From russell at coker.com.au Mon Jul 3 00:23:52 2023
From: russell at coker.com.au (Russell Coker)
Date: Mon, 03 Jul 2023 00:23:52 +1000
Subject: [Linux-aus] LA Certification
Message-ID: <3502813.3CdzvNlvnA@xev>

Would there be a benefit in having Linux Australia certification?

Companies like Google give out certificates when people attend their training,
would certificates of attendance be of any interest to people?

What about certification of skilled contribution to FOSS projects? We could
have a system where members of the projects can endorse worthy contributors
for a certification of their skills and work. Would that help people get
jobs?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

From kathy at kathyreid.id.au Mon Jul 3 08:56:50 2023
From: kathy at kathyreid.id.au (Kathy Reid)
Date: Mon, 3 Jul 2023 08:56:50 +1000
Subject: [Linux-aus] LA Certification
In-Reply-To: <3502813.3CdzvNlvnA@xev>
References: <3502813.3CdzvNlvnA@xev>
Message-ID:

Hi Russell,

Firstly I want to say thank you for this suggestion - I think it's great
that people are thinking about how Linux Australia could help members
with professional development.

There are a few different use cases here:

Certificates of attendance

These would be event specific, and, IMHO, the domain of the event
organisers, but I see no reason why they couldn't be issued. LA could
assist with a template.

Endorsement of skills

I don't see this as a certification piece, it's much more an endorsement
of one person by another - and we have platforms for that already, like
LinkedIn, or other job platforms.

Vendor certification

This is a way for vendors to have their products enmeshed in industry;
vendor certification is a way of legitimising a vendor's product range,
and requiring people to *maintain* certification provides an ongoing
revenue stream. LA is not a vendor, so I don't see us playing in this
space.

Non-vendor certification

This is where players like the LPI have carved out a niche - providing
non-vendor-specific certifications. In Australia at least there are
several such providers, like LogiTrain and Knowledge Academy. I don't
think this is where LA want to play because we're not set up for it.

So, what *could* LA do in this space, if the goal is to help people with
their Linux / FLOSS / open source / open * careers?

We already have the Jobs board [0], with huge thanks to Mr Hesketh who I
believe still maintains it. I'd love to get this auto-posting to our
LinkedIn and Mastodon properties to increase its value and reach at some
stage. Or, the volume is low enough it could be done manually.

We could create some content on the website to point people in various
directions - attend events here, here's what to consider in terms of
certification, here's the type of certifications our members have. That
is, help outline the pathways people could take with Linux and open
source in their career. That might be the action here? A page which
outlines what directions open source could take your career, and how
that might work in Australia - to provide guidance.

Kind regards,

Kathy Reid

[0] https://linux.org.au/jobs/

From info at petermoulding.com Mon Jul 3 10:16:45 2023
From: info at petermoulding.com (Info)
Date: Mon, 3 Jul 2023 10:16:45 +1000
Subject: [Linux-aus] LA Certification
In-Reply-To:
References: <3502813.3CdzvNlvnA@xev>
Message-ID: <0b1ae87c-4b00-81e4-9487-223e34fcd9c0@petermoulding.com>

Lots of professions have accreditation points systems. To maintain
accreditation as XYZ, you have to attend ongoing training on XYZ to
the value of 100 points each year.

LA could work with groups like PHP to allocate points for relevant
sessions. Or just make up nominal points based on hours per subject
and type of session. As an example, a one hour intense workshop on
configuring a Web server might be worth 10 points for server
admin, 5 for the PHP related content, and 3 for security related tasks.

While it is overall a bit flaky, it is easier to explain to
management. :-)
They can enter the numbers in a spreadsheet. :-))

> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus
>
> To unsubscribe from this list, send a blank email to
> linux-aus-unsubscribe at lists.linux.org.au

From kathy at kathyreid.id.au Mon Jul 3 10:39:34 2023
From: kathy at kathyreid.id.au (Kathy Reid)
Date: Mon, 3 Jul 2023 10:39:34 +1000
Subject: [Linux-aus] LA Certification
In-Reply-To: <0b1ae87c-4b00-81e4-9487-223e34fcd9c0@petermoulding.com>
References: <3502813.3CdzvNlvnA@xev> <0b1ae87c-4b00-81e4-9487-223e34fcd9c0@petermoulding.com>
Message-ID:

Right, to maintain accreditation you need to have continuous
professional development - usually measured in points.

That CPD is usually administered by the accrediting body, so in this
scenario Linux Australia is positioned as the accrediting body. We
could work *with* an accrediting body, but the only one that comes to
mind is the Australian Computer Society, who don't tend to be Linux-
or open source- focused, and in recent years have moved to become much
more of a profit-generating entity rather than a for-members based
society (for example, a large portion of their revenue is membership
from particular visa holders who have to maintain professional
membership as a condition of their visa). I don't think we want to
*be* an accrediting body, but I could be wrong.

There's a second point here too - this type of work requires labour
and time and effort. Who would do this?

Best, Kathy

From lloy0076 at adam.com.au Mon Jul 3 11:03:20 2023
From: lloy0076 at adam.com.au (David Lloyd)
Date: Sun, 2 Jul 2023 21:03:20 -0400
Subject: [Linux-aus] LA Certification
In-Reply-To:
References: <3502813.3CdzvNlvnA@xev> <0b1ae87c-4b00-81e4-9487-223e34fcd9c0@petermoulding.com>
Message-ID: <22f80342-c2c2-baa6-b0ec-9ccc111d96fa@adam.com.au>

I think Kathy makes some very valid points: I suspect that becoming an
accreditation body either by:

* Some type of formal, outside recognition; or
* Simply becoming the "de facto" accreditation body for something

...would take time, dedication, and effort. Or enough money to pay
someone to do so -- which is another can of worms.

I think Linux Australia might be able to do it, but I sense it'd be a
long term goal, take a lot of dedication if administered "not for
salary" or cost a reasonable amount of money.

As for ACS - there are good individuals in ACS but I've always sensed
whilst ACS and LinuxSA do have overlap in areas, their ethos is subtly
different and their cultures similar but different enough to require
careful, tactful, and deep listening to work closely with each other
(which Linux Australia would necessarily have to do if ACS agreed to be
the accrediting body by lending its credibility or framework, for
example).

I am _not_ criticising either organisation; just mentioning that to me
the cultures are different enough to make working together not as easy
as it might seem at first (but what is, right?).

DSL

From sflees at suse.de Mon Jul 3 11:28:16 2023
From: sflees at suse.de (Simon Lees)
Date: Mon, 3 Jul 2023 10:58:16 +0930
Subject: [Linux-aus] LA Certification
In-Reply-To:
References: <3502813.3CdzvNlvnA@xev> <0b1ae87c-4b00-81e4-9487-223e34fcd9c0@petermoulding.com>
Message-ID: <7f602751-50ce-70e2-a8cb-d9772ecc6cb7@suse.de>

On 7/3/23 10:09, Kathy Reid via linux-aus wrote:
> Right, to maintain accreditation you need to have continuous
> professional development - usually measured in points.
>
> That CPD is usually administered by the accrediting body, so in this
> scenario Linux Australia is positioned as the accrediting body. We could
> work *with* an accrediting body, but the only one that comes to mind is
> the Australian Computer Society, who don't tend to be Linux- or open
> source- focused, and in recent years have moved to become much more of a
> profit-generating entity rather than a for-members based society (for
> example, a large portion of their revenue is membership from particular
> visa holders who have to maintain professional membership as a condition
> of their visa). I don't think we want to *be* an accrediting body, but I
> could be wrong.

Maybe LA could / should be but in a slightly different way, tying into
your "Endorsement of skills" point from earlier as well. There are still
large parts of the open source software ecosystem and a lot of open
source projects where it is still just one person in their spare time
looking after a major project. This can make the endorsement of skills
hard. On the other hand within the LA community there are people who
have the skills to look over and endorse the work of such developers.

> There's a second point here too - this type of work requires labour and
> time and effort. Who would do this?

LA has a grants program so if someone is passionate about this maybe
they could put together a proposal whereby people are nominated /
nominate to have their work on a certain open source project accredited.
If there were people willing and the grant was successful then grant
money could be used to compensate the people undertaking the review /
accreditation.

Having said that I in no way have the time to organize such a thing but
I do think it could be a great concept if the right people took it and
ran with it.

At the same time this is not uniquely an Australian issue and maybe it's
something that could equally be picked up by the enterprise linux
distros and their equivalents in other parts of open source.

--
Simon Lees (Simotek)      http://simotek.net
Emergency Update Team     keybase.io/simotek
SUSE Linux                Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B

From hugh at blemings.org Mon Jul 3 14:15:50 2023
From: hugh at blemings.org (Hugh Blemings)
Date: Mon, 3 Jul 2023 14:15:50 +1000
Subject: [Linux-aus] LA Certification
In-Reply-To: <3502813.3CdzvNlvnA@xev>
References: <3502813.3CdzvNlvnA@xev>
Message-ID: <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org>

Hi Russell, All,

An interesting idea and already some great replies from (at the time of
writing) Kathy, Peter, David and Simon.

I'm breaking etiquette ever so slightly by replying to Russell's
original post as I want to pick up on his final question which may take
the discussion in a different tangent. I'll also flag I'm speaking for
myself only here, but am drawing on past and current work experience.

On 3/7/23 00:23, Russell Coker via linux-aus wrote:
> Would there be a benefit in having Linux Australia certification?
>
> Companies like Google give out certificates when people attend their training,
> would certificates of attendance be of any interest to people?
>
> What about certification of skilled contribution to FOSS projects? We could
> have a system where members of the projects can endorse worthy contributors
> for a certification of their skills and work. Would that help people get
> jobs?

I think this final question - "...would it help people get jobs?" bears
careful thought...

Based on my experience, if the job in question is in the open source
software development/systems design space, I'd say "No: certifications
don't particularly help". Whenever I've been involved in hiring people
(all SW Development in some form), the employer du jour is looking for
demonstrated skills and will seek to measure them directly.

In assessing whether to interview, recruiters (internal or external) are
looking at the person's work history, have they a visible (Github etc)
track record of credible open source contribution, that kind of thing.

Once someone is in the interview process, most employers will set up
several interviews, typically the first is to assess mutual cultural fit
("do they like us, do we like them"), a second for a systems design
exercise ("can they design the thing"), the third for coding skills
("can they implement a subset of the thing").

Some companies are notorious for turning this process into a test of
wills of sorts, almost seeking to trip the person up. Thankfully more
and more companies (including where I am now) are taking the approach of
setting these interviews up as an opportunity for the person to shine.
Put them at ease, help them show their best, use your preferred
programming language etc.

But I can honestly say when hiring into FOSS roles, I've never looked
at/for a certification, or for that matter, given much thought to
presence/absence of tertiary qualifications.

As it happens a colleague of mine recently put the view (paraphrased
slightly) "If I see lots of certifications it's a bit of a warning flag
- why not put that time into contributing to a FOSS project they care
about?" a fair point I thought.

If on the other hand the role is (say) software development for
aerospace, health/medical systems, system administration, network
security that sort of thing, then I suspect the existing certifications
serve that space well and are appropriately table stakes in hiring. But
that's outside my area of direct/adjacent experience! :)

Hope that's a useful $0.20 worth.

Cheers,
Hugh

From a.nielsen at shikadi.net Mon Jul 3 18:41:15 2023
From: a.nielsen at shikadi.net (Adam Nielsen)
Date: Mon, 3 Jul 2023 18:41:15 +1000
Subject: [Linux-aus] LA Certification
In-Reply-To: <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org>
References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org>
Message-ID: <20230703184115.6134b2c2@vorticon.teln.shikadi.net>

> As it happens a colleague of mine recently put the view (paraphrased
> slightly) "If I see lots of certifications it's a bit of a warning flag
> - why not put that time into contributing to a FOSS project they care
> about?" a fair point I thought.

This matches my own experience too. I presume a lot of certifications
focus on memorising things rather than applying knowledge, because
people with a lot of certs often seem to struggle to come up with a
solution for a problem. If you tell them the solution they can usually
implement it no problem, but you often have to hold their hand a bit
while you're trying to work out what the solution might look like.

There are of course exceptions to this - some of the well known Cisco ones seem to be fairly good, but there are many more that don't really tell you much about a prospective applicant's true capabilities - especially if you're reviewing job applications and you've never heard of them before! So if you want to create a new certification, the most important thing is going to be its reputation. Each person you certify is going to advertise the worth of your certificate, so if you give them out to anyone it's going to be worthless. But if only the best are capable of passing, it could easily become a sought-after meaningful indicator of a potential employee's abilities. Cheers, Adam. From russell at coker.com.au Mon Jul 3 19:52:09 2023 From: russell at coker.com.au (Russell Coker) Date: Mon, 03 Jul 2023 19:52:09 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <7f602751-50ce-70e2-a8cb-d9772ecc6cb7@suse.de> References: <3502813.3CdzvNlvnA@xev> <7f602751-50ce-70e2-a8cb-d9772ecc6cb7@suse.de> Message-ID: <57814353.rZsT4p3NpQ@xev> On Monday, 3 July 2023 11:28:16 AEST Simon Lees via linux-aus wrote: > At the same time this is not uniquely an Australian issue and maybe it's > something that could equally be picked up by the enterprise linux > distros and their equivalents in other parts of open source. Red Hat has the RHCE program which is quite successful and generally well regarded. I've taken the exam, I got 100% but it wasn't an easy 100% and I watched someone who I knew to be quite competent fail it. I think the RHCE program is pretty important to Red Hat and they won't support anything that could be a competing certification. SUSE has their own certification, it appears to be outsourced and maybe less important to them but I'm sure they still make money from it and don't want to hurt it. RHCE is really good for people who are doing only RHEL stuff and presumably the SUSE certification is equally good for SLES stuff. 
There is LPI for certification of more general Linux skills not tied to a distribution, but again it's tied to the corporate training model. If someone is regarded as good at Linux stuff by people on this list I'll forward their CV to my employer and tell them that the person is good. There are probably some people on this list who quietly do good stuff and I don't see what they are doing. How many others would do the same? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ From paul-linuxaus at gear.email Tue Jul 4 12:22:34 2023 From: paul-linuxaus at gear.email (Paul Gear) Date: Tue, 4 Jul 2023 12:22:34 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <20230703184115.6134b2c2@vorticon.teln.shikadi.net> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> Message-ID: <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> On 3/7/23 18:41, Adam Nielsen via linux-aus wrote: >> As it happens a colleague of mine recently put the view (paraphrased >> slightly) "If I see lots of certifications it's a bit of a warning flag >> - why not put that time into contributing to a FOSS project they care >> about?" a fair point I thought. > This matches my own experience too. I presume a lot of certifications > focus on memorising things rather than applying knowledge, because > people with a lot of certs often seem to struggle to come up with a > solution for a problem. If you tell them the solution they can usually > implement it no problem, but you often have to hold their hand a bit > while you're trying to work out what the solution might look like. Speaking as someone who is FLOSS at heart but has a long list of vendor certs, this makes me sad. I get vendor certs because my current and previous employer both highly value them, and they make them free for staff to take. 
Most of the ones I've taken (largely AWS & Azure) are little more than logic tests and as long as you have a general idea about the product's capabilities and are a competent reader and logical thinker, they aren't difficult. So the amount of time I need to dedicate to gaining a certification in something I do every day is tiny compared to the amount of effort I would need to expend to make significant FLOSS contributions. Not to mention that many of these vendors now have significant footprints in the FLOSS ecosystem, especially in the Kubernetes space. Regards, Paul From hugh at blemings.org Tue Jul 4 13:08:13 2023 From: hugh at blemings.org (Hugh Blemings) Date: Tue, 4 Jul 2023 13:08:13 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> Message-ID: <53d28730-29ee-6a00-cd6e-6529414d8ff6@blemings.org> Hiya, On 4/7/23 12:22, Paul Gear via linux-aus wrote: > On 3/7/23 18:41, Adam Nielsen via linux-aus wrote: >>> As it happens a colleague of mine recently put the view (paraphrased >>> slightly) "If I see lots of certifications it's a bit of a warning flag >>> - why not put that time into contributing to a FOSS project they care >>> about?" a fair point I thought. >> This matches my own experience too. I presume a lot of certifications >> focus on memorising things rather than applying knowledge, because >> people with a lot of certs often seem to struggle to come up with a >> solution for a problem. If you tell them the solution they can usually >> implement it no problem, but you often have to hold their hand a bit >> while you're trying to work out what the solution might look like. > > > Speaking as someone who is FLOSS at heart but has a long list of > vendor certs, this makes me sad. 
> > I get vendor certs because my current and previous employer both > highly value them, and they make them free for staff to take. Most of > the ones I've taken (largely AWS & Azure) are little more than logic > tests and as long as you have a general idea about the product's > capabilities and are a competent reader and logical thinker, they > aren't difficult. So the amount of time I need to dedicate to gaining > a certification in something I do every day is tiny compared to the > amount of effort I would need to expend to make significant FLOSS > contributions. Not to mention that many of these vendors now have > significant footprints in the FLOSS ecosystem, especially in the > Kubernetes space. That's a fair point Paul and in re-reading my original email I realise I missed a bit of nuance. I should have made greater emphasis on the "...a /bit//of a/ warning flag..." - lots of certifications definitely wouldn't rule someone out if they also showed up well in other aspects of their resume (work experience, community contributions and whatnot) Having visible FLOSS contributions also helps paint the picture, but again it's not a blocker either :) Cheers, Hugh From netadminstrator at hotmail.com Tue Jul 4 13:15:10 2023 From: netadminstrator at hotmail.com (David Lay) Date: Tue, 4 Jul 2023 03:15:10 +0000 Subject: [Linux-aus] LA Certification In-Reply-To: <53d28730-29ee-6a00-cd6e-6529414d8ff6@blemings.org> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> <53d28730-29ee-6a00-cd6e-6529414d8ff6@blemings.org> Message-ID: I do believe that IT certs should be free to take, and pay memberships when passed or desired to join said community. As Hugh stated certs are more know how over practical experiments. 
While these home labs or experiments etc does not reflect CPD. Look at any roles, we all learn on the job, do we flash our certs and say we know this? Sure, but all environments are different, course materials and exams are standard, we cant learn much from it, while if we agree to put our heads together on a project that uses all our skills/resources we gain more than those course materials. Thanks 
From wil at zeropointdevelopment.com Tue Jul 4 14:51:58 2023 From: wil at zeropointdevelopment.com (Wil Brown) Date: Tue, 4 Jul 2023 14:51:58 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> <53d28730-29ee-6a00-cd6e-6529414d8ff6@blemings.org> Message-ID: Just to throw my 10c into the mix, the WordPress community has gone round and round with whether to provide "official" certification. Many of the questions and issues raised here on this list have also been raised with WP certification, with no good answers or clear path forward. The discussion was piqued again at the beginning of this year. Many quickly pointed out that WordPress is a rapidly evolving ecosphere and that any certification would likely be outdated. That may not be the case for all FOSS projects. 
There was also a discussion about whether certification divides the community unfairly, with those who cannot afford to get certified being left out or thought of as "less worthy". Wil. -- Wil Brown WordPress Consultant, Developer & Educator at Zero Point Development Vice President of Linux Australia WordPress Community Deputy 
From a.nielsen at shikadi.net Tue Jul 4 20:17:45 2023 From: a.nielsen at shikadi.net (Adam Nielsen) Date: Tue, 4 Jul 2023 20:17:45 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> Message-ID: <20230704201745.3887facb@vorticon.teln.shikadi.net> > > This matches my own experience too. I presume a lot of certifications > > focus on memorising things rather than applying knowledge, because > > people with a lot of certs often seem to struggle to come up with a > > solution for a problem. If you tell them the solution they can usually > > implement it no problem, but you often have to hold their hand a bit > > while you're trying to work out what the solution might look like. > > Speaking as someone who is FLOSS at heart but has a long list of vendor > certs, this makes me sad. > > I get vendor certs because my current and previous employer both highly > value them, and they make them free for staff to take. Most of the ones > I've taken (largely AWS & Azure) are little more than logic tests and as > long as you have a general idea about the product's capabilities and are > a competent reader and logical thinker, they aren't difficult. I suppose I should qualify that by saying the roles I have been involved in filling are more devops style, where you have to be part solution architect, part sysadmin, and part programmer. This means you have to make decisions based on a series of tradeoffs and competing goals. 
If you already had someone fully architect a project and provide instructions for exactly how it was to be built, or a support role that can fully diagnose a bug and give you the exact solution to implement, then most of those difficult decisions are resolved and most certifications would be fine and looked upon favourably. But then most of those jobs where you are just following instructions are the more junior roles, so that begs the question of how useful the certifications are if they don't provide skills that help you work your way up the corporate ladder? Of course if you're already a good problem solver then the certs will teach you useful skills - no argument there - but the issue is if an employer is looking at two job applications, both of which list the same cert, how does one know which person is the good problem solver who can work with minimal supervision, and which person will need frequent guidance? Most people just stick the cert's acronym on their CV and call it job done, with no explanation of what it is or how they used those skills to make themselves more productive, leaving the employer to wonder why they bothered listing it at all. If you could ensure your cert could only be obtained once a certain level of problem solving skills has been reached, I believe it would be much more valuable from an employer's perspective - at least once word got around that it was difficult to obtain and everyone who had one was really good at their job. Cheers, Adam. 
From paul-linuxaus at gear.email Tue Jul 4 21:30:19 2023 From: paul-linuxaus at gear.email (Paul Gear) Date: Tue, 4 Jul 2023 21:30:19 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <20230704201745.3887facb@vorticon.teln.shikadi.net> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> <20230704201745.3887facb@vorticon.teln.shikadi.net> Message-ID: <2a8487d5-c372-0bd8-c0ee-1e6dd023ce48@gear.email> On 4/7/23 20:17, Adam Nielsen via linux-aus wrote: >>> This matches my own experience too. I presume a lot of certifications >>> focus on memorising things rather than applying knowledge, because >>> people with a lot of certs often seem to struggle to come up with a >>> solution for a problem. If you tell them the solution they can usually >>> implement it no problem, but you often have to hold their hand a bit >>> while you're trying to work out what the solution might look like. >> Speaking as someone who is FLOSS at heart but has a long list of vendor >> certs, this makes me sad. >> >> I get vendor certs because my current and previous employer both highly >> value them, and they make them free for staff to take. Most of the ones >> I've taken (largely AWS & Azure) are little more than logic tests and as >> long as you have a general idea about the product's capabilities and are >> a competent reader and logical thinker, they aren't difficult. > I suppose I should qualify that by saying the roles I have been > involved in filling are more devops style, where you have to be part > solution architect, part sysadmin, and part programmer. This means you > have to make decisions based on a series of tradeoffs and competing > goals. 
The DevOps consulting space is exactly where I would expect someone to end up with a lot of certs, specifically because they've been part of that trade-off-based decision making process on a number of different projects with a number of different technologies. > ... > Of course if you're already a good problem solver then the certs will > teach you useful skills - no argument there - but the issue is if an > employer is looking at two job applications, both of which list the > same cert, how does one know which person is the good problem solver > who can work with minimal supervision, and which person will need > frequent guidance? In my experience, certs don't teach you the skills; they are merely validations of your existing skills. If you come to study for a cert with no prior experience with the technology, you should learn some skills as you study, but if you're already a good problem solver, they probably won't teach you much at all. As such, on a job application they don't really mean that much as an indicator, either positive or negative. (It's that latter part that made me wade into this thread - the idea that they might somehow be seen as a contra-indicator or antipattern for a job applicant is rather troubling.) > Most people just stick the cert's acronym on their > CV and call it job done, with no explanation of what it is or how they > used those skills to make themselves more productive, leaving the > employer to wonder why they bothered listing it at all. I can only speak from my experience here, but my current employer highly values certs because we are an AWS partner, and must maintain a certain number of certifications to maintain our partner status. I'd expect that's true for Microsoft, Cisco, and Red Hat partners as well, but I'm only guessing there. 
Paul From john at johndalton.info Wed Jul 5 14:18:11 2023 From: john at johndalton.info (John Dalton) Date: Wed, 5 Jul 2023 14:18:11 +1000 Subject: [Linux-aus] LA Certification In-Reply-To: <2a8487d5-c372-0bd8-c0ee-1e6dd023ce48@gear.email> References: <3502813.3CdzvNlvnA@xev> <954895c0-4e4a-c8cf-3099-56c9745f140a@blemings.org> <20230703184115.6134b2c2@vorticon.teln.shikadi.net> <4b5d1da7-2f24-790d-e7bd-d533eb7b8043@gear.email> <20230704201745.3887facb@vorticon.teln.shikadi.net> <2a8487d5-c372-0bd8-c0ee-1e6dd023ce48@gear.email> Message-ID: On Tue, Jul 4, 2023 at 9:30 PM Paul Gear via linux-aus < linux-aus at lists.linux.org.au> wrote: > > In my experience, certs don't teach you the skills; they are merely > validations of your existing skills. If you come to study for a cert > with no prior experience with the technology, you should learn some > skills as you study, but if you're already a good problem solver, > they probably won't teach you much at all. As such, on a job application > they don't really mean that much as an indicator, either positive or > negative. (It's that latter part that made me wade into this thread - > the idea that they might somehow be seen as a contra-indicator or > antipattern for a job applicant is rather troubling.) > I agree with what you say about learning from certs, and while I won't put words into anyone else's mouth I will say for myself that it's only certs in the *absence* of other indicators that are a slight red flag - more of a mildly raised eyebrow - for me. There's no doubt some bias on display there - historically there have been certs I did not respect due to them seemingly being awarded to any warm body regardless of whether or not they could do the most basic things. If I don't know anything about the cert in question, it's meaningless to me. 
If I see that someone has achieved a bunch of certs but has *no other example* of their work or efforts to be able to point to, then having a bunch of certs just tells me they may have wasted their time (and possibly money) working on the wrong things. That might not be their fault - different education systems/communities/cultures/etc sometimes mislead people (in my opinion) about what is valued by people assessing whether or not someone might be good at doing a job. Having them won't count against you, unless it's *all* you have. In that case we are probably talking about purely entry level roles, where you'll probably want to do your own assessment of whether someone has any basic troubleshooting skills, which might be as simple as a conversation. As for the original topic, my own two cents are that it's a tremendous amount of effort and not worth our time and resources to develop and maintain a certification program. Perhaps a better approach would be for us as a community to talk more about how folks can explore and learn, where to dig deeper into topics only touched on in certs, or even to go so far as to endorse particular certs issued by other bodies which we think are worthwhile. J. -- http://johndalton.info http://www.linkedin.com/in/johnrdalton From craige at mcwhirter.com.au Fri Jul 7 13:52:16 2023 From: craige at mcwhirter.com.au (Craige McWhirter) Date: Fri, 7 Jul 2023 13:52:16 +1000 Subject: [Linux-aus] LUGs In-Reply-To: References: <5692100.8vf5iQgoFF@xev> <3289680.esFFXGZ24q@xev> <20230628172816.010d4ddf@vorticon.teln.shikadi.net> <12218344.3WhfQktd6Z@xev> Message-ID: Hi Ashley :-) It's been a few decades... On Thu, Jun 29, 2023 at 09:54:45 +1000, Ashley via linux-aus wrote: > Slug was a great place for normal users to meet and learn. 
Then in the later > years from about 2014 or so it was taken over by the corporate users, > sysadmins and such and moved completely away from its roots. Part of that change I feel was less being taken over by corporate users than the reality that many of us found work with Linux so the interest of the more active / vocal users shifted from solving hobbyist problems to solving workplace problems. While my recollection is that almost all of us started out as students, hobbyists and academics playing with Linux by about 2000 most of us were being paid to work on Linux. By the time Ubuntu rolled out, killing community outreach like installfests, the scene, like its members, had shifted significantly. For a good chunk of that period, SLUG had two monthly meetings - second one solely devoted to Debian - and there could have been even more specialised meetups but they sprung up independently of SLUG. Last time I was in Sydney there were more niche meetups than you could possibly attend and the SLUG team like many LUGs have struggled for about a decade with the questions "Where do we fit in? What do we do?" - as has Linux Australia itself. -- Craige McWhirter Signal: +61 4685 91819 Matrix: @craige:mcwhirter.io Mastodon: @craige at mcwhirter.io 
From russell-linuxaus at stuart.id.au Fri Jul 7 14:59:19 2023 From: russell-linuxaus at stuart.id.au (Russell Stuart) Date: Fri, 7 Jul 2023 14:59:19 +1000 Subject: [Linux-aus] LUGs In-Reply-To: References: <5692100.8vf5iQgoFF@xev> <3289680.esFFXGZ24q@xev> <20230628172816.010d4ddf@vorticon.teln.shikadi.net> <12218344.3WhfQktd6Z@xev> Message-ID: On 7/7/23 13:52, Craige McWhirter via linux-aus wrote: > Last time I was in Sydney there were more niche meetups than you could > possibly attend and the SLUG team like many LUGS have struggled for > about a decade with the questions "Where do we fit in? What do we do?" > - as has Linux Australia itself. I suspect you are right that the professionalisation of open source is partially responsible for driving down LUG membership. But I don't think it relates to LA. Speaking for myself, the answer to "Where do we fit in? What do we do?" for Linux Australia has always been fairly clear. LA fosters Open Source in the antipodes by funding conferences. LA does other things involving open source like providing infrastructure (bank account, insurance) to open source projects, some funding and helping LUGS. However that only happens as a consequence of auspicing successful conferences. So while important, those things aren't the answer to "Where does LA fit in"? It's true the conferences have gone through a rough trot in the past couple of years, but I doubt professionalisation of open source was the reason. That rough trot was caused primarily by COVID. Perhaps less desire for in-person meetups now a lot can be done online is also a cause, but it's evident a lot of people still like (need?) to meet personally and chat to a like minded friendly face occasionally - and besides open source has always done most of its work online. There has been a changing of the guard. 
The Linux kernel is mostly done now, as in there isn't a lot of new activity happening there. Wireguard is nice, it's interesting to watch eBPF and io_uring evolve to allow the kernel to execute user space programs in some limited form - but it's nothing like the pace it once was. Instead we have Rust, AI, exploring approaches to virtualisation (docker/LXC, k8s, qemu), and most interestingly to me figuring out how to make ourselves both private and secure (Passkey, confidential computing). As always, a lot of the plumbing under the hood in these fields is being done as open source projects. As an example, Meta's generous release of LLaMA has allowed open source tinkerers to produce numerous novel toys (like running it on a Raspberry Pi) which the big corps were not interested in doing. As a result, open source will probably develop AI models and code the rest of us use - just like it did with compilers, OS's and desktops. I'm hoping those new areas of activity will start running their own Australian and NZ conferences. When they do, they can come to LA for funding, infrastructure, and a place to get in contact with a pool of people who have done it before. I also fervently hope the "Linux" in our name doesn't dissuade them. We have been focused on "Open Source" as opposed to just "Linux" for decades now. It's likely everyone reading this knows that of course - but I'm not sure the young graduates attending the specialist meetups are aware of it. From dvalin at internode.on.net Fri Jul 7 16:24:18 2023 From: dvalin at internode.on.net (dvalin at internode.on.net) Date: Fri, 07 Jul 2023 15:54:18 +0930 Subject: [Linux-aus] LUGs Message-ID: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> Some of the less active members have moved from busy working in IT, and living so far out in outer suburbia that meeting attendance was a rare affair, to an equally busy retirement, renovating and owner-building. 
My Linux-related focus is currently moving to VenusOS, running on RPi, to manage Victron inverters in an off-grid new build. (The RPi 4 drought seems to have broken.) And some would shift to BSD before tolerating monstrously monolithic Poetterware. Admitting corporate sabotage of the dream has not helped. Many problems can be solved by searching an error message, even if it must be dug out of dmesg. At least, I hope that is the reason for dwindling list questions, and it's not just dwindling numbers of users. From info at petermoulding.com Fri Jul 7 17:02:37 2023 From: info at petermoulding.com (Info) Date: Fri, 7 Jul 2023 17:02:37 +1000 Subject: [Linux-aus] LUGs In-Reply-To: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> Message-ID: There was one subject of real interest everywhere that is just not covered anywhere I can see online or at conferences. How did people crack Medibank etc. Where are the "here is what we did wrong" presentations? Based on the last couple of years, you could run a five day conference with eight confessions a day just using the cases mentioned in the media, not the hundreds where they paid the ransom and kept everything quiet. I would fly anywhere for a conference like that, even Hobart in Winter. I guess most of it would not be relevant to Linux users as it would be Microsoft email automatically opening viruses or something similar. 
From a.nielsen at shikadi.net Fri Jul 7 19:19:31 2023 From: a.nielsen at shikadi.net (Adam Nielsen) Date: Fri, 7 Jul 2023 19:19:31 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> Message-ID: <20230707191931.5837083a@vorticon.teln.shikadi.net> > There was one subject of real interest everywhere that is just not > covered anywhere I can see online or at conferences. How did people > crack Medibank etc. Where are the "here is what we did wrong" > presentations? Based on the last couple of years, you could run a > five day conference with eight confessions a day just using the cases > mentioned in the media, not the hundreds where they paid the ransom > and kept everything quiet. There are a few conferences that cover this sort of thing. The most recent one would be AusCERT which was held in May at the Gold Coast: https://auscert.org.au/events/auscert2023-back-to-the-future/ > I would fly anywhere for a conference like that, even Hobart in > Winter. In that case you could try one of the larger US conferences, like DEF CON (https://defcon.org/html/links/dc-faq/dc-faq.html) or Black Hat (https://www.blackhat.com/upcoming.html) which are both on in August (one after the other to cater for travellers), or HOPE (https://xiv.hope.net/faq.html) which starts in a couple of weeks. For anyone less keen on travelling, many of these types of conferences put up their talks on YouTube so they are easily found. > I guess most of it would not be relevant to Linux users as it would > be Microsoft email automatically opening viruses or something similar. Microsoft e-mail products automatically opening viruses hasn't really been a thing for at least a decade now. Most of this stuff is ultimately caused by tricking people into downloading and running a program that provides remote access to their computer and things go from there. 
A lot of Linux users are attracted by the freedom that open source provides, and a lot of security conferences have similar ideals and use open source tools, so there is usually quite a bit of overlap there. Cheers, Adam. From info at petermoulding.com Fri Jul 7 19:50:33 2023 From: info at petermoulding.com (Info) Date: Fri, 7 Jul 2023 19:50:33 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: <20230707191931.5837083a@vorticon.teln.shikadi.net> References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707191931.5837083a@vorticon.teln.shikadi.net> Message-ID: I looked at a few conference links and did not find the "What we did wrong" style confessions from failed organisations. How can anyone know what to avoid if there are no investigations and coroner reports? The medibank incident should be investigated out in the open the same as an aeroplane crash. On 7/7/23 19:19, Adam Nielsen wrote: >> There was one subject of real interest everywhere that is just not >> covered anywhere I can see online or at conferences. How did people >> crack Medibank etc. Where are the "here is what we did wrong" >> presentations? Based on the last couple of years, you could run a >> five day conference with eight confessions a day just using the cases >> mentioned in the media, not the hundreds where they paid the ransom >> and kept everything quiet. > > There are a few conferences that cover this sort of thing. The most > recent one would be AusCERT which was held in May at the Gold Coast: > > https://auscert.org.au/events/auscert2023-back-to-the-future/ > >> I would fly anywhere for a conference like that, even Hobart in >> Winter. 
> > In that case you could try one of the larger US conferences, like DEF > CON (https://defcon.org/html/links/dc-faq/dc-faq.html) or Black Hat > (https://www.blackhat.com/upcoming.html) which are both on in August > (one after the other to cater for travellers), or HOPE > (https://xiv.hope.net/faq.html) which starts in a couple of weeks. > > For anyone less keen on travelling, many of these types of conferences > put up their talks on YouTube so they are easily found. > >> I guess most of it would not be relevant to Linux users as it would >> be Microsoft email automatically opening viruses or something similar. > > Microsoft e-mail products automatically opening viruses hasn't really > been a thing for at least a decade now. Most of this stuff is > ultimately caused by tricking people into downloading and running a > program that provides remote access to their computer and things go > from there. > > A lot of Linux users are attracted by the freedom that open source > provides, and a lot of security conferences have similar ideals and use > open source tools, so there is usually quite a bit of overlap there. > > Cheers, > Adam. From Marcus at herstik.com Fri Jul 7 21:36:21 2023 From: Marcus at herstik.com (Marcus herstik) Date: Fri, 7 Jul 2023 21:36:21 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: References: Message-ID: <404E6FCB-E241-4AD2-8C9C-DE19A751CEC8@herstik.com> Why should it be public? It may have started as government owned not for profit but it ain't anymore. Medibank is a "public" listed company, but that means it's owned by investors so it won't be dissected in public... proprietary blah, commercial in confidence yada yada. Regards, Marcus > On 7 Jul 2023, at 7:50 pm, Info via linux-aus wrote: > > I looked at a few conference links and did not find the "What we did wrong" style confessions from failed organisations. How can anyone know what to avoid if there are no investigations and coroner reports?
> > The medibank incident should be investigated out in the open the same as an aeroplane crash. > > On 7/7/23 19:19, Adam Nielsen wrote: >>> There was one subject of real interest everywhere that is just not >>> covered anywhere I can see online or at conferences. How did people >>> crack Medibank etc. Where are the "here is what we did wrong" >>> presentations? Based on the last couple of years, you could run a >>> five day conference with eight confessions a day just using the cases >>> mentioned in the media, not the hundreds where they paid the ransom >>> and kept everything quiet. >> There are a few conferences that cover this sort of thing. The most >> recent one would be AusCERT which was held in May at the Gold Coast: >> https://auscert.org.au/events/auscert2023-back-to-the-future/ >>> I would fly anywhere for a conference like that, even Hobart in >>> Winter. >> In that case you could try one of the larger US conferences, like DEF >> CON (https://defcon.org/html/links/dc-faq/dc-faq.html) or Black Hat >> (https://www.blackhat.com/upcoming.html) which are both on in August >> (one after the other to cater for travellers), or HOPE >> (https://xiv.hope.net/faq.html) which starts in a couple of weeks. >> For anyone less keen on travelling, many of these types of conferences >> put up their talks on YouTube so they are easily found. >>> I guess most of it would not be relevant to Linux users as it would >>> be Microsoft email automatically opening viruses or something similar. >> Microsoft e-mail products automatically opening viruses hasn't really >> been a thing for at least a decade now. Most of this stuff is >> ultimately caused by tricking people into downloading and running a >> program that provides remote access to their computer and things go >> from there. 
>> A lot of Linux users are attracted by the freedom that open source >> provides, and a lot of security conferences have similar ideals and use >> open source tools, so there is usually quite a bit of overlap there. >> Cheers, >> Adam. > > _______________________________________________ > linux-aus mailing list > linux-aus at lists.linux.org.au > http://lists.linux.org.au/mailman/listinfo/linux-aus > > To unsubscribe from this list, send a blank email to > linux-aus-unsubscribe at lists.linux.org.au From info at petermoulding.com Fri Jul 7 22:07:31 2023 From: info at petermoulding.com (Info) Date: Fri, 7 Jul 2023 22:07:31 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: <404E6FCB-E241-4AD2-8C9C-DE19A751CEC8@herstik.com> References: <404E6FCB-E241-4AD2-8C9C-DE19A751CEC8@herstik.com> Message-ID: <19c6d3f6-1fd4-3e97-622e-e2eeae72d1f3@petermoulding.com> On 7/7/23 21:36, Marcus herstik wrote: > Why should it be public? Australia's privacy laws should guarantee action when an Australian's privacy is breached. More so when they have medical info. > > It may have started as government owned not for profit but it ain't anymore. > > Medibank is a "public" listed company, but that means it's owned by investors so it won't be dissected in public... proprietary blah, commercial in confidence yada yada. > > Regards, > Marcus > > >> On 7 Jul 2023, at 7:50 pm, Info via linux-aus wrote: >> >> I looked at a few conference links and did not find the "What we did wrong" style confessions from failed organisations. How can anyone know what to avoid if there are no investigations and coroner reports? >> >> The medibank incident should be investigated out in the open the same as an aeroplane crash. >> >> On 7/7/23 19:19, Adam Nielsen wrote: >>>> There was one subject of real interest everywhere that is just not >>>> covered anywhere I can see online or at conferences. How did people >>>> crack Medibank etc.
Where are the "here is what we did wrong" >>>> presentations? Based on the last couple of years, you could run a >>>> five day conference with eight confessions a day just using the cases >>>> mentioned in the media, not the hundreds where they paid the ransom >>>> and kept everything quiet. >>> There are a few conferences that cover this sort of thing. The most >>> recent one would be AusCERT which was held in May at the Gold Coast: >>> https://auscert.org.au/events/auscert2023-back-to-the-future/ >>>> I would fly anywhere for a conference like that, even Hobart in >>>> Winter. >>> In that case you could try one of the larger US conferences, like DEF >>> CON (https://defcon.org/html/links/dc-faq/dc-faq.html) or Black Hat >>> (https://www.blackhat.com/upcoming.html) which are both on in August >>> (one after the other to cater for travellers), or HOPE >>> (https://xiv.hope.net/faq.html) which starts in a couple of weeks. >>> For anyone less keen on travelling, many of these types of conferences >>> put up their talks on YouTube so they are easily found. >>>> I guess most of it would not be relevant to Linux users as it would >>>> be Microsoft email automatically opening viruses or something similar. >>> Microsoft e-mail products automatically opening viruses hasn't really >>> been a thing for at least a decade now. Most of this stuff is >>> ultimately caused by tricking people into downloading and running a >>> program that provides remote access to their computer and things go >>> from there. >>> A lot of Linux users are attracted by the freedom that open source >>> provides, and a lot of security conferences have similar ideals and use >>> open source tools, so there is usually quite a bit of overlap there. >>> Cheers, >>> Adam. 
From a.nielsen at shikadi.net Fri Jul 7 23:06:13 2023 From: a.nielsen at shikadi.net (Adam Nielsen) Date: Fri, 7 Jul 2023 23:06:13 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707191931.5837083a@vorticon.teln.shikadi.net> Message-ID: <20230707230613.12c30a2d@vorticon.teln.shikadi.net> > I looked at a few conference links and did not find the "What we did > wrong" style confessions from failed organisations. How can anyone > know what to avoid if there are no investigations and coroner reports? These conferences are more proactive. They focus on newly discovered issues, alerting people to the problems they need to address *before* there is a major security breach. When there is a compromise like the Medibank one and the reasons are made public, quite often you will find the very methods the attackers used have been discussed at these conferences many years earlier. This is why many companies and government agencies with a strong focus on security send delegates to these conferences, because they want to address their security shortcomings before there is a public breach rather than after. > The medibank incident should be investigated out in the open the same > as an aeroplane crash. I haven't looked into it but a quick web search shows it is being investigated by police, and there is some preliminary information available. It looks like someone with high-level access was tricked into typing their credentials into a phishing scam, and those login details were used to discreetly install remote access software that was used to extract the information.
It appears MFA was not used so compromising the username and password was all that was needed to allow access. There is more detail on this article I found: https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4 None of this will come as a surprise to anyone who has attended security conferences, as they always have talks on how sophisticated social engineering and phishing scams are getting, and how end users will always be tricked into handing over their passwords, so you need MFA to save them from themselves. MFA has been considered mandatory for many years now and at this point no self respecting company would be without it, because it makes the very thing that happened to Medibank significantly more difficult. The latest social engineering trick being discussed is how AI can be used to fake the voice of real people. It will only be a matter of time until there are breaches because someone gets a call from their boss who forgot their password and needs some files urgently, and they just need them e-mailed to their personal GMail address. The files will dutifully get e-mailed because nobody wants to disappoint their boss, only to find out later the confidential files were just e-mailed directly to a scammer. MFA won't help you there. Hearing about how an actual breach took place is certainly very interesting, but from the point of view of protecting your own data, finding out about these things before they happen is of much more benefit than hearing of them after the fact. Cheers, Adam. 
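The failure mode described in the message above (a phished username and password being enough when MFA is absent), as an added example that is not part of the original thread: a login check that also requires a time-based one-time password (TOTP, RFC 6238), the offline MFA method named later in this thread. The `Account` class, the password and the timestamps are constructed for illustration; the shared secret is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, now // STEP, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 form in which authenticator apps exchange the shared secret."""
    text = text.replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def matching_step(secret: bytes, code: str, now: int, window: int = 1):
    """Return the time step whose 6-digit code equals `code`, or None.

    Neighbouring steps are accepted to tolerate clock drift between devices.
    """
    current = now // STEP
    found = None
    for step in range(max(0, current - window), current + window + 1):
        # Constant-time comparison so the check does not leak matching digits.
        if hmac.compare_digest(hotp(secret, step).encode(), code.encode()):
            found = step
    return found


class Account:
    """Hypothetical account record: salted password hash plus a TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.last_step = -1  # highest time step already used for a login

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: int) -> bool:
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        step = matching_step(self.totp_secret, code, now)
        # Both factors must pass, and a code is accepted once only, so a code
        # captured by a phishing page cannot be replayed afterwards.
        if not pw_ok or step is None or step <= self.last_step:
            return False
        self.last_step = step
        return True


def demo():
    """Constructed scenario: phished password only, real login, replayed code."""
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC test secret
    acct = Account("correct horse", secret)
    now = 59  # constructed timestamp, taken from the RFC 6238 test vectors
    code = totp(secret, now)
    return [
        acct.login("correct horse", "", now),    # attacker has the password only
        acct.login("correct horse", code, now),  # user with password and device
        acct.login("correct horse", code, now),  # same code replayed
    ]


if __name__ == "__main__":
    print(demo())
```

The second factor stops reuse of a stolen password; it does not stop a user who is talked into handing over files or a live code, which is the social engineering case the message goes on to raise.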
From info at petermoulding.com Sat Jul 8 09:06:15 2023 From: info at petermoulding.com (Info) Date: Sat, 8 Jul 2023 09:06:15 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: <20230707230613.12c30a2d@vorticon.teln.shikadi.net> References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707191931.5837083a@vorticon.teln.shikadi.net> <20230707230613.12c30a2d@vorticon.teln.shikadi.net> Message-ID: Thank you for the reference. AFR is one newspaper I have not read for a while. I might have to look more often. Stories like that are often better for informing friends and staff about phishing and similar. What is missing is often the detail. SMH and other newspapers often mention phishing without explaining it. On rare occasions, they point out an email has a wrong return address. One of the reasons for converting people from proprietary email to open source is the display of actual email addresses instead of just the name. I encourage people to check then report scams. I think news.com.au and similar run articles on victims of phishing just for the shock value, not to help anyone avoid phishing. MFA works locally and people run into problems when they travel using cheaper local cards. Anyone with serious access should use two telephones and reserve one for the calls back to the office. If you use your telephone number, lose your telephone, then try to get a new telephone with the same number, you can end up in an authentication loop. One friend hit that road block recently. CACert was a great idea. I hoped that would lead to key authentication for Facebook and everything instead of just the Musk Blue Tick. On 7/7/23 23:06, Adam Nielsen via linux-aus wrote: >> I looked at a few conference links and did not find the "What we did >> wrong" style confessions from failed organisations. How can anyone >> know what to avoid if there are no investigations and coroner reports? > > These conferences are more proactive.
They focus on newly discovered > issues, alerting people to the problems they need to address *before* > there is a major security breach. > > When there is a compromise like the Medibank one and the reasons are > made public, quite often you will find the very methods the attackers > used have been discussed at these conferences many years earlier. > > This is why many companies and government agencies with a strong focus > on security send delegates to these conferences, because they want to > address their security shortcomings before there is a public breach > rather than after. > >> The medibank incident should be investigated out in the open the same >> as an aeroplane crash. > > I haven't looked into it but a quick web search shows it is being > investigated by police, and there is some preliminary information > available. > > It looks like someone with high-level access was tricked into typing > their credentials into a phishing scam, and those login details were > used to discreetly install remote access software that was used to > extract the information. It appears MFA was not used so compromising > the username and password was all that was needed to allow access. > There is more detail on this article I found: > https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4 > > None of this will come as a surprise to anyone who has attended > security conferences, as they always have talks on how sophisticated > social engineering and phishing scams are getting, and how end users > will always be tricked into handing over their passwords, so you need > MFA to save them from themselves. MFA has been considered mandatory for > many years now and at this point no self respecting company would be > without it, because it makes the very thing that happened to Medibank > significantly more difficult. > > The latest social engineering trick being discussed is how AI can be > used to fake the voice of real people. 
It will only be a matter of time > until there are breaches because someone gets a call from their boss who > forgot their password and needs some files urgently, and they just need > them e-mailed to their personal GMail address. The files will > dutifully get e-mailed because nobody wants to disappoint their boss, > only to find out later the confidential files were just e-mailed > directly to a scammer. MFA won't help you there. > > Hearing about how an actual breach took place is certainly very > interesting, but from the point of view of protecting your own data, > finding out about these things before they happen is of much more > benefit than hearing of them after the fact. > > Cheers, > Adam. From heracles1108 at gmail.com Sat Jul 8 10:46:58 2023 From: heracles1108 at gmail.com (Ashley) Date: Sat, 8 Jul 2023 10:46:58 +1000 Subject: [Linux-aus] LUGs In-Reply-To: References: <5692100.8vf5iQgoFF@xev> <3289680.esFFXGZ24q@xev> <20230628172816.010d4ddf@vorticon.teln.shikadi.net> <12218344.3WhfQktd6Z@xev> Message-ID: <331a97f3-24a0-cbc9-d053-ae6e53c60e3a@gmail.com> Hi Craig, On 07/07/2023 1:52 pm, Craige McWhirter via linux-aus wrote: > Hi Ashley :-) > > It's been a few decades... It has been a long time. > > On Thu, Jun 29, 2023 at 09:54:45 +1000, Ashley via linux-aus wrote: > >> Slug was a great place for normal users to meet and learn. Then in the later >> years from about 2014 or so it was taken over by the corporate users, >> sysadmins and such and moved completely away from its roots.
> Part of that change I feel was less being taken over by corporate users than > the reality that many of us found work with Linux so the interest of the more > active / vocal users shifted from solving hobbyist problems to solving > workplace problems. Unfortunately for the hobbyist this has been so. But it is good that Linux and FOSS have moved into more general use. I remember this is something we were all working for in the 90s. > While my recollection is that almost all of us started out as students, > hobbyists and academics playing with Linux by about 2000 most of us were being > paid to work on Linux. By the time Ubuntu rolled out, killing community > outreach like installfests, the scene, like its members, had shifted > significantly. This was an outcome we had all hoped for and I am happy that it was one of the many achievements of the SLUG membership. > For a good chunk of that period, SLUG had two monthly meetings - second one > solely devoted to Debian - and there could have even more specialised meetups > but they sprung up independently of SLUG. > > Last time I was in Sydney there were more niche meetups than you could possibly > attend and the SLUG team like many LUGS have struggled for about a decade with > the questions "Where do we fit in? What do we do?" - as has Linux Australia > itself. I guess this is the inevitable outcome of a successful campaign. We were all such enthusiastic advocates of FOSS in general that we tended to render our own existence superfluous. We are still there in the background but our work advocating Linux and FOSS is not really needed any more.
FOSS and Linux and its derivatives have become ubiquitous > -- > Craige McWhirter > Signal: +61 4685 91819 > Matrix: @craige:mcwhirter.io > Mastodon: @craige at mcwhirter.io Ashley Lynn From a.nielsen at shikadi.net Sat Jul 8 12:25:39 2023 From: a.nielsen at shikadi.net (Adam Nielsen) Date: Sat, 8 Jul 2023 12:25:39 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707191931.5837083a@vorticon.teln.shikadi.net> <20230707230613.12c30a2d@vorticon.teln.shikadi.net> Message-ID: <20230708122539.3ef2363f@vorticon.teln.shikadi.net> > MFA works locally and people run into problems when they travel using > cheaper local cards. Anyone with serious access should use two > telephones and reserve one for the calls back to the office. > > If you use your telephone number, lose your telephone, then try to > get a new telephone with the same number, you can end up in an > authentication loop. One friend hit that road block recently. Using a phone number for MFA (e.g. with SMS) is considered a very poor practice and is not secure at all. There have been a number of cases of employees at phone companies around the world being tricked or bribed into porting a number across to a scammer's SIM, allowing the scammer to receive SMS texts sent to a target's phone number. I believe it's also possible to clone a SIM which although more of a technical challenge, can also allow an attacker to take over someone's phone number and negate the benefits of MFA.
This has been happening for a long time now, such as this incident from 2018: https://www.abc.net.au/everyday/protecting-yourself-from-phone-porting-and-sim-card-scams/100421586 This is another thing that has been raised for many years at security conferences but too many companies and even banks still insist on using SMS for MFA, giving only the illusion of security, although some are now understanding the risks and moving to custom phone apps instead. This is why the best MFA methods do not require third party services, as it's one less avenue that can be compromised. A common and popular implementation is Time-based One-Time Passwords (TOTP) which use a shared secret and the current time to generate unique passwords (see https://en.wikipedia.org/wiki/Time-based_one-time_password). As these work entirely offline, they are not susceptible to any of the attacks that SMS texts are, they are safe to use in countries where Internet access is monitored and restricted or phone service is unreliable, and you can copy the secret to multiple devices so for example if you lose your phone, you can still generate the passwords on a laptop to make it easy to update all the underlying secrets (so by the time anyone extracts them from your lost phone they are no longer useful). Google Authenticator is one Android app that supports TOTP but there are many others, and the secrets are generally compatible between them all thanks to the RFC standards. Personally I use the open source oathtool to generate the passwords on my Linux machines, and I use them for many online services - GitHub, Google, Amazon AWS, etc. > CACert was a great idea. I hoped that would lead to key > authentication for Facebook and everything instead of just the Musk > Blue Tick. The problem with certificate authentication is that nobody figured out a good way to make it work for end users. It was too complicated for the average person to understand. 
Even just getting your certificate off a laptop onto a phone without compromising it (e.g. by e-mailing it to yourself) is still a challenge today. Perhaps WebAuthn and passkeys will be the answer: https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/ Cheers, Adam. From info at petermoulding.com Sat Jul 8 17:55:27 2023 From: info at petermoulding.com (Info) Date: Sat, 8 Jul 2023 17:55:27 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: <20230708122539.3ef2363f@vorticon.teln.shikadi.net> References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707191931.5837083a@vorticon.teln.shikadi.net> <20230707230613.12c30a2d@vorticon.teln.shikadi.net> <20230708122539.3ef2363f@vorticon.teln.shikadi.net> Message-ID: The new systems look good for checking that the current user is the same as the previous user of that user id. CACert still appears to be the only system verifying the identity of the user, as in the user logging in as fred smith is fred smith. Perhaps the Google passkey could have a blue tick if the user is first verified by CACert. When using Facebook, something that was inflicted on me for months on a project where I was outvoted, even though we had a budget for a professional note sharing system, the people joining our group could be anyone. Verification was based on them typing "yes I am fred smith. Really. Really!" :-) If we use movies as the predictors of the future, Gattaca had a DNA scanner on every keyboard which would work if you ignore the movie Twins where one was evil. :-)) On 8/7/23 12:25, Adam Nielsen via linux-aus wrote: >> MFA works locally and people run into problems when they travel using >> cheaper local cards. Anyone with serious access should use two >> telephones and reserve one for the calls back to the office.
>> >> If you use your telephone number, lose your telephone, then try to >> get a new telephone with the same number, you can end up in an >> authentication loop. One friend hit that road block recently. > > Using a phone number for MFA (e.g. with SMS) is considered a very > poor practice and is not secure at all. There have been a number of > cases of employees at phone companies around the world being tricked or > bribed into porting a number across to a scammer's SIM, allowing the > scammer to receive SMS texts sent to a target's phone number. I > believe it's also possible to clone a SIM which although more of a > technical challenge, can also allow an attacker to take over someone's > phone number and negate the benefits of MFA. This has been happening > for a long time now, such as this incident from 2018: > https://www.abc.net.au/everyday/protecting-yourself-from-phone-porting-and-sim-card-scams/100421586 > > This is another thing that has been raised for many years at security > conferences but too many companies and even banks still insist on using > SMS for MFA, giving only the illusion of security, although some are now > understanding the risks and moving to custom phone apps instead. > > This is why the best MFA methods do not require third party services, > as it's one less avenue that can be compromised. A common and popular > implementation is Time-based One-Time Passwords (TOTP) which use a > shared secret and the current time to generate unique passwords (see > https://en.wikipedia.org/wiki/Time-based_one-time_password). 
> > As these work entirely offline, they are not susceptible to any of the > attacks that SMS texts are, they are safe to use in countries where > Internet access is monitored and restricted or phone service is > unreliable, and you can copy the secret to multiple devices so for > example if you lose your phone, you can still generate the passwords on > a laptop to make it easy to update all the underlying secrets (so by > the time anyone extracts them from your lost phone they are no longer > useful). > > Google Authenticator is one Android app that supports TOTP but there are > many others, and the secrets are generally compatible between them all > thanks to the RFC standards. Personally I use the open source oathtool > to generate the passwords on my Linux machines, and I use them for many > online services - GitHub, Google, Amazon AWS, etc. > >> CACert was a great idea. I hoped that would lead to key >> authentication for Facebook and everything instead of just the Musk >> Blue Tick. > > The problem with certificate authentication is that nobody figured out > a good way to make it work for end users. It was too complicated for > the average person to understand. Even just getting your certificate > off a laptop onto a phone without compromising it (e.g. by e-mailing it > to yourself) is still a challenge today. > > Perhaps WebAuthn and passkeys will be the answer: > https://arstechnica.com/information-technology/2023/05/passwordless-google-accounts-are-easier-and-more-secure-than-passwords-heres-why/ > > Cheers, > Adam. 
From russell at coker.com.au Sat Jul 8 20:32:50 2023 From: russell at coker.com.au (Russell Coker) Date: Sat, 08 Jul 2023 20:32:50 +1000 Subject: [Linux-aus] Linux Phone and Convergence progress Message-ID: <6188913.MhkbZ0Pkbq@cupcakke> https://etbe.coker.com.au/2023/06/06/pinephonepro-first-impression/ I received my PinePhone and did some tests with it, I wrote the above blog post about it. Since then I have got KDE running on it and found it much more to my taste than GNOME. https://etbe.coker.com.au/2023/07/08/sandboxing-phone-apps/ I've spent a lot of time investigating various options for sandboxing apps. My conclusion is that Bubblewrap is the best option at this time which can give the low overhead you need on a phone while also giving a decent choice of security options. Things to investigate next include SE Linux policy related to Bubblewrap confinement, BPF/seccomp, and default settings for desktop apps. In the above blog post I've included examples of Bubblewrap configuration that confine some common operations. Hopefully this will inspire others to do more of the same. Things that I haven't even blogged about yet include tests with USB-C docks (sad news - PinePhone and Librem5 don't seem to support 4k) and using a serial console to debug PinePhone kernel panics (I have a USB-C dock that reliably crashes the Mobian kernel).
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ From russell at coker.com.au Sun Jul 9 22:00:59 2023 From: russell at coker.com.au (Russell Coker) Date: Sun, 09 Jul 2023 22:00:59 +1000 Subject: [Linux-aus] Security conferences (was: LUGs) In-Reply-To: <20230707230613.12c30a2d@vorticon.teln.shikadi.net> References: <1ceda5805f5fcf73b8f96f28fa25f2d278b2f5f8@webmail.internode.on.net> <20230707230613.12c30a2d@vorticon.teln.shikadi.net> Message-ID: <112938875.nniJfEyVGO@cupcakke> On Friday, 7 July 2023 23:06:13 AEST Adam Nielsen via linux-aus wrote: > The latest social engineering trick being discussed is how AI can be > used to fake the voice of real people. It will only be a matter of time > until there are breaches because someone gets a call from their boss who > forgot their password and needs some files urgently, and they just need > them e-mailed to their personal GMail address. The files will > dutifully get e-mailed because nobody wants to disappoint their boss, > only to find out later the confidential files were just e-mailed > directly to a scammer. MFA won't help you there. AI for fake voice might make such things easier, but they can be done without it. Not a lot of people at big companies know the voices of their management chain that well. If someone was to fake my boss the accent would be the easy part, the hard part would be the manner of speaking. But that's even easier for ML systems to do if the attacker can access sent email. The solution to a lot of these things is to not allow communication outside channels and to have encryption for everything. Using a protocol like Matrix that supports end to end encryption would help in this regard. 
-- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ From tim.w.connors at gmail.com Tue Jul 11 11:26:00 2023 From: tim.w.connors at gmail.com (Tim Connors) Date: Tue, 11 Jul 2023 11:26:00 +1000 (AEST) Subject: [Linux-aus] FLOSS-and-Linux-friendly weather stations? In-Reply-To: References: <92778f8a-d6dd-684b-f3d7-a4f0980a5d0a@gear.email> Message-ID: <7e766395-b92e-26b7-fa7f-118d93e17586@gmail.com> On Wed, 28 Dec 2022, Stewart Smith via linux-aus wrote: > > > On Dec 15, 2022, at 23:37, Paul Gear via linux-aus wrote: > > I'm looking to get a weather station for the family and don't really know where to start - I'm hoping some of you might have been down this road before. > > > > If you're looking for a project, you can buy the components for a weather station and link things up to an ESP32 and pretty much build your own. My partner ended up doing this sometime in 2020 as a random learning exercise and the thing is still going strong. > > It's not necessarily cheaper, certainly takes a bunch more time, but is rewarding and interesting! Nothing like discovering that in order to weather protect a UV sensor you need the right kind of glass? Indeed what kind of glass did you use? I want something to protect an epaper display I'm hoping to put on my bike. -- Tim Connors From craige at mcwhirter.com.au Tue Jul 18 10:54:37 2023 From: craige at mcwhirter.com.au (Craige McWhirter) Date: Tue, 18 Jul 2023 10:54:37 +1000 Subject: [Linux-aus] Linux Phone and Convergence progress In-Reply-To: <6188913.MhkbZ0Pkbq@cupcakke> References: <6188913.MhkbZ0Pkbq@cupcakke> Message-ID: On Sat, Jul 08, 2023 at 20:32:50 +1000, Russell Coker via linux-aus wrote: > https://etbe.coker.com.au/2023/06/06/pinephonepro-first-impression/ > > I received my PinePhone and did some tests with it, I wrote the above blog > post about it. Since then I have got KDE running on it and found it much more > to my taste than GNOME.
> > https://etbe.coker.com.au/2023/07/08/sandboxing-phone-apps/ Great write up - thanks for that Russell. I'm running NixOS + Phosh on both my PinePhone and Librem5. I find that despite all the determination I can muster to make these devices usable in a similar manner to my Android devices the biggest barrier appears to be RAM. I have the Braveheart Pinephone and the Evergreen Librem5 - both of which have 3G of RAM. Did you get the PinePhone Pro with 4GB RAM? If so, how do you find common apps, like Librewolf (or firefox), the terminal, Chatty (messaging), Geary (email) and newsflash (RSS reader) run at the same time and how do they handle the constrained memory? For me, opening more than two at present significantly degrades performance and three or more can cause genuine problems. After putting significant effort into trying to make these models my primary phone, I'm considering scaling my expectations back to "terminal + web browser + mobile internet" _or_ buying the PinePhone Pro. Have you tried this usage or are you more focussed on the sandboxing side? -- Craige McWhirter Signal: +61 4685 91819 Matrix: @craige:mcwhirter.io Mastodon: @craige at mcwhirter.io From russell at coker.com.au Tue Jul 18 20:11:23 2023 From: russell at coker.com.au (Russell Coker) Date: Tue, 18 Jul 2023 20:11:23 +1000 Subject: [Linux-aus] Linux Phone and Convergence progress In-Reply-To: References: <6188913.MhkbZ0Pkbq@cupcakke> Message-ID: <3703767.MHq7AAxBmi@cupcakke> On Tuesday, 18 July 2023 10:54:37 AEST Craige McWhirter via linux-aus wrote: > I'm running NixOS + Phosh on both my PinePhone and Librem5. I find that > despite all the determination I can muster to make these devices usable in > a similar manner to my Android devices the biggest barrier appears to be > RAM.
I've found the biggest barrier is things just not working the way any reasonable person would expect (like windows going to the wrong size after rotating, programs that don't scale their content down small enough to fit, etc). The next biggest barrier is things that are obvious bugs like delays in waking up from suspend. The number three problem is things working in ways that might be good if it's to your taste and you have got used to it but isn't so great if you are really used to Android and want more of the same (EG everything about Phosh). > I have the Braveheart Pinephone and the Evergreen Librem5 - both of which > have 3G of RAM. > > Did you get the PinePhone Pro with 4GB RAM? If so, how do you find common > apps, like Librewolf (or firefox), the terminal, Chatty (messaging), Geary > (email) and newsflash (RSS reader) run at the same time and how do they > handle the constrained memory? I have the PinePhonePro. I haven't run a lot of apps at the same time. I have done some experiments with things like loading LibreOffice which isn't too slow. That said my personal laptop has only 8G of RAM and at the moment only has 1312MB of swap in use. If I didn't have Chrome running with hundreds of tabs open it might work OK with 4G of RAM. Do other browsers use less RAM than Firefox? Currently my tests of USB-C docks haven't worked as well as I had hoped and I'm not sure that the PinePhonePro or Librem5 can even support a single 4K display. So neither of these phones will work the way I hoped for convergence. But they will do well enough to facilitate software development. > For me, opening more than two at present significantly degrades performance > and three or more can cause genuine problems. > > After putting significant effort into trying to make these models my primary > phone, I'm considering scaling my expectations back to "terminal + web browser > + mobile internet" _or_ buying the PinePhone Pro.
> > Have you tried this usage or are you more focussed on the sandboxing side? I've been focused on sandboxing and writing SE Linux policy so far. When I get it to a stage where I don't think I'll be wiping it in the near future then I'll put in my main SIM and start doing more real stuff with it. My current installation is Ext4 with no encryption and I want to move it to BTRFS over LUKS. To use the PinePhone or Librem phones for real work now requires either Karen Sandler's level of dedication, a plan to make phone development a large part of your use, or a usage model that involves it as a small tablet. https://pine64.com/product/pinetab2-10-1-8gb-128gb-linux-tablet-with-detached-backlit-keyboard/ Probably a lot of the people who get Librem5/PinePhonePro devices would be better off with a Pinetab2. Similar specs but twice the RAM and a physically larger screen, that unfortunately has a similarly low resolution. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ From lachlan00123456asdf at lachlandewaard.org Wed Jul 19 17:22:41 2023 From: lachlan00123456asdf at lachlandewaard.org (lachlan00123456asdf at lachlandewaard.org) Date: Wed, 19 Jul 2023 07:22:41 -0000 Subject: [Linux-aus] Help me understand Android development costs Message-ID: <11111A52-4B62-4742-812C-57A3BD9B43CA@lachlandewaard.org> Hi all, I would like to fund partial or full development of a simple Android app for Ampache (https://ampache.org/) using that json/xml api (https://ampache.org/api/) I was hoping someone could point me somewhere to get more info about how much this type of stuff costs and requirements companies have when taking on dev work. I want to keep it simple focused on music playback from playlists with caching. This code would be required to be licensed under a free software licence in the Ampache github repository but would not care if the person who built it charged on the play store/used it for commercial development.
I'm just at that point where I'm either going to have to learn how to do it myself or pay for it. (If I can afford that option) From yifei at zhan.science Mon Jul 10 15:22:47 2023 From: yifei at zhan.science (yifei at zhan.science) Date: Mon, 10 Jul 2023 05:22:47 -0000 Subject: [Linux-aus] Linux Phone Progress: LoRa, BSD, IME Message-ID: <4b8eb1ce56bdb7a957795cb02d730ba4@zhan.science> I've been daily driving my PinePhone since it arrived and wrote a series of blog posts documenting my journey, including: Setup and first impression: https://segments.zhan.science/posts/mobian_pinephone_pro/ Daily driving: https://segments.zhan.science/posts/one_week_with_mobian/ Running BSD virtual machines with KVM on PinePhone: https://segments.zhan.science/posts/kvm_on_pinehone_pro/ Another post on running OpenBSD bare metal will appear soon once I have collected enough data, but for now the multiprocessor kernel is already working. IME related work is currently paused because the keyboard I had fried itself (apparently the unit I got is defective and a replacement will be shipped to me), I will focus on other things and continue on this front once the replacement arrives. I also got the PineDio USB LoRa adapter working for transmitting and receiving short messages and have given a demo doing it at Flounder's July meeting: https://flounder.linux.org.au/2023/07/02/july-2023-meeting/ More work on the driver and the userland program will be done to make LoRa more usable as a communication tool, and there will be more blog posts about that as it happens.