2014-04-17 23:25:43

What is this private key doing in my random pool?

As a consequence of the Heartbleed bug, the OpenBSD community has taken up the challenge of auditing the OpenSSL source code and improving its general quality. Given the recent events this is a very necessary and just cause and should by all means be supported.

A necessary prerequisite to editing OpenSSL code however should be either some amount of knowledge about how cryptosystems work or, alternatively, guidance by people who have such knowledge. The underlying issue is that crypto source code tends to be extremely fragile since a lot of the effort needs to go into preventing so-called “oracles”, which are code paths which reveal information about the success or failure of cryptographic processes either through differences in the error message, through differences in timing of the involved methods in case of success or failure, or through differences in power consumption or heat radiation caused by different code paths being taken.

This is not about this kind of oracles though, but right now we're talking about a relatively simple matter: random pools.

Random Pools and Non-Random Data

The inner workings of random pools are relatively simple. Essentially, each pool has a given size and quality. Data which is used for encryption can only be withdrawn from the pool if the randomness of the data in the pool, the so-called entropy, has passed a given theshold. Until then, any attempts to withdraw random data from the pool will simply block until enough random data is available. This is the main reason why virtual machines sometimes take such a long time doing SSL handshakes.

The pool is usually fed from a variety of random sources. One of these sources can be key presses, which aren't very random per se but there is some amount of jitter in latency even if you are just typing away at a word. So this would feed into the pool as a source with a relatively low entropy value. You can also measure the timing differences between issuing read or write commands to the disk and getting a result back. Since this is not influenced by humans, the entropy of this source might be a lot higher. Finally, some people attach actual diodes to the serial or USB port of their machines and gather actual physical entropy, which would of course be the highest known level of entropy.

So essentially you would want an algorithm which, for every byte of entropy from the keyboard gives you perhaps 0.3 bytes of entropy from the pool, and for every byte of entropy from the hard disk you get to read 0.7 bytes of entropy out of the pool, and for each byte of entropy from the diode you get 1 byte of entropy from the pool. That's why the RAND_add function in OpenSSL takes a third parameter named “entropy”. It simply specifies a factor which should be applied to the size of random data passed into the pool to know by how much the pool size can be advanced.

Typically this is achieved by using a XOR operation of the already-pooled random data with the data being passed in. As long as data is not XORed against itself (which yields 0), it will always come out at least as random than it went in.

Using entropy from untrusted sources

A nice game played by some nerds on IRC is called “random number exchange”. Essentially, you send someone a random number to be fed into the pool — but with the entropy of 0. This will not advance the pool of the other person a single bit. However, it has 2 possible outcomes:

  1. The data is not of good quality. The worst case of this would be a value that is all-ones or all-zeroes. Clearly, such a number is not random at all. In the case of all-zeroes, the contents of the random pool are unchanged. In the case of all-ones, the contents of the random pool end up being its binary complement. The binary complement of a random number is just as random as the original number.
  2. The data is actually random. In that case, the actual entropy in the random pool is increased, since the existing data is XORed against other random data. That makes it more unpredictable what will be returned next from the pool.

So as you can see, whatever data you feed into the random pool at entropy 0 can only increase the entropy of the pool data but never decrease it.

Feeding sensitive data into the random pool

What the OpenBSD audit had found was that OpenSSL was feeding sensitive data — user passwords and cryptographic secret keys — into the random pool. The code doing so was deleted from the OpenBSD OpenSSL repository with a question in the commit message: “What were they thinking?!”

What they were thinking is actually a good question. As we learned already, any data that is fed into the random pool at entropy 0 cannot harm the quality of the random data. In the case of the code which was deleted, the entropy parameter of RAND_add was always 0. Also, the manual page of RAND_add clearly states:

RAND_add() may be called with sensitive data such as user entered passwords. The seed values cannot be recovered from the PRNG output.

Can we justify this claim?

Yes, we can. The important part here is that the data is fed into the pool at entropy 0, which means that no bytes will be released from the pool until enough entropy has been gathered so we can confidently state that the data returned is random. At that point, we essentially XORed the sensitive data with high-entropy random data. This algorithm is known as a One-Time Pad. As long as the random data used in the XOR is guaranteed to be high-entropy and as long as it is never ever re-used, whichever data is XORed against it becomes indistinguishable from random noise. This means that adding the sensitive data into the random pool may have increased the entropy of the pool or not, but it also means that we can never tell what has been written into the pool.

So the patch which was committed by the OpenBSD people actually has the potential to weaken the entropy of the OpenSSL random pool, but it was never a security or privacy concern, so the patch doesn't fix anything. As such I would suggest that it should be backed out.


In addition to the technical side of things, the OpenBSD community is currently in the process of falling victim to a rather massive administrative fallacy in Open Source development. They are producing a rather large set of patches against OpenSSL. As recently outlined by Kristian Köhntopp (in German), this operation runs at high risk of the patches never making their way back into OpenSSL because it would be too much effort to go through all of them. So essentially, OpenBSD is creating a fork of OpenSSL.

Given their minuscule manpower, I don't think they're up to that…

2013-12-08 20:57:33

A tale from the world of Bad Licensing™

A while ago, we had to buy a laptop for running Windows so we could operate the vinyl cutter at our makerspace. So we went for a refurbished T61 with Windows 7 and installed the cutter software on it.

To activate the license of the cutter software, you have to connect to the Internet (which is already something we didn't really want to do, but in the world of Closed Source software you already know you don't usually get what you want). So we tried to fire up the online activation feature, but it failed right away stating that the support has been notified of the failure.

Since we're a volunteer driven organization, we are mostly present outside of working hours, so we tried to use the half-offline activation workflow. We generated a license request file and uploaded it to the website of the vendor. We received a license file back. The web site also stated that we'll receive an e-mail with details on how to install the license.

In the meantime, our Windows had noticed that it has been connected to the Internet. Windows Defender fired up, installed some update and then notified us that it had found and deleted an “activation hack”. Then, Windows claimed that we had an illegal version installed and offered us to buy a new license for a mere 169.- CHF.

Luckily, the shop which sold us the refurbished laptop was around at the time and told us to just go through the activation process again. We typed all the numbers in once more and our Windows was happy again.

However, in all this time we had not yet received an activation e-mail from the vinyl cutter vendor. The vendor was not available for comment. So we looked through the documentation, trying to figure out what we should do with the license file. The documentation said: “Just execute the license file”, however, it was merely a text file.

We assumed that what they meant was to open the text file using the cutter software, but starting the cutter software only asked to enter a license key (which would create another license request file). So we thought that running the cutter software with the license file as a parameter might do the trick.

Unfortunately, it didn't. It opened the cutter software in some weird mode where it showed all options but no cutter could be selected. We assumed the license would be accepted now, but when we re-opened the cutter software, it asked us to enter the license key again.

So to summarize, we cannot use the software for the cutter we bought and we randomly had to re-activate our operating system. For now I'm back to the land where the license says “Keep the copyright license, use and distribute it as you like but don't blame me!”

Posted by Tonnerre Lombard | Permanent link | File under: broken

2013-12-03 15:16:35

The female Hurricane

Not sure if you ever realized, but the song works for a different group of our population as well.

Pistol shots ring out in the barroom night
Enter Ruben Valentine from the upper hall
He sees the bartender in a pool of blood
Cries out, “My God, they killed them all!”
Here comes the story of Miss Hurricane
The girl the authorities came to blame
For somethin’ that she never done
Put in a prison cell, but one time she could-a been
The champion of the world

Three bodies lyin’ there does Ruben see
And another man named Bello, movin’ around mysteriously
“I didn’t do it,” he says, and he throws up his hands
“I was only robbin’ the register, I hope you understand
I saw them leavin’,” he says, and he stops
“One of us had better call up the cops”
And so Ruben calls the cops
And they arrive on the scene with their red lights flashin’
In the hot New Jersey night

Meanwhile, far away in another part of town
Patty Carter and a couple of friends are drivin’ around
Number one contender, female middleweight crown
Had no idea what kinda shit was about to go down
When a guy pulled her over to the side of the road
Just like the time before and the time before that
In Paterson that’s just the way things go
If you’re a girl you might as well not show up on the street
’Less you wanna draw the heat

Alfred Bello had a partner and he had a rap for the cops
Him and Arthur Dexter Bradley were just out prowlin’ around
He said, “I saw two girls runnin’ out, one looked like middleweights
They jumped into a white car with out-of-state plates”
And Sir Ruben Valentine just nodded his head
Cop said, “Wait a minute, boys, this one’s not dead”
So they took him to the infirmary
And though this man could hardly see
They told him that he could identify the guilty ones

Four in the mornin’ and they haul Patty in
Take her to the hospital and they bring her upstairs
The wounded man looks up through his one dyin’ eye
Says, “Wha’d you bring her in here for? She ain’t the fry!”
Yes, here’s the story of Miss Hurricane
The girl the authorities came to blame
For somethin’ that she never done
Put in a prison cell, but one time she could-a been
The champion of the world

Four months later, the ghettos are in flame
Patty’s in South America, fightin’ for her name
While Arthur Dexter Bradley’s still in the robbery game
And the cops are puttin’ the screws to him, lookin’ for somebody to blame
“Remember that murder that happened in a bar?”
“Remember you said you saw the getaway car?”
“You think you’d like to play ball with the law?”
“Think it might-a been that fighter that you saw runnin’ away?”
“Don’t forget that you're a man”

Arthur Dexter Bradley said, “I’m really not sure”
Cops said, “A poor boy like you could use a break
We got you for the motel job and we’re talkin’ to your friend Bello
Now you don’t wanta have to go back to jail, be a nice fellow
You’ll be doin’ society a favor
That feminazi bitch is brave and gettin’ braver
We want to put her ass in stir
We want to pin this triple murder on her
She ain’t no social girl”

Patty could take someone out with just one punch
But she never did like to talk about it all that much
It’s my work, she’d say, and I do it for pay
And when it’s over I’d just as soon go on my way
Up to some paradise
Where the trout streams flow and the air is nice
And ride a horse along a trail
But then they took her to the jailhouse
Where they try to turn a girl into a mouse

All of Patty’s cards were marked in advance
The trial was a pig-circus, she never had a chance
The judge made Patty’s witnesses helpless and bewitched
To the male folks who watched she was a hateful feminist bitch
And to the girlfolks she was just a crazy whore
No one doubted that she killed them all
And though they could not produce the gun
The D.A. said she was the one who did the deed
And the all-male jury agreed

Patty Carter was falsely tried
The crime was murder “one,” guess who testified?
Bello and Bradley and they both baldly lied
And the newspapers, they all went along for the ride
How can the life of such a girl
Be destroyed without causing a stir?
To see her obviously framed
Couldn’t help but make me feel ashamed to live in a land
Where women are a game

Now all the criminals in their coats and their ties
Are free to drink martinis and watch the sun rise
While Patty's like Marissa in a ten-foot cell
An innocent girl in a living hell
That’s the story of Miss Hurricane
But it won’t be over till they clear her name
And give her back the time she’s done
Put in a prison cell, but one time she could-a been
The champion of the world

Posted by Tonnerre Lombard | Permanent link | File under: gender_equality

2013-02-04 23:20:50

NetBSD support for Intel kernel Mode Setting

A few versions ago, Intel started releasing drivers for their graphics cards which would rely on the kernel to switch between graphics modes (a new development from the Linux/FLOS world). This would, for example, ease the transition between framebuffer consoles and X11.

Since however the NetBSD kernel doesn't yet (as of version 6.0) support setting graphics modes, this means that later Intel drivers don't work under current NetBSD releases.

And there our hero, Grégoire Sutre, comes to play. He started a project on GitHub to port DRM/GEM to NetBSD from OpenBSD, which had a paid person implementing it for them under a BSD license.

Testing it on the stable release

A while ago, I replaced my old Thinkpad T61 with a T520. Unfortunately, this meant I also had to switch from NetBSD to Debian GNU/Linux because NetBSD wouldn't run on the T520 and I didn't have the time to change that. Also, at that time, neither of the BSDs supported kernel mode setting.

A few days ago, prompted by the announcement of the CONFIG_VT deprecation under Linux, I decided to make another attempt at getting NetBSD to run on the T520 and stumbled across Grégoires work. It was a bit awkward to take his changes and to apply them to NetBSD 6.0, because they were made for NetBSD-current and had to be modified first. Nonetheless, I managed to apply them relatively sensibly.

The rest doesn't take a lot of time to lay out. I built a release with the changes and applied it to my NetBSD system. There, everything worked. I had Intel graphics.

So I decided to upload a patch to my FTP server. In addition to that, I also built the release sets and an installation ISO image and uploaded them. You can find everything on ftp.bsdprojects.net under NetBSD-6.0-drmgem-20130203.

How to apply the patch to NetBSD-6

The distribution method Grégoire chose was a bit awkward to use (as described above), so I decided to create two patches (one for src, one for xsrc) and distribute those instead for NetBSD-6. The rest of the procedure is pretty straightforward. First, fetch the patches:

% ftp http://ftp.bsdprojects.net/pub/bsdprojects/NetBSD/NetBSD-6.0-drmgem-20130203/netbsd6-drmgem-src-20130203.diff.gz
% ftp http://ftp.bsdprojects.net/pub/bsdprojects/NetBSD/NetBSD-6.0-drmgem-20130203/netbsd6-drmgem-xsrc-20130203.diff.gz

Then, get the source code from CVS.

% cvs -d anoncvs@anoncvs.xy.netbsd.org:/cvsroot co -P -rnetbsd-6 src
% cvs -d anoncvs@anoncvs.xy.netbsd.org:/cvsroot co -P -rnetbsd-6 xsrc

Apply the patches:

% (cd xsrc && zcat ../netbsd6-drmgem-xsrc-20130203.diff.gz | patch -p0)
% cd src && zcat ../netbsd6-drmgem-src-20130203.diff.gz | patch -p0

… and build the tools and release:

% ./build.sh -j 9 -x tools
% ./build.sh -j 9 -x release
% ./build.sh -j 9 -x install=/

Then ensure that all your pkgsrc packages are linked against the X.Org release installed from the base. Things might work ok if you link the clients against X.Org from pkgsrc, but the pkgsrc X server certainly won't work. And if you already use X.Org from base anyway, why not use it for everything.

The Future

Right now the drmgem code is in a state where Intel kernel mode setting works. However, all the DRM modules have been deactivated in the X.Org source. This is because they don't seem to work yet. So the patch cannot yet be committed as it is, because for everybody who's not using Intel, it would be a step back.

So this means that the patch needs some brushing up. But it's good, solid work and will hopefully be ready to be committed into the source base some day soon.

What's left to say: Thank you, Grégoire Sutre, for your good work! If we can help you somehow, please let us know.

Flattr this

2013-01-29 20:40:35

The Apple Experiment: Conclusions

At this point I've used the iPhone continuously as a main phone for a month in a row. I've made serious attempts to replicate all workflows I used on my Android phone, with varying results.

Holding it Wrong

The first thing you'll notice is that data transfers appear to be really slow over GSM most of the time. It's ok for reading Twitter using the app, but if you open a web site it can take a number of minutes before you finally have at least the text to read in front of you. Under the same conditions, the Android phone could load the web site in a matter of seconds (still slow, but it's mobile, so well). Using the same carrier, of course.

There's the old joke that people are simply holding the iPhone wrong. I think it was Steve Jobs who came up with this joke when he was still alive. Either way, I tried various ways of holding the phone, including upside down, and nothing would improve the page loading speed.

To add to the pain, the iPhone interpretes touchscreen presses which arrive while the screen is darkened (to announce impending screen lock). So if you tap somewhere on the screen to keep it awake while loading the page, it suddenly follows some not-yet-displayed link and you'll never see the page you wanted to go to.

An additional annoyance is the switch to turn sounds on and off. It is generally a good idea, however, you will always end up switching sounds on and off like mad with your pocket.

Which brings us to the general point that the iPhone hardware is incredibly fragile. Android devices appear relatively sturdy with their gorilla glass. If you drop them by accident, they aren't usually damaged. If you drop an iPhone on the floor, the glass will typically be shattered, and worse effects may occur.

Multi-singletasking in Mind

One of the biggest points you will notice quite quickly is that there is an enormous lack of integration of the different apps. Imagine for example that you want to share a link to something. You have Twitter, Google+, Delicious, Soup (well ok, they don't have an iPhone client), mail, chat, etc. on the phone. However, there is no common sharing dialog like in Android. Every App has to integrate all those programs itself in its own sharing dialog. This means that you can only share to whatever the App writer was aware of.

Likewise, there are no URL namespaces. If you get a Google Docs link in mail (not GMail, which tries to work around this), it will be opened in the browser. YouTube links? Open them in the browser. Google+ links? Open the browser, too. It would be much more valuable to use the dedicated apps for those purposes instead so people can use the service more efficiently, especially given the painfully slow page loads.

To address this problem, App implementors have written the most useless workarounds. If you click on a link in the Twitter app, a new embedded browser will be launched inside Twitter, because Twitter doesn't want to lose everything which was currently open. That makes sense for Twitter, but not as a whole, especially since that embedded browser lacks some controls and is really awkward to use. Especially as you now have two back buttons. And you can't switch to a different tab from the main browser instance, because it is not the browser.

Another issue is copying and pasting. Just like in early Linux days, it works part of the time and sometimes you get inexplicable results. Some Apps just don't seem to care though and just don't offer copying and pasting. I would have expected this to work ok in anything implemented after 1993.

To add insult to injury, apps which don't get the focus for a while are quit. This is quite annoying when you use a Jabber client on the phone, because you have to get it back into the foreground every couple of minutes to prevent it from quitting and being disconnected. As a workaround, many Jabber clients send you push notifications a minute or two before they're terminated. But that's nothing more than an ugly, annoying hack and far from the nice integration of Jabber clients as background tasks in Android.

Notify … but about what?

Notifications (”push messages“) are another issue where the current solution is unbearable. It appears that every app has its own notification process which cannot communicate with the main process. This goes even as far as to add a counter to the app icon. For example, you have 2 Twitter notifications. They are displayed on your screen lock, although truncated. You unlock the screen and find that the Twitter icon has a small ”2“ besides it, indicating that two unread notifications have been received.

Then you open Twitter and you don't see anything at all. It doesn go to the replies tab because apparently the App doesn't know you want that. You open the replies tab and realize it doesn't have your reply yet because it hasn't been reloaded since the message arrived. Given that Twitter ran in the background, that's kindof logical, but it isn't helpful and not a way in which I would want to implement my Apps. And it doesn't just affect Twitter: it's everywhere! TweetDeck has it, Mail has it, GMail has it, even the App Store has it. If we're fetching all that data for the notification, why can't we just have it in the app as well? What kind of notifications are those? Especially given the poor data transfer rates of the iPhone you really don't want to wait for all your replies to be downloaded again.

Even worse, it's quite difficult to actually follow notifications because when you click on one, all the others tend to go away. So you will know that something happened but you have no way of following up without looking through your phone and installed Apps. Why?!

And since I mentioned the icon: there is no reasonable way to sort a list of generic things other than alphabetically. The phone knows the language of the user and thus the sorting alphabet to use. Yet all apps appear in the order in which they have been installed. That's cool if you just installed something, but in a few days you won't remember if you installed SecureChat before or after pterm. So either let the user categorize the icons into desktops, with grouping functions, all by themselves, or don't assume anything and just order the icons alphabetically. I know that SecureChat comes after pterm in the latin alphabet.

If you buy an iPhone, you must be rich

Another really big minus is the pricing of iPhone apps. On Android, you get a great variety of good apps for free. For example, you have ConnectBot, a decent SSH client which someone implemented. People like to share stuff for Android for free. And the average Android app in the market costs CHF 1.99, so not terribly expensive.

On the iPhone, the general idea appears to be ”You paid a lot of money for your phone, so you can pay a lot of money for your Apps“. The most reasonable SSH client appears to be pTerm, which costs CHF 5.-. It's merely a port of PuTTY to the iPhone, so it's based on Open Source software, yet you pay more for it than you pay for a loaf of bread.

The regular iPhone port of the RealVNC viewer is sold for CHF 10.-. It's even twice as expensive as the already-expensive SSH client. It costs more than a loaf of bread and a decent piece of cheese. Nagios clients cost between CHF 15.- and 20.-. A client for a web interface which lets you view fields and click buttons.

In this respect the so-called ”Genius“, a function in the App Store which advertises you Apps you could buy, becomes even more ridiculous.

Welcome to the iCloud, where everything

And then there's the iCloud. I already mentioned all the fun I had with trying to create an account there. Once I had my account I couldn't import my calendar from anywhere. Because why would you want to do that? Now that you have an iPhone you can make totally new, more shiny friends!

Then I tried exporting an ical file from a web site and importing it into iCloud. The phone didn't really know what an .ics file is supposed to be, so I tried using the web interface. It's full of fancy features for creating calendar events, but the one thing it cannot do is importing calendars. The data is siloed in the iCloud, no communication with the outside is permitted. No matter which way.

What went well

There are two things iPhones are really good at. The first is good support for customer apps by companies. For example, Crédit Suisse so far only released their online banking App for iPhones, not for Android. The same goes for the german institute Deutsche Bank.

(On the other hand, small indy apps like Soup tend to be more widely available on Android.)

The other thing is podcasts. Apple has had a lot of time to implement a good podcast App, and so far there appears to be no good equivalent for Android. There are some podcast apps, some of which even work ok. But none of the tested ones have the comfort of the Apple Podcast App at this precise moment.


It is possible to use the iPhone as ones primary device for a period of time. However, the discomfort of doing so and the various annoyances suggest it is not a good idea. I was extremely happy when I could finally pick up my Galaxy Nexus and use it again. All in all, the iPhone feels like the bad phone hardware from 2005 mixed with an operating system from 1993, which is not a very pleasant experience.

Especially given the high price, required involvement (owning and maintaining a Mac, buying MacOS upgrades, buying an iPhone, buying apps, etc.) and the high risk of damaging the phone, it seems a rather questionable investment.

In my opinion, the iPhone needs a couple of years to come to the same level that other phones already have. The entire operating system needs to be better integrated (like Linux desktops, for example). The hardware needs a revamp and needs to catch up with recent developments like gorilla glass and covered switches, or more sturdy hardware in general.

Flattr this

2013-01-29 02:32:44

Gender Liberalism: what got us here won't get us there

A frequently promoted strategy for tackling the issue of world hunger is liberalism. Just like any other -ism, it takes an idea to its extreme. And the idea is that you basically just need to make everything in the market equal, and equal opportunities for everybody are the result. So far though, there appear to be major gaps between the ideals and the actual results: people are still starving as you're reading this, on this very planet.

The same principle is frequently promoted as a solution to the problem of gender equality. Basically, if everybody agrees that it's ok to hire women into technical jobs, we will no longer have a huge bias in this job area.

There are many reasons why this doesn't work, and none of them is inherent to our species in any biological aspect.

Education for failure

Education of women is a vast topic and basically starts with a childs first breath. Because that's precisely the moment when we start learning new things, regardless of our gender. Starting from their birth, the child will observe its environment very closely and make observations. Those are not only based on its own family and things people say, but also actions. For example, if all women around the kid never pick up a hammer to build something themselves, and all men do, the kid concludes that hammers are for men. This gets even worse if Daddy keeps taking hammers, or for that matter, keyboards out of Mommys hands and does things for her. Very bad impression, don't do it for the sake of your kids future.

In the life of an average girl, there are more aspects preventing a more informed relationship with technology though. For example, there's all these people telling girls that technology is not meant for them or that they wouldn't be good at it. (Fatal misinformation; various women I know are extremely skilled at building things.) Even worse, the cognitive processes of a woman are set up to expect failure in those situation by people telling them that they are going to fail anyway. And especially when people tell them ”I told you you wouldn't make it!“.

Everybody fails. Girls do, boys do, hermaphrodites do and whoever else you could possibly think of does it too. Failure is normal. Failure gives you an opportunity to analyze what you did and improve it. And improvement is good, after all. This is the message which needs to be carried whenever somebody fails, regardless of the topic and other questions like gender.

No-opportunity learner

There are other ways parents set their girls up to have less of a chance to succeed in technology. A frequently observed pattern is to deprive them of the opportunities to learn. We all know of various cases where a boy was playing Doom 3, World of Warcraft, whatever computer game you can imagine all day on his own computer and would just be left alone. Likewise, I know of many cases where girls were using the family computer (because they never received their own one) to try and write programs or attempt to install server software to try and run their own test server, and were told after two hours to get away from the computer.

”You are spending way too much time in front of that computer! Go play with your friends or take a walk!“

These stories are from girls who actually made it as far as to write a program of their own or run their own web server on localhost. It's hard to imagine how many girls never get there because they don't have enough time in front of the computer to figure it out before they get frustrated. Or because they're not allowed to run their own software on the family computer. Sure, some of this also hits boys, but excessive use of computers by boys is more widely accepted.

Peer Pressure away from what Matters

The time in school is typically spent around a group of other girls who are already frustrated with technology and a group of boys and teachers who throw around the same old phrases which discourage involvement with technology. Such an environment, just like all of the previously mentioned environments, is toxic to any interest in technology.

There's not just the circumstance that no other member of the peer groups will want to be involved in having fun with technology. Additionally, any involvement will be punished verbally (”What, you're playing with computers? Eww!“). And even boys who appreciate some involvement with technology frequently choose words which are more of an insult than a compliment (”You're doing this quite well for a woman“).

If you ever worked in different types of environments, you might have noticed the effect yourself. If you're surrounded by unmotivated people and people who aren't very skilled at what they're doing, they are slowing you down too, and you will never get as much done as you usually would. Even worse, you will learn a lot less over the years, because the typical tasks are scaled down for the size of the average mind in the team. So if you're the most intelligent person on the job, you're not very likely to grow (except perhaps in leadership skills).

On the other hand, if you surround yourself with people who are better than you at something, you will learn a whole lot from them, and your productivity and learning curve will appear to be boundless. You will start to feel like you've never seen the world so clearly.

This is however not the typical environment of a girl in school. Typically, they're surrounded with other girls who don't want to have any contact with technological challenges. So the mind suffers.

And then there's the problem that most boys aren't very well trained in not assuming leadership, and that teachers don't attempt to teach that skill either. So when people work in pairs on a computer or work bench, boys tend to take the keyboard or dremel away from the girls, and generally take a more commanding role in the team. This means that the girls tend to get less to do and just watch the boy fulfill his task. She only gets the tasks the boy assigns to her. And typically, proper judgment isn't applied in those situations.

No Hire!

Life doesn't end with school. Eventually, girls become women and will start looking for a job. And there, part of the problem is that hiring for tech companies is frequently done by members of management who consider themselves technical. In tech startups, it is even done by technicians themselves. Thus, this area, too, is male dominated.

And now women are struck by the same problem foreigners are. Studies have shown that recruiters are significantly more likely to hire people who are more like them, and in case of male recruiters that would be men. Unfortunately, this means that more men will become tech recruiters in the future. And it makes women less likely to find a tech job. This produces gaps in the CV which are filled either by unemployment or non-tech jobs, where women have an easier time getting hired.

Unfortunately, the same recruiters will then hold this against the applicants. If they didn't spend all of their time on tech jobs, it will be assumed that their lives are unsteady, making them less likely to get the tech job. This means that women in technology get less tech experience through jobs on average. Add to that all the prejudice against women for having the capacity to become pregnant, which is another big reason why they don't get jobs. Or the prejudice that women are more prone to depressions — who wouldn't get depressed with such terrible prospects?

No Heavy Administration

And even on the job itself there are problems. If a woman takes a job as a sysadmin, for example, it is not infrequent that her male colleagues are reluctant to assign some of the heavier server-lifting work in the server room, because it's a male-dominated domain and muscles are invovled. So the men alone carry the server into the server room, mount the rack slides, slide it in, hook it up and start the installation (unless automated away, which is happening way too rarely, but that's another point).

So in many companies, only the menial tasks of clicking up 1000 similar users or making coffee are left to the women. And the effects are devastating: I've seen women with a diploma in computer science and a CCNA certificate working for an ISP who were making coffee and carrying files from office to office. Because only men were entering the server room. Ever. This of course means that even though these women are on the job, they are refused the privilege to gather experience.

This has even wider effects when it comes to upgrade training courses. Women who fell into the trap to be kept away from the real experience may be perceived by management and human resources as not yet having achieved their full in-house learning potential. So they might not win the fight over the few free seats in that network management course, because a male colleague already has a lot of experience and is perceived as the superstar who's just the right network administrator.

Of course, none of the points mentioned above apply necessarily to all women. Some of them get more lucky and end up in a really great company where they can do good stuff and gather a lot of experience. I am happy for every one where this is the case. The purpose of this article is to point to these effects and to outline their consequences.

What can we do better in hiring then?

Even though women are inherently as capable as men, the effects mentioned above have serious consequences. They mean that, unlike with a man, you cannot generally expect a woman interested in technology to have gathered a lot of experience at home and during childhood. There are simply reasons why some of them cannot take advantage of their childhood to gather tech experience. The same is by the way true for men who grew up in extremely conservative families who banned all use of technology from their homes, and the likes. So if in doubt, you should always treat the applicants as such.

It also helps to be more lenient on the CV. Women might have gaps in their tech career, or even not have worked at all for monthes. This might be because someone was looking at their application, just like you, and made some wrong decisions.

Another point is experience. Typically, if someone was working on a job for a longer time, you expect a certain level of experience from them. And you will check if the experience of the applicant matches your expectations. For example, a man who worked as a wind tunnel engineer for 5 years is expected to be able to make a lot of good estimations about aerodynamics, or to make good designs just from his good judgment.

Since however women in tech are frequently left with the menial tasks, this means that a lot of the time they never had the chance to gather as much on-the-job experience as you would expect from a man who has worked the same time on the same job. Be it because she wasn't allowed to operate the wind tunnel, or be it because her colleagues always took away her keyboard when something important happened.

So you cannot trust the regular rules for past experience and career development. Still, you have to find some metric to determine if the applicant is going to be a valuable resource to the company or not. After all, you don't want to just hire anybody. So what can you do to determine if the applicant has what you need?

The question you should ask yourself is a question which should generally be asked more frequently in job interviews. ”Does the applicant have the ability to learn what she needs on the job?“

Most of the time this is a very interesting question which is widely neglected. Most companies are different and run different applications or produce things in a different way. Experience can give you a lot of help in learning the ways of your new job, but it is in no way all you need. All these companies which throw out a list of 50 words the applicant must be familiar with forget that the company will probably have their very own framework built around PostgreSQL or something like that. It is much more important that you determine whether or not the applicant will ever learn to use your framework.

Good tech employees always learn on every job. It should be the biggest and most verified part of the job description. If people don't learn on their job, the job is evidently boring and the person should get a more suited one.

Please note that women quota aren't covered in this text because I have no idea about this topic. Whether or not they are a good idea, I hope that mankind will follow whichever path yields the better result.


You may have noticed that what is written above is quite controversial. It basically says that women need special treatment, must be nourished and brought on to the jobs, and that you should keep your expectations lower. This typically raises the suspicion that women indeed aren't up to the job and aren't hired for their skills. And when they are hired, they have to wonder if they're really good enough or if they just got the job because of gender questions.

The answer is: if you manage to find an employee who can learn your ways quickly and understands what needs to be changed and how, it is a very good employee, regardless of the gender. But right now we have this gap and all the effects associated with it which pull very forcefully to keep the gap open for as long as possible. In order to bridge over this gap, some special treatment is required for some amount of time until we just truly work together in an environment which is free of prejudices and provides equal opportunities to members of any gender or non-gender.

Right now, we're unfortunately too far from that to just ignore the whole problem and wait for it to go away on its own.

Flattr this

2012-10-08 15:56:50

The Apple Experiment: Lowering Expectations

After days of struggling with the account creation, I had to realize that I could simply not have an iCloud account. The Windows toolbar, which was my last, best hope for a clean iCloud account, could not create them, only log in to them. So I had to create an Apple ID based on my current Google Apps mail address. After opening Mail, I could then finally create my iCloud address, but the account was tied to my Google Apps mail account.

But at least I could finally start using the iPhone. I connected it to the wireless (I was in a different place now) which worked just as nicely as you would expect. Except the keyboard is a bit quirky because, unlike the Hacker Keyboard on Android, it doesn't come with number keys or symbols without first switching to some different mode. If you have complicated passwords, this can be very time-consuming.

Come to the iTunes store (if you can)

I then went on to install various apps on the phone. The App Store suggested a number of usefull apps from Apple which I should install by all means. In order to do that, though, I first had to sign my Apple ID up with the iTunes store. This procedure involved giving my home address, credit card and phone number and verifying some mail I received in my Gmail (rather than the iCloud account, so I had to go back to my laptop to confirm my account creation).

While the iTunes store asked for a backup mail address, it complained when I entered my Google Apps address because even though this address would be the backup for my iCloud account, it was still associated with the Apple ID, so I had to enter a third, distinct mail address to satisfy the iTunes store.

Unfortunately it took me some time to find my home phone number and by the time I had it ready, the screen lock had kicked in. I unlocked the screen and found that this going into the screen lock had closed the iTunes account creation wizzard and I was staring at the regular start page of the App Store. The advertisement for the useful Apple apps was gone for good, I couldn't find it anymore. So I decided to install an app and was asked to type all the iTunes account details in again.

Luckily, I made it on time this round so I didn't have to repeat the process. Now I was finally able to install the free DB Navigator app I required for my trip to Hamburg the next day. Then I tried to install the SBB app and was asked to come up with 3 security questions and their answers. All of the questions were completely useless and could be figured out easily by anyone with enough knowledge of my life. Like, what was the first rock concert you ever went to? Really?

Then I had to find the SBB app again and tell the App Store one more time to install it. Luckily, it didn't have any further questions and just fulfilled my request.

Big Podcast disappointment

I then found, installed and launched the Podcast app. Since I was going to Hamburg the next day, I would want something to listen to while traveling. The Podcast app contained a slightly sorted list of completely random podcasts, but it appears that the collection was big enough that I could find some interesting ones by searching for a bit. I added them to my list and one of them started playing immediately and rather loudly, which earned me some slightly embarassing stares.

I then set the alarm clock and went to bed, attaching the phone to the charger for the first time since its recent repairs. On the next morning, I was woken up by my esteamed phone at the right time. However, the battery was still at a relatively low rate. It had not been charged over night, again. It seems I will have to send the phone in for repairs another time.

I caught the bus to the station and boarded the train to Hamburg. I made sure to take my Sennheiser phones with me on the train so that I could listen to some of the podcasts I had selected the previous day. When I was looking through the list, all of the episodes were gray. It turned out that the default setting was not to download them ahead of time for you to listen, but to let you do that manually. (At the same time, the default setting would download them only on wifi, not on 3G when you're someplace outside).

Unfortunately, I was in a foreign country (Germany), so I couldn't download the episodes from the train. Also, consdidering how full the 3G network in Zurich is during commuting times, I would expect most people to have difficulties doing that in the first place. I reconfigured the Podcast app and continued my trip without anything to listen to.

So I wonder, will I be able to get along with this phone? I haven't yet found any offline street maps for Germany, like OpenStreetMap (OSMAnd) for Android. Also, will I ever have a phone which works for more than a few days, until the battery is drained and cannot be recharged again?

Read more about this in the next episode…

Flattr this

2012-10-06 01:40:55

The Apple Experiment: Day One

About a week ago, I received an iPhone 4S with 32GB of storage. I immediately spent another CHF 40.- to get a rubber bumper and a display protection foil for the phone, in order to avoid it being destroyed in an accident or by being transported. A good iPhone user would possess such protectors, so I should have them too. They're ridiculously expensive though: CHF 20.- for the bumpers and CHF 20.- for the display protection foils.

And up for repairs

The charge of the battery was relatively low, about 20%, when I received it, so I plugged the phone in to charge it. While the phone was running on external power then, the battery wouldn't charge. As I carried it around, the power would continue to drain. Eventually, it reached zero, but the phone still wouldn't charge, even after several hours on the charger. So I brought it in to be repaired.

After a week in repairs I received the phone back just today, configured to the Apple ID of an employee of the shop which fixed it. The phone firmware had been reset and I was promised the phone would charge again. I haven't yet had an opportunity to try though.

Initial setup

Now that I had the phone back, I had to reset it and configure it for my own use. The option for resetting the phone could be found easily in the settings menu. Then, I was greeted with the iPhone setup screen. I slid to unlock, selected language and country, then configured the wireless network. I enabled location services and configured the iPhone as new. Then I was asked for an Apple ID.

I didn't have one, so I chose to create a Free Apple ID. The first question I was presented with was the birth date. The date is selected using three adjustment wheels, which is highly unpleasant if you were born at the other end of the month and year, a long time ago. A combined adjustment wheel and number editor would certainly be a relief here.

Then I had to type in my name — no surprises here. However, the name was split up into first and last name, which doesn't work for all cultures. It's a bit surprising that Apple forces this specific name format although they should have gathered quite some experience in dealing with different cultures by now.

Either way, I do have a first and last name, so I entered them. I was then asked whether I want to enter a mail address or create an iCloud account. Trying the full Apple experience, I had to go for the iCloud account. A quick question for the mail address later I received an error message: «Can't Create Apple ID: Your Apple ID could not be created because of a server error.» Clicking «Ok» on this message lead back to the screen which asks if you want to create an Apple ID or use an existing one.

Roadblock iCloud

Left without an option, I went to the Apple web site using Safari on my Mac Mini and was greeted with a very large video of Steve Jobs promoting various products to a kind of music. I couldn't find any other controls on the web site so I patiently watched the video till the end — which wasn't exactly easy, since the buffer kept running out. At some point the video was over and started again.

Hovering the mouse randomly over the browser window I discovered that there was a cross button on the upper left corner of the screen which would only appear when the mouse was hovered over it. Clicking that button loaded the regular Apple web site. However, that site didn't show the slightest sign of Apple ID creation mechanisms.

The apple in the menu bar brought back the video of Steve Jobs, which wasn't particularly helpful. The other menu items (Mac, iTunes, etc.) didn't mention Apple IDs either. In the Apple Store, there was a menu which mentioned «Accounts» and contained a menu point named «Account Home Page». The following page was more centered around orders from the Apple Store (looking at order lists or modifying or canceling orders), but there was a link to a page for changing the mail address of an Apple ID account.

The following page asked me to log into my Apple ID and offered an option to create one. I had finally found it! But the «Create Apple ID» page only allowed to create an ID with an existing, external mail account. No mention of iCloud anywhere.

So I used Google to find the iCloud service, which was apparently located at icloud.com. The web site didn't offer to create an account directly though. It asked you to create the account from the Mac or from an iOS6 device. The alternative was to use some iCloud tool bar on Windows. Since however I didn't have Windows, I couldn't follow that route.

The MacOS way required to open the system settings dialog. In that dialog, there was supposed to be a point called iCloud. I couldn't find that point though and it turned out that MacOS version 10.7.4 was required. I didn't have that version at hand, so I abandoned that road as well.

I may try finding a Windows installation to attempt the third way, but right now it appears that I cannot pursue the road I wanted to take due to a server error. Does that mean that my experiment is already over?

Read more about this in the next episode…

Flattr this

2012-10-05 18:30:00

The Apple Experiment

In order to know better what I'm talking about, I have started an experiment: I got myself an iPhone.


Now that your shock has faded, let me explain. First of all, it is not a new iPhone. I got an iPhone 4S for cheap from someone who just received it back from repairs as a replacement drive. So my phone was either new or refurbished, so as good as new. I still have about a year's worth of warranty left.

The purpose of this experiment is for me to figure out and document what the life of an Apple user is like. So I'm not going to jailbreak my iPhone or use any other methods to make my life easier or to make the iPhone work more like I want it to. I want the full dosis, and I want to try out every detail Apple is throwing at me. And I will try not to resort to my good old Galaxy Nexus for the period of the experiment, even when I want to.

And with that, wish me some luck on my challenge.

Flattr this

2012-07-31 13:24:57

Every year on the first of August

Switzerland is celebrating the first of August again. For the 721st time in a row, Switzerland is aging one year. And for the fifth time, people received a letter from the conservative party (UDC).

Two years ago, on November 28, 2010, the people of Switzerland decided to adopt the UDC motion for compulsory deportation of «criminal» foreigners, that is, foreigners who violated the criminal law. Since then, the federal government was trying to work out a way to implement this motion into law without violating any human rights and without trampling too much on the rights of foreigners.

Lack of any notion of proportion

This is a very hard problem. UDC wants the motion to be implemented as-is into Swiss law. This is however a clear violation of human rights, because it makes it extremely easy for everyone to kick any foreigner they don't like out of the country by alleging their involvement with a petty crime. The current Swiss law already covers the case where a foreigner commits serious violations of the criminal code. The extent to which the violations are serious has to be determined by a judge on a case-by-case basis. However, the motion would change this. Any crime, even a petty crime, would automatically lead to deportation. If this is put into context with the most recent attempts by the conservative forces all over the world to put anything they don't like into criminal law, the implications are exorbitant.

Think about ACTA. It was an attempt, supported by the Swiss institute of Intellectual Property, to put criminal sanctions on copyright violations. This means if you mess up a quote from a book in your publication, you don't only get to pay damages to the original author, but you also get automatically deported out of Switzerland and back into your home country.

There were similar attempts to put patent violations into criminal law. Note how extremely difficult it is nowadays to avoid running into patent violations when you develop any kind of products. If you implemented a web shop, for example, that would definitely get you deported.

Think about the cybercrime convention. If you use a media player to display DVDs you purchased on your laptop, that's a criminal offence (circumvention of copyright protection) and you will get deported.

Think about the hacker tools legislation. If you're a security researcher or a system administrator and you possess exploit code to do your daily job — definite deportation.

UDC still pushing

UDC however announced that, in their opinion, the Swiss government has been too slow in implementing their motion into law. Thus, they've sent out letters to every household in Switzerland (including the criminal foreigners and everyone else) asking for signatures for a new motion to implement the old motion as it was written down.

This is an even more difficult motion than the last one. A lot of time has to be devoted to making sure the new legislation will be in accordance with the basic human rights and with international treaties Switzerland has signed in the past. It is also very important that this new legislation doesn't lead to mass deportations or a mass exodus of foreigners who bring a lot of money into the country and add a lot of expertise the small, largely rural 7.6 Million people nation of Switzerland just cannot offer all by itself. New laws take their time, and this one is so very precarious that it most definitely shouldn't be rushed.

But more than that, UDC knows that complex legal matters take more than 1.5 years. This suggests that their main intention behind pushing this is to get exactly the legislation they had written down in the original motion, before the council or the parliaments get a shot at merging it with their own ideas and making it «weaker» so it can actually work without the detrimental effects UDC had in mind when drafting it.

As UDC is pushing right now, there can only be 3 outcomes from this law: a mass exodus, mass deportations or mass naturalization. This would give UDC a better argument to discriminate against naturalized citizens with their initiative proposal to give them differently colored passports and take away some of their citizen rights.

Flattr this