Suramya's Blog : Welcome to my crazy life…

July 1, 2021

Never used foo/bar/baz as variable names, can I still call myself a programmer?

Filed under: Humor,My Thoughts,Techie Stuff — Suramya @ 4:14 PM

Just realized today that in my 24+ years of programming I have never named a variable foo, bar or baz. These are the go-to names for placeholders in code and metasyntactic variables, and have decades of history behind them. Most programmers use them for temporary variables or placeholders. Since I have never used them, can I still call myself a programmer? 😀

Jokes aside, you should use good variable names in your code that are meaningful, easy to read and concise. Some guidelines on how to do that are below:

Another point to keep in mind is to avoid acronyms that can have a different meaning in another language or resemble rude words. See the screenshot below for an example of a ‘bad’ variable name:

Example of a bad variable name

Well this is all for now. Will post more later.

– Suramya

June 12, 2021

Linus educates anti-vaxxer on Linux Kernel Mailing list

Filed under: Interesting Sites,My Thoughts,Techie Stuff — Suramya @ 4:36 AM

There have been times in the past when Linus’s posts on the Linux Kernel mailing list have been less than polite, and he was in fact asked to stop abusing colleagues on mailing lists. He then took a break from maintaining the kernel and took empathy training. Since then his responses have been pretty restrained and polite (for the most part). However, a few days ago someone named “Enrico Weigelt” posted a typical anti-vaxxer message on the Linux Kernel Mailing list:

> And I know *a lot* of people who will never take part in this generic
> human experiment that basically creates a new humanoid race (people
> who generate and exhaust the toxic spike proteine, whose gene sequence
> doesn’t look quote natural). I’m one of them, as my whole family.

This was in response to folks asking if the rising number of vaccinated people meant that the “Maintainers / Kernel Summit 2021” would be an in-person event or if it would remain a virtual one for now. Linus responded to his message with his customary wit and a technical response (though not as ‘colorful’ as his past responses).

I love that he started off his response with a blunt statement:

Please keep your insane and technically incorrect anti-vax comments to yourself.

You don’t know what you are talking about, you don’t know what mRNA
is, and you’re spreading idiotic lies. Maybe you do so unwittingly,
because of bad education. Maybe you do so because you’ve talked to
“experts” or watched youtube videos by charlatans that don’t know what
they are talking about.

Then he went on to explain what mRNA does and how it doesn’t stay in your body for more than a couple of days. You can read the full response below. I am posting a copy here so that I can refer people who send me anti-vaxx nonsense to it. Vaccines save lives. That is a fact. The study that links vaccines to autism has been debunked so many times that it is not even funny. But still there are people who fall for the trap. The problem is that the science is complicated enough that people don’t understand it, and the denialists use simple language that is easy to understand (even though it is wrong). This makes it easy for people to think they understand the science behind it and become rabid anti-vaxxers.

Dealing with conspiracy theorists is difficult, and I usually end up ignoring them or yelling at them. The lovely @OkieSpaceQueen has a great thread on talking to conspiracy theorists that I found very useful, along with their earlier thread focusing on how to talk to Flat Earthers. They are a lot more patient than I usually am, and I am going to try to use the techniques in the thread going forward.

All that being said, I just want to close with a request to get vaccinated as quickly as possible. It can and does save lives.

On Thu, Jun 10, 2021 at 11:08 AM Enrico Weigelt, metux IT consult
wrote:
>
> And I know *a lot* of people who will never take part in this generic
> human experiment that basically creates a new humanoid race (people
> who generate and exhaust the toxic spike proteine, whose gene sequence
> doesn’t look quote natural). I’m one of them, as my whole family.

Please keep your insane and technically incorrect anti-vax comments to yourself.

You don’t know what you are talking about, you don’t know what mRNA
is, and you’re spreading idiotic lies. Maybe you do so unwittingly,
because of bad education. Maybe you do so because you’ve talked to
“experts” or watched youtube videos by charlatans that don’t know what
they are talking about.

But dammit, regardless of where you have gotten your mis-information
from, any Linux kernel discussion list isn’t going to have your
idiotic drivel pass uncontested from me.

Vaccines have saved the lives of literally tens of millions of people.

Just for your edification in case you are actually willing to be
educated: mRNA doesn’t change your genetic sequence in any way. It is
the exact same intermediate – and temporary – kind of material that
your cells generate internally all the time as part of your normal
cell processes, and all that the mRNA vaccines do is to add a dose
their own specialized sequence that then makes your normal cell
machinery generate that spike protein so that your body learns how to
recognize it.

The half-life of mRNA is a few hours. Any injected mRNA will be all
gone from your body in a day or two. It doesn’t change anything
long-term, except for that natural “your body now knows how to
recognize and fight off a new foreign protein” (which then tends to
fade over time too, but lasts a lot longer than a few days). And yes,
while your body learns to fight off that foreign material, you may
feel like shit for a while. That’s normal, and it’s your natural
response to your cells spending resources on learning how to deal with
the new threat.

And of the vaccines, the mRNA ones are the most modern, and the most
targeted – exactly because they do *not* need to have any of the other
genetic material that you traditionally have in a vaccine (ie no need
for basically the whole – if weakened – bacterial or virus genetic
material). So the mRNA vaccines actually have *less* of that foreign
material in them than traditional vaccines do. And a *lot* less than
the very real and actual COVID-19 virus that is spreading in your
neighborhood.

Honestly, anybody who has told you differently, and who has told you
that it changes your genetic material, is simply uneducated. You need
to stop believing the anti-vax lies, and you need to start protecting
your family and the people around you. Get vaccinated.

I think you are in Germany, and COVID-19 numbers are going down. It’s
spreading a lot less these days, largely because people around you
have started getting the vaccine – about half having gotten their
first dose around you, and about a quarter being fully vaccinated. If
you and your family are more protected these days, it’s because of all
those other people who made the right choice, but it’s worth noting
that as you see the disease numbers go down in your neighborhood,
those diminishing numbers are going to predominantly be about people
like you and your family.

So don’t feel all warm and fuzzy about the fact that covid cases have
dropped a lot around you. Yes, all those vaccinated people around you
will protect you too, but if there is another wave, possibly due to a
more transmissible version – you and your family will be at _much_
higher risk than those vaccinated people because of your ignorance and
mis-information.

Get vaccinated. Stop believing the anti-vax lies.

And if you insist on believing in the crazy conspiracy theories, at
least SHUT THE HELL UP about it on Linux kernel discussion lists.

Linus

Original thread: Linus’s response on the Linux Kernel mailing list to the anti-vaxxer message

– Suramya

June 11, 2021

Dangers of online ‘free’ html editing services: Your site is now part of SEO scam for shady services

Filed under: Computer Tips,My Thoughts,Techie Stuff — Suramya @ 10:52 PM

There are a lot of free services available online for various tasks that historically required you to download and install software. For example, if you want to convert a .doc file to PDF, edit an image or even clean up / optimize your HTML files, you can use a free online service for it. As with anything, you need to take a look at who is running the site before you decide to upload your personal data to it. In addition, it is a good idea to take a look at the privacy policy and data retention policy of any such site before you use it. If a site doesn’t have a privacy policy or data retention policy and wants you to upload your private data/files to it, that is a red flag.

The most recent case of such misuse came to my notice a few days ago: a few of the highly-ranked online tools for editing / cleaning your HTML code were secretly injecting scam/spam links into the code being edited, to push themselves and their affiliated sites up the search engine rankings. SEO, or Search Engine Optimization, gives extra weight to sites that are linked to from other legitimate sites, and when an HTML cleaner adds links to its own products into each site/page that it edits, it gets a leg up on every other product because it has a lot more weighted links than its competition. (Links to the site are not the only thing used to raise a site’s profile, but SEO is a huge topic that I won’t be covering in this post.)

Caspar over at casparwre.de found this out while trying to figure out why he couldn’t be the top result for ‘online scoreboard’ on Google. You can check out the full write-up here:

For instance, I saw a blog post from the German Football Association containing a link to Scorecounter. The word that was linked was “score” – yet having a link here made absolutely no sense in the context of the article. What was going on? 🤔

Here are some more examples of links I found on random domains (you need to search for “score” on the page).

Macworld Shop
NBC Washington
RICE University (The link has now been removed)
Intuit Quickbooks (The link has now been removed)


So that was the secret: the creators of Scorecounter also made an online HTML editor which injects links for certain keywords. The beauty of this scam is that by injecting links to their own HTML editor, they have created a brilliant positive feedback loop: the higher the editor rises in the search rankings, the more people use it and the more secret links they can inject.

In one way this is a fantastic (if shady) way to ensure that your product is at the top of any search for a given text/question. But usually it is only a matter of time before people figure it out, and then you lose a lot of goodwill and get a reputation for shady practices. How many people would continue to use the product if they knew that their site will be used to hawk products that they personally have not selected/validated?

I took a look at the privacy policy and the general website over at html-cleaner.com, and they don’t have any note letting people know that the site introduces links to its own services and other sites into your text. This is shady behavior. Some of the reputable sites that I have seen in the past let you know that they will be adding a subtext or a note at the bottom of the page being edited, stating that it was created using the xyz service. Adding the links into the text of the site makes it seem that the owner of the site is endorsing the service, which obviously isn’t the case here.
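One way to check what an online HTML cleaner handed back, as an added example that is not code from this post or from any service named in it: parse the HTML you uploaded and the HTML you received, and report every anchor that is new and points off your own site. The two documents and the host name below are constructed samples.

```python
"""Spot links that an online HTML 'cleaner' slipped into your page.

Added example for this post; it is not code from the post or from any
service mentioned in it. It parses the HTML you uploaded and the HTML the
service returned, and reports anchors that are new in the returned copy
and point to a host other than your own. The two documents below are
constructed samples, not real output from any service.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, link text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def extract_links(html):
    """Return the list of (href, text) anchors in document order."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def injected_links(original_html, returned_html, own_hosts):
    """Anchors in returned_html that were not in original_html and whose
    host is not one of own_hosts. Relative links are treated as your own."""
    before = set(extract_links(original_html))
    own = {h.lower() for h in own_hosts}
    found = []
    for href, text in extract_links(returned_html):
        if (href, text) in before:
            continue
        host = urlparse(href).netloc.lower()
        if host and host not in own:
            found.append((href, text))
    return found


# Constructed sample: the page as uploaded, and as the 'cleaner' returned it.
ORIGINAL_HTML = """<p>The final score was 2-1. Read the
<a href="/reports/2021/final">match report</a> for details.</p>"""

RETURNED_HTML = """<p>The final <a href="https://scoreboard.example.invalid/">score</a> was 2-1. Read the
<a href="/reports/2021/final">match report</a> for details.</p>
<p style="font-size:1px"><a href="https://cleaner.example.invalid/">html cleaner</a></p>"""


if __name__ == "__main__":
    for href, text in injected_links(ORIGINAL_HTML, RETURNED_HTML, {"www.example.org"}):
        print(f"injected link: {text!r} -> {href}")
```

Run it against a real round trip by replacing the two sample strings with the file you uploaded and the file you downloaded, and `own_hosts` with the host names of your own site.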

To close the post, I just want to say that you need to be careful about where you upload data and what program you use to edit/create things, because if it was created by people with bad ethics they can, and often do, steal your private data, modify your data, or use it for purposes other than what you intended when uploading it.

– Suramya

June 8, 2021

Great book on Military Crypto analytics by Lambros Callimahos released to public

Filed under: Computer Security,Computer Software,My Thoughts,Techie Stuff — Suramya @ 9:58 PM

I find cryptography and code breaking very interesting, as they have huge implications for cybersecurity. The current world is based on the presumption that cryptographic algorithms are secure; it is what ensures that we can use the internet, bank online, find love online and even work online. Cryptography has historically been a field working under heavy classification, and there are multiple people we don’t know about because their existence and work were classified.

Lambros Callimahos was one such cryptologist. He was good enough that two of his books on Military Cryptanalytics covering code breaking (published in 1977) were blocked from public release till 1992. The third and last volume in the series was blocked from release till December 2020. It is now finally available for download as a PDF file, so you can check it out.

The book covers how code breaking can be used to solve “impossible puzzles”, and one of the key parts of the book is its explanation of how to use cryptodiagnosis to decrypt data that has been encrypted using an unknown algorithm. It has a whole bunch of examples and walks you through the process, which is quite fascinating. I am going to try getting through it over the next few weeks if I can.

Check it out if you would like to learn more about cryptography.

– Suramya

May 20, 2021

Thoughts on NVIDIA crippling cryptocurrency mining on some of its cards

Filed under: Computer Security,Computer Software,My Thoughts,Techie Stuff — Suramya @ 8:11 PM

You might have heard the news that NVIDIA has added code to its GPUs that makes them less attractive for cryptocurrency mining by reducing the efficiency of such computations using a software patch. On one side this is great news, because it means that GPUs will be less attractive for mining and more available for gamers and others to use in their setups. However, I feel that this is a bad precedent being set by a company. In effect they are deciding to control what you do with the card after you have bought it. A similar case would be a restriction in your car purchase to stop you from using it on non-highway roads, or to stop you from carrying potatoes in the trunk.

This all comes back to the old story about DRM and how it is being used to restrict us from actually owning a device. With DRM you are essentially renting the device, and if you do anything that the owning corporation doesn’t agree with, then you are in for a fun time at the local jail. DRM/DMCA is already being used to block farmers from fixing their farm equipment, medical professionals from fixing their medical equipment, and a whole lot more.

Cory Doctorow has a fantastic write-up on how DRM works and the problems caused by it. DRM does not support innovation; it actually enforces the status quo because it is illegal to bypass it.

I have an old Xbox sitting in my closet collecting dust. I want to run Linux on it, but that requires me to break the law because I would need to bypass the DRM protections in order to install a new OS. Today we are OK with them blocking cryptocurrency mining; what if tomorrow the company gets into a fight with a gaming company and decides to degrade that game’s performance because they didn’t pay the fees for full performance? What if tomorrow they decide to charge a subscription fee to get the full performance from the device? What is to stop them from degrading or crippling any other activity they don’t agree with whenever they feel like it? The law is in their favor because of DRM: laws like the DMCA (and other such laws) make it illegal to bypass the protections they have placed around it.

This is a slippery slope, and we can’t trust corporations to have our best interests at heart when there is money to be made.

There is more discussion on this happening over at HackerNews. Check it out.

– Suramya

May 14, 2021

NTFS has a massive performance hit on Linux compared to ext4

Filed under: Computer Software,Linux/Unix Related,My Thoughts,Techie Stuff — Suramya @ 12:47 PM

NTFS has long been a nemesis of Linux. I remember in the 2000s getting NTFS working on Linux required so much effort and so many config changes that I stopped using it on my systems, as FAT32 was more than sufficient for my needs at that time. Initially the driver was very unstable, and it was recommended that you only use it for read operations rather than read/write, as there was a high probability of data corruption. That has changed over the years and the driver is stable. However, there is a massive performance hit when using NTFS vs ext4 on a Linux machine, and I saw this when I tried using an NTFS partition on my laptop instead of ext4.

I have a 1 TB drive in my laptop along with an SSD. I dual boot the laptop (I need it for my classes) between Windows and Debian and wanted to have all my files available on both OSes. When I last tried this, ext support on Windows was not that great (and I didn’t feel like searching for options), so I decided to format the drive to NTFS so that I would have access to the files on both OSes. The formatting took ages, and once the drive was ready I was able to copy my files from the desktop to the laptop. While the files were being copied I noticed very high CPU usage on the laptop, and the UI was lagging randomly. Since I was busy with other stuff I let it be and ignored it.

Yesterday I was trying to move files around on the laptop so that the root partition had enough space to do an upgrade, and I again noticed that file copies and most of the disk operations were taking way longer than I expected. For example, there would be a second of delay when I tried listing a directory that had a lot of files. So, I decided to test it out. My data on the laptop is an exact copy of the files on the desktop. I timed the commands on the desktop against the same commands on the laptop, and there was a significant difference.

My desktop is obviously a lot more powerful than the laptop, so I decided to try an experiment where I would run a command on the NTFS drive, then format the drive to ext4 (after copying all the files back) and run the same command. When I did this I saw that there was a massive difference in the time it took to run the command. On ext4 the command took less than 1 second (0.107s), whereas it took almost 34 seconds (33.997s) on the NTFS partition. The screenshots for both commands are below:

Screenshot: du -hs command on an ext4 partition

Screenshot: du -hs command on an NTFS partition

That’s a ridiculous amount of difference between the two. So I obviously had to switch back to ext4, which brought me back full circle: I still needed to be able to access my files from Windows as well as from Linux. I decided to search the Internet for options and found out that Windows 10 now lets you mount Linux ext4 filesystems in WSL 2. I haven’t tried it yet, but I will test it over the next few days once I am done with some of my assignments. If there is something interesting I will blog about it in the near future.

As of now, I am back to using ext4 on the laptop and the OS performance is a lot better.

Well, this is all for now. Will post more later.

– Suramya

April 8, 2021

Moving a Windows install to another drive on the same computer shouldn’t be this hard

Filed under: Computer Software,Linux/Unix Related,My Thoughts,Techie Stuff — Suramya @ 11:27 PM

I recently bought a new SSD for my laptop because even after upgrading everything else (except the CPU) the system was still slow, and looking at process usage I could see that it was waiting on disk reads/writes for the most part, and that was causing the slowness. Once I got the new drive, I had to move the existing OS installs from the old disk to the new one. I have three operating systems (OSes) on the disk: Windows, Debian and Kali. I need the Windows OS for my classes (my proctored exams have to be taken on a Windows machine), and the others are for my tinkering and general computing. The disk layout on the old drive was as follows:

root@Wyrm:~# fdisk -l
Disk /dev/sda: 931.51 GiB, 1000204886016 bytes, 1953525168 sectors
Disk model: ST1000LM024 HN-M
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x0f04ad34

Device     Boot     Start       End   Sectors   Size Id Type
/dev/sda1  *         2048   1126399   1124352   549M  7 HPFS/NTFS/exFAT
/dev/sda2         1126400 102402047 101275648  48.3G  7 HPFS/NTFS/exFAT
/dev/sda3       102402048 135956479  33554432    16G 82 Linux swap / Solaris
/dev/sda4       135956480 468862127 332905648 158.7G  5 Extended
/dev/sda5       135958528 175017985  39059458  18.6G 83 Linux
/dev/sda6       175022080 237936641  62914562    30G 83 Linux
/dev/sda7       237940736 468862127 230921392   675G 83 Linux

I partitioned the new disk as a copy of the old drive, except for the data partition, which was smaller as the new disk was smaller. I used dd to clone each partition onto the corresponding new partition using the following command (where sdb was the new drive):

dd if=/dev/sda1 of=/dev/sdb1 bs=2k

Once I copied the partitions over, all I had to do was refresh the GRUB boot loader config using the following command:

update-grub
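The partition clone above, with the two checks dd itself does not make: that the target partition is at least as large as the source, and that the copy verifies afterwards. This is an added example, not the post's own tooling; the demo runs on constructed image files standing in for /dev/sda1 and /dev/sdb1.

```python
"""Clone a partition (or any block device / image file) and verify the copy.

Added example for the dd step above; it is not the post's own tooling. It
does what 'dd if=/dev/sda1 of=/dev/sdb1' does, plus two checks: the target
must be at least as large as the source, and the SHA-256 of both over the
source's length must match afterwards. The demo at the bottom runs on
constructed image files instead of real devices.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 4 * 1024 * 1024  # 4 MiB per read/write


def device_size(path):
    """Size in bytes; seeking to the end works for block devices and files."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes of path."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(BLOCK_SIZE, remaining))
            if not chunk:
                raise IOError(f"{path}: short read, {remaining} bytes missing")
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()


def clone_and_verify(src, dst):
    """Copy src onto dst and return True only if the copy verifies."""
    src_len, dst_len = device_size(src), device_size(dst)
    if dst_len < src_len:
        raise ValueError(f"target {dst} ({dst_len} bytes) is smaller "
                         f"than source ({src_len} bytes)")
    # 'r+b' writes in place without truncating, which a block device needs.
    with open(src, "rb") as fin, open(dst, "r+b") as fout:
        while True:
            chunk = fin.read(BLOCK_SIZE)
            if not chunk:
                break
            fout.write(chunk)
        fout.flush()
        os.fsync(fout.fileno())   # make sure the data actually hit the disk
    return sha256_prefix(src, src_len) == sha256_prefix(dst, src_len)


def demo():
    """Run the clone on constructed image files; returns both outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sda1.img")
        big = os.path.join(tmp, "sdb1.img")
        small = os.path.join(tmp, "sdb1-small.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * 1024 * 1024 + 17))   # not a block multiple
        with open(big, "wb") as f:
            f.write(b"\0" * (4 * 1024 * 1024))          # target >= source: fine
        with open(small, "wb") as f:
            f.write(b"\0" * (1024 * 1024))              # too small: rejected
        verified = clone_and_verify(src, big)
        try:
            clone_and_verify(src, small)
            rejected = False
        except ValueError:
            rejected = True
    return {"verified": verified, "rejected_small_target": rejected}


if __name__ == "__main__":
    print(demo())
```

On real devices, run it as root with the source and target device paths, and only after double-checking which drive is which with fdisk -l as above.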

After the config was updated, I was able to boot into Linux from both my Debian and Kali partitions on the new drive. However, that didn’t work for Windows. It gave me a screenful of random characters, like what you see when you try to open a binary file in a text editor, and refused to boot. Thankfully I had not deleted the old Windows partition, so I was able to try a few more things, but *nothing* worked. Windows would just refuse to boot from the new drive. The only solution I found that could potentially have worked was a paid software product that supposedly allows you to clone your Windows install onto new disks/computers. Since I didn’t want to spend money on something I should have been able to do for free, I didn’t try it.

In the end, after wasting a lot of time on this, I was tired of trying various things, so I just decided to reinstall Windows on the new drive. It wasn’t a major loss because I didn’t have much data on Windows, but I still dislike the fact that I had to do so just to put in a new drive. Imagine the hoops I would have had to jump through if I wanted to move to a new computer. Actually, I don’t have to imagine; I did jump through them when I moved my install from my old laptop to this one.

My Linux install on the laptop is an exact clone of my desktop install. I used dd to create an image of my Linux install on the desktop and then wrote the image to the laptop. It worked perfectly fine on the first try. All I had to change was the hostname so that my DHCP server didn’t have a nervous breakdown, but other than that everything worked without a single problem. Even the graphics drivers auto-adjusted on the new machine. Imagine if we could do the same thing for a Windows install.

– Suramya

March 25, 2021

Fools deleting company data after being fired and how to protect against this threat

Filed under: Computer Security,My Thoughts,Techie Stuff — Suramya @ 4:34 PM

Over the past few years I have seen multiple news articles and stories about idiots who were unhappy with their job or were fired and decided to take revenge by deleting data, accounts or destroying company property. The common factor in all the stories was the fact that the person was subsequently arrested and jailed. The most recent story I saw was this one, where a genius decided to delete 1200 Microsoft Office accounts after being fired and ended up in jail for his troubles.

Destroying company property when you leave is a good way to ensure you are never hired again by any company. I mean, if I were interviewing a candidate and I found out that the candidate had deleted critical data when they left the company, I would probably never hire them. At the end of the day, if you have demonstrated that you are not mature enough to deal with a loss and would rather delete data/information, then you are not a fit to work in my team. I know a lot of people will come and say that people should be given a second chance and whatnot, but this is a serious issue. There would be a major lack of trust in play here, and with that the person’s efficiency would be horrible, and multiple other folks would have to keep monitoring what this person was doing on the servers, which is an overhead I wouldn’t need.

So, now looking at this from the company’s side: how do you prevent something like this from happening? The basic step is to ensure that the access rights of the person are terminated as soon as they are let go. Secondly, they should not be allowed to access their system after they are fired. In one of my previous companies, the physical security team would escort a person off-premises without allowing them to log on to their computer or anything. By the time the person was off premises their accounts were already de-activated. They should also be removed from any company-related mailing lists, chat rooms, telephone trees etc. immediately. Any commonly known account passwords should be changed immediately, and if the person had admin access a check should be made for any unauthorized accounts with admin access and for any backdoors that were installed.

In the case of a threat where the person hasn’t been fired yet, you need to have systems in place to perform regular audits of all admin/root activity. There are a lot of other steps that can be taken that are out of scope for this blog post. SANS has a great paper on Protecting Against Insider Attacks, and RSA has a list of best practices that you can check out as well.
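Two of the checks above in code, as an added example that is not the post's own tooling: a diff of privileged-group membership against a baseline taken before the person left (to catch extra admin accounts), and a pull of every sudo command a departed account ran after its termination time. The group snapshots, log lines, user name and termination time are all constructed.

```python
"""Offboarding checks from this post, as an added example (not the post's
own tooling): (1) diff the membership of privileged groups against a
baseline captured before the person left, to catch accounts that were
quietly granted admin rights, and (2) list every sudo command a departed
account ran at or after its termination time. All inputs are constructed
samples in the shape of /etc/group lines and sudo's syslog lines.
"""
import re
from datetime import datetime, timezone

PRIVILEGED_GROUPS = ("sudo", "wheel", "adm")

# Constructed /etc/group snapshots: a baseline from a week before, and now.
BASELINE_GROUP = """sudo:x:27:alice,bob
wheel:x:10:alice
adm:x:4:syslog,alice
"""
CURRENT_GROUP = """sudo:x:27:alice,bob,svc-backup2
wheel:x:10:alice,bob
adm:x:4:syslog,alice
"""

# Constructed sudo log lines (syslog format carries no year, so one is assumed).
AUTH_LOG = """Mar 25 09:58:02 srv1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl status nginx
Mar 25 10:31:40 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -G sudo svc-backup2
Mar 25 10:32:05 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/rm -rf /srv/data
Mar 25 11:02:17 srv1 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt upgrade
"""

# Constructed: the moment HR terminated "bob" (UTC).
TERMINATED_AT = datetime(2021, 3, 25, 10, 0, tzinfo=timezone.utc)

SUDO_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sudo:\s+(?P<user>\S+) : "
    r".*COMMAND=(?P<cmd>.*)$"
)


def parse_groups(text):
    """Map group name -> set of member names from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _passwd, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def new_privileged_members(baseline_text, current_text, groups=PRIVILEGED_GROUPS):
    """Accounts present in a privileged group now but absent from the baseline."""
    baseline, current = parse_groups(baseline_text), parse_groups(current_text)
    added = {}
    for group in groups:
        extra = current.get(group, set()) - baseline.get(group, set())
        if extra:
            added[group] = sorted(extra)
    return added


def sudo_activity_after(log_text, user, terminated_at, year):
    """(timestamp, command) for each sudo command `user` ran at/after terminated_at."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LINE.match(line)
        if not m or m.group("user") != user:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        if ts >= terminated_at:
            hits.append((ts, m.group("cmd")))
    return hits


if __name__ == "__main__":
    print("new privileged members:", new_privileged_members(BASELINE_GROUP, CURRENT_GROUP))
    for ts, cmd in sudo_activity_after(AUTH_LOG, "bob", TERMINATED_AT, 2021):
        print(f"{ts:%Y-%m-%d %H:%M:%S} bob ran: {cmd}")
```

The group diff only catches local accounts; the same comparison applies to a directory's admin groups once you export their membership to the same name-list shape.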

If you need help securing your network/system please reach out and we can discuss in more detail.

– Suramya

March 7, 2021

Syncing data between my machines and phones using syncthing

I have talked about how my backup strategy has evolved over the years. I am quite happy with the setup I explained in my previous post, except for one minor point: I still had to manually sync the data from my laptop, Jani’s laptop and my phone to my desktop. Once it is there on the desktop, the various backup processes make sure that it is backed up and secure. The issue was that I still had to manually sync the data between the devices.

For my laptop, I used Unison to manually check for changes and then sync them over, which works great, but I had to ensure that the sync happened in the correct direction. For Jani’s laptop I mounted my drive on her computer over SSH using these steps and then ran robocopy to copy the files over. This worked intermittently. For some reason the system would randomly refuse to overwrite changed files with permission denied errors, even when the permissions were set to 777. The only way to fix it was to delete all the files on my computer and then do a fresh sync. This worked, but was not user-friendly and required me to manually kick off a backup, which I did infrequently. My phone, on the other hand, was backed up manually to my computer using SFTP. This was very cumbersome and I really disliked having to do it.

I have in the past looked into various technologies that allow multiple devices to sync data with each other. Unfortunately, all of them required an external connection, with a copy of the data being stored in the cloud. Since that was a show-stopper for me, I never got around to setting up my systems to automatically sync with each other. Then a few weeks ago, I came across this great article on how to create A Simple, Delay-Tolerant, Offline-Capable Mesh Network with Syncthing (+ optional NNCP). In the article John talked about Syncthing, which allowed him to create a local, serverless, peer-to-peer, open source alternative to Dropbox that let his machines sync directly with each other without a server. In other words, a perfect fit for what I wanted and needed to do. So I spent a little bit of time researching Syncthing and then decided to take the plunge and set up my laptop and desktop to sync with each other. Before starting the setup I backed up all my data so that in case something went wrong I still had a backup. Thankfully nothing did, but it is always good to have a backup.

Syncthing’s installation is pretty simple for all major operating systems, except for iPhones, which are not supported. On Debian, installation just required the following steps:

  • Run the following commands to add the “stable” channel to your APT sources:

    echo "deb https://apt.syncthing.net/ syncthing stable" | sudo tee /etc/apt/sources.list.d/syncthing.list
    curl -s https://syncthing.net/release-key.txt | sudo apt-key add -

  • Once you have added it, run the following commands to install syncthing:

    sudo apt-get update
    sudo apt-get install syncthing

Once the software is installed, execute the syncthing binary. On my computer it is installed in /usr/bin/syncthing. Once the software starts, it will start the web interface automatically. There is also a desktop application, but I prefer the web UI. Instructions on how to configure the folders and nodes are available in the Getting Started Guide over on the project website, so I am not going to repeat them here. Basically, you need to define the nodes and connect them to each other; if the devices are not added on both sides then the folders will not sync.

The software has a cool discovery feature, which makes it easy to add devices on a given node. As soon as you connect to the same network they detect each other and give you the option of connecting both. After the devices are connected, you configure the folder you want to sync and select the devices you want it synced with. The best part is that as soon as you configure one node, the other nodes will get a message stating that Node 1 is attempting to share a folder with them. Clicking on accept allows you to configure the folder path etc. on the node, and that’s it. The system will detect the files which need to be synced over and will copy them quickly. You can configure the sync to be bi-directional or one-way. Most of the folders in my setup are bi-directional; the only exception is Jani’s files, which is a one-way sync because I know that I am not going to modify the files on the server.

Below is what the setup looks like on my desktop. As you can see I am syncing data from 3 different computers/phones to it, and the syncs are really fast. I have copied files over to the folder on one computer and within minutes (depending on the size) they were replicated on the other computers/phone.

Screenshot: My Syncthing setup

I have the Android client running on my phone as well, and it instantly syncs any new photos etc. from my phone to the desktop. All I need to do is connect to the same LAN (wired or wireless) and the devices connect and sync automagically. There is an option to do so even over the WAN using a relay server, but since I didn’t want that I disabled it in the setup.
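A quick way to confirm that a node's config still matches the intent described above (one-way folder for Jani's files, no relays), as an added example that is not part of Syncthing or of this post. It reads the element and attribute names Syncthing uses in config.xml (<folder type=...>, <options><relaysEnabled>); the document, folder labels and device IDs below are a constructed sample with placeholders, not a real config.

```python
"""Audit a Syncthing config.xml for the two settings this post relies on:
one-way folders and no relays. Added example, not part of Syncthing or of
the post. It uses the element and attribute names Syncthing writes to
config.xml (<folder type=...>, <options><relaysEnabled>); the document
below is a constructed sample with placeholder device IDs.
"""
import xml.etree.ElementTree as ET

# Constructed sample modelled on a desktop that receives Jani's files one-way
# and shares Documents both ways, but still has relays switched on.
SAMPLE_CONFIG = """<configuration version="35">
  <folder id="jani-files" label="Jani" path="/data/jani" type="receiveonly">
    <device id="DEVICE-ID-PLACEHOLDER-JANI-LAPTOP"></device>
  </folder>
  <folder id="docs" label="Documents" path="/data/docs" type="sendreceive">
    <device id="DEVICE-ID-PLACEHOLDER-LAPTOP"></device>
    <device id="DEVICE-ID-PLACEHOLDER-PHONE"></device>
  </folder>
  <options>
    <globalAnnounceEnabled>false</globalAnnounceEnabled>
    <relaysEnabled>true</relaysEnabled>
  </options>
</configuration>
"""

# The operator's intent, mirroring the post: Jani's folder is one-way.
EXPECTED_TYPES = {"Jani": "receiveonly", "Documents": "sendreceive"}

# Settings a LAN-only node does not need; both default to on in Syncthing.
WAN_OPTIONS = ("relaysEnabled", "globalAnnounceEnabled")


def _label(folder):
    return folder.get("label") or folder.get("id")


def folder_types(config_xml):
    """Map folder label (or id) -> its type attribute."""
    root = ET.fromstring(config_xml)
    return {_label(f): f.get("type") for f in root.findall("folder")}


def shared_with(config_xml):
    """Map folder label -> sorted device ids the folder is shared with."""
    root = ET.fromstring(config_xml)
    return {_label(f): sorted(d.get("id") for d in f.findall("device"))
            for f in root.findall("folder")}


def audit(config_xml, expected_types, lan_only=True):
    """Return findings as strings; an empty list means the config matches intent."""
    root = ET.fromstring(config_xml)
    findings = []
    types = folder_types(config_xml)
    for label, want in expected_types.items():
        got = types.get(label)
        if got != want:
            findings.append(f"folder {label!r}: type is {got!r}, expected {want!r}")
    if lan_only:
        opts = root.find("options")
        for key in WAN_OPTIONS:
            value = opts.findtext(key) if opts is not None else None
            if value != "false":
                findings.append(f"options/{key} is {value!r}; LAN-only expects 'false'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, EXPECTED_TYPES):
        print(finding)
```

Point it at the real file (on Linux usually ~/.config/syncthing/config.xml) after any change in the web UI to catch a folder that quietly went back to two-way.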

Now all my data is synced to the desktop machine without me having to worry about anything or manually copying files around. Check it out if you want to sync your devices without using an external server.

– Suramya

February 22, 2021

Should software be “classified” if it is used by government agencies?

Filed under: My Thoughts,Techie Stuff — Suramya @ 10:25 PM

Software should not be classified when used in government agencies, except in some very rare exceptional cases. For example, software used to launch nuclear missiles and ensure they hit their targets might be an exception; however, these should be the exception rather than the rule in my opinion. The reason I say that is that when software is classified it means that a limited number of people are using it, and that means only a limited number of developers are working on it at any given time. Plus, when something is classified it cannot be security tested by external entities without signing multiple Non-Disclosure Agreements (NDAs) and jumping through other similar hoops, whereas regular software is used and tested by lots of people, like corporates who test the solution before they implement it in their environment. This gives us multiple groups of people testing the software in various ways, making it easier to identify security issues and making it more secure.

Secondly, making classified versions of existing software doesn’t seem like a good use of resources to me. Why spend extra money creating a classified ‘Word’ when the commercial version (with some modification) would work perfectly well?

Coming to open source, I don’t think government should be prohibited from using open source. There are two ways governments can be blocked from using open source software. Firstly, the software license might prohibit government use. If this is the case, then the license no longer meets the requirements to be called open source, since the Open Source Definition specifies that open source licenses may not discriminate against persons or groups. In fact, there was an attempt back in 2006 by GPU, which is a Gnutella client, to create a license that disallowed the use of their software by the military. It didn’t go anywhere because of strong opposition by the Open Source Initiative (OSI) to calling the license open source. Second, the government might not allow its use due to internal policy. This is primarily because they are worried about one or all of the following: security, cost, or licensing.

There is a misconception that open source software is less secure than commercial software, and even though the majority of the servers worldwide run on open source software (Linux, Apache etc.) the detractors still persist. In every large company I have worked with so far, whenever I try promoting open source software this point invariably comes up and I have to spend time explaining why this is not the case.

Another reason why companies might not allow OSS is the license the software might be under. If the software is licensed under the GPL they need to be extra careful when using it within their setup, because the GPL is what is known as a viral license. It requires the source code of the entire “derived work” – i.e. the combination of GPL code and proprietary code – to be made publicly available under the terms of the GPL. Due to this, most companies do not allow software licensed under the GPL to be used inside them. (Libraries licensed under the GPL are fine because they don’t trigger the ‘viral’ clause.) However, there are other licenses that do not have this clause and can be safely used.

Ultimately, I feel it is better if they use open source software rather than pay ridiculous amounts of money in software licensing fees.
