Secure free as in freedom and free as in cost real-time communications for everyone
Last September we presented the technological aspect of the secure calling project at LinuxCon 2009. This was an important milestone in showing how the project will offer the means for anyone to create and deploy a network-scalable, secure VoIP/collaboration solution that provides privacy without a central service provider or proprietary software. Our overall vision is to support both privately built deployments, such as for organizations that want secure communication as a foundation, and, especially, deployments that can be autonomously assembled over the public Internet as a full public alternative to Skype using only free software: one that depends purely on existing DNS for user lookup rather than on a service provider, and that eliminates the use of closed-source clients, which can of course be compromised.
Background of architecture:
A SIP user agent (UA) is a front-end application that supports a standard set of protocols for registering with a directory service (a SIP registrar) and a routing server in order to establish calls by SIP URI. Some user agents can also connect directly if you know each party's IP address, though some will not allow that, because in the SIP standard a UA is supposed to accept only calls addressed to the "contact" URI it published to a registrar, not calls from an arbitrary client that dials it directly (such as by IP address) without looking that URI up first.
Some use this behavior as a security measure: the UA generates a UUID or some other kind of token as the contact URI it publishes with a registrar, so that unless a call resolves through that registrar there is no way to know directly which URI the agent will respond to. Most UAs instead use it as a means to separate which "identity" a call is being received as, since a UA can register itself with multiple registrars, which may represent different service providers, and each registration would have a different, unique contact URI.
Many VoIP providers offer themselves as a "backend" service for SIP. This means your UA is tethered to that provider, and your call peering goes through them. That looks like a standard telephone service simply conducted over TCP/IP rather than something new. It is also very convenient for regulatory and intercept regimes, since all call control and routing happens at the provider's end.
One can run a local Asterisk server as a backend SIP registrar and routing service, but it (and Bayonne) makes several assumptions. First, the call must connect to the server before the destination is even determined. This means all audio is established through the server first and then hopped across the server to the final destination, transcoded as necessary. In one sense this is convenient, but since the audio session is established with, and must be decoded by, the server first, it obviously cannot pass encrypted audio end-to-end. It also means that the server has to have every codec that will be used, including proprietary or patent-encumbered ones if calls are supported with them. It means call capacity is compute-bound, and it induces latency. Finally, in the case of Asterisk, it was never designed for arbitrary URI routing, but rather for resolving things that are purely telephone numbers in form.
Skype is actually a kind of user agent that integrates code for its own routing and network connection logic, but it also depends on the Skype backend to find users. It is of course proprietary, and the protocols it uses are undocumented and proprietary as well.
SIP Witch operates by keeping the network routing layer separate from the user agent rather than merging them as the Skype application does, hence any standards-compliant SIP client can be used with it. It peers calls by URI using DNS lookup, without the need for a central directory service. It also does destination routing: the final destination is determined first, and the calling user agent is then directed to connect itself to the final destination's IP address directly, rather than the Asterisk/Bayonne model, where the user agent is directed to connect to the server. This means all media connections are established peer-to-peer, which can support an end-to-end encrypted media channel such as ZRTP. It also means all codecs are negotiated between the endpoints, so conducting calls does not require patent-licensed codecs, though the UAs may have them and certainly use them if they choose. That is the user's decision and circumstances of course, but at least it is not something that is burdened upon or otherwise forced on the software used for conveyance as well.
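Peering calls by URI through DNS rests on the standard SIP location procedure (RFC 3263): the URI's host is looked up as an SRV record and a target is chosen by priority and weight (RFC 2782), so the calling agent ends up with a host and port to contact directly. The following is an added example, not code from SIP Witch or its authors; the SRV records, host names and port numbers are constructed sample data, and the lookup function is an assumed stand-in for a real resolver.

```python
import random
import re
from collections import namedtuple

# Constructed SRV answers for example.org (sample values, not real DNS data).
SrvRecord = namedtuple("SrvRecord", "priority weight port target")
CONSTRUCTED_SRV = {
    "_sip._udp.example.org": [
        SrvRecord(10, 60, 5060, "sip1.example.org"),
        SrvRecord(10, 40, 5060, "sip2.example.org"),
        SrvRecord(20, 0, 5060, "backup.example.org"),
    ],
}
SIP_URI = re.compile(r"^(?P<scheme>sips?):(?:(?P<user>[^@;>]+)@)?(?P<host>[^:;>?]+)(?::(?P<port>\d+))?")

def parse_sip_uri(uri):
    """Split a SIP URI into scheme, user, host and optional explicit port."""
    m = SIP_URI.match(uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    parts = m.groupdict()
    parts["port"] = int(parts["port"]) if parts["port"] else None
    return parts

def srv_name(scheme, host, transport="udp"):
    """SRV owner name per RFC 3263: _sip._<transport>.host, or _sips._tcp.host for SIPS."""
    return "_sips._tcp." + host if scheme == "sips" else "_sip._%s.%s" % (transport, host)

def select_target(records, rng=random.random):
    """RFC 2782 selection: lowest priority group, then weighted-random within it."""
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    point, acc = rng() * sum(r.weight for r in group), 0
    for r in group:
        acc += r.weight
        if point < acc:
            return r
    return group[-1]  # reached only when all weights are zero

def resolve_peer(uri, lookup=CONSTRUCTED_SRV.get, rng=random.random):
    """(host, port) a UA contacts directly: an explicit port skips SRV (RFC 3263 4.2);
    no SRV answer falls back to the host itself on the default port."""
    parts = parse_sip_uri(uri)
    if parts["port"] is not None:
        return parts["host"], parts["port"]
    records = lookup(srv_name(parts["scheme"], parts["host"]))
    if not records:
        return parts["host"], 5061 if parts["scheme"] == "sips" else 5060
    rec = select_target(records, rng)
    return rec.target, rec.port
```

The `lookup` parameter is where a real resolver's SRV query would plug in; the media path itself is then negotiated between the two endpoints the resolution produced, which is what leaves room for end-to-end protection such as ZRTP.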
In this educational session, John Curran, President and CEO of ARIN will discuss how Linux IT professionals can prepare for IPv6, the benefits of adopting now, and the available resources to help communicate the value of IPv6 to their organizations.
With less than 10% of IPv4 address space remaining, it is extremely urgent that all organizations adopt IPv6 – the next generation of IP technology – before time runs out and the global Internet community is fragmented.
Some Linux IT professionals have been slow to adopt IPv6, and have yet to fully understand the benefits and ease of the deployment. With fewer resources on the Web regarding IPv6 and Linux, it is important for attendees to learn why IPv6 is necessary.
In this session, John Curran, President and CEO of the American Registry for Internet Numbers (ARIN), will discuss how attendees need to prepare for IPv4 depletion challenges, key considerations for IPv6 adoption, and the benefits of early IPv6 adoption. The session will provide attendees with the information and tools needed to ease their technical and business concerns of adopting IPv6.
John will also focus on open-source software implementations of IPv6 and how to make the transition as seamless as possible. He will highlight educational resources available to help Linux IT professionals to better understand and communicate the value of IPv6 to their organizations.
ARIN is the nonprofit corporation that manages the distribution of Internet number resources, including IPv4 and IPv6 addresses and Autonomous System Numbers (ASNs), to Canada, many Caribbean and North Atlantic islands, and the United States.
Learn how to deploy and manage an enterprise-class LDAP service
This introductory class will give you the tools you need to competently deploy and manage an enterprise-class LDAP service. We will use extensive demos to cover the structure and vocabulary of the hierarchical LDAP database; standards and best practices for provisioning and integration; migration from other authentication systems, including NIS; integration with the Linux name service switch; and integration with several popular open source applications, including Apache, Samba, and Postfix.
Particular emphasis is given to understanding the concepts underlying LDAP, and translating those concepts into effective integration with client-facing network services.
Hardware Load Balancers can run into the thousands, sometimes tens of thousands, of dollars, but did you know you have a Load Balancer right in your very own Linux box? LVS (Linux Virtual Server) is a free, easy way to Load Balance across web-servers or any other mass-scalable read-only services on your network, while taking up a very small footprint. In this lecture, you will learn how to enable and configure the Load Balancer that has been hiding inside your 2.6 kernel all this time...
Ever wondered what would happen if you could rethink a decade's worth of design changes? Drizzle is a fork of the MySQL server targeted at web development and cloud computing. We are looking at how to build a database for modern multi-core, large-memory hardware that fits inside an overall application framework.
Tpkg, a tool for cross-platform application packaging and large scale deployment.
Tpkg is a tool for packaging and deploying applications. It is designed to work alongside your operating system's packaging tool. I'll talk about the advantages of separating the packaging of your applications from your base OS. Separating the packaging of applications from the base OS system ensures that application packages and their dependencies don't interfere with the functioning of the base OS. For example, your OS comes with Perl 5.6.1, but your application needs 5.8.9. Upgrading the OS copy of Perl may break other applications. By using tpkg and installing your application and the newer version of Perl in a location reserved for tpkg you avoid any conflicts. Tpkg is cross platform, so although you may have two or three different operating systems in your environment you can use a common tool to package and deploy your applications on those systems.
I'll talk about some of the unique features of tpkg that make it ideally suited to packaging applications, and distinguish tpkg from OS packaging tools like rpm and dpkg. Tpkg supports encrypting some or all of the files in the package, so your application package can contain secret files like SSL or SSH keys, database passwords, etc. Also supported are external hooks that can be used to tie into a system configuration management tool, allowing packages to request accounts and other OS configuration.
The process of making and deploying packages in tpkg will be covered.
The process of building a package is quite simple. The package metadata is stored in an XML or YAML configuration file. Packages can have pre and post install and removal scripts. Incorporating init scripts and crontabs into packages will be discussed. cpan2tpkg and gem2tpkg utilities are also available to readily package Perl modules or Ruby gems.
Tpkg supports dependencies both on other tpkg packages and on native packages, and tpkg handles dependency resolution and automatic dependency installation of both tpkg and native dependencies. As such, installing applications with complex dependency trees is simple and fast. The deployment features of tpkg allow you to automate the installation, upgrade or removal of packages across a large number of systems. Tpkg handles SSH and sudo prompts that might be encountered in connecting to the target systems when performing a deployment.
I'll also compare tpkg with deployment tools like Capistrano.
See a new approach to 1:1 computing: managing netbooks, laptops and thin clients with Linux
In this session, you will see how the concept of "Ubiquitous Computing" could help bring your 1:1 project to life by removing barriers that prevent access to technology. Learn to provide access to the same computing environment no matter the device or the location!
See how you can use Ubuntu Linux Netbook Remix in your netbook 1:1 environment, and see the possibilities available to manage a large number of mobile devices like laptops, netbooks and thin clients in a flexible and scalable way.
How many times have you talked to someone about your favorite distribution only to have them walk away uninterested? There are many superb tactics that help us, as users of some of the most powerful operating systems available, showcase and explain our choice in a way that sparks curiosity. Helping people upgrade to a free and open system can be a fun process and we'll show you some of our best "entry points". Come well equipped to share some of your own!
The GPL enforcement process remains opaque to most FLOSS developers and users. This talk will explain how GPL enforcement works, what users and companies should do to comply, and what developers should do to help their users comply.
Copyleft licenses are a special class of FLOSS licenses, since they place detailed legal obligations on the redistributors and/or modifiers of the software. Typically, our community follows these rules voluntarily as part of the software sharing community. Occasionally, however, companies fail to follow the rules. The response that upholds the license is typically called "GPL enforcement".
The GPL enforcement process unfortunately remains somewhat opaque, even to many developers who choose the GPL. Meanwhile, the enforcement lawsuits filed by gpl-violations.org and SFLC have startled many developers. This talk, presented by Bradley M. Kuhn, an experienced GPL enforcer, will explain the motivations for enforcement action, teach developers how to educate their users about license obligations and teach businesses how to comply with developers' wishes. Kuhn will explain in general terms the standard process of GPL enforcement practiced by non-profit entities and individuals in the FLOSS world.
Those attending the talk can expect to learn:
* how to better educate their users to follow the terms of GPL correctly to avoid compliance problems,
* the mindset that leads other developers and organizations to choose to actively enforce the GPL, and
* the process typically used when a choice to enforce is made.
Participants will learn about Sugar's wonderful educational Activities and how to bring them to their own classroom, either through purchase of XO machines from OLPC (One Laptop Per Child) or by using free USB downloads for the Intel computers they already have.
Educators and developers worldwide are teaming up to bring Sugar's OS software to students everywhere. The programs they create, called Activities, can be run on One Laptop Per Child (OLPC)'s XO and, via USB downloads, on PCs and Intel Macs.
The list of Activities grew from a few dozen in 2007 to over 300 by December 2009. In addition, using other web based resources via Sugar has been made easier. As the collection of Activities grew, more programs of interest to older students, and even adults, were added.
Participants will learn about the latest and greatest Sugar Activities and the simple processes for getting them. We will look at Sugar on a Stick, buying XO laptops for their school, and the Contributors Program which supplies a small number of free XO computers to educators and developers who contribute programs or content to the greater OLPC/Sugar Labs community.