Software Freedom Conservancy

Conservancy Blog

Displaying posts by Karen Sandler

Late Summer Conference Report

by Karen Sandler on September 29, 2017

I’ve been traveling quite a lot recently and have had the good fortune of participating in some dynamite conferences. Often we’re so busy with our work and travel that we aren’t able to make the time to report on it properly, which results in a lot of our accomplishments and activities happening silently[1]. August’s travel was intense, and while my inbox backlog continues to be a bit unnerving, I’ve got to tell you about where I’ve been before September is completely over too!

GUADEC: GNOME’s 20th Birthday!

As many readers probably know, I’m an enthusiastic user and fan of GNOME. And, as the former Executive Director of the GNOME Foundation, I was so thrilled when I was invited to give a keynote speech at the annual main GNOME conference, GUADEC. Given that this year is GNOME’s 20th birthday, it was a special year to be able to participate in the conference.

GUADEC was invigorating. With Ubuntu returning to GNOME and the success of Endless and other commercial initiatives around GNOME, the GNOME community is optimistic and focused on the future. There were many new contributors but also a great showing amongst folks who have been around the community for a long time.

Photo of Karen in front of a banner at GUADEC

My talk focused on the personal ethical responsibilities of free software contributors and how GNOME contributors can engage in the process of steering our technology in the direction of transparency and security. While I wasn’t intending to talk about medical devices very much in my talk, for a majority of the audience this was their first GUADEC or free software conference and the topic came up to illustrate some of my main points. As a society we’re building our critical infrastructure on proprietary software, entrusting single companies with some of our most important information and interactions. I strongly believe that we need technologists to stand up for ethical technology now, especially within the companies that are producing it. I recommended that contributors engage with management to discuss the long term business advantages of doing the right thing. As it turned out, there were also several young attendees in the audience who have implanted medical devices so it was a great opportunity to connect. Over time, these issues will impact more and more people.

I was excited to see Neil McGovern, the GNOME Foundation’s new Executive Director, in action. After I moved to Conservancy, I served on a Hiring Committee to help the Foundation find the right person for this role. There were many very impressive candidates, but Neil was the stand out. Neil gave an inspiring freedom-focused talk, revealing the great job he’s already doing.

There was also a big party for GNOME’s 20th birthday which was a lot of fun. I moderated a panel on the history of GNOME, and learned a lot of fun tidbits about GNOME’s past! I was also excited to see the “Pants Award” go to Bastian Ilso, who puts together awesome videos for GNOME releases (and ropes me into doing the voiceovers too).

DebConf

Soon after I got back from GUADEC it was time to head to DebConf. I could only make it for part of DebConf, which definitely left me wishing I could have been there for the whole time.

Photo of Karen with Outreachy alums at DebConf

This time the conference was in Montreal, and I had the privilege of giving a presentation about Outreachy. The talk was very well attended and I left plenty of time for questions. The best part was getting to meet a number of Outreachy alums, mentors and coordinators.

I also had the opportunity to talk to Debian folks about the copyright aggregation project and to participate as a Debian Developer. This was my first Debian event since I became an official non-uploading Debian Developer. While I felt more of a responsibility to work proactively on things that Debian needed to have done, I also felt a strong sense of belonging in the community. When DebConf was held in New York seven years ago, I went briefly for a screening of Patent Absurdity, which I was interviewed in, but was so intimidated by the conference that I basically ran away immediately after! (Somewhat relatedly, I recently recorded a brief video about Imposter Syndrome.) Being recognized as an official contributor to the project helps not only to feel like your contributions are appreciated (even if they aren’t code) but also that you are more than welcome in a community - that you are a part of it.

FrOSCon

The last conference I got to this summer was FrOSCon. I hadn’t heard of this conference until recently and was surprised to learn how big it is. Primarily a local German conference, FrOSCon attracts almost 2000 people. Like FOSDEM, the event runs only over the weekend. Also like FOSDEM, the conference organization is extremely impressive. When I arrived the night before the conference, I went over to see if I could help get things set up but there were so many people there to help they actually had nothing for another person to do!

I was asked to do my standard medical devices talk as the first keynote of the conference, and I was glad I gave that particular talk - the room was full of people who hadn’t heard it. The questions I got were insightful and the enthusiasm in the discussions after I spoke was exciting. I also did a couple of interviews with local tech press reporters and met some fabulous people which led to great discussions. A few of us spontaneously gathered a working group on ethics for IoT and informed consent. Since then Emma Lilliestam, who also spoke at FrOSCon about issues related to software and cyborgs, has been writing up these issues and further developing thought on the topic.

Photo of file boxes set out during FrOSCon takedown

I fully appreciated the organization of the event when I stuck around to help with takedown.

It was amazing to see everything get taken down, cataloged and organized for next year. FrOSCon is definitely a conference I would recommend to others in the future.

While the summer is over, it seems like it’s always conference season. This evening I’m delivering a keynote presentation at Ohio Linux Fest, a conference I’ve always wanted to attend. While it’s a lot of travel, I’m grateful to get the opportunity to meet with so many people interested in free and open source software and to have the chance to encourage folks to think about the important issues of our day. If you attend any conference that I’m at, please be sure to say hello!

[1] Conservancy has a staff of four full-time people, which includes no marketers, campaigns people or anyone focused on PR.

Tags: conservancy, conferences, Outreachy

Karen Sandler Interviewed about Sexism and Imposter Syndrome

by Karen Sandler on September 19, 2017

During an interview with mic.com, our Executive Director Karen Sandler spoke about sexism in tech and imposter syndrome.

Tags: conservancy, diversity

Donor Spotlight: Togán Labs

by Karen Sandler on August 23, 2017

Conservancy depends on our Supporters and Donors. We rely on their financial support, of course, but they are also valued ambassadors who spread the word about Conservancy and the work we do. This is the first installment in a series featuring the companies and individuals who support Conservancy. If you're a Supporter of Conservancy and would like to be featured here, please let us know!

We're kicking off this series by interviewing Beth Flanagan, CTO and Co-Founder of Togán Labs about why they have chosen to donate to Conservancy.

What is Togán Labs?

Togán (pronounced Toe-gawn) Labs Ltd. is a small startup embedded services provider based in Cork, Ireland. We are the creators of Oryx Linux, an embedded Linux distribution based around the Yocto Project and OpenEmbedded. Oryx incorporates a lightweight container runtime engine which brings the benefits of containerisation to the embedded sector without disrupting existing developer workflows. We are not just another startup. Our core philosophy is the belief that we can work, keep roofs over our heads and be responsible to our co-workers, our customers and our communities. It's not just an afterthought to us, it's designed into our company. Our board consists of 2/3rds women, our core development team is gender balanced, we require our co-workers to learn the Irish language (because without an economic basis the language will become even more endangered than it currently is).

We believe that our ethics make us a stronger company. And part of those ethics is our firm belief in open source, especially in copyleft compliance.

Why are you making this donation to Conservancy?

As IoT and embedded devices become more and more ubiquitous in our lives, it is vital that companies supplying these devices enable the consumer by providing them with complete, corresponding source. It's not just a legal obligation, it's a smart business decision. What happens when companies stop supporting firmware upgrades for devices currently on the market? We can't afford a billion devices out there with out of date firmware and no way for communities to provide community supported upgrade solutions. The work Conservancy and others do moves us towards better compliance in the embedded space.

As well, there are personal reasons I believe in the work Conservancy does. I don't have a university degree but have been a software developer for over two decades because of the existence of open source software. I learned to program because strong copyleft existed. Were it not for the ability to get source code, to understand how things worked under the hood, there is a good chance I would never have entered this industry.

Which of Conservancy's member projects do you rely on?

So many of them! As a company that provides an embedded system we certainly make a lot of use of git, uClibc, coreboot, BusyBox, QEMU, Samba, boost and of course the kernel. As the original author of the Yocto Autobuilder, a BuildBot based CI solution for the Yocto Project, I made heavy use of BuildBot and Twisted.

How do you see the future of software freedom?

I believe we are at a very important crossroads and that it is vital that our communities, corporations and organizations start having open and honest discussions about what the future of open source looks like and what we, as communities, value. I believe in collaboration, both in open source development and open source processes. I want to see all stakeholders around open source compliance move forward towards that goal.

Why do you think folks should open up their own wallets and become Supporters of Conservancy?

I have built a career and a company around a few billion euro software ecosystem I downloaded 20+ years ago for free! This software was started and built by people who believed that software should be free and open and it is vital that this shared value is protected, both from a moral perspective and a business one. I believe that Conservancy is one of the many organisations working towards that goal and the work they do, from Outreachy to compliance activities, enhances and enables our ability to deliver on the promise that is open source.

Tags: supporter

Cyborg Lawyer 2.0, "Hack Proof"

by Karen Sandler on April 6, 2017

It's been quite a number of years since I got my first defibrillator/pacemaker and, a little bit earlier than expected[1], the battery is now starting to run out. While the alarm hasn't started going off yet (it's set to go off every day a little after noon once the power gets below the 30 day replacement threshold), it's down to the point that this can happen at any moment. There's no way to recharge the battery, though device manufacturers are working on that for future models, so it's surgery to take out the old one and implant a new one. Of course, I've known this was coming for a while, but for various reasons I wasn't that worried about it. I mean, after all, I still don't have access to the source code in my current defibrillator. I was expecting status quo, with the inconvenience of surgery and recovery but instead was faced with the possibility of something much worse.

Karen getting her device interrogated via magnet

Back in 2007 when I first looked into getting my device, it was just before major research was published showing these devices to be vulnerable. I tried to convince my cardiologists and electrophysiologists that the issues around device security were critical, and that these device manufacturers got it backwards: no actual security but with proprietary software that cannot be reviewed or tested for safety. I explained that security through obscurity simply doesn't work. Initially, this did not go well at all but I finally found an electrophysiologist who got what I was saying [2]. He convinced me that I couldn't wait any longer to get the device and called around all of the local hospitals until he found one that had an old device that was still sterile. The older device had no wireless component, and could only be communicated with via a magnetic interface. This device was probably the very last one available in my geographic area. The whole experience caused me to research the safety of software on medical devices generally.

And ever since then I've been grateful to have that device. As exploit after exploit was published I was sound in the knowledge that at the very least, my device would be safe from remote attack. This became less hypothetical as I (like many other women on the Internet, as I have come to understand) have received actual threats to my safety and well being.

I was a little worried about getting a new device, but had relaxed after I spoke to a nurse practitioner a couple of years ago. He said that anyone could ask for their device's radio telemetry to be disabled after it was publicized that Dick Cheney had the wireless functionality disabled in his device. Apparently, if this was true at the time, it is no longer true, and with only a few months of power left on my current device, I was faced with the prospect of not only having a device to which I couldn't see the source code, but also one that would be wirelessly accessible with little or no security on it.

I went to the Heart Rhythm Center to begin the process of planning for the replacement and met with Abigail Silver, a nurse practitioner. She was kind enough to involve me in the process of contacting the manufacturers to ask them if they had any devices either without radio telemetry or with radio telemetry that could be disabled. On speaker phone, Abigail called the major manufacturers. One by one the representatives we spoke to all told me that my request was not possible. Some of the representatives were cagey. One manufacturer suspiciously asked Abigail to take the phone off speaker in order to tell her that the company did have a device without radio telemetry, though it turned out that the device was just a pacemaker and not a defibrillator. Some of the representatives were defensive. When I explained how vulnerable medical devices are, the Biotronik representative bragged "Our devices are hack proof." When I explained that this was probably not the case, he boasted that Biotronik's devices had never been shown to be vulnerable, and did not listen to my reasons why that would not necessarily indicate the devices to be truly secure from any attack.

At the end of these calls, I was in total despair. How is it possible that none of the major device manufacturers recognize the danger in having these devices enabled with wireless access? Some of the representatives we spoke to had no knowledge of the exploits that were widely publicized. I thought the biggest challenge I was going to face was once again seeking the source code to my body, but this was a direct and immediate threat to my safety and well being.

Fortunately, at the last minute of my time at the Center, my doctor remembered a small manufacturer making inroads in the United States. Abigail called them and happily, they do have a device I'll likely be able to use. It is with great relief that I'm writing this blog post. I continue to learn so much about the medical system and our fragile relationship with software. I hope I can make the time to explore each relevant part of this experience and research in future posts.

[1] My battery ran out a bit faster than it would ordinarily have because I got three unnecessary shocks. One shock was because the device was calibrated too sensitively (I was working out at the gym, and my device thought my heart was beating twice as fast as it was). Two shocks were while I was pregnant, and I was having some palpitations, as pregnant women often do.

[2] I also found a great HCM specialist, Dr. Harry Lever, who understands how important ethics are in technology and medicine (and how we need to safeguard against corporate interests), and more general cardiologist Dr. Olivier Frankenberger, who have been great resources in my healthcare journey.

Tags: cyborg, security
