one is the idiot. So when in doubt, I dropped them altogether. They knew it very well in advance. And you know what? I never deleted a user because of that rule! They just behaved. Lo and behold!
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an individual engages in unacceptable behavior, the representative may take any action they deem appropriate, up to and including a permanent ban from our community without warning.
This is actually dangerous. We've seen such rules before. A user complains, an admin "reviews" the case and as a result deletes another user. What was not known is that the complaining user and the reviewing admin had a relationship. Oops.
Now let me digress a little more. I'm a huge fan of democracy. You know why? Because I actually fought for it. 1989, on the streets of Leipzig in East Germany. I grew up in a dictatorship. One of the fundamental features of a dictatorship is fear. And the easiest way to seed fear among the populace is to let them do it to each other. If you didn't like someone and wanted him to disappear, all you had to do was report the person to the authorities, telling them the person was acting suspiciously. Then they took care of that person. And care they took! People have been incarcerated merely for having ideas. Thought crimes were a common cause of going to prison in East Germany before 1989.
The very same happened during the Third Reich. But in those times reported people had a different fate. They were sent to concentration camps and eventually killed. Torture was mandatory. All you had to do in those times in order to get someone out of your way was to tell the SS that the person was a Jew or was helping Jews. Bam! Dead!
So, this is a complicated issue. Once you state that you take responsibility for solving conflicts between people, you cannot do this in a fair way anymore unless you have a justice system in place like in a democratic state. Everything else is dictatorship and it will definitely be abused sooner or later. In my opinion you either don't take that responsibility at all, or you state that the community is a dictatorship in the first place. Otherwise this is just brainwashing.
Yes, an old fool's rant that is. Sorry.
Update 2015-10-07:
And here we can watch more of this bullshit: Sarah Sharp quits Linux kernel development because of "verbal abuse" and stuff like this. Actually, this view of hers is not new. In fact she did the same thing in 2013. Linus' answer to this bullshit underlines my argument above:
[..] (please read the full post!)
Because if you want me to "act professional", I can tell you that I'm not interested. I'm sitting in my home office wearing a bathrobe. The same way I'm not going to start wearing ties, I'm *also* not going to buy into the fake politeness, the lying, the office politics and backstabbing, the passive aggressiveness, and the buzzwords. Because THAT is what "acting professionally" results in: people resort to all kinds of really nasty things because they are forced to act out their normal urges in unnatural ways.
The same thread contains these two contributions:
One thing you should keep in mind in your discussion is what can happen if people get too polite with each other.
and:
I have seen this happen at two large companies I worked for. Early on, flames are acceptable and expected as response to someone publishing bad code which breaks everything for everyone. Then, at some point, it is not acceptable anymore to flame, and one is expected to be polite and friendly at all times. "Your code breaks the build for every platform. Would you please kindly consider fixing it ?" Result is that code quality suffers, to the point where images don't even build anymore.
I hope the Linux kernel never gets into that stage. To avoid that, I am willing to be cursed at by Linus if I am the responsible party.
Didn't Jim Zemlin show some research where there were two groups: One that did a bunch of brain storming where no idea was a bad idea. The other required you to defend your idea while the others bashed it. The results always showed that the second group not only did a better job, but also faster and more efficient. I'm afraid if we worry too much about politeness, we will fall into that first group.
Finally, Fefe has something to say about this as well [German]. So, if you ever come across such demands, there are lots of arguments against them.