Putting An End To Microsoft Windows

Linux vs Windows
 

A petition has been posted on Change.org: "Have the EFF investigate Microsoft for malicious practices regarding Windows 10".

Microsoft has a long history of bad business practices. Criticism of Microsoft has its own dedicated page on Wikipedia!

I have a simple question:

What does it take for us, as an open source community, to put an end to the Microsoft Windows operating system once and for all?

 

Here's a short list. Please add your ideas in the comments section!

  • Games - many people only use Windows because their favourite big title game doesn't work anywhere else. The good news is that the gaming industry is working on creating new open standards so that big title games work on *nix.
  • MS Office - LibreOffice is an excellent replacement.
  • Adobe Photoshop - from my understanding, GIMP isn't quite at the level professionals demand.
  • Hardware support - manufacturers don't often release open source drivers, and if they do, may not release them quickly.
  • Command-line - novice users don't want to be forced to use the command-line to configure their system when it wasn't necessary on Windows.

Keir Thomas discusses the top seven reasons why people stop using Linux.

Solutions

I think this would be the perfect time to help people replace Windows with Linux/FreeBSD.

Here's how we could help. For more aggressive suggestions, see here :-)

  1. Launch free training programs on University campuses.
    • Set up a program on major University campuses that helps people install Linux/FreeBSD on their laptop
    • Open to the general public
    • Demonstrate various distributions and window managers, compare and contrast each
    • Knowledge can easily be applied to upgrade their home desktop computers
    • I suggest the use of University campuses to help build trust
    • Source volunteers from local User Groups
  2. Launch a heavy online campaign to raise awareness of this new program.
    • Target twitter, blogs, and magazines.

Meet Pico - The Perfect Lightweight Complement To Drupal

Pico

Pico is billed as "a stupidly simple, blazing fast, flat file CMS".

With so many similar technologies in both Pico and Drupal, it's clear that Pico is the perfect lightweight complement to Drupal.

Read more for the history behind Pico.

Reasons why I'm choosing OPNsense over pfSense

OPNSense

After reading the interesting pfSense roadmap by Jim Thompson, I was surprised by two things.

First and foremost, LibreSSL will probably never be accepted into pfSense:

 

Finally, since I mentioned OpenSSL, let me say this:  Other projects may explore alternative implementations of OpenSSL (e.g. LibreSSL), but pfSense is unlikely to do this for three reasons:

  1. OpenSSL had its issues, but a good, long-time (> 30 year) friend named Rich Salz is now leading the development there.  I’ve known Rich since 1985, and I trust his leadership of the OpenSSL project.
  2. Intel is focused on OpenSSL, as is the Linux Foundation, and their funding.  There will be more test path coverage and more performance work in OpenSSL than any other implementation.
  3. I don’t like the attitude of the people behind the LibreSSL project.  Talking smack about the project you forked from is bad form. I’ll say no more than to quote Frank Zappa on the subject.

The arguments are very weak. Points 1 and 3 are extremely subjective and openly biased, and all points ignore the fact that LibreSSL has already proven to be more secure than OpenSSL, having fewer vulnerabilities since its release.

Secondly, the first, and likely most important, reason for switching from PHP to Python for pfSense 3.0 was simply "Personally, I have no time for PHP..."

This is not a very in-depth analysis of why Python is the most appropriate language for pfSense. I can imagine many people would argue to use Go, or Node, or something else.

Considering that PHP is much more widely used than Python, using a less popular language becomes a barrier to entry for developers. Hence, such decisions shouldn't be made so carelessly.

OPNsense has already incorporated LibreSSL and security hardening features from HardenedBSD. That's very proactive.

Notes on creating a super secure operating system for novice users

Computer Security

Introduction

Vision

Help novice users stay afloat in a post-Snowden world that is increasingly interconnected, complex, and dangerous by creating rich relationships between novice users and technology experts using the operating system as the basis for two-way communication with each other.

Mission

Use cutting edge security practices to provide complete lifecycle (from purchase to trash) protection from ongoing, persistent security and privacy threats for novice computer users.

Plink - Live music collaboration online

Plink

Check out Plink by Dinahmoe Labs. Play music with other people online using only your mouse!

gitDNS - DNS as a Service

gitDNS

The Problem With DNS Today

DNS stands for Domain Name Service, so "DNS as a service" might sound redundant.

DNS is already a distributed system, but it has some pitfalls:

  1. When domain names expire, a completely different organization can own and operate a website without your knowledge.
    • For example, when you go to bed, Good Guys Corp. may be running example.com, but in the morning, Bad Guys Inc. could be  running example.com.
  2. Distributed Denial of Service attacks can bring down large websites, and site owners are frequently extorted for money with no real guarantee that the attack will be avoided if the money is paid
  3. Websites are not secure by default. Very few websites use SSL/TLS encryption by default, allowing every computer between you and the website to snoop on your activity.
  4. ISPs are being court ordered to block certain websites
  5. Governments actively censor thousands of websites
  6. Phishing attacks trick users into believing they are viewing their bank's website by using very similarly looking domain names.
    • For example, ciibc.com might be used to trick users into thinking they are viewing cibc.com
  7. Cybersquatters purchase domain names, like pepsi.com, in hopes that the real Pepsi company will pay millions of dollars to own the domain name.
  8. Cybersquatters also purchase domain names in bulk, creating an artificial shortage of available domain names, and forcing people to purchase domain names at a much higher price.
  9. A few key U.S. organizations, like ICANN, have complete control on how our current DNS system works. The Internet belongs to everyone, and as such, no one country should have monopoly control on DNS, if it can be avoided.
  10. SSL/TLS certificates are expensive to purchase and own long-term.
    • For most of the history of the Internet, Verisign Inc. owned a monopoly on SSL/TLS certificates, and would charge exorbitant prices.

Is There Any Solution?

Yes. Instead of using domain names, like example.com, we could use the SHA-512 fingerprint of SSL/TLS certificates as the top level of a naming tree.

Each entry, hereby known as a "Product Namespace", in this naming tree would consist of the following:

  1. A SSL/TLS public certificate - hereby known as the "Product Namespace Certificate"
  2. A SHA-512 fingerprint of the Product Namespace Certificate
  3. A person or organization name
  4. One or more products or services

Each product/service would contain the following:

  1. An identifier - either a title or picture
  2. Routing information - several IP addresses and Time-To-Live (TTL) information
  3. A self-signed SSL/TLS certificate - signed using the Product Namespace Certificate
    • In effect, each entry in this naming tree is a Root Certificate Authority for the products in their own Product Namespace.

Enter gitDNS - a custom perspective of the Internet

This naming tree could be stored in a git repository, hence the name gitDNS. Changes could be pulled in using `git pull`, branches could be created, merged, etc, to create a custom tailored slice of the Internet.

For example, for a very narrow view of the Internet, you could merge the "Anglican" branch of the github.com/christian-network/gitdns repository, and also merge the "Computer Science" branch of github.com/uwaterloo/gitdns repository.
For a very broad view of the Internet, you could simply pull all the root entries from the github.com/gitdns/root-keys repository.
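A sketch of the self-certifying naming described above, added here as an example and not code from the gitDNS proposal: an entry pulled from any branch is accepted only if its name really is the SHA-512 fingerprint of the certificate it carries. The dictionary layout, function names and placeholder certificate bytes are assumptions; product certificate signatures are not verified, since that needs an X.509 library.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-512 fingerprint of a DER-encoded certificate (lowercase hex)."""
    return hashlib.sha512(cert_der).hexdigest()

def make_entry(cert_der: bytes, owner: str, products: dict):
    """Return (name, entry) for one Product Namespace (hypothetical layout)."""
    entry = {"cert": cert_der, "owner": owner, "products": products}
    return fingerprint(cert_der), entry

def merge_views(*branches):
    """Merge several gitDNS branches (name -> entry) into one view.

    An entry is kept only when its name equals the fingerprint of its own
    certificate, so a branch cannot rebind an existing name to another key.
    The owner and product fields are NOT covered by this check; in the
    design above they are protected by the namespace certificate's signature.
    """
    view, rejected = {}, []
    for branch in branches:
        for name, entry in branch.items():
            if fingerprint(entry["cert"]) != name:
                rejected.append(name)
                continue
            view.setdefault(name, entry)  # first valid copy wins
    return view, rejected

def resolve(view: dict, name: str, product: str) -> list:
    """Look up routing information for one product in a validated view."""
    return view[name]["products"][product]["addresses"]

# Constructed sample data: placeholder bytes stand in for real DER
# certificates, and the addresses come from documentation ranges.
GOOD_CERT = b"constructed placeholder bytes: Good Guys Corp. certificate"
EVIL_CERT = b"constructed placeholder bytes: Bad Guys Inc. certificate"

GOOD_NAME, GOOD_ENTRY = make_entry(
    GOOD_CERT, "Good Guys Corp.",
    {"Home page": {"addresses": ["192.0.2.10", "192.0.2.11"], "ttl": 3600}})

# Same owner string as the real company, but a different certificate,
# so it necessarily lives under a different name.
LOOKALIKE_NAME, LOOKALIKE_ENTRY = make_entry(
    EVIL_CERT, "Good Guys Corp.",
    {"Home page": {"addresses": ["203.0.113.66"], "ttl": 60}})

TRUSTED_BRANCH = {GOOD_NAME: GOOD_ENTRY}
UNTRUSTED_BRANCH = {
    GOOD_NAME: dict(LOOKALIKE_ENTRY),   # tampered: wrong cert under a known name
    LOOKALIKE_NAME: LOOKALIKE_ENTRY,    # valid entry, but under its own name
}

if __name__ == "__main__":
    view, rejected = merge_views(UNTRUSTED_BRANCH, TRUSTED_BRANCH)
    print("rejected:", [n[:16] + "..." for n in rejected])
    for name, entry in view.items():
        print(name[:16] + "...", entry["owner"],
              resolve(view, name, "Home page"))
```

The look-alike entry is still accepted, because it is internally consistent; what the fingerprint guarantees is only that it can never answer for the name the user already trusts.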

Security and Privacy By Default

Every product/service in a Product Namespace contains its own SSL/TLS certificate, which we can use to create an encrypted communication channel to the website.

Stop Internet Censoring

gitDNS allows us to stop Internet censorship.

  • Domain name blocking would not be possible, since you are in control of which gitDNS entries you would like to use
  • IP address blocking would not be possible
    • ISPs would find it difficult to censor by IP address, as IP addresses can be easily changed
    • Furthermore, IP address blocking can be avoided by grabbing IP addresses dynamically out of a common large pool (mesh IP addressing)

Advertising Your Product Namespace

There are various ways you could advertise your Product Namespace.

  • Search engines
  • QR code

Longevity of Services

Websites are no longer threatened by domain name expiration or domain name ownership transfer.

Distributed Caching Web Servers

Instead of DNS servers, distributed caching web servers could be placed around the world that would serve you encrypted gitDNS websites. Tampering with the website data would be easily detected by your browser.

Distributed caching web servers would provide us with:

  • Added protection from DDOS attacks - there is no single point of entry to attack (i.e. it would be impossible to DDOS a specific website)
  • Added privacy - logging the IP addresses that end users connect to does not reveal anything, as a single IP address can be used to serve a million different websites in a single day

But Is It Web-Scale?

According to NetCraft, there are about a billion websites on the Internet. Using the SSL public certificate on FreeBSD.org as an example, the average size of a certificate with a 4096-bit key might be about 5 Kilobytes. The average gitDNS entry, with one product, might be around 10 Kilobytes. Multiplied by a billion, the entire Internet might be about 10 Terabytes, which could easily be stored on two or three consumer hard drives, or just one 10TB Ultrastar Archive Ha10.

Dealing With Phishing Attacks

One way might be to use client certificates.

When you first create an account with your bank, for example, your browser should create a client certificate and send the public key to your bank for storage, along with your username. Your browser should store your client certificate in a password protected key store.

When you log into your bank's website, or a website designed to trick you into believing it's your bank's website, your bank's website should:

  1. Ask you for your username
  2. Encrypt the remainder of your banking session using your stored certificate
  3. If your browser detects that the page is not encrypted with your certificate, it should prevent you from viewing the potential phishing attack website

Privacy and Security for the masses

Total Security and Total Privacy

While watching the "Security Now" show today, hosted by Steve Gibson and Leo Laporte, it's become clear to me that we need an organization/company that specializes in Total Security and Total Privacy.

What is Total Security and Total Privacy?

To me, Total Security (and Total Privacy) is looking at all attack vectors on an ongoing basis, and automatically providing protection against them for a wide number of customers. This way, when the Washington Post writes an article about ISPs tracking your online activity using super cookies, you can ask your Total Security provider what they're doing about it, with the expectation that they have already done something about it, and in the unlikely event that this is news to them as well, they're already working on rolling out new protections for you. For example, the Total Security provider could say they've already installed VPN software on your computer that anonymizes your online activity.

In essence, your Total Security provider is the first layer between you and any technology, ranging from desktop computers and mobile devices, to the new wave of embedded "smart" devices, which are being called the Internet Of Things. Your Total Security provider would provide a security layer around all your devices, with automatic upgrading to combat new emerging threats. Your Total Security provider would automatically alert you to vulnerabilities in any of the devices that you own, and automatically upgrade your device when possible, or provide workarounds when that isn't possible. Your Total Security provider would commission in-depth security audits on every piece of software that they officially support. For example, if your Total Security provider claims to support the Kik messenger app, they would provide you with a security audit conducted by one or more well-known and respected security auditing firms. Your Total Security provider would automatically install browser plugins like Privacy Badger. Your Total Security provider would automatically upgrade your email to use Dark Mail when Dark Mail is well supported. Your Total Security provider would alert you to pre-installed malware before you purchase your new Lenovo laptop.

And why stop there? If you're using your phone to make purchases at the grocery store, your Total Security provider could alert you when a serious health hazard has been detected in the food you purchased. Your Total Security provider could also alert you to recalls and product defects, not only for household devices, but also your car, children's toys, etc.

This might sound like what virus scanning companies like McAfee have been trying to do in recent years. However, their core strength is virus scanning. We need a new industry of companies whose original mission statement is to provide Total Security. We need these companies to spur new security and privacy advances, and use a portion of their profits to empower not-for-profit organizations like the Electronic Frontier Foundation, and sue large companies and governments when they misbehave.

The Chain of Trust Problem

One of the immediate problems is figuring out who to trust. In the wake of Edward Snowden, it's become clear that telephone companies, ISPs, mobile phone manufacturers, governments, email providers, and even tech companies like Google that famously swear to do no evil, cannot be trusted. Every layer of our trust ecosystem has been shown to be vulnerable to attack. A worthy Total Security provider will need to address each layer before attempting to open its doors for business.

One attempt at addressing part of this issue is reproducible builds.

 

Goodbye Ubuntu, Hello FreeBSD

FreeBSD

Having used Ubuntu for the last decade, it was time for a change. I began my journey into open source with FreeBSD and Slackware, and used FreeBSD for over 10 years as my main desktop OS before switching to Linux. High-quality distributions based on FreeBSD include pfSense, FreeNAS, and of course, Mac OS X, and Sony PlayStation.

In my time, I've played with many different open source operating systems, including OpenBSD, NetBSD, Arch Linux, Cent OS, Debian, Fedora, Gentoo, Mandriva, and Red Hat. I should take a look at PC-BSD, as they aim to be a user friendly desktop operating system based on FreeBSD.

The main reason for switching back then was that ports were often lagging behind Linux, and often didn't have any support in FreeBSD. That's all changed now. FreeBSD has an extensive collection of very up-to-date ports, and to my surprise, I've found a number of ports that are more up-to-date than Ubuntu packages! Nvidia has first-class driver support for FreeBSD. I've also switched over all my servers to FreeBSD 10.2, except one, which runs KVM virtual machines (pfSense and FreeNAS) on Cent OS 7. Because of FreeBSD's excellent virtio drivers, network and disk performance is wonderful. The only reason I use KVM is because my servers have Intel L5520 CPUs and the FreeBSD native hypervisor, bhyve, requires Westmere or newer for Intel processors.

All my sites, including this site, now run in a FreeBSD jail. As of July, 2015, FreeBSD 11-CURRENT has support for running 64-bit Linux under Docker. Running Cent OS under FreeBSD is as easy as one command: `docker run --rm -it centos`.

To be honest, there was one thing that really ticked me off about Ubuntu. Canonical, the company behind Ubuntu, published Ubuntu 12.10 with built-in Amazon advertising... and did not offer a way to disable it! I knew immediately that I did not see eye-to-eye with the folks at Canonical on two critical issues:

Privacy

Privacy went out the window in the interest of making money. Richard Stallman (RMS) - founder of the GNU Project, Free Software Foundation, GNU Compiler Collection, GNU Emacs, and GNU General Public License - called it spyware, saying:

One of the major advantages of free software is that the community protects users from malicious software. Now Ubuntu GNU/Linux has become a counterexample.

Freedom

By making Amazon product advertising enabled by default, and not providing a way to quickly and easily disable it, the folks at Canonical sent a strong message to the world that they do not respect our freedom. This is at odds with their roots in Debian, which is renowned for being zealous about freedom. Having the gall to publish Ubuntu 12.10 with Amazon product advertising enabled, and not offering a quick off-switch is astounding to me, even today. I cannot honestly recommend anyone use their products while this type of anti-privacy, anti-freedom leadership exists within Canonical.


After struggling to find a way to disable it, I knew that the countdown to tossing Ubuntu out of my life had begun. It was a great ride while it lasted. Farewell Canonical!

That said... FreeBSD isn't able to put my laptop to sleep, so I use Linux Mint on my laptop, which is based on Ubuntu but not published by Canonical :-P

Porting ffado.org from Drupal 5 to Drupal 7

FFado

Having switched my desktop from Ubuntu to FreeBSD, I needed a way to make my EchoAudio soundcard work. While searching for drivers on the FFado website, I came across PHP error messages that looked like Drupal errors.

After talking with the very nice FFado project leader, Jonathan Woithe, I volunteered to upgrade their website from Drupal 5 to Drupal 7.

Benefits of Upgrading 

  • The new theme uses Bootstrap, and is very mobile friendly.
  • The admin theme is now based on Adminimal, which is very helpful for administrators that need a wide page layout and a clean, mobile-friendly UI. It really should be the default admin theme in Drupal-core.
  • The anti-spam solution used is now the powerful Honeypot module, as the spam module was never ported to Drupal 7, although it seems not to be as effective as the previous spam module.

Lessons Learnt

  • Drush is your friend, especially `drush up`.
  • Don't make a move without backups at every stage, which should include your database and codebase.
    • If it were not for backups, I would have needed to repeat my work from Drupal 5 to Drupal 6 several times while working on porting from Drupal 6 to Drupal 7.
  • Always check the maintenance status of each contrib module for the next version of Drupal.
    • Some modules work very well for, say Drupal 6, but their Drupal 7 version is not well maintained. If this happens, look for an alternative module.

GitLab for FreeBSD

GitLab

UPDATE

Good news! A GitLab port now exists in FreeBSD thanks to the very hard work of Torsten Zuehlsdorff.

See the README for installation instructions.

 

I created a FreeBSD port that can automatically install GitLab. Fork it on GitHub.

Porting pkg to OpenBSD

OpenBSD

I ported the FreeBSD pkg package management tool to OpenBSD. Check it out!

I'm also working on automatically converting OpenBSD packages to the pkg format. Fork it on GitHub.

Building pkg using sources from Git on OpenBSD and Bitrig

```sh
# Install packages
pkg_add autoconf automake libtool bitrig-binutils bzip2 git libarchive

# Set environment variables
export AUTOMAKE_VERSION=1.15
export AUTOCONF_VERSION=2.69

# Create a download directory
mkdir ~/git

# Install pkgconf
cd ~/git
git clone https://github.com/pkgconf/pkgconf
cd pkgconf
./autogen.sh
./configure
make
sudo make install

# Install pkg
cd ~/git
git clone https://github.com/freebsd/pkg
cd pkg
./autogen.sh
./configure
make
sudo make install
```

Merging changes from GitHub back into Drupal.org

I recently needed to merge the work of pjonckiere and geertvd from GitHub back into Drupal.org. Here is how I did it using Git subtree merging:

```sh
# Clone the Drupal.org repository
git clone --branch 8.x-1.x fizk@git.drupal.org:project/calendar.git
cd calendar

# Make sure to set your name and email address
git config user.name "Yonas Yanfa"
git config user.email fizk@473174.no-reply.drupal.org

# Register the GitHub remote repository
git remote add -f geertvd git@github.com:geertvd/calendar.git

# Prepare for the later step to record the result as a merge
git merge -s ours --no-commit geertvd/8.x-3.x

# Read the GitHub branch into our Drupal.org branch
git read-tree --reset -u geertvd/8.x-3.x

# Commit the merge
git commit -m 'Merge https://github.com/geertvd/calendar'

# Pull in the GitHub commits
git pull -s subtree geertvd 8.x-3.x

# Verify that everything worked
git log

# Push the changes to Drupal.org
git push
```

The neat thing is, if the developers that worked on GitHub use the same email address in GitHub and Drupal.org, Drupal will credit them with all the commits as if they originally made their commits in Drupal.org!

Benchmarking Drupal 8.0 RC1

Drupal 8.0 RC1 has just been released! I've been looking forward to improved performance since Wim Leers wrote about Drupal 8's new caching system six months ago.

My quick benchmark shows that Drupal 8 is 3 times slower than Drupal 7 and Drupal 6.

ReactJS

Awesome React

A collection of awesome things regarding React ecosystem.
