Category Archives: Politics

Current distribution of WhatsApp alternatives [Update]

Many people are discussing alternatives to WhatsApp right now. Here I just track how many installations the currently discussed, crypto-enabled alternatives have according to the app store.

WhatsApp was already bad before Facebook acquired it. But at least now people woke up and are considering secure alternatives. Yes, this move could have come earlier, but I do welcome the new opportunity: it's the first time widespread encryption actually has a chance in the consumer market. So for most of the people out there the question is more “which alternative should I use” instead of “should I use one”. Right now I do not have the faintest idea which alternative with crypto support will make the breakthrough – but you could say I am well prepared.

Screenshot installed instant messengers

Well – that’s obviously not a long term solution. Thus, to shed some light on the various alternatives and how they stand right now, here is a quick statistical overview:

Secure Instant Messengers, state updated 2014-03-11

| Name | WebPage/GooglePlay | Installed devices | Ratings | Google +1 |
|---|---|---|---|---|
| ChatSecure | Website / Google Play | 100 000 – 500 000 | 1 626 | 2 620 |
| Kontalk | Website / Google Play | 10 000 – 50 000 | 237 | 265 |
| surespot | Website / Google Play | 50 000 – 100 000 | 531 | 632 |
| Telegram | Website / Google Play | 10 000 000 – 50 000 000 | 273 089 | 97 641 |
| Threema | Website / Google Play | 500 000 – 1 000 000 | 9 368 | 12 594 |
| TextSecure | Website / Google Play | 100 000 – 500 000 | 2 478 | 2 589 |

The statistics are taken from Google’s Android Play Store. I would love to include iTunes statistics, but it seems they are not provided via the web page. If you know how to gather them please drop me a note and I’ll include them here.

These numbers just help to show how far an application has spread – they do not say anything about the quality. For example Threema is not Open Source and thus not a real alternative. So, if you want to know more details about the various options, please read appropriate reviews like the one from MissingM.

Android 4.4 now *can* sync multiple calendars via ActiveSync

With the release of Android 4.4, called KitKat, Google made some interesting changes to their ActiveSync implementation: the code is now set up to sync more than one calendar, and the first KitKat user already confirmed that new feature.

In February I described in a blogpost why Android cannot sync multiple calendars via ActiveSync. The problem was that Google did not implement the necessary parts of the ActiveSync specification in Android.

However, that seems to have changed: if you look at the current ActiveSync implementation of Android 4.4 KitKat, the source code (tag 4.4rc1) does list support for multiple calendars – and also for multiple address books:

        MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_USER_CALENDAR, Mailbox.TYPE_CALENDAR);
        MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_USER_CONTACTS, Mailbox.TYPE_CONTACTS);

I had no chance yet to test that on my own, but there are reports that it is indeed working:

Today I flashed an Android 4.4 ROM on my smartphone. After adding the Exchange Profile all my Calendars are there [...]
I’ve uploaded a screenshot here:

http://postimg.org/image/5d4u364ub/

Looks like Google actually listened to…erm, corporate users? At least to someone, though ;)

But: Since I have no first-hand experience in this regard I would like to ask all of my nine readers out there if anyone has a stock KitKat running and if they could check this feature. Please test this and leave a report about your experiences in the comments. I will include it in the article.

By the way, the above mentioned source code snippet also tells quite exactly which other ActiveSync functions are not yet supported in Android:

        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_TASKS,  Mailbox.TYPE_TASKS);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_NOTES, Mailbox.TYPE_NONE);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_JOURNAL, Mailbox.TYPE_NONE);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_USER_TASKS, Mailbox.TYPE_TASKS);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_USER_JOURNAL, Mailbox.TYPE_NONE);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_USER_NOTES, Mailbox.TYPE_NONE);
        //MAILBOX_TYPE_MAP.put(Eas.MAILBOX_TYPE_UNKNOWN, Mailbox.TYPE_NONE);
        //MAILBOX_TYPE_MAP.put(MAILBOX_TYPE_RECIPIENT_INFORMATION_CACHE, Mailbox.TYPE_NONE);

I guess syncing tasks could come in handy in corporate environments. Combined with support for multiple task folders you could even design your own Kanban “board” that way.

Nevertheless I’d like to add that ActiveSync is no big deal for me anymore because I am very happy with a – albeit 3rd party and not yet Open Source – CalDav implementation, which can even sync multiple task folders.

#LotT, Learning On The Toilet – learning where you’ve got the time for

A couple of weeks ago I heard about Testing On The Toilet, an initiative at Google where people hung up information about software testing on toilets. I liked the idea, and adopted it for our own key topics.

Testing On The Toilet (#TotT) was launched in 2007 by Google employees working in the area of software testing. They hung up flyers on Google toilets with information about how to write good software tests. The idea behind the flyers: they contain short but meaningful and easy to remember information. Each flyer only covers one sheet of paper, so it's not too much to read. So far they have published dozens of flyers.

I loved the idea immediately – almost everyone goes to the toilet, so your coverage is almost perfect. Besides, each person can still decide on his/her own if it's worth a read or not.

Not surprisingly, I decided to take over the idea – however, while the company I work for is situated right in the middle of Open Source software, writing software tests is not our main concern: Our key aspects are system integration and consulting. Think of improving database installations and maintaining enterprise scale server landscapes here. So most of the #TotT flyers do not really apply to us. But there are other things which are interesting and worth distributing, even if I have to create my own flyers.

Thus the idea of “Learning On The Toilet” – #LotT – was born. I just had to find proper information. I discussed the idea with my fellow project managers of my group of regulars, and it was suggested for an initial start to search the internet for suitable “top ten” lists. The idea stuck, and I gathered various lists in the next days. There was a list with tips for Vim, a cheat sheet concerning SELinux, nine points on how to improve your communication skills, and others. I shortened the lists to each fit on one page, printed the first, and hung it on our toilets. And waited nervously for the first reactions: I didn’t tell anyone about the idea previously, and wasn’t sure if the sheets of paper would survive the first day.

But: they did! People read them! The feedback was positive – or about how to hang them better in the toilet, or that for example the refrigerator in the kitchen would be a good place as well. Also, some people mentioned that they would like to have this or that topic. But that meant the idea was positively received! I hardly got any bad feedback! That was a great relief, and for now I decided to keep hanging up stuff.

The only problem is that there is so much information out there which is worth a read, but often the material does not fit #LotT: it's either too much to read, or too little really worthwhile information. Also, I’d love to publish the #LotT issues in my blog, but the copyright of the lists usually does not allow that.

So: if you have any good ideas regarding system integration in the Open Source world, just drop a note in the comments, and I will be happy to publish it here.

Thoughts on crypted communication

Due to the recently published information about mass surveillance on a previously unknown scale, the question remains how to encrypt communication. I had some thoughts regarding that topic involving a GPG-like web of trust combined with user friendliness which I’d like to share here.

Given everything which was published so far, unencrypted communication is not safe at all. The same is unfortunately true for encryption methods which rely on encryption provided by the servers of some organization. If there is a centralized organization storing the keys for you, or just providing you with the encryption technology, you are screwed, because the intelligence agencies will force them to cooperate. For that reason, the encryption must take place on the end user's system already (and the software must be Open Source).

However, if you have end-user encryption, you have the problem of the key exchange – if two people want to communicate securely, they need to exchange the keys or at least securely verify that a public key indeed belongs to their private key. That only works if they meet in person – or if there is a web of trust.

A common example of such a web of trust is the GPG web of trust: people who have properly verified that person A belongs to key M sign this key. If person B trusts person A, they can just use key M since it is already verified by person A. However, in case of GPG the web of trust never reached mainstream. It is mainly used by technically minded people. Most users never got used to it.

So, from what I can tell the only chance to establish a web of trust is to hide the technical details as much as possible from the users. The same is true for the actual key exchange – it needs to be as simple as possible so that each normal user can use it.

Given this background I would suggest the following solution at least for mobile phones. You download the app, and it asks the user for a password. In the background, a key pair is generated and secured with the password, and all data stored on the device are encrypted using the public key. If user A meets user B all they need to do is press a button in the app, and a QR code is shown. The other user scans that QR code, and it's done. The user shows up in the contact list, and they can chat. In the background, the app extracts the key ID and fingerprint from the QR code, downloads the public key, signs it and uploads the signature automatically.

The biggest problem comes up when user C comes into play, wants to communicate with user A, but they both have no common connection in their web of trust. They would have to meet – or use some other way of exchanging the data securely. A simple way would still be to talk on the phone, but that never worked for GPG. So some kind of web service to host their QR code for a short time only would probably be a solution, although it would be pretty risky.

To lower the danger of a man-in-the-middle attack in the above given web example the key servers must only accept one key pair for each identity, which is different to the way GPG works. That would in fact mean that you can have each login only once – if you lose your key, you are screwed.
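The QR exchange and the one-key-per-identity rule described above, as an added Python sketch that is not code from any existing app. The fingerprint format (hex SHA-256 of the raw key bytes), the `identity|fingerprint` QR payload and all names are assumptions, the key is a constructed placeholder, and the signing step is left out:

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def fingerprint(public_key: bytes) -> str:
    # Assumed fingerprint format: hex SHA-256 over the raw public key bytes.
    return hashlib.sha256(public_key).hexdigest()

def make_qr_payload(identity: str, public_key: bytes) -> str:
    # What user A's app shows as a QR code (assumed "identity|fingerprint").
    return f"{identity}|{fingerprint(public_key)}"

class KeyServer:
    """Toy key server that accepts exactly one public key per identity."""

    def __init__(self):
        self._keys = {}

    def register(self, identity: str, public_key: bytes) -> bool:
        existing = self._keys.get(identity)
        if existing is None:
            self._keys[identity] = public_key
            return True
        # Re-uploading the same key is harmless; a second key is refused.
        return hmac.compare_digest(existing, public_key)

    def fetch(self, identity: str):
        return self._keys.get(identity)

def accept_contact(qr_payload: str, server: KeyServer):
    """Return the verified public key, or None if the check fails."""
    identity, sep, fp = qr_payload.partition("|")
    fp = fp.lower()
    if not sep or len(fp) != 64 or not set(fp) <= HEX:
        return None  # malformed QR payload
    key = server.fetch(identity)
    if key is None:
        return None  # nothing registered for this identity
    # The key from the server counts only if it matches what was scanned
    # in person; a swapped key on the server fails here.
    if not hmac.compare_digest(fingerprint(key), fp):
        return None
    return key  # safe to sign and add to the contact list

if __name__ == "__main__":
    key_a = b"constructed-placeholder-public-key-A"
    server = KeyServer()
    server.register("userA", key_a)
    print(accept_contact(make_qr_payload("userA", key_a), server) == key_a)
```

Because the fingerprint travels in the QR code and not via the server, a server that hands out a different key for the same identity is detected on the scanning device.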

One question though remains: how many steps in the web of trust are still trustworthy? I guess that could be left as a configuration option if, and only if, a user wants to modify that.
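How such a configurable step limit could be evaluated, as an added Python example (not part of any existing app): a breadth-first search over "who signed whose key" that returns the shortest signature chain within the allowed number of steps. The function name and the constructed signature graph are assumptions.

```python
from collections import deque

def trust_chain(signatures, me, target, max_steps):
    """Shortest chain of signatures from `me` to `target`, or None.

    `signatures` maps a signer to the set of identities whose keys that
    signer has signed. Chains longer than `max_steps` are not trusted.
    """
    parent = {me: None}          # also serves as the visited set
    queue = deque([(me, 0)])
    while queue:
        signer, steps = queue.popleft()
        if signer == target:
            chain = []
            while signer is not None:
                chain.append(signer)
                signer = parent[signer]
            return chain[::-1]   # e.g. ["A", "B", "C"] so the app can show it
        if steps == max_steps:
            continue             # do not follow signatures past the limit
        for signed in sorted(signatures.get(signer, ())):
            if signed not in parent:   # ignore cycles like A <-> B
                parent[signed] = signer
                queue.append((signed, steps + 1))
    return None

# Constructed example graph: A and B signed each other, B signed C,
# C signed D, and E (unknown to A) also signed D.
SIGNATURES = {"A": {"B"}, "B": {"A", "C"}, "C": {"D"}, "E": {"D"}}

if __name__ == "__main__":
    print(trust_chain(SIGNATURES, "A", "D", 3))  # reachable in three steps
    print(trust_chain(SIGNATURES, "A", "D", 2))  # too far with a limit of two
```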

To summarize: I guess that the current cryptography technologies we have could really help to establish secure communication. But to really bring that communication to the masses we need easy-to-use (read: your grandma!) applications doing everything in the background.

SoCraMOB July 2013

Last Saturday software developers and IT enthusiasts met in Münster to take part in the Software Craftsmanship community day “SoCraMOB”. The event was organized as Open Space and provided a great and encouraging platform for everyone who took part.

The SoCraMOB Open Space – hashtag #MOBenSpace – takes place roughly every second month and aims at people from the area around Münster, Osnabrück and Bielefeld. It usually has around 20-40 people and focuses on discussing modern and agile software development, independent of the programming language. The organization behind it is the German Softwerkskammer, an initiative to bring together software developers.


For me as a project manager it was a great opportunity to meet people from “the other side”, listen to their thoughts, exchange ideas and get an idea of the current brand new technologies and strategies for software development. One of the sessions for example was about the possibility to add gamification to business software to reward users for example with badges when they accomplish dull tasks earlier than necessary. During the discussion I realized the potential of the attempt, but it also piqued my curiosity about how far I can introduce gamification into my daily project manager life.


Another session dealt with Event Centric Modelling and the difficulties of talking to a customer. For this session the host invited a real-world customer: a person with no IT background whatsoever, who nevertheless needed a web platform. The task for the software developers was to gather all needed information from the customer in roughly 15 minutes. Since the customer was a non-IT person, the developers for example had to avoid technical phrases or details.

What sounds like an almost trivial task showed painfully the difficulties of talking to a non-technical customer: the developers tended to discuss among themselves, they almost forgot about the customer. Additionally, they constantly assumed answers instead of really asking the customer, they kept circling around minor technical issues, and so on. In the end the host even had to intervene to bring the developers back on track.

While I know these kinds of problems from my daily work I would not have expected them to be so urgent. So the session did teach everyone a lesson – but that was exactly what it was for =) Additionally, to me the session did prove how important it is to first of all have a strong moderator for such discussions, and to have people who are able to speak to customers in a language the customer can actually understand – for example a project manager ;)

Overall I can say that the SoCraMOB was worth the visit, even as a non-developer, and I hope to be able to make it next time as well. As far as I got it from the retrospective and the feedback of the others, it was a great event for them as well, and it tends to be that full of energy every time, so I can only recommend the event to anyone living in that area to attend that meeting once in a while!

Also, thanks OV software for sponsoring the event with space and the typical developers food =)