Software Freedom Conservancy

[RSS] Conservancy Blog

Displaying posts by Karen Sandler

Karen Sandler Interviewed about Sexism and Imposter Syndrome

by Karen Sandler on September 19, 2017

During an interview with mic.com, our executive Director Karen Sandler spoke about sexism in tech and imposter syndrome.

Tags: conservancy, diversity

Donor Spotlight: Togán Labs

by Karen Sandler on August 23, 2017

Conservancy depends on our Supporters and Donors.We rely on their financial support, of course, but they are also valued ambassadors who spread the word about Conservancy and the work we do. This is the first installment in a series featuring the companies and individuals who support Conservancy. If you're a Supporter of Conservancy and would like to be featured here please let us know!

We're kicking off this series by interviewing Beth Flanagan, CTO and Co-Founder of Togán Labs about why they have chosen to donate to Conservancy.

What is Togán Labs?

Togán (pronounced Toe-gawn) Labs Ltd. is a small startup embedded services provider based in Cork, Ireland. We are the creators of Oryx Linux, an embedded Linux distribution based around the Yocto Project and OpenEmbedded. Oryx incorporates a lightweight container runtime engine which brings the benefits of containerisation to the embedded sector without disrupting existing developer workflows. We are not just another startup. Our core philosophy is the belief that we can work, keep roofs over our heads and be responsible to our co-workers, our customers and our communities. It's not just an afterthought to us, it's designed into our company. Our board consists of 2/3rds women, our core development team is gender balanced, we require our co-workers to learn the Irish language (because without an economic basis the language will become even more endangered than it currently is).

We believe that our ethics make us a stronger company. And part of those ethics is our firm belief in open source, especially in copyleft compliance.

Why are you making this donation to Conservancy?

As IoT and embedded devices become more and more ubiquitous in our lives, it is vital that companies supplying these devices enable the consumer by providing them with complete, corresponding source. It's not just a legal obligation, it's a smart business decision. What happens when companies stop supporting firmware upgrades for devices currently on the market? We can't afford a billion devices out there with out of date firmware and no way for communities to provide community supported upgrade solutions. The work Conservancy and others do moves us towards better compliance in the embedded space.

As well, there are personal reasons I believe in the work Conservancy does. I don't have a university degree but have been a software developer for over two decades because of the existence of open source software. I learned to program because strong copyleft existed. Were it not for the ability to get source code, to understand how things worked under the hood, there is a good chance I would never have entered this industry.

Which of Conservancy's member projects do you rely on?

So many of them! As a company that provides an embedded system we certainly make a lot of use of git, uCLibC, coreboot, BusyBox, QEMU, Samba, boost and of course the kernel. As the original author of the Yocto Autobuilder, a BuildBot based CI solution for the Yocto Project, I made heavy use of BuildBot and Twisted.

How do you see the future of software freedom?

I believe we are at a very important crossroads and that it is vital that our communities, corporations and organizations start having open and honest discussions about what the future of open source looks like and what we, as communities, value. I believe in collaboration, both in open source development and open source processes. I want to see all stakeholders around open source compliance move forward towards that goal.

Why do you think folks should open up their own wallets and become Supporters of Conservancy?

I have built a career and a company around a few billion euro software ecosystem I downloaded 20+ years ago for free! This software was started and built by people who believed that software should be free and open and it is vital that this shared value is protected, both from a moral perspective and a business one. I believe that Conservancy is one of the many organisations working towards that goal and the work they do, from Outreachy to compliance activities, enhances and enables our ability to deliver on the promise that is open source.

Tags: supporter

Cyborg Lawyer 2.0, "Hack Proof"

by Karen Sandler on April 6, 2017

It's been quite a number of years since I got my first defibrillator/pacemaker and, a little bit earlier than expected[1], the battery is now starting to run out. While the alarm hasn't started going off yet (it's set to go off every day a little after noon once the power gets below the 30 day replacement threshold), it's down to the point that this can happen at any moment. There's no way to recharge the battery, though device manufacturers are working on that for future models, so it's surgery to take out the old one and implant a new one. Of course, I've known this was coming for a while, but for various reasons I wasn't that worried about it. I mean, after all, I still don't have access to the source code in my current defibrillator. I was expecting status quo, with the inconvenience of surgery and recovery but instead was faced with the possibility of something much worse.

Karen getting her device interrogated via magnet

Back in 2007 when I first looked into getting my device, it was just before major research was published showing these devices to be vulnerable. I tried to convince my cardiologists and electrophysiologists that the issues around device security were critical, and that these device manufacturers got it backwards: no actual security but with proprietary software that cannot be reviewed or tested for safety. I explained that security through obscurity simply doesn't work. Initially, this did not go well at all but I finally found an electrophysiologist who got what I was saying [2]. He convinced me that I couldn't wait any longer to get the device and called around all of the local hospitals until he found one that had an old device that was still sterile. The older device had no wireless component, and could only be communicated with via a magnetic interface. This device was probably the very last one available in my geographic area. The whole experience caused me to research the safety of software on medical devices generally.

And ever since then I've been grateful to have that device. As exploit after exploit were published I was sound in the knowledge that at the very least, my device would be safe from remote attack. This became less hypothetical as I (like many other women on the Internet as I have come to understand) have received actual threats to my safety and well being.

I was a little worried about getting a new device, but had relaxed after I spoke to a nurse practitioner a couple of years ago. He said that anyone could ask for their device's radio telemetry to be disabled after it was publicized that Dick Cheney had the wireless functionality disabled in his device. Apparently, if this was true at the time, it is no longer true, and with only a few months of power left on my current device, I was faced with the prospect of not only having a device to which I couldn't see the source code, but also one that would be wirelessly accessible with little or no security on it.

I went to the Heart Rhythm Center to begin the process of planning for the replacement and met with Abigail Silver, a nurse practitioner. She was kind enough to involve me in the process of contacting the manufacturers to ask them if they had any devices either without radio telemetry or with radio telemetry that could be disabled. On speaker phone, Abigail called the major manufacturers. One by one the representatives we spoke to all told me that my request was not possible. Some of the representatives were cagey. One manufacturer suspiciously asked Abigail to take the phone of speaker in order to tell her that the company did have a device without radio telemetry, though it turned out that the device was just a pacemaker and not a defibrillator. Some of the representatives were defensive. When I explained how vulnerable medical devices are, the Biotronik representative bragged "Our devices are hack proof." When I explained that this was probably not the case, he boasted that Biotronik's devices had never been shown to be vulnerable, and did not listen to my reasons why that would not necessarily indicate the devices to be truly secure from any attack.

At the end of these calls, I was in total despair. How is it possible that none of the major device manufacturers recognize the danger in having these devices enabled with wireless access? Some of the representatives we spoke to had no knowledge of the exploits that were widely publicized. I thought the biggest challenge I was going to face was once again seeking the source code to my body, but this was a direct and immediate threat to my safety and well being.

Fortunately, at the last minute of my time at the Center, my doctor remembered a small manufacturer making inroads in the United States. Abigail called them and happily, they do have a device I'll likely be able to use. It is with great relief that I'm writing this blog post. I continue to learn so much about the medical system and our fragile relationship with software, I hope I can make the time to explore each relevant part of this experience and research in future posts.




[1] My battery ran out a bit faster that it would ordinarily have because I got three unnecessary shocks. One shock was because the device was callibrated too sensitively (I was working out at the gym, and my device thought my heart was beating twice as fast as it was). Two shocks were while I was pregnant, and I was having some palpitations, as pregnant women often do.

[2] I also found a great HCM specialist, Dr. Harry Lever, who understands how important ethics are in technology and medicine (and how we need to safeguard against corporate interests), and more general cardiologist Dr. Olivier Frankenberger who have been great resources in my healthcare journey.

Tags: cyborg, security

Getting Started with Linux Development and Compliance: An Interview with Christoph Hellwig

by Karen Sandler on February 22, 2017

Christoph Hellwig is a Linux developer, responsible for the code for several filesystems and the NVM Express drive. He’s a member of Conservancy’s GPL Compliance Project for Linux Developers and the plaintiff in the case against VMWare, which still awaits appeal. We recently had a chance to catch up with him to hear how he got started working on Linux, what advice he would give newcomers, and why he supports Conservancy’s work.

Photo of Christoph Hellwig speaking at DebConf 2015

Q: How did you become interested in Linux? Is there a contribution you are most proud of?

CH: When I was a kid in Germany I started using Usenet and got myself into programming more or less by accident. That lead to learning about Linux and installing it at home. Soon after I started hacking kernel to make the sound card in my computer work under Linux.

Q: Why did you join Conservancy’s GPL Compliance Project For Linux Developers?

CH: I decided that fighting copyright violations on my Linux code wasn’t a task I could take on alone. Based on that I decided to join the Conservancy’s GPL Compliance Project for Linux Developers, which is a very open project and also includes other kernel developers I respect a lot.

Q: What advice would you give to someone who is starting out in the Linux kernel today?

CH: Try to scratch an itch instead of just looking for an easy task that looks good on a resume. For example fix something that annoys you or a friend. Or try to upstream support for an embedded device you use. Don’t send cleanup patches for random code—that’s a good way to be seen as someone who is only interested in polishing his or her resume with kernel commits.

Q: Why do you choose to support Conservancy, in addition to volunteering your time to promote free software and compliance?

CH: I am very impressed with Conservancy’s work. Not only in the compliance program where I work closely with the Conservancy, but also how it helps a lot of free software projects to manage their affairs.

Join Christoph and support Conservancy today! Supporters sustain all of this work we do, from fiscal sponsorship for projects, to compliance work on their behalf.

Tags: conservancy, GPL

Next page (older) » « Previous page (newer)

1 [2] 3 4 5 6 7 8 9

Connect with Conservancy on Mastodon, Twitter, pump.io, Google+, Facebook, and YouTube.

Main Page | Contact | Sponsors | Privacy Policy | RSS Feed

Our privacy policy was last updated 25 May 2018.