I love that he is so excited that he can barely speak. It’s absolutely great that someone from one of the older generations (read: alive before the 1990′s) can get into and find uses for technology that kids take for granted.

With “tablets” and smart-phones (iPhone, iPad, Android and others) the whole landscape has shifted to a point where a computing device can be used by anyone without any prior computing experience or training. Finally we’re at a point where technology is becoming a facilitator rather than something for only for geeks. These devices are delivering on the unspoken promise that the founders of the internet made to the world; information will be freely accessible by everyone, anywhere, and at any time.

HotSpotSystem.com has the benefit feature of allocating people a username and password which they may use. This is instead of Coova’s insistence on creating new access codes which the user must check their email for before they disconnect else they will have to buy more time to regain access again.

HotSpotSystem.com, however, last I used the system, did not allow easy reimbursement to a user following a prolonged network outage. By which I mean when most a user’s access time has elapsed before services come back online. Coova.net, by virtue of tieing directly into your PayPal account allows for refunds in the standard PayPal way. Coova.net also allows for arbitrary access granting via one-time access codes without requiring any further payments. (I am unsure whether HotSpotSystem.com does this, but hoping for pleasently surprising information to the contrary.)

HotSpotSystem.com, by utilising a proper payment processor instead of relying upon PayPal’s system, has more of a professional e-commerce feel than Coova.net’s system. This improves the image of my company.

HotSpotSystem.com’s reporting features are very good and surpass Coova.net’s by a long shot!

Plus, HotSpotSystem.com allows remote monitoring and command execution on my Access Point(s) with no extra configuration required.

All-in-all I prefer HotSpotSystem.com for the more professional system when comparing to Coova.net, and will be glad once I get the transition back sorted.

I had some problems with failed handshakes from XChat for Windows when connecting to my freshly rebooted server running InspIRCd 1.2. XChat for Windows was reporting:

* Connection failed. Error: [336151568] error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

My attempts to fix this problem were two-fold: I checked OpenSSL was correctly installed on my server and recompiled InspIRCd to make sure it was linking to the correct library. After restarting the server I still couldn’t connect, so I moved to my second step where I verified that my saved SSL certificate from StartSSL was not corrupted by removing the file from my InspIRCd folder and replacing with a symlink to a known-good copy in a different folder.

After verifying that the known-good file is still intact by utilising the OpenSSL command line program with the following incantation, I restarted the InspIRCd daemon and tried connecting again.

$ openssl verify -purpose sslserver -CAfile /path/to/intermediate.pem /path/to/certificate.pem

Unfortunately, while the OpenSSL verify command succeeded, I still couldn’t connect to the server with the same Connection failed errors from XChat for Windows. It was at this point that, after pulling some more of my hair out, I decided to reconfigure InspIRCd to look directly at the SSL files instead of the symlinks. Once I had done this I finally found a more usable error message with XChat for Windows now reporting:

SSL   Verify: [20] unable to get local issuer certificate
* Connection failed. Error: SSL failure

More hair-pulling later I have now replaced OpenSSL on my server with GNUTLS and managed to get up to XChat for Windows reporting:

SSL   Verify: [19] self signed certificate in certificate chain

I have, at least, managed to discover the cause of my issues being my recent installation of NMap for Windows which included OpenSSL libraries on the default windows search path. This caused XChat for Windows to bypass its default SSL subsystem for the OpenSSL provided by NMap. It also seems that some other people are also hair-pulling over OpenSSL and StartSSL’s certificates, so at least I can take comfort that I’m not alone. Removing NMap from my default PATH fixes it on my client for the moment, but I worry now about users on Linux-based systems using OpenSSL as their provider library causing the same problems until they specifically tell their IRC client to “ignore invalid certificates” which will open a huge security hole on their system allowing for MitM (Man in the Middle) attacks.

However, my comment today is about an exciting new effort from the the Electronic Frontier Foundation, which has published a call-to-arms over the short-term goal of getting more networks to open a portion of their bandwidth to passers-by, and the long-term goal of creating a new wireless standard that allows for encrypted communications over free wireless networks. (Free referring to the freedom to connect.) The crux of this issue is the need for a new standard that allows anybody to connect to a specified Wireless network while still maintaining complete security via encryption methodologies.

The idea is to allow each third-party to connect to the network but be unable to see the communications of other third-parties. One example way of achieving this exampled by the EFF Article uses the SSH protocol as it’s inspiration, which allows for one security certificate to create multiple session encryption keys which are then used by the user. Also in this scheme is the “Trust-On-First-Use” paradigm which prompts the user when they first connect to the station to accept the security certificate and to then use that as the basis for future un-prompted communication. If the certificate ever changes then the user knows with a high degree of accuracy that either: the network has changed somehow (e.g. by changing the connected station), or the connection has just been intercepted by a Man-in-the-Middle (MitM) beginning an attack, or that a previous MitM attack has just ended.

If I could allow my network’s users to connect in a more secure manner then I would do so. However, as this proposed protocol is only at the planning stage at the moment, and there is no guarantee that a wireless working group would accept the protocol for a future standard, then I cannot easily allow encrypted communication via my wireless stations. Ideally the Captive Portal suites such as CoovaChilli should provide a means to utilise 802.11x for RADIUS-backed encryption for a user once they have a valid credential for the network. Especially as CoovaChilli and others are backed by RADIUS anyway.

Another related issue, however, is that supposedly I may become liable for my users’ mis-behaviour on the internet via my connection. Technically, I’m an individual on a residential connection and therefore I am not allowed to resell access. This puts me at odds with my ISP’s T&Cs. Also, while I am technically on a residential connection am I able to claim that I am an ISP to my clients? This puts me at odds with the legal system. My position is that I am an ISP in the sense that yes I do provide an internet service to users of my network; I also state that I am not technically reselling my connection, I am selling my firewalling of the user from internet nasties and then providing free internet access on the back of that without resale.

Related articles

• Why we need an Open Wireless movement (eff.org)
• Lock Down Your Wi-Fi or the FBI Might Come Knocking (pcworld.com)

Note Section 1.3(g) states that:

[signatory shall not nor allow a third party to] (g) modify any open source version of Appcelerator’s software source code (“Original Code”) to develop a separately maintained source code program (the “Forked Software”) so that such modifications are not automatically integrated with the Original Code or so that the Forked Software has features not present in the Original Code;

And section 5.4 states that:

Notwithstanding anything to the contrary contained in this Agreement, Sections 1.4 (“License Restrictions”) …” – I believe that is a mis-numbering of 1.3 judging by the textual title of the section – “… shall in all cases survive any expiration or termination of this Agreement.

I read those clauses as a _permanent_ ban on _legitimate_ open source development based upon the code previously released by Appcelerator under an open source license. This I feel is completely against the spirit of open-source and potentially a conflict of the two license grants Apache 2.0 vs Appcelerator Titanium+Plus Modules License, which would need testing in court to find which holds precedence.

As I didn’t know who to contact about this flagrant betrayal of the term “Free”, I figured I would post this blog entry and email the Free Software Foundation for guidance.

I’m still waiting on a response from the FSF.

Update (19/01/2012): I failed to post this at the time, so I’m doing so now. I actually received a reply from Yoni Rabkin from the Free Software Foundation’s Licensing department on the 2nd May (my original email was 13 April) with the following:

> Note Section 1.3(g) states that:
> “[signatory shall not nor allow a third party to] (g) modify any open
> source version of Appcelerator’s software source code (“Original
> Code”) to develop a separately maintained source code program (the
> “Forked Software”) so that such modifications are not automatically
> integrated with the Original Code or so that the Forked Software has
> features not present in the Original Code;”

Indeed such a restriction renders the software non-free and therefore,
of course, also GPL-incompatible.

The Apache 2.0 license is not a copyleft license and therefore permits
use in proprietary software. This is one of the reasons the FSF
recommends licensing your software under a strong copyleft license such
as the GNU GPL. If there is copylefted software involved (with copyright
holders who are not Appcelerator) then there would be a potential
copyright violation to pursue, otherwise what we have is a case of
misleading advertisement.

I would recommend contacting the Appcelerator people and explaining the
problem; if they can make clear that they distribute both free software
and proprietary software people will be able to choose to avoid the
proprietary parts.

But please note that if you are into mobile development you will run
into much worse problems once you attempt to actually release your
software via these “app stores” as they actively support proprietary
software (Google’s Android, for example) and some go as far as banning
free software completely (Apple’s products, for example).

Music files such as MP3 have the option to store so-called “metadata” or (information/data about data) which describes the music stored within the same file. This is the so-called id3 tagging system. When you rip a music CD you can lookup the track numbers and names with a service such as CDDB and then write this information within the file.

This is useful, but sometimes you get incorrect or incomplete info back or the information stored in your local copies gets corrupt over various backups and moving from place to place. That is where a service like TuneUp comes into play.

This downloadable program for Windows and Mac scans the files you point it to for a digital fingerprint that allows it to uniquely identify the piece of music contained within. To achieve this, TuneUp will actually “listen” to your music rather than rely on metadata such as the id3 tags or filename.

I’ve used this tool to scan my own music collection and it reports that as much as 75% of my metadata is incorrect or missing. I am now slowly going through my entire collection with TuneUp, again, in clean mode rather than scan mode and am getting it to retag as much of my music as it can recognise. This is a tedious process, however, as sometimes it can get a completely different track than the one you’re relabelling; which means that it requires a bit of babysitting, but the amount of time and energy saving is still considerable, especially for larger collections or those that are wildly mislabelled.

We operate using the open source InspIRCd software as the main controller along with “services” provided by the Anope software. (Services provide the facility to maintain control over your own name and rooms while you are not connected to the network.) We have tried as best we can to create a highly redundant system that allows for any one server to go offline without adversely affecting the chat experience.

To connect to the network you can either use the Web-Based interface at http://web.freech.at/ or you can connect using an IRC program such as mIRC (http://www.mirc.com/) or XChat (http://www.xchat.org/). The details you need to use these programs are:

Server Name: irc.freech.at
Port: 6667

The servers can also all be accessed directly using either uk1.freech.at, uk2.freech.at, irc.wnsi.co.uk or irc.invaliddomain.com. Wellard offers other services besides just IRC at his site www.invaliddomain.com. Cubezero also has more besides just IRC at www.wnsi.co.uk.

random service update

At least I can be of some use; to that end I’ve been reorganising the FreeCh.at DNS servers to hopefully improve our load-balancing “round robin” which randomly sends users to each of the four servers. I’ve also moved the FreeCh.at wiki onto the same servers which power the chat service, and upgraded the software at the same time, ensuring that the wiki stays live even when a single point in the “system” fails.

more important: twitter

During these late nights and early mornings I also enjoy keeping up with American twitterers’ mumblings. The latest post from Google’s @mattcutts caught my eye, which alludes to a usage of voice recognition and synthesis via their recent acquisition of SayNow to help Egyptian protestors. Those bright sparks at Google have created a service which listens on a few various international phone numbers and allows Egyptian citizens to listen to and post through the twitter service using just their voice. The idea is that while the internet is cut off Egyptians can phone a nearby number and post happenings “from the ground” to twitter complete with #hashtags just by speaking what they wish to share. They can also keep up to date with news from twitter via having the latest tweets spoken to them.

human spirit

This is an exciting use of technology that allows old-skool technology to marry up with modern-day citizen journalism via the Internet. In this way, the human spirit cannot be broken! Until a regime can completely isolate all it’s citizens from the outside world and even from each other, then there is still a way to the freedoms to which everyone – even those who have barely dared to dream – aspires. I am a great believer in the human spirit and it’s capability to strive for more no matter how high the obstacle; and we have seen this over these past seven days playing out in a far-off land, yet despite being miles away we stop and wonder as humanity overcomes oppressions.

And all the while we share our experiences through our use of technology. The very thing that personifies freedom itself, the Internet, is able to reach these pockets of humanity no matter how strong the hand of oppression. Egypt may be cut off from the Internet at-large, but the message of support can still get through using technologies created to leave a message for random celebrities.

the spice information must flow

The Egyptians will yearn to keep information flowing especially now that said information is in limited supply. Once you’ve dared to dream the genie can never be put back in the bottle, and it’s the same with information; the Egyptians have experienced the wonders of the Internet age, they know what they are missing, and so as the knee-jerk reaction of the oppressive regime cuts off the flow of information the citizens just protest harder until the service is restored.

We must also take stock of the ease with which the Egyptian authorities severed the connection with the rest of the world. Do we trust our politicians to not do the same in the face of fierce protests organised via the Internet? And then there’s the net neutrality problem; we see in the Egypt problem just how vital it is that the Internet be free from arbitrary blocks and throttling. If we allow our ISPs to unilaterally decide who we are able to communicate with then we lose very important freedoms which are believed to be universal. And once the ISP is able to take these decisions the Government may start to use the capability in legislature to further erode the freedom of you and I.

wrap it up

On that note I will end what began as a simple post outlining a cool new technology but ended up as a rant about freedoms we hold dear yet are being whittled away while you read this.

Over to you: is this new Google service a good thing for democracy and the Egyptian people; is the human spirit as unbreakable as I give it credit; am I just scaremongering about erosion of civil liberties? Leave a comment below and let me and others know what you think; I love hearing others’ ideas especially when they may be contradictory to my own.

That network of servers is called the “Domain Name System”. DNS has the ability to publish arbitrary information assigned to specific names such as thehoneymonster.com or www.thehoneymonster.com (where the two are different entities). This arbitrary related information system (known as TXT records) is used by the SPF project to assign a special chunk of information which details the computer addresses which are allowed to send email that purports to be from thehoneymonster.com (or whichever domain you implement the scheme upon).

I have now implemented a set of SPF rules on all the domains that I have access to including a few client domains. If you find problems with sending email from a domain which I administer, please let me know and I can try to find a solution which still minimises the possibility for spammers to use your domain name for their spams’ “from” address. The main issue I can foresee is where a client may be using a third-party webmail service or sending email through an ISP email-server instead of via XYZi’s.

For those who have not delegated responsibility to myself over their Domain Name(s) the correct TXT record to insert for hosting on XYZi’s Pressflow/Drupal cluster is as follows:

Name: Not Specified - leave empty
Value: v=spf1 include:xyz-network.com -all
TTL: any value, default is fine

And for those hosting via IND-Web.com’s system, then the following is correct;

Name: Not Specified - leave empty

Value: v=spf1 include:ind-web.com -all
TTL: any value, default is fine

I got to the fourth video and couldn’t will myself to go any further. What he says souds idealistic, but implementing it would be somewhat harder than he seems to think. Also, I think I disagree with his premise that the public has no say as it stands at the moment.

For e.g. we have a hung parliament now because the public couldn’t agree on any one party enough to push them past the post (on our “archaic” system). So, if proportional representation were used to it’s fullest degree of capability and the same set of votes were cast, I envisage that all three main parties would have had an equal standing and a bunch of racist parties snapping at their heels.

PR is great for isolationist parties because they don’t need to win outright anywhere and yet still get a few people as MPs; once they have a member in parliament they can tout how well they’ve performed standing up for the rights of the everyman and gain more votes, more MPs, leading in a viscious downward spiral towards getting enough MPs to be able to take us to 1984!

As it stands, First Past The Post is keeping the extreme-right parties under control.

And then there’s his idea that the Swiss have which involves getting together a bunch of your mates and forcing referenda. In theory that sounds great, but if an organised group get ahold of enough people who tow-the-line regularly then they can consistently force expensive referenda for every legislation conceived. This will prevent government from functioning completely, and the offending group would be able to hold the country to ransom until they get their own way.

If that “way” is for them to be voted into power, then when the public get fed up with the constant lack of progress they might decide to vote for this group just to get something, anything, done! And that could lead to 1939-45 all over again!

I think through that thought process I’ve pretty much convinced myself that our current system is the best for us.