Android 5 and my tablet

Last week I received a notice that I can download and install Android 5.0.  I did read the online articles and I loved the look of the upgrade.  It was a smooth and painless process.  I didn't time it as I ran it over dinner and it was ready when I finished.

So far I like the changes.  There is a learning curve as some menu items are found in a different manner.  The task list I like and you can swipe off an app to close or touch the [x].  the only thing I am having issues with is that it is a bit slower and Facebook crashes regularly when I look at a persons timeline.

The graphics look great and from what I use they all have the same look-and-feel so a new person has a easier time learning how to use Android apps.

If you have an older device like mine (Google Nexus 7) you may want to check online for what others have to say before upgrading.  Right now I am holding off upgrading my wife's machine until I see what the patch release does.

I am holding off on device encryption as I am reading that you take a big performance hit, especially on older machines.

Battery life seems to be a lot better.  Before I would be charging my device daily and I am charging every other day.

Looks like the 5.0.1 update is out.  i don't know when I will get it, but, it will be loaded and I will see if it helps some of the apps run faster.

Thoughts on politicians

With all of what is happening in Canada and the world with politicians thinking they are better than the rest of us I got to writing down some of my thoughts about politicians and what I see as their role in serving us (and not us serving them).  I may work on other things about politicians and post them here instead of my using Linux (and windows) topics.

I am not a political science expert, but, after decades of watching politicians at all levels of government I would like to put into writing things we the people should do to reform the political process and make it work for the people instead of the people working for the politicians.

First and foremost the politician's primary loyalty is to his or her constituents. If the politician is at the local level it is expected that they do not represent any political party. The provincial/territorial/federal level parties need to be reminded that the people elected the politician to represent the people of the riding and the decisions of the politicians should reflect the needs of the people over the needs of the party.

Every decision they make can be traced through their documents and communications and is stored outside of their control by the government and is open to the people for review. Some may not be available for a fixed period of time due to security, personnel, contractual issues, but, are eventually open to the scrutiny of the people.

Finances

It should be a given that all politicians keep current and accurate financial record of their running their office. All records should be kept at a minimum using GAAP. All electronic records should be stored in an open format and is available to all citizens upon request. All records should be available to the auditor general of that level of government upon request and the results are published and available to all citizens. All requests should be met within one calendar month, failure should result in the suspension of all privilege and duties of the politician until the records are supplied. If the records are not supplied within three calendar months then the position of the politician is declared open and a by-election must be held within sixty days.

All contributions to the politician should be from a person. Union and corporate contributions should not be allowed. Over the decades it appears that politicians are more responsive to the needs of large organizations and lobbyist rather than the needs of the individual constituent. forcing politicians to accept contributions at the personal level would force them to listen to the people and if the people don't like what the politician has done they can make their displeasure known with their wallets along with their vote. All contributions must be recorded as part of the politician's financial records, no exceptions! At the end of their campaign their records must follow the laws laid out and if not followed, a time-line similar to their finances of office are followed.

The pay for politicians are fixed for their term and cannot be changed until the next election. Outside experts will review the pay levels and make three recommendations. The first is that the pay remains at the same level. The second is to make a minor pay increase that is at the level of the lowest pay increase given to a bargaining unit during the prior term. The last recommendation is for a specific increase and document all of the reasons that lead to that recommendation. The three choices are part of the ballot in the next election. At no point can a government grant any special pay, bonuses or any special financial arrangements to themselves.

If the politician is asked to give a speech or help out with fund raising or a charity the politician cannot receive anything in return for performing that duty as they are compensated by the people to perform their job and this is part of their job. Travel, accommodation and other expenses will be covered by the politician and the expense is recorded according to the rules of the local/provincial/territorial/federal government they represent. All receipts detailing their expenses will be kept and stored as part of their financial records.

For their pension they should all be on a defined contribution plan and not a defined benefit. The main incentive is for the politician to serve the people and not to remain in office long enough to collect a pension at the expense of the people.

GIFTS

In the simplest terms, no gifts! Politicians are paid by the people to do the job they were elected to do. There are times that people, business or governments do provide a gift it should be held in trust for the people and not by the politician. All gifts should be recorded and the list including the donor is open to the people (and auditor) on demand. Gifts of tickets to events, travel, accommodation, conferences, etc. are not allowed!

Term limits

All politicians can serve only a maximum of two full terms before stepping down for at least one full term. If the term they serve is less than one full term (depending on what a normal term is for the specific level of government) they can serve the next two full terms. For example at the local level a term is three years. If the politician is elected with two years left they can serve that term and the next two terms for a total of eight years before sitting out for the next three year term. This will force a turnover and allow new people and hopefully new ideas to serve. It will also hopefully force out professional politicians who know nothing, but, politics and allow talented people a chance to step up and serve the people. To put it bluntly, politicians should want to run for a limited number of issues they want to address and they have only two terms to get them done, or started, before leaving office. If the politician cannot get it done in two terms they probably could not get it done with unlimited terms.

Lobbyist

All activities, meetings, discussions with a politician, or his/her staff is to be logged. Even a simple meeting with their constituents is kept in a log. If the person is acting as a lobbyist then the information on who they are working for is recorded. It is expected that the politician will keep an agenda of all activities and is submitted for archiving at a minimum every quarter. The politician must sign under oath that the records are true and accurate.

Communications

A record of all communications will be retained outside the control of the politician. If the communication is in hard copy format then where possible it is scanned and stored in an open format for archival. If not then the document is turned over to the government for archival and a note in electronic format documents this and where it is stored and the retention period. The Provincial Liberal party in 2013 deleting electronic communications demonstrates the need for a group outside the politician/party controlling and archiving communications. This also will apply to communication mediums that are not official government communications. If there are communications of this nature it must be forwarded to the official account and a note sent to the originator that all government communications must use the appropriate government account. Any politician or their staff violating this must turn over ownership of the account to the government immediately.

Another machine migrated to Linux

Last year someone threw out an old Toshiba Techra laptop that was still in working order.  It was a very old machine as it had a 37 Gb hard drive 256 megs of memory, one USB port and no wireless networking.  I checked out the machine and could not see any personal information on it.  If there was anything there I would have wiped the files.  For a while I used that laptop as an emergency machine, or, if one of Emily's friends visiting needed a machine it was there for them.  This machine was running XP and it ran very slowly, but, it ran.  Since XP is not being supported I wanted something running on the machine that is a bit more secure, but, light on what it needed for hardware.  I found a lot of candidates when I searched DistroWatch and did a search.  I found one called Netbook that appeared to fit the bill and I downloaded a copy and burned it to a CD.  I had to burn a CD as the Toshiba machine would not boot from the USB stick.

I rebooted the laptop with Netbook and it didn't take very long to launch and bring up a working system.  I clicked on the network and it auto detected the USB network card and it was working!  It was moderately responsive running from the CD and I figured it was safe to install.  I followed the steps and I thought I had a working system.  I did a restart, but, the machine wouldn't boot.  I went back and read that I had to set GRUB and once I followed the menu options from the Netbook CD I had a working machine.  The next reboot worked and I was up and running.  The basic system is working and we now have a spare machine that can connect to our network.  Firefox runs well and takes maybe 5 seconds to launch on the machine.  I will be dropping off the machine in our daughters office that we set up in the basement for her and she has a nice low end machine for her friends to use when they visit and don't have a laptop.

If you have an old low-end machine that still works I would recommend checking out what DistroWatch has available for Linux distributions and try them out on CD/USB on the machine.  You can then get a bit more life out of the machine and have a secure system running.  The only downside is that Java isn't installed by default and I haven't tried to do an install for Java, but, there is only one site (Runescape) that I was interested in testing it on and I know the system wouldn't be able to run it at an acceptable frame rate.

Heartbleed from my perspective

For the record, I am not a security expert.  However, I have been working as a professional for over 32 years in the I.T. industry so I believe I can make comments on a number of items about Heartbleed.

Please try to remember is the internet was not designed to be secure.  It was originally designed for universities to communicate and they trusted everyone on the network.  Over the years bits and pieces were bolted on to help with security as the internet grew and was opened up to more and more businesses/people. 

A bit of background about myself:

1. I have a diploma in Business Administration, Programming major.
2. I can work in Assembler (PC and mainframe versions), APL, AWK, Bash, Basic, C, COBOL, Pascal, PL/1, and REXX in various levels of expertise.  (there are others that I have used, but, I have minimal knowledge of those languages)
3. Over 32 years I have worked on dozens of software projects large and small.  I performed a number of roles during this time such as developer, tester, business analyst, support and team lead.
4. Where I am currently working my role is interface expert for systems requiring access to to that system.  At this time the client is moving from FTP to SFTP and as a result I have obtained a working knowledge about SSH, SSL, certificates and private/public keys.
5. I can work with CP/M, DOS, Windows, Z/OS (AKA TSO), V/VSE, UNIX and Linux.

 

 First thing, don't panic!  

Second thing is don't change all of your passwords until the sites have updated their SSL and received new certificates.  Changing them right now probably will not protect you if the site site has been compromised.  When the site asks you to change, or, when they fix the site then change it ASAP!  Pick a moderately long password that is not easily guessed (no kids/pets/wife names/birth dates).  I usually pick two or more words not related and string them together with numbers to make it harder to guess.  One other important thing is never use the same password for different sites!  If you do get hacked, don't make it easy for them by using one password for everything.  You also should change passwords on a regular basis.

I was reading the news and some of the politicians here in Canada blame the government service cuts for this problem.  In my less than humble opinion this is complete utter BULLSHIT!  This problem has nothing to do with the government in any way, this is a very short code change in one OpenSSL module by a person several years ago and it passed a review before being deployed.  When I looked at the code fragment identified I didn't see any problem with it other than why do it just for performance reasons?  This is something that is usually bundled with the operating system if not then offered as an add-on for secure communications.  There was no reason to check this and no way to know there was a hole.  The blame is just cheap political theater and does not do anything to help fix the issue.

For those who are saying "why publish it, you are creating panic and letting hackers know about the hole?"  All I can say is:

1. True hackers (not script kiddies) probably knew about this and were making use of the hole.  Until recently there was no way the sites would be able to detect use of the hole and log the attempts to compromise the security of the system.  There are now signatures to help IDS identify possible hackers using the hole.
2. Various experts wanted to inform the general public about the issue and what they need to do, when to do it and how to do it.  These researchers who found this hole assumed hackers already knew about it!
3. Alert site owners who are using SSL to look at their operations to see if they are impacted and to determine their next steps to fix their systems if they are vulnerable.
4. If the site was compromised then the safest thing is to assume that all encrypted communications can be read until they fix the site, revoke their old certificates and publish new certificates.  If you are aware the site has been compromised you can make informed decisions as to if  you want to communicate with that site before a fix is in place.

I have seen others asking why some sites (like some banks) say they are OK.  We will need to trust those sites there, but, the likely reason is that they are not running the impacted OpenSSL module.  It would help if they could give a high level reason why they are not impacted.

Lessons learned:

1. For businesses you may want to review your BR/DR (Business Recovery / Disaster Recovery) plans to see if this type of problem is identified.  If not, then take the time and review the documents and insert what steps should be followed if there is a suspected breach in your network.
2. Software code reviews are a great way to identify potential problems before it is released.  The reviews may not catch all bugs, but, it helps confirm that good coding practices are followed at a minimum.
3. Security should be considered at the start of any code change.  It does add extra work and cost, but, it is easier to fix a bug before it gets out the door.  A process and set of test rules may also be a good way to check for specific errors.  There are packages out there that could be useful to the developers if management is willing to invest a wee bit of money.
4. Never let marketing dictate the timeline of a project, or, how the software is developed/tested.
5. Default settings for software should by default tend to be more paranoid and lock things down.  Explain each setting and the possible holes they may open up if they are changed.
6. Never have a default password, on install ask the end user what their password will be.
7. For users, never re-use your password!

 Other thoughts:

Can this happen in the future?  Optimistic me says no, realistically speaking it just may happen again.  Try to remember that a lot of the Open software is written by people who does this for the love of programming and don't get paid full time to do this and many do it without getting paid anything.  Many of the tools you are using are written by these people and the result is the wonderful rich online environment we have today.  The downside is they don't get a lot of money to pay people to do full time work where they can check for holes, review code checked in and improve the infrastructure we call the internet.

For those who say proprietary is better as they get paid my response is you don't know what the proprietary code does as we cannot review their work.  With open software we can review the code itself and in many cases make changes ourselves, compile those changes if we have a special case, you can't do that with proprietary code.

What can we do?  Well pull out your wallet and give a wee bit to the developers of the free software you are using would be a start.  Hopefully politicians and businesses see the benefit of funding a core set of people to work full time reviewing the core of the internet and make improvements as we are now dependent on the net for more and more of our daily lives.