Monthly Archives: February 2007

What can we XSS-inject into the new 40 million Euro portal Italia.it? Better to help redo it: rItaliaCamp

Since it is possible to inject arbitrary HTML just by prefixing it with one double quotation mark (") in the search text field of Italia.it, the possibilities are endless.
Click on this link http://www.italia.it/it/scout/text/5,en,SCH………. to see what I quickly came up with (credit: I saw the XSS vulnerability on mentedigitale). Or check the video embedded here below (I made the video because I hope someone will fix this very soon, and then the link will no longer work). I just inserted a few divs, a few paragraphs, and opened some windows, nothing disruptive. You can try it yourself: just copy the following HTML code and paste it into the search text field of Italia.it



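The attribute breakout described above, as an added example that is not the portal's code and not the author's payload: a constructed search-box template reflects the term straight into a value attribute (the vulnerable form) next to the same template with HTML attribute escaping (the hardened form), plus a small parser-based check that counts which start tags a browser would actually see. The template, the payload and all function names are assumptions made for this illustration.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed payload in the spirit of the post: the leading double quote closes
# the value attribute, the '>' closes the <input> tag, and everything after it
# is parsed as new markup. Hypothetical; not the payload from the original post.
PAYLOAD = '" ><div style="color:red">injected</div><p>'


def render_vulnerable(query: str) -> str:
    """Reflects the search term straight into an attribute value (vulnerable form)."""
    return f'<input type="text" name="q" value="{query}">'


def render_safe(query: str) -> str:
    """Same template with HTML attribute escaping: quote=True turns " into &quot;."""
    # html.escape is right for HTML text and quoted-attribute contexts only; a term
    # reflected into a <script> block or a URL needs that context's own encoder.
    return f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'


class _TagCollector(HTMLParser):
    """Records every start tag and the value attribute of the first <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.input_value: Optional[str] = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            # HTMLParser hands back attribute values already unescaped
            self.input_value = dict(attrs).get("value")


def parse(markup: str) -> Tuple[List[str], Optional[str]]:
    """Return (start tags in document order, value attribute of the first <input>)."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.input_value


def is_safely_reflected(markup: str, query: str) -> bool:
    """True when the only element is the <input> and its value round-trips to the query."""
    tags, value = parse(markup)
    return tags == ["input"] and value == query


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("safe", render_safe)):
        out = render(PAYLOAD)
        print(name, parse(out)[0], is_safely_reflected(out, PAYLOAD))
```

With the payload, the vulnerable template yields three elements (input, div, p) and an empty value attribute, while the escaped template yields a single input whose value attribute decodes back to the exact search term; that round-trip, not the absence of a quote character in the source, is the property to test for.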
Italia.it is the new Web portal for Italy, whose goal should be to emphasize and show every surfer how freaking gorgeous Italy is. Italy is really a wonderful place; we could probably just live off light tourism, enjoying our lives, meeting and chatting in a friendly and hyper-relaxed way with all the tourists coming to Italy and willing to, how can I say?, subsidize Italians just as friendly keepers of this small and wonderful country that really belongs to the entire world and should be enjoyed by everyone. I’m not joking.
Anyway, Italia.it was launched a few days ago and I’m very sad to say that reactions have not been good. You can judge for yourself, but keep in mind that Italia.it cost Italians 40 million Euros and took 3 years to complete. After 3 years and 40 million Euros, everyone was expecting something a bit better. Let me also clarify and explicitly state that the Berlusconi government started this shame 3 years ago, the Berlusconi government allocated that 40 million Euro amount of money and the Berlusconi government was not able to produce anything; the current Prodi government (which might not be the best in the world but is at least 40 million times better than Berlusconi’s) just quickly concluded the long gestation and presented the work, so it should be thanked and cannot be held responsible: the entire responsibility for this waste of money and time lies with Berlusconi’s ineptitude. About the Web portal, I don’t even want to start commenting on all the big problems the portal has from dozens of different points of view; you can check the comments on Technorati (822 blog posts at the moment) if you like. And don’t even try to imagine how much we paid for the shitty logo.

I guess now you might start saying “it is too easy to criticize” or “why are you making additional noise, helping to destroy the image of Italy in the blogosphere?”. In fact, I love Italy, I terribly love Italy; a few years ago I was very foreign-phile but I now think that Italy is the best place in the world to live (no, I have not seen all the places in the world, so I’m totally open to changing my mind in the future, don’t worry).
So why am I posting a critique entry that also shows a trivial XSS vulnerability affecting Italia.it? Because I think Italia.it was an error (made by Berlusconi, by the way) and we must learn from errors, so that in the future we don’t repeat them. Next time the Italian government has to build a Web portal, it can benefit from the current discussion.
So in which sense do I think Italia.it was an error, and how would I do it? Of course I don’t have a magic wand, and it is not my job to design strategies for national tourist Web portals, but some suggestions could be the following.
Surely the development could have been more open, trying to exploit the wisdom of crowds and the passion of people. For example, post on a dedicated wiki the requirements specification you came up with, let people see it, discuss it and suggest changes. Of course this requires time and attention, but it can help in avoiding errors and getting insights. Moreover, leverage people’s love for Italy (and for technology too): I think that if they had launched a competition for ideas such as “how would you want the Italia.it portal?” or “how would you create the Italia.it portal?”, there would have been thousands of people having a say, and maybe providing ideas or even actual working systems and prototypes. If there had been a prize, that would have been even more successful: maybe just a visibility prize (like “Your name, photo and URL will be in the Credits section of Italia.it, reachable from the homepage”) or a monetary one (even a small one; well, actually, in relation to 40,000,000 Euros the prize would not be so small, in fact).
About content in the portal, Italy has so many natural and cultural wonders that just making a catalogue of all of them is very hard. So the government allocated a large part of these 40,000,000 Euros to the provinces so that they pay someone to enter the content related to that province. Did Wikipedia teach us nothing at all? Or Wikitravel? Is it possible to think that maybe some content can be added, modified and improved by normal Italians? Just because they like to show the world that in their city there is a wonderful monument? I’m not saying a simple and open installation of MediaWiki will succeed by itself and that after 2 months we would have the biggest and best catalogue of Italian wonders online, but just that creative solutions (not so innovative actually, since Wikipedia is already there to prove the point) can be thought of, and maybe 20,000,000 Euros can be used for something else?
In which direction are my suggestions going? Well, they are based on the conviction that for this kind of project, actually for any creative activity (especially on the Web), the Hacker ethic (of work) can be superior to the Protestant ethic (of work). [I think the Hacker ethic is what we should always tend towards, as a society, because it is what makes human life more human, but anyway here the point is that for some tasks the Hacker ethic is already more efficient and preferable]. If you have not yet read The Hacker Ethic and the Spirit of the Information Age by Pekka Himanen, you should; it is a wonderful book that might shed new light on why we (and you) do stuff during our lives (you can start from the very simple “why do you work?” and “are there alternatives?”). In a nutshell, the Hacker ethic means you work on what you love; the Protestant ethic means you work because you have to. The Protestant ethic comes from Max Weber’s famous essay “The Protestant Ethic and the Spirit of Capitalism” (1904-1905): Weber starts out by describing how the notion of work as a duty lies at the core of the capitalist spirit that arose in the sixteenth century: “This peculiar idea, so familiar to us today, but in reality so little a matter of course, of one’s duty in a calling, is what is most characteristic of the social ethic of capitalistic culture, and is in a sense the fundamental basis of it” (from nytimes).
The Hacker ethic instead is very different: The spirit behind other hackers’ creations is very similar to this. Torvalds is not alone in describing his work with statements like “Linux hackers do something because they find it to be very interesting.” For example, Vinton Cerf, who is sometimes called “the father of the Internet,” comments on the fascination programming exerts: “There was something amazingly enticing about programming.” Steve Wozniak, the person who built the first real personal computer, says forthrightly about his discovery of the wonders of programming: “It was just the most intriguing world.” This is a general spirit: hackers program because programming challenges are of intrinsic interest to them. Problems related to programming arouse genuine curiosity in the hacker and make him eager to learn more.
The hacker is also enthusiastic about this interesting thing; it energizes him. From the MIT of the sixties onward, the classic hacker has emerged from sleep in the early afternoon to start programming with enthusiasm and has continued his efforts, deeply immersed in coding, into the wee hours of the morning. A good example of this is the way sixteen-year-old Irish hacker Sarah Flannery describes her work on the so-called Cayley-Purser encryption algorithm: “I had a great feeling of excitement. . . . worked constantly for whole days on end, and it was exhilarating. There were times when I never wanted to stop.”
Hacker activity is also joyful. It often has its roots in playful explorations. Torvalds has described, in messages on the Net, how Linux began to expand from small experiments with the computer he had just acquired. In the same messages, he has explained his motivation for developing Linux by simply stating that “it was/is fun working on it.” Tim Berners-Lee, the man behind the Web, also describes how this creation began with experiments in linking what he called “play programs.” Wozniak relates how many characteristics of the Apple computer “came from a game, and the fun features that were built in were only to do one pet project, which was to program . . . [a game called] Breakout and show it off at the club.”
(from nytimes).
So what is the message here? Next time we have to design Italia.it, maybe we might try to rely a bit more on the Hacker ethic and a bit less on the Protestant ethic. By the way, even if this is quite obvious, note that the hacker ethic does not mean that hackers work for free just because they are passionate about what they do and can feed themselves on this passion.

Ok, time to conclude this post. Why do people participate in BarCamps? Because they are hackers (“Hackers can do almost anything and be a hacker. You can be a hacker carpenter. It’s not necessarily high tech. I think it has to do with craftsmanship and caring about what you’re doing.”), and they like to be intellectually engaged with other people (incidentally, this should also be the reason for people doing academic research, but sadly this is not always the case).

So, do you want to be a hacker for Italy? Then join a bunch of other hackers who will meet for a special BarCamp: the rItaliaCamp, a BarCamp whose goal is to put our passion, curiosity and enthusiasm into creating a better Italia.it, one of which all Italians can be proud.
In the dedicated wiki, we are trying to organize our passions and ideas. Is it easy? No. It is not easy to coordinate and do in a few weeks, unpaid and geographically distributed, what was valued at 40 million Euros and 3 years of work. Will we be successful? We don’t know. Shall we try? You bet!
So join the rItaliaCamp! I’ll see you on March 31, 2007. Bring your passion.

Mobile Open Source, a seminar about the Funambol model, licences, cleverness, Italianness

A few days ago I attended a gorgeously shiny (*) seminar by Fabrizio Capobianco entitled “Mobile Open Source: the Funambol model. US capital and Italian heart”. The abstract said “Funambol is the largest open source project in mobile, now reaching one million downloads. Funambol is also a Silicon Valley company, voted among the top 100 private companies in America by Red Herring. Founded by Italian entrepreneurs and backed by US Venture Capitalists, it maintains its R&D center in Italy”.
Fabrizio is the CEO of Funambol; he told us what it means to run a company in the Bay Area that develops Open Source software for mobiles. He is very clear, very inspiring and very clever. He knows everything about all the different licences, their advantages and their disadvantages, and he has been very successful in using them in the right way for his company. Funambol releases its software under 2 licences: the GPL is the default but, as you probably know, the GPL is persistent: if you take Funambol code under the GPL, incorporate it in your software and want to release your software with the Funambol code incorporated, you must release everything under the GPL as well. Not everyone wants to release all her software under the GPL so, in that case, Funambol can release its software under a licence different from the GPL. Of course, while everyone can get the software released under the GPL for free, if she wants a different licence then she has to enter a commercial agreement (i.e. pay) with Funambol. As simple as that.
This is somehow similar to what MySQL company does but it has peculiar characteristics as well.
Note that in order to do this, Funambol must hold the copyright for all the software it releases, and in fact it does. Programmers who contribute their code have to assign its copyright to Funambol in order to see it enter the core code maintained by Funambol.
– So who wants to pay for something that is free? In Funambol’s case, carriers (Vodafone, T-Mobile, …) which don’t want to release all their code but still want to use Funambol’s open source code.
– So why doesn’t a carrier rewrite all the code? What is the real competitive advantage of Funambol?
The community! (Incidentally I have to say that what the Funambol code provides does not seem terribly complicated. I’m not saying that it is simple at all, I’m just saying that it might seem simple at first glance.) The best and unique asset of Funambol is the community. They have tons of people (mainly IT technicians working for companies all over the world) downloading their code and testing it (because nowadays every IT manager has just one request from managers: “let the emails flow seamlessly to the mobiles of workers”, Fabrizio said). All these downloaders test the code, file bug tickets, and sometimes contribute their code for doing simple tasks like creating a new interface between Funambol and the CMS, CRM, ERP, program, whatever they use in the company. Since downloaders are spread all over the world, they also test the code with all the different carriers and with basically every single possible mobile device, and they provide back their little hacks. If a company, say Vodafone, wanted to reach the same situation, it should pay thousands of people in every country to do this QA (that means Quality Assurance; during the talk I was dumb enough to think QA was “Question and Answering”, and in fact it didn’t make too much sense … uhm). The community is really Funambol’s unique asset. But not everything is that easy and straightforward of course: a community is made of people who have emotions, beliefs and their own original thinking, and in fact the company has to be loyal to the community. Fabrizio said that releasing everything under the GPL is a way to be loyal to the community; other companies (I think it was SugarCRM) release only 70% of their source code under the GPL and the remaining 30% is released under proprietary licences, so on the mailing list there are often people complaining about it and contributions are not as many as they could be. Funambol’s model is very clever and something like “we offer to be the gatekeeper (?!?) for the community, we maintain the software, mailing lists, web sites, but we release everything under the GPL so everyone can benefit. We just charge people who don’t want to share their code. Basically, you either contribute with your code (enriching the community) or you contribute with your money (again enriching the community because we will use the money in order to create even more code and hence features)”. Can you think of a better model? Someone asked Fabrizio about the risk of forking and the reply was that the risk is always there of course, and this is what will always keep them loyal to the community. I think Fabrizio believes profoundly in the philosophy of sharing but, just as with Free Software in general, it is reassuring for everyone to know that the community, or just someone, will always be free to fork. Again the keyword here is “freedom”.
– So what is the biggest threat to the Funambol model? (I hope you are still with me because now comes the most interesting part of a talk that was already jaw-dropping for everyone…) Well, you know, software is moving from software you download to services provided over the Internet. Google Office is different from Microsoft Office since Google does not distribute the software but provides it as a service. When you provide software as a service, the GPL clause does not trigger and you are not forced to release your code under the GPL. Fabrizio believes that 90% of the code will be served as a service in a few years (I’m not sure about this, but I tend to believe it) so, for example, Vodafone will be able to provide Funambol code acquired under the GPL (for free) as a service and will not be forced to distribute all its code. For this reason, Funambol has created a new licence, the HPL (Honest Public License). But first let me get into the “wasn’t GPL version 3 about this, in fact?” question. Well, again, Fabrizio surprised many of us here. He stated that the initial idea of the Free Software Foundation was to introduce this concept (“redistributing as a service is redistributing”, and hence the GPL clause triggers) but that in fact at the moment there is huge pressure from big players (read “Google”) not to include this aspect in GPL version 3. Why? Because, as you probably know, Google is using GNU/Linux as backend and lots of Free Software. If some of the Free Software they use is released under “GPL version 2 or higher” they are already in trouble, since this might mean that they are forced to release all of Google’s code under the GPL as well! Ok, Linux, the kernel, is probably not going to move to version 3 soon or ever, but still this is a big problem.
Basically Google will stop using any software released under GPL version 3, or keep the present code and fork from it, improving the code (still under version 2) but never releasing it anymore (and the same of course is true for Yahoo!, IBM, …). This could easily be the end of all Free Software… well, I’m not sure I explained it very well, but Fabrizio did! So the final line was something like “if the FSF inserts this concept in GPL v3, we will release Funambol code under GPL v3; otherwise we will submit our HPL licence for approval to the Open Source Initiative and will release our code under the HPL”. So what does the HPL say? It is nothing but a slightly modified version of the GPL that simply adds this clause: “distributing as a service is distributing”. You can read the diff between the GPL and the HPL yourself. Stay with me as we go meta here. I have a small doubt. The text of the GPL licence itself is licensed verbatim: “Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.” This probably means that Funambol asked the FSF for a licence over the GPL licence in order to be allowed to change it?
Ok, in the last part of the talk (I’m quite surprised at how he was able to compress so many concepts into a few hours, to explain all of them terribly clearly and also to reply to all our questions), Fabrizio also shared his insights about the fact that outsourcing software development to Italy makes a lot of business sense: basically, (1) Italian programmers are paid very little compared to all the other European countries, (2) Italy has good protection for copyrights, (3) Italian programmers are in general loyal and (4) there are no venture capitalists in Italy. (2), (3) and (4) mean your programmers will not steal your code, run away with it and found an independent company, something that is more likely to happen, for example, in India.
This is what he calls the “Funambol model” and he is trying to spread it all over the Bay Area. So, please, do come to Italy, do exploit us, we’re waiting! ;-)
Now I’ll try to get my hands on Fabrizio’s slides and update this post with a link to them.

(*) About the “gorgeously shiny seminar” expression: yes, I like to exaggerate with adjectives whose meaning I don’t even precisely know. It is one of the pleasures of writing (and speaking) in English that I let myself indulge in. Hope you don’t mind.

The Italian lonelygirl15 and six degrees of Justin Timberlake

I’ve been following the blog of Asia “Justin2u” on Libero.it since its beginning, one month ago. Asia tries to exploit the six degrees of separation thing in order to meet Justin Timberlake in just one month. Since I cite this folklore theorem in almost every talk I give, people sent me the link to this “live experiment”, Asia’s blog. The sentence in the header explains it in this way: “Io conosco te ke conosci lui ke conosce l’altro ke conosce uno ke conosce Justin Timberlake e ke poi me lo presenta. E ke poi vuole il mio numero e mi kiama e mi kiede di arrivare e io vengo ;)” which is, in my opinion, a very funny way to explain the six degrees thing: “I know you who know him who knows the other one who knows that one who knows Justin Timberlake and who then introduces me to him. And then he wants my phone number and he calls me and he asks me to come over and then I come ;)”. Loosely related, even Kevin Bacon tried to exploit the idea, creating sixdegrees.org: “With SixDegrees.org you can ask connections to donate to a charity.”
Asia is funny and very good-looking, and she speaks a funny, very youngish Italian (lots of “k” and “troppo + verb”). Check out her first video, which I just uploaded on YouTube.

My bet is that she is not a normal girl just wanting to meet Justin but an actress, part of a commercial attempt to get some buzz about the Libero.it social platform, and of course I’m not the only one thinking so. Her blog is on Libero.it. All her videos were uploaded on Libero videos (even while a lot of people in the comments kept suggesting she upload to YouTube in order to get some non-Italian connections; well, she did upload her last video on YouTube, but I think it is just because she is going to reveal her identity soon anyway). All the friend blogs linked from her Libero blog are other Libero blogs. She invited people to chat and, guess what, yes, it was on Libero chat. Actually, before her blog I didn’t even know that Libero had blogs and videos and chats, but now a lot of people in Italy know about it. So my bet is that she is an actress, but of course I might be very wrong; well, I guess we will know in a few days. By the way, I uploaded her first video (which was only on Libero video) on YouTube: if she is real and just wants to get the word out, she will be happy about this; otherwise, if she is a commercial effort, someone will ask to remove the video from YouTube. Simple, eh?
Overall, I’m happy there is some clever marketer in Italy who is able to exploit the lonelygirl15 model; they didn’t invent it of course, but just copying it quickly enough is something I’m very happy about. In case you don’t know, lonelygirl15 is an interactive web-based video serial centering around the life of a fictional teenage girl named Bree, whose YouTube username is the eponymous “lonelygirl15”. The series is presented through short, regularly-updated video blogs posted by the fictional characters, as well as through an optional alternate reality game. lonelygirl15 came to international attention as a “real” video blogger who achieved massive popularity on YouTube, a popular video sharing website, but was eventually outed by suspicious viewers as a fictitious character played by American-New Zealand actress Jessica Rose (from the lonelygirl15 Wikipedia page). She got a lot of fame and was actually hired by the United Nations in 2006 to fight poverty through an online anti-poverty video. Rose portrayed the lonelygirl15 character as she sat by herself in her bedroom talking to the camera. The subject matter in these videos focused on antipoverty (again from Wikipedia). I’m still incredibly surprised to see the United Nations reacting so quickly to the buzz and using these not very conventional marketing strategies, though I’m not able at all to get a basic idea of their effectiveness.
Anyway, I guess we will not see Asia as a United Nations Ambassador, but still it was a clever way to get a lot of buzz around the Libero social platform.
(In case you are wondering, all my links to Libero here are vote-abstain and nofollow, so no Google juice, sorry ;-)

Links for 2007 02 16

Cool Trashware Video

Incredibly cool video about what “Free Geek” is doing. Free Geek is a Non-profit community organization providing free computers and education to those in need through the reuse and recycling of old computers.
This is what we are trying to do here in Trento as well with the “ComputeRinati” association (in Italy this activity is generally called Trashware), but hey, we are nowhere near what Free Geek is accomplishing.

Link to “Free Geek” Video
And since I’m here, Microsoft just shipped Vista, the long-awaited operating system that does nothing that was not already possible with MacOSX for some years (and actually also with GNU/Linux, with just some extra tweaking). But Vista requires a lot of RAM and resources, actually forcing a lot of people to buy a new computer and dump the old one (for example, there is a report claiming that “the system’s full range of tools would be available to less than 5 per cent of Britain’s PC market”). Don’t you think Microsoft should be held responsible for the quantity of e-waste it is causing with the release of this deadly operating system?
Follow my suggestion: take the chance to switch to GNU/Linux, Ubuntu for example. Feel free to ask me for suggestions on how to do it; there is surely a Linux User Group close to you willing to help and to share knowledge.
[via an email of Paolo Palmerini in the Trashware mailing list]

Links for 2007 02 15

Nicholas Negroponte in Udine and we will switch the light off

Nicholas Negroponte will be in Udine, Italy on February 16, 2007, the Friday after next, during the Innovaction Fair. See the complete program. He will speak from 18.30 to 19.30 (and we will switch the lights off … see below).
Yes yes, that Nicholas Negroponte! The founder and Chairman Emeritus of the Massachusetts Institute of Technology’s Media Lab. Nicholas is also the creator of the One Laptop Per Child non-profit organization, whose goal is “to provide children around the world with new opportunities to explore, experiment and express themselves”.
I’m fascinated by the challenges he, his group and everyone contributing are taking on in making the One Laptop Per Child vision a reality. The hardware, software, interface and design (yes, they chose GNU/Linux) are a challenge in themselves, but what is much, much more interesting are the social issues that will emerge when this physical item makes it into the hands of a lot of children around the world. Issues like “will it be stolen and end up on eBay?”, “is this a top-down approach, imposing on every child in the world the same mental metaphors and processes? What about cultural differences?”, “how are teachers integrated into this mass deployment, and how will each one of them in every different school of the world react?”, “wouldn’t poor countries spend their money better providing basic facilities to people, such as water, rather than shiny laptops to children?” and much more. Ethan as usual is the best at describing what we are really talking about.
Why will we switch the lights off while Nicholas is speaking? Nicholas will speak from 17.30 to 18.30 but, what a coincidence!, that day, February 16, 2007, is in Italy the “M’illumino di meno” energy saving day, and the collective visible act, besides spreading awareness, is to switch off all the not-really-necessary lights and electric appliances at 18.00. I sent an email to Caterpillar, the organizers of the “M’illumino di meno” campaign, who have a daily program on our public radio, but I have got no reply so far. My proposal was to switch off all the lights except Negroponte’s microphone for at least a few minutes at 18.00 and to broadcast what he says during that period on the radio as well. I think it would be a great message.
Let me also note that there is an ActionCamp that will develop bottom-up during the Innovaction Fair. This is just one of the many BarCamps that have been blooming in Italy in the past year.
Since I had some problems re-finding the complete program, I copied and pasted it here below so that I will find it more easily next time.

I’m still not 100% sure I’ll make it but almost. What about you? Are you coming?


Links for 2007 02 02

Links for 2007 02 01