Category Archives: tech

Android – The new open source cathedral

In a new blog post by Andy Rubin, Google VP of Engineering, Andy defends Android’s open-source credentials, commenting that:

  • “As always, device makers are free to modify Android to customize any range of features for Android devices”
  • “Finally, we continue to be an open source platform and will continue releasing source code when it is ready”
  • “As soon as this work is completed, we’ll publish the code”

When Andy talks about this, he reconfirms that Google will continue to publish the Android source code under an open-source licence, but he also seems to confirm that Google don’t really believe in the open source development model for Android.

By withholding the “unfinished” code (is code ever finished?) from both the public and device manufacturers like HTC, who have said they will only be able to start work on Android 3.0 once it’s released, Google are limiting the outside input into Android.

This model of “closed open source” is heavily discussed in the “The Cathedral and the Bazaar“, published by ESR in 1996, that defined much of open source development of the period, and has continued to guide people on developing open source projects. It discusses the success of open source projects such as Linux which accepted code contributions from anyone, and the failure of other open source projects where the maintainer considers only their own code to be “good enough” for release, and instead chooses to work alone, only letting people work on the new code when the developer feels ready.

If you read the paper, I think you can only come to the conclusion that Google believe in the “cathedral” development model, occassional (perhaps rare) releases that noone outside the cathedral can contribute to.

Rather than encourage unity in the Android code base, this is more likely to decrease unity, and introduce new forks, as each manufacturer has to work separately to introduce new features, which they wait for the cathedral to perform the new ceremony.

What does this mean for Android in the long-term? I’m not sure, but I’m pretty sure that HTC, Samsung, and the other device manufacturers are well down the road of their own internal forks of Android 2.3, just in case Android 3.0 never quite makes it out of Google’s currently closed door…

France requires new silly data retention policies

Yes, this isn’t as exciting and dramatic (and traffic generating) as “France outlaws hashed passwords”, the headline on slashdot and Hacker News, but it’s the reality of the situation.

France has passed a new law, requiring companies store “…users’ full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.”

While it’s a pretty stupid to require the storing of passwords that can be handed over to authorities (probably to allow them to use those passwords to access services outside France), there’s nothing which prevents the continued secure use of password hashes.

A simple system which meets these new requirements is:

  • Store password hash with salt in live database as is best practice
  • Encrypt the plain text password using public key encryption, and store the encrypted value in another database in a record along with the plain text username. If the username already exists, replace the stored value with the new one.
  • Store the private key offline in a secure bank vault (or 2), using multiple USB keys for data protection
  • If and when the government require access, company director goes to bank vault, retrieves USB key, uses private key to decrypt stored password value of that single user, then returns USB key to bank vault

It’s a hassle, and it’s definitely a bit silly, but this new law doesn’t “require” any massive reduction in security if implemented correctly. Yes, the private key could provide access to all usernames’ plain text passwords, but this is an existing issue around things like hashing algorithms, salts, and source code security.

And if a company doesn’t implement it correctly? Well, the same recommendation as always applies – never reuse passwords for multiple sites, especially your email accounts, which can be used to retrieve or reset passwords using most website “Lost your login details?” functions.

Bulk IPv4 Addresses for sale, $200 a go?

IPv4 addresses have always had a value, though the price for them has always (officially at least), been $0, though ISPs often charged administration fees to people who applied for small chunks of them.

Now that IPv4 addresses have all but run out, and with the news that Microsoft has bought a large chunk of IP addresses from the bankrupt Nortel at a price of $11.25 per IP, the first question that entered my head was “How high will the price go as the addresses get rarer?”.

There’s 10,000s of organisations that each have a small chunk of IP addresses directly assigned to them, and millions with 1 or more assigned via an ISP. Each one of those organisations should now realise that the IP address has both a value and a market price, and Universities and corporations that joined the Internet early on, with their huge and under-utilised IP address ranges, will surely be looking at what they can do with them.

A follow on from this is that organisations can now put an internal cost on assigning each user an individual IPv4 address, rather than an IPv6 address, and perhaps start to justify the cost of upgrading their network. If an ISP has 1 million ADSL subscribers online all the time, that’s millions of dollars of IPv4 assets in use, and realistically not needed, that could be migrated to IPv6 then sold.