Episode 72: I’ve just confused myself

Download: Episode 72.

This episode we’re talking about Wickr’s use of domain-fronting and other anti-censorship techniques, the HashWick vulnerability, Verizon throttling emergency responders’ cellular data connections, and licensing shenanigans.

Show Notes

Devopsdays Portland – SEPTEMBER 11-13, 2018 – RECOMPILERFRIENDS 20% discount
http://devopsdays.org/events/2018-portland/
RECOMPILERFRIENDS is a 20% off discount

Community Event Planning pre-order
https://community-events-2.backerkit.com/hosted_preorders

Survey for event organizers
https://airtable.com/shrvbemYqHvL1Z7tt

Call for Contributors, Issue 12 Machines and Things
https://recompilermag.com/2018/07/24/call-for-contributors-for-issue-12-machines-things/

Wickr has a new plan for dodging internet blocks – The Verge
https://www.theverge.com/2018/8/23/17770384/wickr-psiphon-partnership-internet-censorship

HashWick V8 Vulnerability
https://darksi.de/12.hashwick-v8-vulnerability/

Node.js and the “HashWick” vulnerability
https://nodesource.com/blog/node-js-and-the-hashwick-vulnerability/

Verizon throttled fire department’s “unlimited” data during Calif. wildfire | Ars Technica
https://arstechnica.com/tech-policy/2018/08/verizon-throttled-fire-departments-unlimited-data-during-calif-wildfire

Use Debian? Want Intel’s latest CPU patch? Small print sparks big problem
https://www.theregister.co.uk/2018/08/21/intel_cpu_patch_licence/

Redis: This is not the license change you are looking for 👋🏼
https://blog.tidelift.com/redis-this-is-not-the-license-change-you-are-looking-for-

Software Freedom Ensures the True Software Commons
https://sfconservancy.org/blog/2018/aug/22/commons-clause/

Redis licensing
https://redislabs.com/community/licenses/

Skills for our software future / Audrey Eschright
http://lifeofaudrey.com/2018/09/06/3rd-wave.html

Oregon DEQ map
https://oraqi.deq.state.or.us/home/map

HRRR-Smoke Model Fields – Experimental
https://rapidrefresh.noaa.gov/hrrr/HRRRsmoke/

Now Broadcasting LIVE most Fridays

We broadcast our episode recordings LIVE on most Fridays at 12pm PT. Mark your calendars and visit recompilermag.live to tune-in.

We love hearing from you! Feedback, comments, questions…

We’d love hearing from you, so get in touch!

You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com.

Transcript

CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.

Hello, everyone.

AUDREY: Hello.

CHRISTIE: Welcome to our live recording of The Recompiler Podcast Episode 72. We’re recording Friday, August 24th, 2018. This week, we’re going to talk about Wickr’s use of domain-fronting and other anti-censorship techniques, the HashWick vulnerability, Verizon’s throttling of emergency responders’ cellular data connections, and licensing shenanigans. First, I bet we have some announcements.

AUDREY: Yes, we do. We are both looking forward to DevOpsDays Portland coming up September 11th through 13th. The DevOpsDays events are a worldwide series of technical conferences. They cover software development, IT infrastructure, all of those things and people too. We have a discount code for 20% off – RECOMPILERFRIENDS. And we’ll have a link in the show notes. I do expect tickets will sell out. So if you’re planning to go, you should get yours now.

CHRISTIE: I’m nodding. And I also just lost the tab for our show thingies. So, what’s the next announcement?

AUDREY: Here it is.

CHRISTIE: I’m a pro at this. It’s great. I think we’re still doing some pre-orders for the Community Event Planning, right?

AUDREY: Yes, we are.

CHRISTIE: And so if you missed out on the Kickstarter, there’s still time to get in on that preview process. Get some preview chapters and have an opportunity to provide us feedback on that. We’ll also ensure that you get a copy of the book for yourself.

AUDREY: Yes, absolutely. There were two things I was going to add to that. One of them is that the initial content is going to be about starting your planning process and about hospitality, inclusion, accessibility, things like that. And also I can tell you from shipping The Responsible Communication Style Guide that print copies go fast. We run out pretty fast when we have them. So if you want to make sure that you’re getting a print copy of this, the pre-order helps make sure that we order enough.

CHRISTIE: It turns out people still like physical books.

AUDREY: They do, especially for references.

CHRISTIE: All right. So, that’s on BackerKit and we’ll include a link in the show notes. And then we also have a survey for event organizers that we’re doing as part of our research for the book for the second edition. And that survey is up and running. Did you want to say anything more specific about that?

AUDREY: No, just that we’re hoping to hear from a lot of different people with different kinds of events, whether those are user groups, conferences, small community events, big events and whether or not they’re directly in technology. I’d love to hear from different fandoms, from people working in different professional spaces and be able to compare notes about what people are doing, what’s working, and what kind of challenges we face.

CHRISTIE: Awesome. So, we’ll link again for that in the show notes. And then, one more announcement.

AUDREY: Yes. We also have open call for contributors for Issue 12: Machines and Things. And we’re looking to talk about the intersection of machine learning and the internet of things and all of the technical and human aspects of that. And you can put your pitch in now until September 4th and we pay contributors.

CHRISTIE: Excellent. All right. First up: a few episodes ago, I will track down which episode and put it in the show notes, we talked about how Signal, which is a secure messaging app or encrypted messaging app, was using a technique called domain-fronting to circumvent censorship in certain regions of the world. And that Google and Amazon were now disallowing that in their Terms of Service. And so a little bit of news came out that sort of caught my attention because of this, and there’s a…have you heard of Wickr before?

AUDREY: No, just this week.

CHRISTIE: I hadn’t heard of it. But it’s basically a secure communications, collaboration-like platform basically. On the website: Securing the World’s Most Critical Communications. They announced that they’re going to use domain-fronting in their products and also other techniques to combat, circumvent, whatever you want to call it, censorship and that they’re doing this in partnership with a service called Psiphon. It says: We’ll be available to enterprise users starting today and rolling out to free users in the weeks to come. Similar to VPN, Psiphon will disguise Wickr traffic through proxies and other routing protocols designed to make the traffic hard to spot and even harder to block. There’s not a whole lot here. We wanted to mention it because it seemed like a useful follow up.

AUDREY: It seems very useful and I’m happy to hear that this isn’t just being looked at as a liability for the big cloud computing providers, that other folks are looking at how to solve that gap and make services available. They really do address the censorship aspects of this.

CHRISTIE: I don’t know anything about Wickr aside from this, so I’m not necessarily endorsing it but I’m kind of curious to know more about it.

AUDREY: And who’s able to make use of it, what the impact is.

CHRISTIE: Right. And hey, yet another messaging app to install. HashWick.

AUDREY: I thought it was kind of funny that we had Wickr and HashWick back to back.

CHRISTIE: Doesn’t it sound like a neighborhood in London or something?

AUDREY: I thought you were going to say The Sims.

CHRISTIE: You know, I’ve never actually played The Sims, for whatever reason.

AUDREY: It’s fun. I open it up every couple of months.

CHRISTIE: Is it on the consoles? Is there an XBox?

AUDREY: I think it’s on every platform possible.

CHRISTIE: Okay, I should check it out. I read through this. I didn’t totally [inaudible] it, Audrey, so I’m hoping you can kind of fill in the gaps. But this is basically denial-of-service Plus and also…is the primary point of this is denial of service or is it actually to get information about the target system? I wasn’t sure.

AUDREY: The primary utility of it is denial-of-service.

CHRISTIE: Okay.

AUDREY: It’s possible that it could be used to leak information but that seems like a much more complicated endeavor. In itself the way that the hack is described isn’t necessarily an easy thing to pull off and the person who disclosed it does not provide a specific implementation. I mean, it’s doable. It makes sense why this would be an issue. And I’ve read some things about mitigating it too.

CHRISTIE: So it involves sending JSON in a POST request to a Node.js server and basically eating up compute power because of the way that the hash seed, or one of the hashing functions, is implemented.

AUDREY: And reading about this, I thought it was an interesting vulnerability to talk about because to understand it, you have to dig into a couple different layers of things. One of them is what’s the external access point and that’s open APIs which are plentiful. And then the other part of it is to understand how hashes work in JavaScript and those are called lots of different things in different libraries but they’re basically key value stores. And so if you know something about how those are allocated, how those are assigned, how the keys are stored, and it turns out that those have a predictable sequence, then you can start trying to access them if you’re able to determine that initial sequence.

CHRISTIE: And in this particular vulnerability, there is something about how…that one of the checks of the hash takes a bunch of extra time. And so part of what this is determining is or you can infer things about the values by the time that it takes to return from the request.

AUDREY: Yeah. The other part of it, the way that the seed can be determined is timing detection attack.

CHRISTIE: And then I sort of got the sense that this is not…I mean, obviously security things are things to pay attention to but it says, “My unoptimized PoC sends about 2 gb of JSON data to the server, collects the timing information, and computes the Hash Seed in a couple of minutes (this includes OpenCL brute-force time).” Two gigabytes is a lot of data.

AUDREY: It is, yeah. This is something where you could probably stop it by rate limiting. That’s the first mitigation that came up when I was reading about it. Also, the use of load balancing so that they aren’t necessarily hitting the same server every time and a little bit of sanitization of inputs.

CHRISTIE: Yeah and then it also said, “The hash seed size has to increase from 32 bits to 64 bits.” I guess that’s already been done in the V8 engine. And then, “The hash function has to be changed to SipHash or other hash function with PRF (Pseudo-Random Function) properties.” I’m guessing SipHash is another implementation.

AUDREY: It’s interesting. You probably won’t have a big immediate impact. There are definitely things that people can do upfront to address it if they’re concerned about it. But it reminded me a little bit of the cache servers, the denial-of-service attack that was around…why am I not remembering the name of it now?

CHRISTIE: Was it memcache?

AUDREY: Yeah, the memcache one.

CHRISTIE: I think that was an amplification attack, too.

AUDREY: And how there was a fairly simple thing of not putting those servers publicly accessible online, and how some of these are just about the easy access that happens because default settings not looking at the security of it upfront. If you’re focused on just getting the thing out the door, sometimes it’s easy to overlook this stuff.

CHRISTIE: So, you can mitigate certain things by proxying this or putting an nginx or something in front of this and proxying to it?

AUDREY: I don’t know if I saw that specifically but load balancers were mentioned a bunch and any kind of rate limiting [inaudible] like if it takes 2 gigs of data, you can probably stop things before it gets to that point.

CHRISTIE: Right. That seems like a lot. And is that in one single POST request?

AUDREY: No, I think it takes multiple requests.

CHRISTIE: Okay.

AUDREY: Yeah.

CHRISTIE: All right, was there anything else in the NodeSource…I didn’t read the NodeSource article. I didn’t see it until just before we started. Was there anything in particular in that to call attention to?

AUDREY: It’s just that it breaks down a lot of the basics pretty nicely to understand better how JavaScript implements these things, and to get a little bit more of the why.

CHRISTIE: The risk of taking a hornet’s nest. I wonder if there’s a class of things that are going to come up because JavaScript was envisioned originally as a [inaudible] inside the browser and then it’s become the server side thing. I don’t know. I’m just interested to know.

AUDREY: Yeah, that was something that we’ve talked about a couple of times in terms of various kinds of timing attacks. It has to be very precise. There has to be a lot of depth to the system. And because JavaScript was initially conceived of as something that existed just in this shallow [inaudible], a lot of capabilities have been added without everyone being able to see the whole cohesive picture of it, what exactly can be accessed. And so as people continue to poke at it, I would expect to see more vulnerabilities to come up.

CHRISTIE: I’ve had this question before and I can’t remember if I’ve answered it for myself, but V8 is the JavaScript engine that Google developed, I think for using Chrome. Can you use Node with…can you plug and play…are the JavaScript engines swappable with Node or is it always linked to V8? Do you know?

AUDREY: I don’t know. I don’t really have any Node experience.

CHRISTIE: I’ll look that up. I think it might be tied to just V8.

So once upon a time, we had net neutrality. And then we elected a government destroying executive branch. Well, not we; some of us did. And got a new SEC chairman and they promptly threw out net neutrality which may or may not…

AUDREY: [Crosstalk] thing than to give more equitable access.

CHRISTIE: And they also threw out other stuff, like you can no longer file complaints if you’ve been unfairly treated by your telco, things like this. This is coming up again and has been a few times since early 2017, related to first responders and the firefighters, because when there’s massive wildfires, like there are all across the west right now, which unfortunately means that we’ve had the worst air quality ever. Finally better today. But mobile data, cellular data becomes really important because the first responders use that to communicate and the sort of mobile command centers that they set up have a high need for data. And evidently, what’s been happening is that during wildfires, a mobile command unit, this one in particular…I like the specificity of this, OES 5262 has been hitting its cap and then it automatically gets throttled by Verizon. And throttled significantly.

AUDREY: Right, from having pretty good bandwidth to just almost nothing.

CHRISTIE: Yeah and I think we’ve all experienced that and this is kind of a separate issue. But the modern web really doesn’t work so well on very, very low bandwidth. Our broadband at the house here is decent but what I noticed is that when the power goes out and then I want to use my mobile, I can tell that everyone in the vicinity is also doing that because then I have almost no throughput speed.

AUDREY: Oh, yeah.

CHRISTIE: That’s usually when you start getting panic messages from me because I feel so cut off from the world.

AUDREY: We really have to get you a ham license.

CHRISTIE: Yeah I think so because then I could at least talk to people because or maybe I should go to the library. Anyway…But then I’m like, “I don’t want to leave the animals.” And then I’m like, “Well, they don’t care if the power is out!” It’s not like it’s in the middle of winter; they’re not going to freeze.

AUDREY: I mean, radio is a good fallback. I’m sure that the firefighters are using radio as a fallback but there’s a lot of data that you can’t as easily transmit that way.

CHRISTIE: Yeah, think of all the mapping. I just think about all the tools I’ve been using to check on the wildfires and the air quality. There’s some debate as to whether or not this would still be prohibited under net neutrality rules because under those, the telcos still reserve the right to do what they call network management. But people are making the case that under the old rules, people could only be rate limited if they had exceeded a certain threshold if the network was already congested. Whereas in this case, Verizon is basically doing it automatically and telling the fire department to basically upgrade their plan.

AUDREY: They were charging them three times as much, over three times as much.

CHRISTIE: Various jurisdictions already have or enact laws against price gouging during emergency situations.

AUDREY: I think Oregon has a state-wide one.

CHRISTIE: Does it? That’s good. Yeah it came up again because Hurricane Lane or I don’t know if it’s still hurricane down there. It is hitting Hawaii now and Hawaii has the same state law. But I saw people tweeting screenshots of airfares out of Honolulu that were ridiculous.

AUDREY: Oh, yeah. It’s noteworthy that the fire departments are suing.

CHRISTIE: Yes. I think that’s partially why we have some of the specificity we do, because they pulled some of this information from court documents. And this has been something going on, like I said, several times and it’s happening each time.

AUDREY: They’ve been noticing it over months and months. And I got a definite sense of frustration reading about their interactions with Verizon. And Verizon is, of course, saying this is a customer service problem, like poor communication and the fire departments are saying, “No, you’re supposed to sell us unlimited data. If you say you’re doing that and you don’t do that, then that’s inappropriate.” And hazardous.

CHRISTIE: Yes.

AUDREY: Why would you want to make wildfire firefighters upset? That’s a fairly ridiculous and short-sighted thing to do.

CHRISTIE: It’s interesting to know that…well, there’s two things. One: Verizon got rid of their “unlimited plans” basically when net neutrality was enacted and then reintroduced them when it was repealed. And you got to use giant air quotes with this because it’s not truly unlimited. You hit the 25 gigabyte cap or whatever and then they severely restrict. I don’t know, I’m really frustrated. I’m not totally opposed to companies having decent business models but I get really frustrated that they’re able to call things unlimited when they’re not.

AUDREY: And that they were sitting there saying that they wouldn’t actually give them their data access back unless they immediately upgrade [inaudible] plan in the middle of a major incident. It’s so inappropriate.

CHRISTIE: And the other thing that stuck out to me is that I think part of the frustration was that the line people that are in the mobile command center, the area where they’re trying to battle the wildfire, aren’t necessarily authorized to increase the plan. So, there’s also this issue. It sounds like there’s issues of bureaucracy sort of on both sides.

AUDREY: Yeah. I don’t know. I hesitate to call the other part of it bureaucracy, I guess.

CHRISTIE: I mean, what’s the word for when you’re not authorized to make an expenditure of $50?

AUDREY: Oh yeah, I mean that, but also it’s the incident command system. Like the fire crews can’t be the people who are doing the financial stuff.

CHRISTIE: Right. Bureaucracy to me is not automatically a bad word.

AUDREY: No. I don’t mean that. I think of it as a different rule set, I guess.

CHRISTIE: I guess what I was trying to point out is that it’s even more important for Verizon to have sort of short circuits. They can make like, “Okay, just upgrade this person or give them a credit right now,” so that the incident response people can have their data back rather than putting the onus on them to go track down the approvals when they’re trying to coordinate with all the firefighters.

AUDREY: Right. Obviously somebody at Verizon can do it whether or not they were the ones on the phone at that time. I don’t know. I just read about this and I was so frustrated to see Verizon’s response and to think about the impact of that and the way that they’re just hedging it around like these Terms of Service things when…I don’t know. This is such a major thing.

CHRISTIE: Also, this is ridiculous. I guess the “truly unlimited plan” is $99 a month for the first 20 gigabytes and 8 gigabyte thereafter. That makes no sense to me.

AUDREY: So an unlimited plan is just a plan that allows you to keep buying data.

CHRISTIE: Yeah. They shouldn’t be allowed to use those words.

AUDREY: No. And how do you plan your spending then? I mean, how do you estimate how much data you’re going to use over the course of a wildfire season?

CHRISTIE: I don’t know that you can.

AUDREY: I really doubt that you can.

CHRISTIE: Because this is another situation where the consumer is not in control of that. The consumer does not make decisions about, for the most part…I mean, the fire department may run some of their own IT services they’re trying to connect with. But think of all the services, like I don’t have any control over the size of payloads like from Gmail, Google makes that decision.

AUDREY: Right. So, good luck with the lawsuit.

CHRISTIE: And this is another case where I think California is one of the states that is trying to enact net neutrality within the state.

Last episode, we talked about…I’ve already forgotten the name of it. What was another speculative execution vulnerability in Intel chips?

AUDREY: Oh, it was…yeah, it had a letter number code.

CHRISTIE: You can tell we’re [inaudible] with this the fact that they’re all blurring together.

AUDREY: I really thought before we started that maybe I should have made a wall chart.

CHRISTIE: Foreshadow. But also I think this is also related to Spectre. But anyway, so Intel released a patch code, specifically code to be applied within operating system realm. And they also included some new interesting licensing terms.

AUDREY: The first response that we saw was from one of the Debian developers saying that they have pretty specific restrictions on what they consider an open license for distribution. And they were not going to distribute patches that restricted people from…what was it? Analysis, examination, stuff that can be used in benchmarking.

CHRISTIE: That was a clause that they added. You will not, and will not allow any third party to, publish or provide any software benchmark or comparison test results. Why would they have done that, Audrey?

AUDREY: I don’t know. I mean, that is somebody getting paranoid in the wrong direction. Of course, the benchmarking is going to happen and everybody knows that these patches are going to slow things down.

CHRISTIE: But that’s what it reads as a knee-jerk response to the fact that the first round, the initial patches addressing Spectre and Meltdown really created a performance hit and people have been talking about it.

AUDREY: Given that, the best thing that they could do, and that they are going to do now, but the best thing that they could do is let people add some specificity to that. It’s better to know exactly how much it is going to impact performance than to give people sort of a big hand wavy guess that it will be bad. And if you’re telling them not to look, then I would assume the worst.

CHRISTIE: I mean, there’s nothing that’s going to attract people’s attention more than like, “Nothing to see here. Nothing to see here.”

AUDREY: Right. “Don’t look.”

CHRISTIE: “Don’t go in that room!” They’ve taken it out now.

AUDREY: Which is good and probably somebody feels really embarrassed.

CHRISTIE: I’m very curious how this happened. Is it just a case of each team at Intel kind of doing their thing and then boom! Push out the product. Or was there some internal argument, did anyone push back, and legal goes like, “No, it’s got to be in there.”

AUDREY: Yeah, it’s a big organization. So, it could be a lot of things.

CHRISTIE: I think in my own experience, I’ve encountered a lot that within companies, people will treat feedback from legal as mandates versus a discussion. And I mean, I’m sure this varies significantly by organization but I always treat it like a discussion. And I encourage people to be clear about what their goals are and communicate that to legal and communicate their level of…of course, not everyone within an organization is going to be in this position to do this but communicate what your goals are, what your level of risk tolerance is, and have a discussion about the way to achieve goals and balance that with liability.

AUDREY: I guess I generalize that even further to think that most people don’t realize how negotiable most situations actually are.

CHRISTIE: You mean just in general?

AUDREY: Yeah, in general. But anytime you have competing requirements.

CHRISTIE: Do you think it’s a form of conflict diversion?

AUDREY: Possibly, yeah. Not knowing how to negotiate, not knowing how to address that especially if you fear that they might have really strong feelings about it or with legal stuff where people think they’re going to get in trouble.

CHRISTIE: You mean just kind of automatically if lawyers or legal people are involved?

AUDREY: Yeah. Somebody will be doing something wrong, there will be consequences.

CHRISTIE: It’s sort of like it’s not all that dissimilar from involving your security professionals in the design of your products, right?

AUDREY: Yeah. Again, you’re going to do risk assessment and decide what you want to do from there. But if you don’t have the information, then you can’t make a good decision.

CHRISTIE: And you want to engage those folks not just in emergencies but as part of the product development process.

AUDREY: Yeah.

CHRISTIE: On the subject of licensing shenanigans. We had a new one come up this week with Redis.

AUDREY: Which is?

CHRISTIE: I was just trying to remind myself what Redis is. Is it message queueing?

AUDREY: I think so.

CHRISTIE: Oh my, God. This is embarrassing.

AUDREY: I’ve used it not recently but there was just something that struck me as like inherently funny that I saw people talking about this for a few days now and nobody was like, “Redis, the thing that does…”

CHRISTIE: Open-source in-memory data structure project implementing a distributed, in-memory key value store with optional durability.

AUDREY: And anyhow, it’s important to know that it’s a backend component that a lot of applications depend on.

CHRISTIE: Yeah. Redis Labs is the sort of company that supports or sponsors development on it. And they announced a licensing change, I guess, for not the core part of the project but certain modules that they would use. The modules have different licenses: BSD, MIT, all permissive licenses. It says, “Certain modules created by Redis Labs including RediSearch, Redis Graph, ReJSON, Redis-ML, and Rebloom are licensed Apache 2.0 modified with Common(s) Clause.” What is this Common Clause thing?

AUDREY: It’s something I read through a couple of times this morning trying to understand the details of it. The Commons Clause.

CHRISTIE: Oh yeah, sorry. It doesn’t help that I change the name of it. It is Commons Clause.

AUDREY: Yeah. The Commons Clause is this addendum to other software licenses that says that if you are selling the thing, the software, that you can’t and you can’t sell something that is primarily the software service that is just about handing over the software.

CHRISTIE: You basically can’t do software service version of these things. And they basically said, “Hey look, lots of companies are making money off this and not contributing back monetarily. And so we’re going to protect these particular modules.”

AUDREY: And I can understand where this is coming from in terms of the cloud computing providers potentially charging people to add on these modules. And in a way, that cuts Redis Labs entirely out of the loop.

CHRISTIE: Or even not necessarily charging for them, but just reaping the benefits of an add-on, charging for hosting and the reason people go with that hosting is because these modules are available.

AUDREY: Right.

CHRISTIE: As with any licensing change, there’s been much discussion and fervor that I almost don’t want to talk about on the podcast because I find it so tedious.

AUDREY: I had to convince you.

CHRISTIE: You did. You seem to think we have relevant…well, I know we have relevant expertise.

AUDREY: And that we’re probably going to say things that I hadn’t already read online.

CHRISTIE: So, let’s summarize sort of what’s the…there’s one camp that is basically, in a way the free software and the open-source camps are kind of united in this, that that kind of restriction makes the software not open-source, not free software.

AUDREY: Right.

CHRISTIE: And that is bad.

AUDREY: That’s the big leap that proprietary licenses are bad and source available licenses are proprietary which is to say it’s not open source in a freely reusable way but you can see the source. And so, a company moving from one to the other is bad and it could dilute open source or something like that, make it meaningless.

CHRISTIE: I think it’s important to be clear that, for free software folks and open source folks, you can put your source code available online for free. You can stipulate that people can do whatever they want with it personally. But if you restrict their ability to redistribute it or make money off of it, like resell it or resell it as a service, that’s a boundary that shall not be crossed.

AUDREY: Unless that restriction is copyleft. You can force people to distribute their own work, as a consequence.

CHRISTIE: Yes, I would argue that’s a different direction, that’s orthogonal. You’re pointing out the distinction between permissive and copyleft.

AUDREY: And that the effect in terms of companies’ adoption is significant. There are lots of places that will not use GPL code.

CHRISTIE: Yeah, because free software licenses stipulate that if you make any changes to the code, you must re-release it back. Oh no, wait. I’ve just confused myself because why did they have to do AGPL then?

AUDREY: Because software as a service applications don’t distribute code. I mean, they don’t distribute software, so they couldn’t…the GPL says if you distribute software, you have to distribute code. But since they host software and they allow access to it, that doesn’t automatically force them to distribute their own source code under the GPL.

CHRISTIE: Okay. This stuff gets really arcane.

AUDREY: It does. And I think that contributes to the vitriol because it takes a lot of effort to understand what’s going on in the first place and the people who expend the effort often have very strong ideological points of view on this. Are you reading something?

CHRISTIE: Yeah. I thought I had the distinction between GPL and AGPL straight. Because GPL says if you make changes, you don’t have to distribute. Wait a minute.

AUDREY: No. It’s sort of like the way that I guess I think about it is like if you compile software and you distribute that software, that compiled software, then the GPL says that you also have to provide the source code. If you create software and you deploy software like in an online sense, and so you provide access to that software but not self installable copy of it, then the GPL doesn’t affect that aspect of it.

CHRISTIE: You mean it’s not binding?

AUDREY: Not in that respect, yeah.

CHRISTIE: Okay.

AUDREY: So, the GPL itself won’t force say, Google Gmail to release the source code to Gmail just because they use GPL’d software. So then the AGPL adds another bit that says, “Okay, so in that situation, these software as a service applications, then that is also part of distributing software.” It’s basically changing what it means to distribute.

CHRISTIE: Right. Okay.

AUDREY: That’s what the AGPL adds. And then the Commons Clause says, but cloud computing services even under the AGPL they’ll say, “Well, we’re not creating an application. We’re not creating an application that embeds that item.” So they’re saying, “Okay, you can’t do that.”

CHRISTIE: Well, you wouldn’t add Commons Clause onto AGPL because…or wait a minute. It’s not exactly…

AUDREY: You can’t. There’s a specific way that that doesn’t work.

CHRISTIE: Because it would require…okay. AGPL would compel anyone using software license that way to release any changes they made to it, to run in there, that they had to make to monetize it. It wouldn’t prevent them from monetizing it. That’s the main difference.

AUDREY: Yeah.

CHRISTIE: This shows you how arcane this crap is because I am relatively knowledgeable and I still end up chasing my tail within the definitions. I’m getting confused.

AUDREY: I guess my mental framework is about understanding how people make money. That helps a lot. Because that’s really what this is getting into, the licensing. And it reminds me a lot about what we were talking about with copyright last week in the music industry. Licensing is one of the only levers that people in free and open source software have to control what happens after they release their software and the financial aspect of it. So those things become tied together. The business need and any other aspect of releasing source code and releasing software become tied together because licensing is the only framework that controls what happens.

CHRISTIE: Because if you published code on the internet without any sort of license, I think like any other copyrighted work, it’s implied. Well, I think this might slightly vary by state law. But it’s implied that you would have to contact the author for permission to [Crosstalk].

AUDREY: …source code.

CHRISTIE: Is that what it would be or would it also be…

AUDREY: It’s like recipes. A copyright doesn’t affect the compiled work.

CHRISTIE: If that’s true then why can’t ROMs be freely distributed?

AUDREY: Well, that’s a question.

CHRISTIE: Oh, my God. Let’s stay in the path and let’s not walk off into the dark deep jungle.

AUDREY: Okay, back to this thing of like why are people worked up about this. There’s a bunch of different reasons. Some of them are because licensing is really complicated to understand and to understand the implications of it means that you need to know both the legal parts of the licensing, how they’re used, how they affect businesses, what business strategies are used for different licenses. You have to have a handle on all of that to make sense of what’s going on here.

CHRISTIE: Right. But wait, you’re saying that software binary is more like a recipe and not more like a movie?

AUDREY: Hmmm.

CHRISTIE: Interesting.

AUDREY: I think I can probably pull up a specific reference for that.

CHRISTIE: Yeah. It’s just so confusing how the copyright acts and here we’re talking US law because it’s going to vary by jurisdiction.

AUDREY: But there are some international agreements about this stuff.

CHRISTIE: Yeah, but that adds another layer of complexity. There are different buckets of copyright and different sets of laws apply to them. I don’t know what the important thing is to talk about here.

AUDREY: Well, do we think that this is diluting the nature of open source in a problematic way?

CHRISTIE: No. I don’t care. I’m not sure what the right answer is.

AUDREY: No, I mean…but that’s one of the points of contention.

CHRISTIE: The parts of the open source definition and the 4 Freedoms that give me the most pause are the ones about freely redistribute and use for whatever purpose. I think it makes perfect sense that consumers of technology should be able to have available the source code of the technology they run and be able to inspect it and make changes to it. That I’m fine with. I am not fine with giving up entirely my right to have a say in how my creation is used within a given period of time. I don’t think we should have unlimited copyright terms for any intellectual property work. I’m not on the side of ‘let’s not have any intellectual property protection’. That doesn’t make a lot of sense to me. Do I think it should be for like 120 years? No, because I think there’s value in being able to preserve and archive cultural works.

AUDREY: And there are some definite consequences to software becoming unavailable through these sorts of things, source code and software becoming unavailable. Things disappear in a way that even books don’t.

CHRISTIE: So I’ve really been trying to figure out what is at the root of this obsession with absolutely no restriction on use or redistribution. I’m having trouble understanding that and the value of that.

AUDREY: I think it’s just part of that absolutist free speech value system that the idea of software freedom is tied to the idea of unlimited free speech. And both of those things don’t look at the social consequences.

CHRISTIE: Yeah. So that’s what I want to do more of.

AUDREY: Look at the social consequences?

CHRISTIE: Yeah, and get people to be explicit about their ideology around free speech and that they are connected. I feel like we never even do that. Like I’m not sure that the link that’s creating these ties behind the scenes, I don’t think everyone realizes that.

AUDREY: And it’s really worth asking: what do you think the consequence of that is? What do you think the consequence of unlimited software freedom is under that 4 Freedoms structure? And we’re going to have different answers to that. But some of those answers do involve negative use of it. They involve having to care whether your software or your platform are ever truly neutral which is not likely because there are people involved. So those things have to be explicit or else we just have these things that go round and round and round.

CHRISTIE: And I think especially people coming into open source and free software, I mean everyone finds their way to these different movements in different ways. But I think a lot of people sort of accept the basic assumptions or the axioms or whatever. And I kind of want us to re-interrogate those.

AUDREY: It feels like this is where I give a plug for the keynote I’m doing in a couple of weeks.

CHRISTIE: You should.

AUDREY: At the Libre Application Summit, I’m going to be talking about the history of free and open source software and where we are now, our current challenges including around licensing, and the skills that we need to build something better.

CHRISTIE: All right.

AUDREY: And this is all super relevant to that, understanding those frameworks of what open source software is defined as, what free software is defined as, what we’ve actually done with it. The sustainability. I mean, that’s what the Redis folks are saying. It has a financial impact and it’s kind of painful to watch big organizations make money off of what you’ve done in a way that benefits you not in the slightest. I mean that’s difficult and I would want Google to pay me. I can understand where they’re coming from with this.

CHRISTIE: And I have a suspicion that, and I’m not saying everyone involved in open source has ulterior motives that they’re being disingenuous about. But I think there are some unspoken ulterior motives like the open source definition was created as an alternative to free software to make it more commercially viable. Or not viable but more attractive to corporations. So it had this specific intent of allowing the corporations to capitalize on free software.

AUDREY: And there is this massive implicit belief that if all software becomes open source software then we will collectively benefit in some way. I mean, now that it’s happened, what do you think? But that’s just core to this or core to the less capitalistic aspects of promoting this that if all software becomes open source software, then we benefit.

CHRISTIE: I mean, open source won, we’re not seeing these massive benefits.

AUDREY: No, I agree. I think we need to ask for the benefits that we’re really interested in.

CHRISTIE: What I’m saying is we’ve more than hit the point of where we should be seeing this massive return. I don’t know what people are waiting for.

AUDREY: I don’t know.

CHRISTIE: Okay. We’ve got some things we love on the internet this week.

AUDREY: We do. Do you have one?

CHRISTIE: I’m going to piggyback on yours.

AUDREY: Oh, okay. So mine is related to our current air and weather situation which is the Oregon DEQ Air Quality Map. It has a lovely illustration of the readings off of their quality sensors. There are graphs, there’s data, and it’s the thing that I refresh every hour to find out if I can go outside yet.

CHRISTIE: And it’s awesome. I look at it several times today. So, the DEQ map is really good for finding out current conditions. This other thing which is this experimental forecast using [inaudible] but it’s from NOAA’s Earth System Research Laboratory. It’s called the High Resolution Rapid Refresh. And it’s a 24-hour, it’s not a rolling forecast. They generate it, I think that’s 12:00 UTC. So like minus 8, 4:00 in the morning. But you can look at forecasts for all kinds of things including your surface smoke.

AUDREY: Yes.

CHRISTIE: So, I’ve been using this. I use it when conditions are variable. I look at it every night to see, do we leave the windows open tonight or not basically. And it’s been amazingly useful for that. If you live in the areas impacted by wildfire smoke which basically means if you live in any of the Western states except maybe the extreme southwestern ones, you possibly have gone to bed when the air is fine and then woken up and your throat hurts and it’s all smoky.

AUDREY: That happened last year with the Eagle Creek fire where I woke up and realized I could smell smoke.

CHRISTIE: Yeah, it happened to me I think the year before and of course, it affected my breathing. But it also really affected my eyes. My eyes got so irritated and swollen, I couldn’t read and it totally freaked me out. I thought there was something wrong with my brain.

AUDREY: No, it’s intense. Our air quality has been some of the worst in the world this week. And yeah, it’s bad. A lot of people have taken to wearing masks and respirators just to go outside.

CHRISTIE: And this HRRR thing is it’s the whole United States, too. So, it’s applicable for no matter where you are in the States.

Okey dokey. I think that’s our episode. Thanks, Audrey, for joining me. The licensing discussion was not too bad except for getting off in the weeds.

AUDREY: It’s hard.

CHRISTIE: It is.

AUDREY: Another thing we need charts and graphs for.

CHRISTIE: I evidently do, yes. Have a good week everyone.

AUDREY: Bye.

CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at recompilermag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.

The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.