Episode: 1702
Title: HPR1702: FOSDEM 2015 Part 5 of 5
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1702/hpr1702.mp3
Transcribed: 2025-10-18 08:01:24

---

This is HPR episode 1,700 to entitled Fostom 2015 Part 5 of 5 and is part of the series interviews.
It is hosted by Ken Fallon and is about 62 minutes long.
The summary is Reactose, Coriose, WoW, PicoD, Ultimaker, Corbute and Flashroom, Satnux.
This episode of HPR is brought to you by an honesthost.com.
Get 15% discount on all shared hosting with the offer code HPR15.
That's HPR15.
Better web hosting that's honest and fair at An Honesthost.com.
Hi everybody, this is Ken Fallon, we're at the WoW building.
I'm now talking to the guys at ReactOS and you are?
I am Alexey Hragen from ReactOS Project and coordinator of this project.
Okay, so just to tell the folks at home what ReactOS is and what you're trying to do.
Yeah, it's a pretty interesting project I'm involved in for about 10 years
and this project is about creating an operating system.
However, we are not basing it on Linux or on BSD.
We do our own kernel from scratch.
And the key point is that we are binary compatible with existing Windows applications
and existing Windows drivers.
This is the key point of the whole project.
So you're building a tone of Microsoft Windows, I guess?
Yes, it's not totally correct to call this way, however,
the majority of people call this way and we also do this.
How did you start?
Do you woke up in the morning and decided I want to write this?
How did the project start?
Exactly, exactly, it's a great question because my personal story of being involved in ReactOS
was that I saw how Linux emerged from Unix and I had an idea.
Why don't such project exist for Windows?
Why don't people make a free Windows clone?
And I was browsing the internet, there was no Google back then in 2000 years.
And I looked for some five different projects which were quite small
and one of them was called ReactOS.
It was quite advanced back then.
It was able to boot into text mode console.
It didn't support any Windows applications back then.
But then over time we built a module by module and now it is able to
to load such complex applications like Microsoft Office
and we support some visual drivers natively.
So it's really intriguing for me, it was a totally new experience.
Are you sharing any of the code with projects like wine or those projects?
Absolutely, it's so great that these projects exist
because wine is essential for us.
It's like at least half of our user mode code.
However, we don't share that much code in kernel mode.
Unfortunately, because Linux is a totally different architecture
and BSD also totally different architecture.
But other projects also use our code base, for example,
this is in this wrapper and some other projects.
Also there is, for example, free type library
which is a great library and we use this for it saves us like
many hours of coding time.
It's great that so many free open search projects exist.
We wouldn't be able to build ReactOS without all those.
And are there any people running ReactOS in their businesses?
ReactOS is not ready yet for production.
It's enough a stage.
However, we occasionally see different photos from throughout the world.
Like we see something like Chinese supermarket
where cash desks were running in ReactOS.
I did not believe myself in this photo, but it's kind of real.
So we had similar experience from other parts of the world,
mostly of some other countries.
I did not see it myself.
But people run it somewhere and I'm really surprised.
And will the windows viruses and all that stuff run in ReactOS as well?
Absolutely, this is our fault.
You want the viruses, right?
Yeah, some viruses are compatible.
We can stamp on some of the reactors compatible.
But really many viruses are based on some very, very
window specific stuff like dressing directly by direct memory
dressers and things like that.
Fortunately, this breaks them on ReactOS.
But still, many viruses would be compatible.
Okay.
And you were saying that you were able to run Microsoft Office?
Any particular versions?
Or is it just the older versions?
Uh, 2013 if I don't mistake, yeah.
And 2007 also runs.
So could I run this in a virtual machine to run that one application
that will only run on Windows?
Absolutely, this is a preferred way to test ReactOS.
However, also we have a live CDs.
Yeah, which are accessible from the desk here.
They, you can use them to boot your laptop
and they would not damage your disk in any way
because it's experimental project.
That's absolutely fantastic.
I have a old application that I needed to run.
And when I booted the virtual machine for XP,
it wanted to register and it wouldn't run anymore.
So, yeah.
So this is an ideal solution.
Okay, are you going to be given any talks here at the show
or are you just going to be on the boot for the whole time?
No, this year we are not giving talks.
I gave a big talk about about seven years ago.
It was them.
It was pretty much nice.
But this way we decided to do only the stand here.
So it's pretty crowded and it's so nice to see so many people here.
Yes, it's great.
Where are you being here?
Thank you very much for taking the time for the interview
and thank you very much for doing this.
It might get myself, allow me to run some software very safely.
Yes, thank you.
Hi, everybody. My name is Ken Phalam.
We're here at the AWS Building of Post-Time 2015.
I'm at the CoreOS table.
Is that correct?
And I'm talking to...
Kelsey Hightower, engineer and evangelist at CoreOS.
And I'm Jonathan Mool, software engineer at CoreOS.
What is CoreOS?
To me, the way I describe it quickly, it's Google's infrastructure
that you can download.
Well, there's not actually written by Google, is it?
Right, so it's written by CoreOS and we've taken a lot of the patterns you see
in large distributed computing systems,
like you typically find at Google.
And one of our main flagship products is our operating system,
which is a container optimized Linux distribution.
Yeah, so CoreOS is an automatically updating Linux distribution.
So as soon as patch is available, we push them out and they update
distributions automatically.
Yeah, it is to make it totally seamless.
So the systems of administrators don't even need to think about it.
Updates just happen.
Okay, and you're following the mainline kernel,
which should be pretty strange.
Right, so we try to shift the latest and greatest stable kernel,
so more like the tradition that you see in a rolling distro.
So what we want to do is make sure that all the latest features
like overlay FMS that this recently got merged into the kernel,
IPvv and support that has got merged into the kernel
are available like weeks once they're available instead of like every two years.
So that's our main goal there.
How do you manage, how are you able to reduce an operating system
like that when you have companies like Red House and Suze?
So what's the difference between the two, I guess?
I think it's our contract with end user.
So CoreOS and its philosophy and the technology,
the OS itself, it says it's a redomy root file system
that contract between us and your application,
meaning we don't shift root through the Python, the JVM.
We can actually update our OS in an atomic fashion
since we expect all your applications to be running the container.
So we have a little bit more wiggle room and freedom
to change the underlying operating system
because the kernel is so stable
that application shouldn't be doing anything outside of like system calls.
Right, so the operating system itself is very minimal.
It's essentially just the kernel,
a system D, the init system,
and an SSH server, and then something like Docker
to be able to run application containers.
So we don't provide any of the standard sort of JVM
or Python or anything like that.
So we don't have to worry about maintaining those
and providing, maintaining application compatibility.
So it's a much smaller operating system
where you use vanilla upstream components wherever possible.
Okay, and are you a company,
or are you, how are you organized?
Yeah, so we're a startup based on a San Francisco, California.
We're a post-series A.
So we're in the stage now where we have a business model
where we're selling services and software.
We're a software company first.
So our main products are Core OS.
We sell commercial support on that, consulting services,
and accessories around that,
distributed computing like Docker registries.
We have our own runtime container, rocket,
things like that.
And are you working on an open core model,
or are those open as well?
Everything is open source.
So all of our technology is open source.
The only things that are not open source
are things like our Docker registry
or some of our gooey applications that sit on top.
But all of the Core technology,
LCD, the operating system,
there's no premium model.
It's all open source, and then we just add value on top.
Guys, thank you very much for your time.
Thank you.
We're at Sia SSL.
We forgot to see Yezl.
See Yezl.
Okay, can you spell that?
That's Charlie Yankee Alpha Sierra, Sierra Lima.
And that's a SSL library.
Yeah, so we're lightweight, portable SSL library.
Okay.
That's been very much in the news of late SSL libraries.
SSL in general has.
Yeah, yes.
And what makes you different from open SSL or Libres as well?
Yeah, so we've focused on a couple of things.
Yeah.
So we've written Sia SSL from the ground up from scratch in 2006.
Okay.
And we focused on the embedded market, mainly.
So we focused on affordability, size.
Yeah.
So we're 20 times smaller than open SSL in a typical build,
with the footprint size of around 60 to 100 kilobytes.
Yeah.
So that really pays off on, you know, a small resource
constrained device.
Yeah.
Now, do you lose a lot of the functionality
then as a result of that?
No, that's a full TLS 1.
Up to TLS 1.2 client and server.
Okay.
And server.
Yep.
And we're very portable.
We support about 20 operating systems out of the box.
Yeah.
So, you know, people don't have to spend time
forwarding to a new platform.
Okay.
Most likely we'll support it.
And then we support a handful, you know,
five to six embedded hardware crypto engines.
Yeah.
So we can take advantage of hardware cryptography
on the device.
Okay.
Pretty good.
And what sort of licenses are released under?
This is C-Asal's dual license product.
Okay.
So it's dual license center to the GPL version 2
and the commercial license.
Okay.
And why would I pick one over the other?
A GPL version 2 either makes sense for an open source project.
They can tolerate that.
Or for someone who's prototyping.
Yeah.
So it allows someone to download it off our website
and start playing with it right away.
Yeah.
Now, the commercial licenses for a commercial application
who doesn't want to abide by the terms of the GPL version 2.
Yeah.
So, being with it's the same code base,
the license centers just change.
It makes it for a seamless,
you know, a seamless move from GPL to commercial.
Okay.
But then if I was contributing to the project,
I would need to sign some agreement over to you, right?
Right.
We have people who thought it contributed agreement.
Yeah.
When they want to contribute back to CS.
And they give up the rights to the GPL
according to the tolls version, I guess.
Yeah.
I mean, I wouldn't say they give up their rights.
They're allowing you.
They're giving you also the right to call licenses.
Right.
They're contributing back.
They're giving us ownership of their changes.
Yeah.
Okay.
Very good.
And are there many people running with this application?
Yeah.
We have several hundred customers around the world
and that's growing.
Yeah.
We've doubled within the last year.
Yeah.
Both revenue and close to employees.
Okay.
Very good.
And do you know, how do I know that they call this secure
with the, are you going to be all that's done?
Or how do I get that warm, fuzzy feeling?
Yeah, sure.
So we've been around it's nearly 10 years.
Yeah.
We've had hundreds of commercial customers look at us.
We've had lots of open source people look at us.
We work all the time with universities and academics
who are, you know, testing new, they're looking for vulnerabilities.
They're testing us at libraries and crypto libraries
to see if they're exactly that.
If they're robust and secure.
So the GPL version is exactly the same as the commercial version
so that somebody can research and download the code,
hacking it as much as they want,
and then report back the bugs to you.
Yeah, exactly in codebase.
We were born out of my SQL kind of.
Yeah.
They wanted to clean your MSL library.
Okay.
And they, they have the same license model,
do a license, GPL commercial.
Very good.
So we've followed their license.
So is there anything you coming up this year
that you want to tell people about?
Yeah.
We, we're hiring more and more developers
so they can be more and more progressive.
Yeah.
So we're pretty excited about being one of the first ones
to hopefully implement TLS 1.3.
Yeah.
We're going to have some new crypto stuff coming up.
So a curve 25519,
ED25519,
and we also have added support
for the Chacha 20 and Bolly 1305 algorithms.
So those are two new ones
that Apple is pushing big with the home kit.
So we expect them to be popular
in IoT and smart home applications.
Okay, yeah.
So I'm,
I guess there's a lot of,
a lot of push now with the Internet of Things
to have SSL devices everywhere.
There is.
It's almost an necessity these days.
Yeah, I can give you this too.
If a device communicates,
you're probably going to be in trouble
if it's not secure.
Yeah.
Sooner or later,
you're going to get to your product.
Are you even talks at all
or are you just going to be focused here for a day?
This year we're just focused on the stand.
Yeah.
And if people want more information,
we can get it at your website.
Well,
so what's the difference between
WolfSSL and
the name which I can't pronounce?
Yeah, so let me clarify that.
WolfSSL is our company name.
Yeah.
And our product name is C-Azile.
C-Azile.
WolfSSL is a lot easier to remember.
One thing to keep in mind,
probably within the next month,
we're going to be changing
and rebranding C-Azile as WolfSSL.
Yeah, probably.
So it should be much more consistent.
Yeah, and you get the nice cool logos off.
Right.
Okay, thank you very much for taking the time
and enjoying the rest of the show.
Welcome.
And I'm talking to Pico TCP,
and your name is Martin.
Martin.
What is Pico TCP?
Pico TCP is the embedded
TCP IP stack for your reference.
Because it's beyond the far most,
the smallest and most modular
Pico TCP stack on the market.
You can unplug each module
if you want to have a very small stack
you can also say,
I want an IP layer
and an TCP protocol on that
and that's everything I need.
So you just configure it to build this
and you can get started
with a few kilobytes
of a few tens of kilobytes
of a flash and RAM memory.
Oh, very good.
So really focused on the embedded market, I guess.
Yeah, and it's in it, in it.
And are you a project or a company?
We are a company.
And the project started from
one of our developers
in his free time who said,
wow, I want to make
the best TCP IP stack in the world.
And yeah, he won't start it
and then at some point he said,
maybe we can do this
as an internal project.
And that's the points
where Pico TCP was born.
And what sort of licensing
is it available on there?
We have some dual licensing here.
We support GPLV2 license
and we have also a commercial license
for companies who want to use it
and sell products with Pico TCP.
So if I was contributing my changes back,
I'd need to sign a contributor agreement with you guys.
Yeah, and it's, yeah, yeah.
So I'm do maintain the same codebase
or is it always, is everything the same.
We have one codebase, it's on GitHub,
it's free for everyone to clone.
Yeah.
Okay.
And you find that businesses
have you shifted in many products?
Sorry.
I have many devices been shipped
using Pico TCP.
Not, not ready,
but because we are pretty young,
but we have already some customers
and some people who are interested
to use Pico TCP
on a large scale of embedded devices.
Okay.
And do you support IPP6?
Yeah, we do.
We do actually boats.
You can make your hybrids like if you want.
Okay.
And do you support things like IPSec and that sort of thing?
IPSec, we don't support at this point.
But we are always open
to implement new protocols.
Okay, and so I say I was a company
and I wanted,
desperately, I had loads of money
and I wanted that, for instance.
I could go and track you to do that
under the GPL if I wanted.
Yeah, of course.
Perfect.
You do.
Yeah, I love to.
So, what's the language is it written in?
It's written in C, it's plain C.
Yeah.
And is there anything else?
You keep your code and get help.
It's under the GPL.
Are you going to be given any talks here?
Yeah, of course.
We have two talks.
One is about machine networking,
where we promote Pico TCP as a protocol
where we can use all as ARK to make a large
machine networks with small devices.
Have you actually done that in practice?
Yeah, indeed, indeed.
Yeah, the work's okay.
Yeah, it works.
And for more figures, of course,
you should join the presentation
because our machine networking
specialists will be there.
So, fantastic.
If I forget to put the link into the show notes,
it will be available on the first-time website
for people who are listening to the show.
Anything else coming up in this year
that you want to tell us about?
We are every time implementing new protocols.
Next to this, we are also very...
I think it's very important to have a good code quality.
So, we are constantly monitoring our code quality
through Jenkins, a continuous integration system.
We have static code analysis through TICS.
That's a big tool that checks things like
code coverage, compiler warnings,
static code analysis, things like memory leaks
and other stuff at the plain side of the code.
We also have a lot of tests that run on targets
on a better target to test if the RFC compliance
is good, if everything works as it should be.
And all those things are run every night.
So, we have a nightly build, but we also
have a nightly test and every time we commit,
we have a lot of tests that are scheduled at that point.
Okay, pretty good.
Thank you very much for your time and enjoy the rest of the show.
Okay, thank you.
We've come over today.
Ultimaker.
Ultimaker.
And your name is?
My name is Oliver.
And what are you doing here?
What are we doing here?
We're showing off our amazing 3D printers,
which are fully open-source, and that's where we had fussed them.
And are you a company that makes these devices?
Yes, Ultimaker is the number one in quality,
especially a 3D printer manufacturer.
We're from the Netherlands, we make a Dutch product,
and as I said, we're fully open-source.
Oh, very good.
And how do you make your money on this if this is fully open-source?
We sell the printers, the physical printers.
That's where we make our money.
Okay, we have software that's used to take the 3D model
and turn into something the printer understands,
which is for free, you can download it, everybody can get it.
We have a firmware on there that's community developed,
it's more than it's from other 3D prints used as well.
So there's no money there.
The design of the printer is open-source as well,
so everybody can build it,
but we build it, assemble it, and ship it,
and that's where our income is from.
Could I buy it as a case, and put it together myself?
Yes, obviously our listeners cannot see it,
but over here we have our Ultimaker original,
which is a wooden version of our printer.
It's the first one that got into production.
It was a target for its makers and hackers.
That was the idea of the printer,
which is sold as a kit,
and it's fully self-assembled.
It takes about 8 to 10 hours to assemble.
It's a lot of screws, and that's a bit some pieces,
but it's certainly doable.
And the two printers that we have in front of us
are the more consumer-oriented-ed versions.
Yeah.
You could assemble it if you would be able to get the materials.
That's the tricky part here.
That's why we sell it as a unit.
And what sort of plastic do you
who will describe it to me?
What this thing does?
What this thing does is,
if you've ever seen a hot glue gun
that you fix things with,
it's a very expensive hot glue gun,
that's what you see.
It's a very expensive hot glue gun.
If you backtrack it, in a sense,
somebody brought out a 3D printing pen,
which really is just a hot glue gun,
and it's based on the same principle.
It's just this one just to all the movement for you.
You don't have to put down a layer,
full layer, full layer,
that you would do with your hot glue gun.
You can, the machine is a toy.
And this is a single-color printer.
This is a single-color printer.
You can change the filament during the print.
There's options for it in the software,
and you know, stop at this height,
and sorry, I can change the filament.
There's options for that.
But it doesn't do anything like that by itself.
So when we say it's a printer,
you've got an X-Watt,
you've got an X-Axis,
a Y-Axis,
and the place itself is heated.
Is the place itself is heated?
And the place goes up and down on the bottom?
Yes, exactly.
This bigger unit has a heated plate.
The small one,
the really small one that we have now,
there's not heavy heated bed.
It's to make it a little bit more affordable.
And what's the advantage of having a heated plate for this?
Ahesion, plastic adhesion.
The plastic that we print best adhesives
either to a blue masking tape
that a lot of painters use.
And a warm surface.
Yeah, pure adhesion issue.
So if you've got blue masking tape,
you don't need adhesives.
I think personally,
I think the prints without tape turn out nicer.
You can have a mirror smooth finish
because the plastic flows out a little bit onto the glass.
And the masking tape will always leave the riddles from the tape itself.
Sometimes the tape will stick to your object at your printing.
You have to replace the tape every once in a while
because it tears.
And if you don't put it on perfectly,
you will also see that any result.
It is, as I said, more affordable,
more easier to use.
Are you making a profit?
I'm sorry?
Are you making a profit?
Are you?
I'm the printer, yes.
Are you?
We are a healthy company at this moment.
That's excellent news.
Can I come work with help?
So what is the maximum size that you can build
with one of these printers?
The built volume of this one is very roughly a smake
because I don't know about hard,
but it's about 20 by 20 by 20.
So give me an idea.
Size of a skull.
We'll look at the object here.
I'm paying this robot.
I have it in my hand right now,
which is about almost 20 centimeters in height.
About six inches, I guess.
Oh, of course, yes.
Yeah, we have an international audience.
Yeah, that's where the height you can build with this one.
Volume-wise, you can go a little bit wider, obviously,
but also 20 centimeters, so about six inches,
so seven inches in length away.
Okay, I'm bracing myself now for the next question.
How much is the cost?
That's a very difficult question.
What is, can you put on love?
They feel it.
I always tell people, I'll tell you the question,
but I always tell people,
you only pry one printer,
and after that,
all the Christmas and birthday presents are free.
There you go.
Of course, you're set off for a life.
No, the kit version is a thousand euros without taxes.
Oh, my God.
Yeah, it's not that bad, actually.
It's not that cheap.
Look at components.
The components are not that cheap, they're in it.
The small one here,
which comes pre-assembled, is 1,500 euros.
Yeah.
This one comes in at 2,000 euros,
and the bigger one that we announced to get,
together with a really small one, a last CES,
is about 15 centimeters higher.
Okay, and you didn't basically build one.
It's the same size, it's just 30 centimeters higher.
I know a lot of people who are having the heart attack,
they don't listen to this at all.
I know what's different.
On the other hand,
you only look at laser printers from,
I can remember five, 10 years ago,
laser printers were thousands of.
And for, as a mechanical engineer,
we did a lot of prototyping,
and you would spend that just to get the plastic components
and it goes wrong,
and you have to wait another six weeks
to get them read on again.
So that's sort of one of the markets that we're not aiming for,
but it's a very interesting market,
is companies, businesses, architects,
that just buy these, because for them,
25 or 100 euros is now a lot of money.
It's nothing.
A 40,000 machine, 50,000 machine from one of the big players,
that's different, category.
So now you have a relatively cheap printer.
You can build your model in a few hours,
maybe over the weekend, and you have your thing.
Even if your company has a big machine that costs a lot,
they only have probably one.
Maybe two if you're really lucky.
And it's owned by Bond, and you have to chew for it,
and you know, it's all right, a lot of red tape.
This you can just give one, two to each office,
or each employee, even if you want to.
So it's really accessible that way.
Why does that one seem a lot faster than this one?
This one is still printing the bottom layer right now,
and the bottom layer is more sensitive than the rest.
So we print that a little bit slower,
so it comes out nice here, so it's nice and smooth,
so it hears nicely, and once you're done with the bottom layer,
you can ramp up the speed.
Okay, where are you based in the Netherlands?
Just below Utrecht, in Khelem also.
Khelem also?
Excellent.
I've run out of questions.
What's the news?
The news is the small printer, the bigger printer.
The small printer, the big printer, we just announced it's CES,
and we hope to start shipping them April.
And everything's open source, everything's free.
Everything's open source.
We're software developers, this is not a sales and marketing event to us.
I explicitly told our company, our bosses, that we want to go here,
because this is from developers for developers.
It's much different than CES.
CES, we don't go there.
So you seem to be a developer.
Do you know the free software or something?
So to answer your earlier question,
the software that we use to convert a 3D model
to something a printer understands is fully open source.
The software, the firmware that drives the printer is fully open source.
The electronics design is, although it is LTM files,
the files themselves are open source, the GPL.
The mechanical designs are open source.
The license at the moment is creative commons
by share a light with the non-commercial closure added,
which I'm personally hoping to push my bosses to maybe drop that,
which is my personal opinion, of course,
it's not what the company wants or maybe they do, I don't know yet.
But that, in that case, we can drop the non-commercial bit,
then we become open hardware,
and I think we could become a free software foundation approved,
which would be pretty impressive.
Can I steal some of the little robots?
This can have as many as you want.
I need three, and then all different colors, specifically.
You can have six if you don't want to.
It cost me two months to print them.
Because while they're all printed on our own printers.
Yeah, so it's fantastic.
Thank you very much for taking the time,
and I hope to bump into you in the Netherlands sometime soon.
We're talking to?
Carl Daniel, I'll help you now.
Okay, and Carl, you're representing two projects here.
What are they?
The first is the Corboot project, and the second is the Fleshroom project.
Corboot is a replacement for your buyers
and EFI.
It actually does that not only quite well,
but it really excels at that.
You might have used the device running Corboot.
You might just have not noticed.
For example, the Chromebooks from Google,
those laptops are pretty much all running Corboot.
Now, on the other hand, Fleshroom is a tool,
which is also not that well known.
It's very useful if you, for example,
plan to reflash or update your buyers,
change the firmware of the PX-0 on your network card,
want to change the firmware of your monitor,
or maybe update the firmware of your DVD drive,
all that stuff.
It's something which you can do from user space,
from Linux, from BSD,
or other operating systems, even MS-TOS,
with the help of Fleshroom.
So these are the anointing little programs
that you download from Dell,
and you must be running a version of Windows.
Yes, not only that.
Rebooting just to make a BIOS update,
or a firmware update, it's silly, isn't it?
It's something which, let's just say,
rebooting into a specially designated Windows DVD
to update your buyers is probably not something
which you would associate with reliability.
So, Fleshroom tends to do a way with all that,
and it does so nicely.
Well, on the other hand,
Corboot is something which is okay.
Admittedly, I'm a fan of Corboot.
Otherwise, it wouldn't be here at first,
I'm doing a booth for Corboot and Fleshroom.
Corboot is something which also has real benefits for you.
It's booting faster than EFI and BIOS,
quite noticeably so.
We get down to half a second,
or from power on to bootloader,
and a few configurations.
Usually, it's below one and a half seconds,
which is faster than BIOS and EFI if you think of it.
The other benefit of Corboot is that you can actually have the source code
of the stuff which is running in your firmware,
and that's quite nice from a free point of view,
but I also know that many people do not really care that much about it,
as long as they know the stuff is secure.
If you have the source code, you at least have the theoretical ability to inspect it.
Well, I know most people don't read the source code of the stuff they are using,
but still they would have the chance to do so.
Then there's also the point that Corboot is a bit easier to debug than BIOS.
For example, think of the last time you tried to find out why a machine didn't boot.
Think of it as, did you hear those,
codes from your BIOS.
The information you get from that is exactly mostly useless.
Then you can plug in some post code diagnostics card,
which gives you a 2-digit post code,
which tells you that, and this special BIOS version there might be something wrong.
With Corboot, you get full debug on a serial port or a USB port,
which tells you like a D-message on Linux kernel in detail,
what went wrong or what didn't go wrong.
So you also have great diagnostics,
you have the freedom aspect, you also have the security aspect,
and Corboot does not ship with backdoors,
compared to pretty much every other BIOS or EFI-based laptop you can buy out there.
Right, the Thames are suing words, I would imagine.
Let's just say that nowadays it's hardly impossible,
well, except for maybe the Chromebooks to buy
laptop without those backdoors.
Now let's talk backdoors, let's talk clear text,
let's talk about why I call them backdoors.
I should call them rootkits, which would be more accurate,
but that's even more fighting words.
The point is, nowadays you get a feature which is called anti-theft solution.
Which means in the most common implementation,
your BIOS, accesses, your EFI, accesses your hard drive, checks,
whether the Linux OSX or Windows running there
has the persistent rootkit part of this anti-theft module installed.
And if not, your Linux Windows or whatever will be infected with a nice rootkit,
which can talk home, just in case somebody steals your laptop and puts it,
and it's stupid enough to do that with the network attached.
Of course, that's also not exactly optimal if you want to be in full control
of your laptop and you don't care about theft protection.
Then you rather not have a rootkit in your machine,
especially a persistent rootkit, which won't even be removed after
exchanging the hard disk, because the BIOS or EFI will always re-install it again.
So this is like a feature of BIOS of EFI?
It's not really a feature, but it's an add-on module to EFI and BIOS,
which is nowadays shipped by pretty much every vendor for,
well, it's a feature, it's theft protection, everybody wants it, don't you?
Okay. And when you say it calls back, who's it calling back to?
Usually a service, either from the company selling that add-on module,
or the service of your laptop vendor. And to be honest, if your laptop is not stolen,
this thing is active. Anybody is sitting at that vendor, whether it be some
employee goofing off, or somebody from a criminal organization who doesn't like you,
can get control of your laptop. And this has in the past been implemented very badly.
It has also been demonstrated in the past that you can exploit quite a few of those
theft protection systems and get remote control, even if you're not from the vendor, not authorized.
Okay, that's great news here for everybody to hear. And Corbucci, how do I go about getting that?
Well, now there's a catch. Everything which is great usually has a catch.
With Corbucci, the biggest, well, let's call it a problem, issue is not the right word.
The biggest problem is that quite a few vendors are not interested in Corbucci, are not interested
in cooperating. Corbucci is not just like some operating system which you can just install.
Corbucci needs to know stuff about the hardware, stuff you can't even discover on a current hardware.
So sometimes you need to break out a logic probe and find out some of the wiring.
It's gotten better in the last few years. For example, the PCI slots died, which killed quite a
few interrupting problems we had. Well, we had to figure out each time. So essentially, Corbucci needs
to support your processor. It needs to support your chipset. Now, if that both points are given,
then you can start porting Corbucci to your laptop, desktop server or whatever.
And then it's a matter of picking the right pieces together, piecing them together,
firing it all up and hoping it works. It usually doesn't work on the first try.
And for example, laptops usually also have to have some funny interactions with backlight control
and stuff like that. So you have to reverse engineer quite a lot of stuff if your laptop or
desktop or whatever is not yet supported. However, if you follow the rainbow and search
it for a part of gold and your machine is actually on the list of supported boards by Corbucci,
it's pretty easy. It's usually on laptops just opening them up,
attaching an external programmer to the flagship on the mainboard and writing a working
Corbucci image on that. And if you ask nicely, we'll give you a reference image,
otherwise it's fully supported to compile those images on your own, select your own configuration
options. And then if you pick the right image, you get your reboot and you have a machine with
Corbucci and it's running nicely. And fast.
Well, that goes fast at least.
Boots fast. And well, I think there might be some enthusiasts out there who do high-end audio
processing. For example, if you're doing a podcast, you want to do some live audio source mixing
something like that. Maybe you might have noticed that sometimes you get extra runs with
Alza or something like that or, yeah, latency. Noticable latency. It's exactly the thing you don't
want if you do something like audio processing, industrial control or similar. If Corbucci,
one of the additional big benefits is that you can avoid running code in the background.
Most EFI and BIOS tend to keep stuff running in the background for various management tasks.
Unless absolutely necessary, Corbucci does not do that. There's no background task running.
This is great from a latency perspective. It's also great from a security perspective,
because if you, for example, are working in, let's just say, highly secure facilities or,
for example, if you're doing government, military work, stuff like that, you want to be very
sure of what is running on your machine. First of all, you want to be trusting the firmware and
second of all, after the firmware is gone and somebody has evaluated your operating system,
you do not want any code running in the background messing with your operating system. So
Corbucci does away with all that unless absolutely necessary and even then it's doing only the
minimal amount of work. So for a latency perspective and also from a security, a holistic security
point of view, it's also a great thing to run Corbucci. Okay, how did you, how did you get into
doing Corbucci in the first place? Oh well, it's a long story. Back when the OLPC initiative,
the one-laptop child initiative brought out their first prototype. They had some commercial
bias running on them with the explicit stated goal of replacing that with Corbucci and I was very
interested in that, had been following Corbucci passively for, well, one or two years and I was one
of my chances, well, not only one of my chances, it was the chance for me to get my feet dirty.
Or my feet dirty water and I started helping with the effort of getting Corbucci to run on the
OLPC XO1. Admittedly, nowadays the XO laptops do not run Corbucci. They do run open
firmware, which is also open source and was a bit more suited to what they were doing.
Still, Corbucci is a really great choice, especially because it supports such an amount of
diverse chipsets, processors and also hardware. We have hundreds of laptops or boards, well,
not hundreds of laptops, but hundreds of different main boards support it. Okay, and do you have a
list of these on the website so that I don't need to reinvent the wheel? We do have a wiki,
which is actually pretty current. We also have some board status board, which tests whether the
current code still compiles for your favorite board. Some vendors like Google are doing integration
testing and checking whether the Corbucci branch they are developing still works on the devices
they are shipping, and they are shipping also means well, all drone books. So there is quite
some testing going on and yes, the website is saying a lot, but I also have to admit that our
website is not always current in all aspects. So even if you don't find something listed on our
website, download our source code. How to do that is listed on our website, on the Corbucci
website, and dig around the sauce tree. You might find your chipset or your CPU listed even if it's
not mentioned in the wiki. So what's the worst that can happen? The worst that can happen
when you ask the Corbucci mailing list whether your hardware is supported, is can you please
go and read the wiki? Now let's talk more about what the worst that can happen if you try to get
Corbucci running on your board. The worst case that can happen is that your machine is a brick
temporarily. So if flashing, you flash the Corbucci image which does not work for a machine, the
machine will not boot or only boot partially. Then you have to attach an external programmer to the
flash shop of your laptop or board and refresh hopefully better working image or backup of the
previous BIOS or EFI. So it's not really dead, but you may have to open the machine and attach
a clip to the flash ship which is not that hard. Soldering is usually not involved unless
somebody puts epoxy all over your main board and can't access the flash ship. In that case,
you might have to scrape away some epoxy. But well if you're not afraid of opening your machine,
then nothing really can happen. You shouldn't maybe try to refresh Corbucci while you're
traveling and have no external backup at doing that. Some of us did that and it worked out,
but it's not something I would recommend to somebody for the first time. But still it's
a lot of fun to be had with. And yeah, the reflashing is something you would do with fleshroom.
So that's where fleshroom enters the picture again. A fleshroom can abuse pretty much any device to
flesh pretty much any chip. We have had people who abused an internal network card.
This sold the flash ship from that one put some wires on there instead and connected those wires
to the flash ship of a second main board and then use the network card to get a
flashroom to refresh the BIOS of the other main board. It does work. People will look at you like
you're crazy, but actually fleshroom is meant to do that. Okay. Okay. This is so far out of my
sphere of knowledge. I'm just going to find out whatever laptop you're using and make sure I buy
the exact same one. Yeah. Well, that very well supported model is the I think patch 260. It's
pretty old, but it's sturdy. It's reliable. It's time-tested. Nowadays, we also support
many more modern laptops of the G series and of the X series. All IBM. Well, yeah, Lenovo nowadays.
There are also a few, I think a few HP laptops supported. And I think
an AMD BIOS think pad is also supported. And then, of course, all those Chromebooks. And then
there was various desktop and server main boards. But usually the Vicky is pretty well up to date
regarding laptops. So if you see a laptop listed there, there's a good chance it will work out
of the box. Okay. Fantastic. So anything else that's going to happen this year that you want us to know about?
Yeah. An appeal to all the listeners out there. Apparently, some hardware vendors are still not
aware of what Corbute is. Yeah. Especially the firmware departments. And the key to a hardware
vendor is actually the salespeople, at least in my experience. So if you talk to your company,
you talk to some hardware vendor and tell them, yeah, we would like to buy some hardware.
Tell them that you might want to have Corbute on those laptops or on those servers.
On those servers, it's easy to justify. Just you don't want seven minutes of boot time. You want
something like 20 seconds or two seconds of boot time. And if enough salespeople here, the word
Corbute might start to inquire with their management, what is this Corbute stuff? And that might get us
the awareness to actually have vendors listen to us and take us not as a competition, but actually
as people who want to help them make their products better. That would be really, really great. And
other than that, go out, find some nice hardware which is supported by Corbute or which has CPU and
chips that supported by Corbute if you want to tinker and work with that. We'll try to help you
and it will be great fun for everyone involved. Okay, with that, I got to end the interview.
Thank you very much for taking the time. It's been a pleasure. Thank you very much.
And we're standing outside in the middle of a field, right beside somebody who's got what looks
like a yaggy antenna. Well, actually two of them. Tell us more, tell us more. What is this and why are
you here? Who are you first? So my name is Peter Papadez and I'm a member of the Soutlooks theme
from Athens, Greece. Satsnogs, N-O-G-S? That's a-S-A-T-N-O-G-S. What's that note?
Sierra, Alpha, Tango, November, Oscar, Golf, Sierra. That's pretty good. Are you an amateur operator or
two? Most of us are. So what's satsnogs is basically a grand station for tracking satellites.
So you can see the antennas and in the middle there is the tracking box and it has a gear assembly
inside and you can track satellites as they cross across the sky and you can receive signals,
demodulate them, record them and then upload them back to the network. You can, can you?
Oh yeah, very interesting. And you've got X and Y axis on this?
Yes, so we call them the azimuth and the altitude, but yes, that's pretty much it. So you have
360 degrees on the azimuth and 0 to 90 degrees on the altitude. So you're going to be, if you're
tracking, you'll be tracking the part of the half sphere, the hemisphere basically around you.
Okay, I'm not sort of, what sort of interesting things are you doing for this?
So we have thousands of satellites out there and we are now in this setup, which is a
typical setup. You can see a V8F antenna and a V8F antenna and we're focusing on satellites that
use those antennas because we can receive the signals, right? And most of them are CubeSats.
Lately, we have been having, we have been having had the millions of CubeSats.
Lots of CubeSats. A CubeSat is a really small satellite, 10 by 10 by 10 centimeters cube,
1 kilogram weight. And it's used for small experiments by universities or projects or companies
that want to deploy something really cheap and really quickly as a satellite. And the transmission
frequencies that most of those CubeSats are using are V8F and U8F and those bands that we have
the antennas. So we're helping tracking those satellites. So imagine if you're at a university and
you have a CubeSat that you deployed because you can only see, you know, like three or four times per
day on your location, you can use the distributed network of ground stations. Yes, and get a
global coverage and create a network for that. So what happens here? The signals come in,
do you volunteer for a particular satellite? So it depends on the deployment. Right now,
this is a tethered deployment, which means that we control the specifics of this deployment. So
we choose with satellite and with transporter, we're going to be following in which frequency
in blah blah blah. But generally, a permanent set up of a satellite ground station would be
something on top of a rooftop connected to the network. So the network gets to say which ground
station is going to is going to do with operation, with scheduled operation. So if you are an
operator, you have a satellite or you are a nanometer satellite observer or you like satellites,
you can go into the network, say I want to follow this satellite with this frequency during this
time frame. And the network automatically calculates all the sightings from different
cloud stations and sends those observation schedules to the ground stations, the ground stations,
execute them, record the messages and bring them back to the network. How fast are these satellites
composed? Depends on the orbit, but let's say a good pass would be something like 11 or 12 minutes,
but it really depends on the orbit, though. So for example, if you set one of these up,
it's likely that the whole day it will be moving left, right? Oh yeah. We need as many ground
stations as possible. So talk to me, talk me through this. This is an aluminium tripod. Have you
built this yourself? Yes. Everything that you see is designed and built from scratch,
DIY, open hardware style, and the software too, open software obviously. And for the parts that are
things that need to connect between each other, we have all the plastic pieces that you see are
three dependent parts. So we designed them on Fricad and then we printed out on three
different printers, three from the last boot in specific. And then all the tracking mechanisms
inside, it's also 30 printed, the gears, the all the assembly. And we're using also a commodity
cheap electronics hardware for the reception side of things. So we're using an RTL SDR,
which is a DVBT China, it'll really cheap SDR dongle. And Arduino, two Pololu drivers for the
stepper motors and an LNA, the LNA for all, which is an open hardware one. I thought like they
make an A and antennas kind of hard. Not really. I mean, given the that I expertize,
fortunately we do have in our team some RF experts. And they designed the NEC, the theoretical
model, and then we designed it. We printed the parts, we constructed antenna, and using a vector
network analyzer, we were able to match the frequency sensor check if the theoretical model
still works in practice, which it did. And that's that's a good part of it. So can I buy this online
or do I make it? So you can visit satanux.org, which is the website that has all the information
about how to build one. Yeah. Right now we don't supply any kits, although we plan to do that
in the future. And you can join the community and help us grow the project more, host the ground
station or even build more around it. What do you need to, because you're receiving only, I guess,
you would need to be a ham radio. You wouldn't need any specific license to do that. Depends on the
legislation of your country. Yes. Yeah. In some countries, in some countries, it's kind of like a
gray area, whether you can actually own something that, yeah, something that can receive also
transmit as well. Yeah, but it really depends on your area. And then for transmitting, of course,
you have to be on how big your fence is. Oh, yeah. Yeah. Exactly. How much is that going to
set me back? So everything from the tripod to the embedded PC, to the SDR, to the antennas,
to the tracking books, would be around 350 euros. Stop out, actually. Yeah, it's actually one
tenth of the commercially available equivalent in terms of the specifications. And you get to find
out very quickly if you have nice neighbors or not. For sure. So cool. Anything else that's coming
up on the project that people want to know about, so we, you could build this. I know we have a lot
of ham radio guys. Yeah, that this would be no problem for them to build the builders. And then
what does it go to? And then the next stage is to deploy a satnax client, which connects us,
connects us back to the network. So instead of using it only for your own observations, making
it available for other people around the world to use it. So contribute back to the network.
That's that's the thing. And then the generally for the project, the next steps are expanding the
the bonds that we're using. Right now we're using only VHF and UHF. And then now we're expanding
also to S bond. That's 2.4 gigahertz using dishes. Yeah. So that requires some mechanical
differences. Yeah. The R&D team is working on that heavily and we will welcome some
contributions around that. That's for sure. I have my first show that I was supposed to
this procrastination for. I was going to do how to point a satellite dish as my show. I still
haven't submitted it and it's been 10 years now. So maybe it will. Maybe once we haven't
do so. Anything new that's going to be coming up this year or that don't need to know about her?
Yeah, global deployment. We just won the Hackett Day prize. And that was a huge push for the project.
Yeah, that's how I heard about you. Yeah. And now given the budget that we have, we can safely say
that we can support and fund the construction and deployment of many ground stations around the
world. So we plan to have at least 50 ground stations deployed and working around the world
until the end of the year. So we're focusing massively on that right now. Who are there particular
regions that you're not particularly well covered in? Well, pretty much everything right now. That's
the third one that you see. Okay, so guys. It's just new for all of us. But right now the community
is working on US, Australia. We have Netherlands. We have Argentina. And there is also Singapore.
Okay. So we have to be focused on Russia, what's Russia, Africa and take the Central America and
Pacific will be a big big thing. So if anyone of you has any contacts on Pacific Island,
we have people all over the world and I'm sure it'll be a big summer. A nice Pacific Island.
I had something else there that I wanted to ask you, but it's completely gone out of my head.
But yeah, you're given the talk. So tomorrow, so people will be able to go to the Fostem website
and see more of this. What's the ways like and what I need to be a bit concerned about things
like lighting and stuff? Not really. Depends on where you deploy it. And that's like all different
antennas. So you don't have to really be worried about that. Plus, the typical setup, that's the
mobile setup. But the typical setup includes a radome. So imagine a random dome. So it's kind of like
a whole sphere around it. So we designed and build it ourselves too. And that's for the
permanent setups. So we can bring it here. So you don't have to be worried. If it's properly
insulated and properly grounded, you don't have to be worried. Okay. Fantastic stuff. Thank you
very much for the interview and good luck with the project. And good luck with the talk tomorrow. Thank you.
You're coming up with a way to do this as well, but we're going to be back to see the life of the
world in the middle of the day. Come on. Join us now, we'll share the software. You'll be
free, hackers. You'll be free. Join us now, we'll share the software. You'll be free, hackers.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
Join us now, we'll share the software. You'll be free, hackers. You'll be free.
You've been listening to Hacker Public Radio as Hacker Public Radio. We are a community
podcast network that releases shows every weekday and Monday through Friday. Today's show,
like all our shows, was contributed by an HBR listener like yourself. If you ever
thought of recording a podcast, then click on our contribution to find out how easy it really is.
Hacker Public Radio was founded by the digital dog pound and the infonomicom computer club,
and is part of the binary revolution and being revved.com. If you have comments on today's show,
please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released on the creative commons,
attribution, share-like, free-to-lensance.