Healthcare and Free Software

The Washington Monthly has an interesting article about healthcare and Free Software [1]. It seems that a free system named “VistA” from the US Veterans Affairs department (not to be confused with the unpopular OS “Vista” that Microsoft released a few years ago) is competing against a range of proprietary software for managing patient data.

VistA has apparently performed very well, it’s cheap and easy to install, the data can be shared with other programs, and it was largely written by doctors and nurses so it’s optimised to their needs. It has been proven that VistA has saved many lives through better management of medicines and through permitting statistical analysis of the results of various treatments. It has also allowed medical staff to work more quickly which reduces waiting times and medical expenses.

But as you would expect in the US, whenever there is a way of saving lives while also saving money there are companies lobbying for the opportunity to make money while allowing innocent people to die. Of course there are established medical companies who are doing this now and have been doing so for some time.

But the latest news is that Microsoft, Intel, Cisco, and Allscripts are sponsoring the Electronic Health Record Stimulus Tour – an aggressive measure to railroad doctors into buying proprietary software now.

MS is known for totally ignoring the law when it gives them an opportunity to gain market share, but this is a new low. What will MS do next? Sell drugs to children?

The Streisand Effect and Chinese Barratry

Bruce Everiss has received two threatening letters from a NSW law firm representing the Chinese game company Evony. Here is the latest, where they whinge about his publication of their first letter [1] (NB if you threaten to sue a blogger you have to expect your letter to be published, it’s not discourteous, it’s just the way things work). Here is the first letter from the law firm [2] – Bruce has illustrated the post with one of the advertising pictures that Evony uses (apparently ripped from a lingerie catalog).

I’ve seen some of the Evony adverts on my blog, the ones with a provocatively dressed woman (lingerie advert?) and the title “Come Play, my Lord”.

Ken has an amusing and insightful post on the issue [3] – which also makes some amusing jokes about the Australian legal system.

Bruce’s blog has some good insights into the gaming industry and culture, I’ve added his blog to my feed.

It seems that Bruce will gain a lot of readers due to these legal threats, while Evony seems unlikely to gain anything other than bad PR.

Free K-12 Text Books

The CK12 project is developing free (CC BY-SA) textbooks for the K-12 market (with a current focus on the early years of high school) [1]. Their primary aim seems to be flex-books – text books that can be localised and modified to better suit the needs of the students. But of course there are many other benefits; according to my best estimates storing text books on an ebook reader or one of the lighter NetBooks is necessary to avoid childhood back injuries [2].

Another major benefit of flexible text books is the possibility of teaching a wider range of subjects. A subject does not need the level of interest that is required to get a publishing contract (which generally means acceptance by the education department of a state) to have a text book. Independent schools and home-schoolers can select subjects that are not in the mainstream curriculum.

The information for potential authors of text books is here (they didn’t make it particularly easy to find) [3].

One thing I would like to see is a text book about computer security. I really don’t think that this would be an overly difficult subject for an 11yo who is interested in computers. When I was 11 I read a text book on nuclear physics in the form of a comic book, I don’t think that computer security is inherently more difficult or harder to teach than nuclear physics. Naturally full coverage would require several texts aimed at different ages. But that’s possible too. It would probably be easiest to start with an age of ~16. Also as computer security is a subject that is both difficult at one end of the scale and essential at the other it would be necessary to have A and B streams (as is done with maths in the Australian education system).

Please leave a comment if you are interested in participating in the development of computer security related text books. Incidentally it would be good to get a contributor who has had experience in teaching teenagers even if they don’t have any knowledge of computer security – I don’t expect to find someone with good technical skills and teaching experience.

Increasing Productivity through Clean Air

Kamal Meattle gave an interesting TED talk about using plants to produce enough oxygen to support people in sealed buildings [1]. The combination he advocates is Areca Palm for the living-room (four shoulder-high plants per person), Mother-in-law’s Tongue for the bedroom to produce oxygen at night (six to eight waist-high plants per person), and Money Plant to remove formaldehyde and other volatile chemicals.

A study by the Indian government found that the health benefits from using such plants in an office environment give a 20% increase in productivity. It seems reasonable to assume that the benefits would be smaller in a city such as Melbourne which doesn’t have serious pollution problems. But even a 5% improvement in productivity would pay for the cost of installing plants! The Indian research also indicated a 15% energy saving through having less “fresh air”.

It seems that now is not a great time to ask for a pay rise, but asking for more plants to be installed in the office is probably viable.

NBD and PXE Booting on Debian

I have a Xen server that I use for testing which is fairly lightly loaded. I considered making it diskless to save some electricity use (which also means heat dissipation in summer) and also some noise.

The first step is to set up a PXE server. This is reasonably well documented in the Debian Administration article on setting up PXE [1]. Basically the DHCP configuration needs to include the line filename "pxelinux.0"; to tell the workstation the name of the file to download. This file is downloaded from a TFTP server, so you need to install one (I chose the tftpd-hpa package). The pxelinux.0 file is provided by the syslinux-common package. I believe that the Debian Administration article errs in not mentioning this fact; they recommend using wget to download it, which means that there is no verification of the file contents.

It appears that the way PXE works is that you are expected to have a directory named pxelinux.cfg under the root of the TFTP tree which then contains PXE configuration files. The Debian Administration article gives an example of using a file named default, but you can also name a file for the MAC address of the workstation, for a number which appears to be a GUID for the workstation, or for the IP address in hexadecimal (if that doesn’t exist then it will be truncated one nibble at a time, so 10.10.10.100 will result in searches for 0A0A0A64, 0A0A0A6, … 0). That’s what my HP test machine does.
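The IP-based part of that lookup is easy to reproduce, and doing so is a useful check before relying on per-host files: it tells you which file in pxelinux.cfg/ a given client will actually be handed, and makes it obvious that a truncated name such as 0A0A0A covers every host in 10.10.10.0/24. The following is an added example, not code from the original post or from syslinux; the function names and the TFTP root path are this example’s own choices, and it covers only the hex IP names and default, not the MAC or GUID files mentioned above.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the pxelinux.cfg/ lookup
# for IP-based names, so an administrator can see which configuration file a
# given client will receive from the TFTP tree.

# Dotted-quad IPv4 address -> the upper-case hexadecimal name pxelinux looks for.
# Octets are plain decimal (no leading zeros), e.g. 10.10.10.100 -> 0A0A0A64.
pxe_hex_ip() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    printf '%02X%02X%02X%02X\n' "$1" "$2" "$3" "$4"
}

# The names tried for an address, most specific first: the full hex address,
# then that name shortened one nibble at a time, then "default".
# A file named 0A0A0A therefore applies to every client in 10.10.10.0/24.
pxe_ip_search_order() {
    name=$(pxe_hex_ip "$1")
    while [ -n "$name" ]; do
        printf '%s\n' "$name"
        name=${name%?}        # drop the last hex digit
    done
    printf 'default\n'
}

# Given a TFTP root and a client address, print the first file that exists in
# <root>/pxelinux.cfg/ in that search order, or fail if none does.
pxe_resolve_config() {
    root=$1
    for name in $(pxe_ip_search_order "$2"); do
        if [ -f "$root/pxelinux.cfg/$name" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Stand-alone use (path is illustrative): pxe_resolve_config /srv/tftp 10.10.10.100
```

Running pxe_resolve_config against the real TFTP root for each client address is a quick way to confirm that a host-specific file really shadows default for that host and nothing else.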

The Debian Administration article shows how to configure PXE for installing Debian. But I wasn’t interested in that, I wanted to convert a system that is running as a regular workstation to be diskless. The first step in doing this is to install the nbd-client package which results in rebuilding the initrd to have support for diskless operation. Then you have to install the nbd-server package on the file server. The documentation for this package suggests that it is designed to serve regular files as block devices, but it appears to work OK with LVM devices. Adding an export section such as the following to /etc/nbd-server/config causes an LV to be exported via NBD:

[export]
exportname = /dev/vg0/workstation0
port = 12345
authfile = /etc/nbd-server/allow
listenaddr = 192.168.0.1

Then it’s just a matter of copying the filesystem from the hard drive to the LV that is used for NBD. I piped tar through ssh to copy the root filesystem of a running system. But I could have copied the block device or used debootstrap to create a new image from scratch.

NBD has an interesting design in that it exports block devices (which can be backed by files or real block devices) to a particular set of IP addresses and uses a particular TCP port for the export. So if you have two NFS exports from one server you might have 192.168.0.1:/home and 192.168.0.1:/data as exports but if you have two NBD devices you might have 192.168.0.1,12345 and 192.168.0.1,12346. This could be considered to be very sensible or utterly wrong.

The final thing to do is to set up a PXE configuration file. I put the following in a file named pxelinux.cfg/default; if I was going to deploy this seriously I would replace default with the IP address of the system.

DEFAULT lenny_i386

LABEL lenny_i386
        kernel lenny/vmlinuz-2.6.26-2-686
        append selinux=1 nbdroot=192.168.0.1,12345 initrd=lenny/initrd.img-2.6.26-2-686 root=/dev/nbd0 ip=dhcp --

The only things I needed to change in the image that I’m booting after transferring it from the hard drive are /etc/fstab and the network configuration /etc/network/interfaces – obviously if the network start scripts change the IP address of the workstation and thus make the root filesystem unavailable then things will break.

Wouter has some more background information on this [2]. He recommends using partitioned NBDs, but that’s a matter of opinion; if I was going to use this in production I would use two NBDs, one for the root filesystem and another for LVM which would be used for everything else. I really like to be able to create snapshots and to change the size of LVs at run-time. The down-side of LVM is that it can be really inconvenient to access LVM volumes when not running the machine that owns them – there is no support for using an LV as a PV (i.e. nested LVM) or for having two VGs with the same name running on the same machine.

Wouter also seems to be planning to write Debian Installer support for using NBD as a target. This would be a nice feature.

Now the next thing is to use Xen. Xen makes it a little more exciting because instead of having two essential files to be loaded (the kernel and the initrd/initramfs) you have three (the Xen kernel plus the other two). So we need to chain to a different boot loader. The Gentoo Wiki has good information on installing this [3].

The summary is that you need to chain the mboot.c32 loader from PXE which is then used to load the Xen kernel, the Linux kernel, and the initrd. Below is an example that I attempted. This loaded the correct files, booted Xen, and then hung. I didn’t investigate the cause.

DEFAULT mboot.c32 xen-3.2-1-i386.gz dom0_mem=258048 --- lenny/vmlinuz-2.6.26-2-xen-686 ro xencons=tty console=tty0 selinux=1 root=/dev/nbd0 ip=dhcp nbdroot=192.168.0.1,12345 --- lenny/initrd.img-2.6.26-2-xen-686

The configuration for mboot.c32 is particularly ugly. I think it would be better to have a replacement PXE loader which includes the mboot support.

I ended up deciding not to use NBD for the machine in question, the process of upgrading kernels (which is not uncommon on a test machine) would be made more difficult by the process of copying them to the tftp server, I guess I could write a script to rsync them. I had a problem with the system shutdown scripts killing the nbd-client process and hanging the system, I guess I could patch the shutdown scripts to ignore certain processes (this would be a good feature) or I could use SE Linux policy to prevent nbd-client from being killed by any domain other than sysadm_t. But generally it seemed to be more effort than saving 7W of power is worth.

Mail Server Security

I predict that over the course of the next 10 years there will be more security problems discovered in Sendmail than in Postfix and Qmail combined. I predict that the Sendmail problems will be greater in number and severity.

I also predict that today’s versions of Postfix and Qmail will still be usable in 10 years time, there will be no remote security problems discovered other than DoS attacks.

I’ve been having arguments about MTA security with Sendmail fans for over 10 years. I would appreciate it if the Sendmail fans would publish their own predictions, then we can wait 10 years and see who is more accurate.

I don’t recommend using Qmail (Postfix is what I use). But I think its author wrote code that is unlikely to be exploited.

ReWine

I have just discovered an innovative Melbourne company that has apparently been running for five years. ReWine is a wine seller that sells bottles of wine and then refills the same bottles for a lower price [1] (a saving of $2 per bottle). There have been many schemes for selling various liquids in reusable bottles, but a major failing of the business models has been the health issues related to cleaning the bottles. If I am going to drink wine from a bottle that some unknown person has used then I want it to be cleaned really well. But when I take back my own bottle for refilling the hygiene requirements are much smaller as I know where it’s been!

ReWine suggest that people rinse each bottle twice with warm water, a fairly simple cleaning process.

The wine that ReWine sells is described in terms of which region of Australia that it comes from and by the variety of grape. They make no claims about the wine being from a single vineyard or that the wine will come from the same vineyards next season. This is fairly common among the less expensive wines.

The prices for the wine are very low. A refill of a 750ml bottle of Chardonnay costs $5.50 and 750ml of Shiraz costs $9.80. 750ml of what is called “Port” in Australia (but is considered to be just a fortified wine in Europe as “Port” is a trademark for the Oporto region of Portugal) costs $5.80 and 750ml of Muscat costs $16.

I have bought bottles of “Port” and Muscat. The port is quite nice, not the greatest – but when considering the fact that any bottle of similar fortified wine costs more than $20 from a liquor store it’s very good value for money. It’s good for a quick night-cap. The Muscat is great! I would pay twice as much for it and still be satisfied that I had got my money’s worth!

I didn’t try the white wines because still white wine is not my thing. I tried the Shiraz, it was quite nice.

The technical aspects of the ReWine operation seem quite sound. The wine is stored in sealed barrels and pressurised nitrogen is used to force the wine out, this keeps out oxygen to avoid spoiling the wine while also allowing the bottles to be rapidly filled.

The business model of ReWine makes a lot of sense, it offers cheaper wine to customers while avoiding all the waste from the production of single-use glass bottles.

One final thing to note is the high quality of the bottles. The screw-top lids are very solidly constructed. A solid glass bottle with a quality lid can be used for many things, so even if you decide not to refill it from ReWine it will probably be handy – and worth $2.

CEO Pay

The latest news is that the CEO of the new NBN (National Broadband Network) will receive a $2 million salary [1]. This has been defended as “the price required to secure the best person for the job”. The problem with this idea is that it’s not the first time that a multi-million dollar salary has been paid from tax money for a CEO of a communications company. Sol Trujillo did an absolutely awful job of running Telstra and was paid a package of $11 million (including bonuses) for doing so [2]. After finally quitting Telstra Sol then had a whinge about Australians supposedly being racist – he apparently didn’t realise that we would have loved him if Telstra’s monopoly services had operated well and if he had returned value for the stock-holders. Sol should have been sacked long ago, the government’s voting power (through owning half of Telstra) was enough to force him out.

Now the CEO of the NBN is going to be employed entirely at taxpayer expense (the NBN will initially be entirely government owned). So it seems reasonable to compare the pay of the NBN CEO to the pay of the Prime Minister of Australia [3] – which is currently $330,300. If we consider the perks of the job (free travel etc) to be worth an additional $200,000 (just a wild guess) then the Prime Minister gets paid 25% of the proposed salary of the CEO of the NBN. Every day the PM makes decisions that are much more important than any that will be faced by the CEO of a communications company. So it appears that we can get someone suitably skilled for less than $2 million (I know some people believe that every PM has done a bad job – but I have not seen any evidence to suggest that the typical political leader is any less skilled than the typical CEO).

There has been a reasonable amount of research which can be applied when determining how to get people to do good work. One good analysis of some of the issues is Bruce Schneier’s blog post about Risk Intuition [4]. He points out that if there are penalties for employees who obey security procedures (in terms of unpaid overtime or bad reviews for not getting work done) and no penalties for breaking them then most employees will ignore the security procedures. It seems to me that CEOs have no real penalty for running a company into the ground (having a whinge after leaving the country with more than $40 million hardly counts as a penalty). So anyone who believes that paying more money gets more skilled people would have to believe that paying more for a CEO will tend to get a CEO who is more skilled at bilking the company (which appears to be the core skill).

It seems to me that most CEOs have little confidence in their own ability. Someone who believed that they could really do a good job as a CEO wouldn’t want a high salary, they would aim to have the company stock price improve in value at a rate that exceeds the average of the top 100 companies (or some similar index) and ask for a bonus in proportion to that!

For a government owned company (such as the NBN) a CEO who was confident in their ability would want a bonus paid after they had achieved their goals. The payment for the NBN CEO was incorrectly described as 0.3% of the project budget, according to my calculations $2M salary over 8 years is about 0.03% of the $43 billion budget. If a candidate for the CEO position believes that they can get the project completed on time and under budget while achieving all the goals then they should ask for 0.06% of the budget as their bonus payment if they succeed and a very low salary in the mean-time. If they believe that the project can’t be completed according to the plan then they should be saying so before the work starts. If however they are not confident in their ability then of course the smart thing to do would be to demand a high salary…

Now I think it’s worth considering someone who is known to be good at running a company. There are lots of bad things you can say about Bill Gates, but his skills at running a corporation tend not to be criticised. In 2004 Bill Gates (then the Chief Software Architect of Microsoft) and Steve Ballmer (MS CEO) each received $901,667 in salary and bonuses [5]. If we were to try and find a CEO who could be claimed to have a better record of running a corporation than Bill Gates then possible candidates include Michael Dell (of Dell computers) and Eric Schmidt, Sergey Brin, or Larry Page of Google. Given that it’s not going to be possible to hire such people it seems like a bad idea to offer someone with significantly less apparent skill than Bill Gates a significantly higher salary.

While on the topic of CEO pay, it would be good if the employment agreement would specify that no special golden-handshake would be awarded to the CEO when the NBN is privatised (we don’t want the CEO to be tempted to down-play the value of the company to encourage the buyer to give him a good payout). It would also be good if government ministers could be prohibited from being employed by the company that does the buyout – we don’t want another Bob Carr [6].

The Lack of Browser Security

For a long time the use of HTTP cookies [1] for tracking the web browsing habits of users has been well known. But I am not aware of any good solution to the problem. A large part of the problem is the needless use of cookies, it seems that many blog servers use cookies even though they provide no benefit to the user. A major culprit in this regard is the Google Analytics service which sets a cookie with a two year expiry time when you first visit a web site. The CustomizeGoogle.com Firefox plugin allows you to block the Google Analytics cookies [2] and much more.

It’s unfortunate that Firefox/Iceweasel seems to lack the cookie management functions of Konqueror. Konqueror (the KDE web browser) can be configured to prompt the user for the appropriate action when a cookie is offered; the options include once-only accept or reject and permanent accept or reject status for the site in question. Of course even this has some issues. When a web site is on the “permanently block cookies” list it is one that has obviously been viewed intensively on at least one occasion (i.e. many page views) or viewed on multiple occasions, and in some situations this may be a fact that the user does not want revealed. An option to store a list of the hashes of the names of web sites which should be blocked would be useful. It’s also unfortunate that Konqueror (like most browsers) is unable to use Firefox plugins, so given a choice between Konqueror and Firefox I’m always going to lose some features.

Update: Andrew Pollock points out that Firefox does allow you to control when cookies are accepted [5]. It’s listed as “Keep Until” with the value of “ask me every time”.

The next issue relates to the storage of cookies. It is a good security feature to have certain types of cookie expire after some period of time. Unfortunately the expiry process requires that the user run the web browser in question. So if for example my browser preferences were to change then I would probably end up with the cookies from the old browser remaining in my home directory for years after their planned expiry date. My home directory has the untouched configuration and data files of many programs that I have not used for four years or more. I’m not sure whether any of them include cookies from web browsers (I have used many web browsers over the years).

I think that the best solution to this problem would be to have a common directory such as ~/.session-state which has files with an MTIME indicating when they should expire. A program that wants to store such session data could create a subdirectory such as ~/.session-state/Firefox and then use one file per cookie under that directory. Then the user could have a cron job which deletes all session state files that are older than the current date. Such a cron job would not need to know anything about the actual data in the files, it would just delete the files that are out of date. The exact format of the files would be determined by the application, so if there were thousands of cookies (which would lead to a performance problem on some systems if one file was used for each) then there could be one file for each week (if deleting the old cookies as much as 6 days too late is a serious problem then you are probably going to suffer anyway). Such a state directory could be used for any data which has a fixed expiry time, it would not need to be limited to cookies.

This would be a minor misuse of the mtime field, but it’s the most reliable way of implementing this and making it difficult to mess it up (in terms of exposing private data). Note that the MTIME would not have to be the sole source of such data, an application such as Firefox could reset the MTIMEs on the files to values it considers appropriate (based on file name, file contents, or some metadata stored elsewhere). It is expected that certain backup/restore operations among other things can result in the timestamp data on files being lost.
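As an added example (not code from the original post), here is what that session-state scheme looks like in practice: one function stores an item with its expiry encoded in the mtime, one re-stamps an expiry an application has recorded elsewhere (the backup/restore case above), and the sweep deletes anything that is past its expiry without knowing what is in the files. The directory name, the Firefox subdirectory and the function names are illustrative, and it assumes GNU coreutils for touch -d with an epoch argument, which Debian has.

```shell
#!/bin/sh
# Added example (not from the original post): a ~/.session-state layout where the
# mtime of each file is its expiry time, plus the sweep a cron job would run.
# Assumes GNU coreutils for 'touch -d @<epoch>'; names below are illustrative.

STATE_DIR="${STATE_DIR:-$HOME/.session-state}"

# Store one item of session data for application $1 under name $2, reading the
# data from stdin, and mark it to expire $3 seconds from now via the mtime.
# Usage: printf 'sid=abc\n' | session_state_put Firefox cookie-example.com 3600
session_state_put() {
    app=$1 name=$2 ttl=$3
    dir="$STATE_DIR/$app"
    mkdir -p "$dir"
    cat > "$dir/$name"
    chmod 600 "$dir/$name"
    # the mtime carries the expiry time, not the time the file was written
    touch -d "@$(( $(date +%s) + $ttl ))" "$dir/$name"
}

# Re-stamp an expiry the application has recorded elsewhere, e.g. after a
# restore that lost timestamps. $3 is the expiry as seconds since the epoch.
session_state_set_expiry() {
    touch -d "@$3" "$STATE_DIR/$1/$2"
}

# The sweep: delete every file whose expiry (mtime) is not later than now.
# It needs no knowledge of any application's file format, which is the point.
# An hourly crontab entry (path illustrative) would be:
#   0 * * * * . "$HOME/session-state.sh" && session_state_sweep
session_state_sweep() {
    now=$(mktemp) || return 1          # a file whose mtime is "now"
    if [ -d "$STATE_DIR" ]; then
        find "$STATE_DIR" -type f ! -newer "$now" -exec rm -f {} +
    fi
    rm -f "$now"
}
```

Comparing against a freshly created reference file keeps the sweep to POSIX find; the only GNU-specific part is setting the mtime from an epoch value when the item is stored.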

Now cookies are not the extent of the problem. It seems that Macromedia/Adobe have some similar functionality in the Flash player [3], but the insidious thing is that Flash cookies are used to respawn HTTP cookies if the user deletes them! After reading about that I discovered some Flash cookies that were stored on my laptop since 2005 (which was probably the last time I ran Flash). It seems that if you desire security you need to first avoid software from companies that are at best disinterested and sometimes seem overtly hostile towards the privacy needs of users – this is why I haven’t used Flash on machines that matter to me for many years. If I had a lot of spare time I would help out with the GNASH project.

One thing I have been considering is to change my browsing habits to use a different account for untrusted content. The switch user functionality that has been in most Linux distributions for a few years seems to have the potential to alleviate this. I am considering setting up a system to allow me to ssh to a guest account to open a web browser window. Then I can switch to the X desktop that has untrusted web sites open and read them. It would be nice if I could extend a web browser to add an extra entry to the menu that is displayed when the secondary mouse button is pressed on a link, then I could make that run a script to launch the URL in a new window. I could also use that when I’m at home to launch the URL on a different system.

One thing that I have to do is to get XGuest (the SE Linux Kiosk Mode) [4] running in Debian. It’s been in Fedora since version 8. With the XGuest used for untrusted browsing nothing gets stored.

This is not the extent of security issues related to web browsing. It’s just a small set of issues that need to be fixed, we have to start somewhere.

School Reunions

I’ve never understood the point of school reunions. The past students association of a secondary school can potentially be of some use when you are looking for your first job, but once your career gets started it seems to be of minimal benefit. Apart from that there is no direct benefit.

I didn’t enjoy school and I feel sorry for anyone who regards high-school as one of the best parts of their life – the rest of their life must be sucking quite badly.

Of the people I knew from school, I am still in contact with the ones I want to know, there are a bunch of others that I feel fairly indifferent about, and many who I would only want to see in an obituary.

For the ones I feel indifferent about, if I was to meet them then I would probably find that I have even less in common with them than I did 19 years ago (for high school) or 25 years ago (for primary school). I could easily attend a Meetup.com meeting that is related to something which interests me and be in a room full of people with whom I have something in common. I have been much easier to find via Google (and previously Alta-Vista or Yahoo) than most people I went to school with, so I presume that everyone who I have not been in contact with has not been interested in finding me for 19 or 25 years.

But I’m not trying to discourage anyone from making contact with me. Anyone who I used to know (from school, university, work, or elsewhere) who reads my blog and thinks that they have significant things in common with me is welcome to send me an email and suggest a meeting. I occasionally receive email from random people who read my blog or my posts to various mailing lists and want to meet me, I sometimes meet such people at LUG meetings etc.