1793 lines
74 KiB
TeX
1793 lines
74 KiB
TeX
\documentclass[pdf,red]{beamer}
|
|
\mode<presentation>{}
|
|
\usetheme{Boadilla}
|
|
|
|
\usepackage{listings}
|
|
|
|
% hide pesky navigation
|
|
\setbeamertemplate{navigation symbols}{}
|
|
|
|
%% ideas:
|
|
%% etherpad
|
|
|
|
\newwrite\lecturenotes
|
|
\openout\lecturenotes=lecture.notes
|
|
|
|
\def\hangleft#1{%
|
|
\settowidth{\dimen0}{#1}%
|
|
\hspace*{-\dimen0}%
|
|
#1%
|
|
}
|
|
|
|
|
|
\def\slide#1#2{%
|
|
\begin{frame}
|
|
\lecturestart
|
|
}
|
|
\def\endslide{%
|
|
\end{frame}
|
|
\lectureend
|
|
}
|
|
|
|
|
|
% My ties attempt to keep sentences flowing across (rendered) line breaks,
|
|
% where a brief pause when eyes scan to the beginning of the next line will
|
|
% be okay.
|
|
%
|
|
% Emphasis in these blocks might mean a number of things, such as speaking
|
|
% loudly, or inserting pauses between each word.
|
|
\def\lecturestart{%
|
|
\makeatletter
|
|
\xdef\@@lecture@notes{}
|
|
\makeatsymbol
|
|
}
|
|
\def\lecture#1{\write\lecturenotes{\unexpanded{#1}}}
|
|
|
|
\def\todo#1{#1}
|
|
|
|
|
|
%% TODO: minified code is not source code
|
|
|
|
|
|
%% preamble
|
|
\title{Restore Online Freedom!}
|
|
\author{Mike Gerwitz}
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
|
|
\lecture{I'm going to warn everyone upfront---this is a~talk about
|
|
problems. Many of them are fundamental problems that don't quite
|
|
have a~solution yet. Others are problems that you can address
|
|
immediately, both as a user and as a web developer. I hope to
|
|
provide perspective that sufficiently shocks and motivates; to
|
|
make a difference, both big and small.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Who am I?}
|
|
\lecture{So my name's Mike Gerwitz,}
|
|
|
|
\begin{itemize}
|
|
\item Long-time free software hacker and activist
|
|
\lecture{I'm a long-time free software hacker and activist}
|
|
|
|
\item GNU volunteer, software evaluator, and part of maintainers team
|
|
\lecture{and volunteer for the GNU project. I'm part of the small
|
|
team of evaluators for GNU project submissions, and I'm what
|
|
I'd called a trainee on the maintainers team.}
|
|
|
|
\item Author of GNU ease.js
|
|
\lecture{I'm also the author of GNU ease.js, a classical
|
|
object-oriented framework for JavaScript licensed under the
|
|
GNU GPLv3+.}
|
|
|
|
\lecture{I've been involved in web development to at least some capacity}
|
|
\item 10+ years of web development
|
|
\lecture{for well over ten years. But possibly \emph{just} as
|
|
importantly, I've been a \emph{user} of the web for even
|
|
longer. Now, I'm 26---I'm not part of the generation that
|
|
was swiping at newspapers when they were babies, wondering
|
|
why nothing was happening, but I did grow up with the
|
|
Internet.}
|
|
|
|
\begin{itemize}
|
|
\item<2-> The Web has \only<2>{changed}\only<3->{{\bf worsened}} a lot
|
|
in 10 years
|
|
\lecture{And as I'm sure all of you here can attest to---and I'm
|
|
really stating the obvious here---the Internet has changed a
|
|
\emph{lot} in the past ten years. In fact, it's had a
|
|
version change---the so-called ``Web 2.0''! Which, to
|
|
clarify, is just jargon; there's not actually a version
|
|
change.}
|
|
|
|
\lecture{But I suppose I could phrase this in another way: the
|
|
Internet has also \emph{worsened} a lot in the past ten
|
|
years. A version bump isn't always an upgrade.}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{``But the Web is great!''}
|
|
\lecture{``But the web is great!'', you'll hear people say.}
|
|
|
|
\begin{itemize}
|
|
\item<2-> The Web has improved \emph{technically}
|
|
\lecture{Yes, the web has improved \emph{technically}---}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Modern software on the web rivals traditional desktop
|
|
software
|
|
\end{itemize}
|
|
\lecture{you can do things on the web today that were
|
|
\emph{unfathomable} ten years ago. I don't think any
|
|
rational person who's seen the~transition over the past
|
|
ten-plus years would argue that.}
|
|
|
|
\lecture{But we're talking about \emph{freedom}.}
|
|
|
|
\item<3-> The truth is---the web has become alarmingly hostile and
|
|
freedom-denying toward users
|
|
\lecture{The web has become increasing \emph{hostile} and
|
|
freedom-denying toward its users. And that's not progress;
|
|
technical advancements are great, but \emph{not when they
|
|
deny users their freedoms}.}
|
|
|
|
\item<4-> Freedom trumps all.
|
|
\lecture{\emph{Freedom trumps all.} So we can say that, while Web~2.0
|
|
was a \emph{technical} upgrade, it has been a steadily
|
|
progressing \emph{downgrade} for users' freedoms.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{What freedoms are at stake?}
|
|
\lecture{So what freedoms are at stake? Well,}
|
|
|
|
% TODO: start at 0, skip to 4 after four freedoms
|
|
\begin{enumerate}
|
|
\item<+-> Four Freedoms;
|
|
\lecture{In most every case, the four freedoms. And as you'll see,
|
|
unlike with traditional desktop software, these aren't easy
|
|
freedoms to obtain.}
|
|
|
|
%\item Freedom to use software of your choice to view webpages;
|
|
\item<+-> Freedom of choice (interoperability);
|
|
\lecture{The freedom of \emph{choice}---that is, the freedom to use
|
|
the software of your choosing to access resources or services
|
|
online. Interoperability.}
|
|
|
|
%\item Freedom to process and adapt (within realm of Fair Use);
|
|
\item<+-> Freedom to automate and adapt (Fair Use);
|
|
\lecture{As an extension, the freedom to download resources for
|
|
indexing, scraping, offline backup, and other personal
|
|
uses. This is also essential to a number of important
|
|
activities covered under Fair Use.}
|
|
|
|
%\item Freedom to browse with relative anonymity and privacy;
|
|
\item<+-> Freedom of isolation;
|
|
\lecture{Freedom of isolation. And by isolation, I mean relative
|
|
anonymity and privacy---individual websites of the past
|
|
really didn't correlate your visits with visits on other
|
|
sites all that often, unless they were owned by the same
|
|
company.}
|
|
|
|
%\item Freedom to do your own computing;
|
|
\item<+-> Freedom to do your own computing;
|
|
\lecture{Freedom to \emph{do your own} computing, rather than having a
|
|
service do it on your behalf. Services as Software
|
|
Substitutes are particular problems.}
|
|
|
|
%\item Freedom to control your own data;
|
|
\item<+-> Freedom of ownership.
|
|
\lecture{The freedom to own and control your own data is a corollary
|
|
of the previous freedom. It's difficult to have that control
|
|
when you might not even be in possession of your data to
|
|
begin with.}
|
|
\end{enumerate}
|
|
|
|
\lecture{Now, this is not an exhaustive list; I unfortunately only have so
|
|
much time to present. But these freedoms should be sufficient to
|
|
illustrate the core issues.}
|
|
\end{frame}
|
|
|
|
|
|
\defverbatim{\gnuhost}{%
|
|
\small
|
|
\begin{verbatim}
|
|
$ host gnu.org
|
|
gnu.org has address 208.118.235.148
|
|
\end{verbatim}
|
|
}
|
|
|
|
\defverbatim{\gnurequest}{%
|
|
\small
|
|
\begin{verbatim}
|
|
$ curl -v https://gnu.org/
|
|
[...]
|
|
> GET / HTTP/1.1
|
|
> User-Agent: curl/7.35.0
|
|
> Host: gnu.org
|
|
> Accept: */*
|
|
\end{verbatim}
|
|
}
|
|
|
|
\defverbatim{\gnuresp}{%
|
|
\small
|
|
\begin{verbatim}
|
|
$ curl -v https://gnu.org/
|
|
[...some lines removed]
|
|
< HTTP/1.1 200 OK
|
|
< Date: Wed, 10 Feb 2016 19:45:21 GMT
|
|
< Server: Apache/2.4.7
|
|
< Cache-Control: max-age=0
|
|
< Expires: Wed, 10 Feb 2016 19:45:21 GMT
|
|
< Transfer-Encoding: chunked
|
|
< Content-Type: text/html
|
|
< Content-Language: en
|
|
<
|
|
{ [data not shown]}
|
|
\end{verbatim}
|
|
}
|
|
|
|
|
|
\begin{frame}[fragile]{Understanding the Web}
|
|
\lecture{Alright; so before we can really talk intelligently on these
|
|
issues, what is the Web? Quick summary:}
|
|
|
|
\begin{overlayarea}{\textwidth}{\textheight}
|
|
\begin{itemize}
|
|
\item<1-> Usually involves a web browser
|
|
\lecture{Normally when we talk about the ``Web'', as opposed to the
|
|
``Internet'' as a whole, we're referring to something that you
|
|
would access using a web browser. That web browser might be
|
|
a graphical browser like GNU IceCat, or it might be a
|
|
text-mode browser like w3m. But you don't \emph{have} to use
|
|
a web browser---you might even use \tt{wget} or \tt{curl}
|
|
directly and look at the plain text of the document, or parse
|
|
it with a script.}
|
|
|
|
\begin{enumerate}
|
|
\item <2-> User enters a URL or clicks on a link
|
|
\only<2>{\par(e.g. \url{https://gnu.org/})}
|
|
|
|
\lecture{The user first indicates the resource that they want to
|
|
``browse'' to using a URL, which stands for ``Uniform
|
|
Resource Locator''; it contains both a protocol and a
|
|
hostname. Let's take ``gnu.org'' as an example.}
|
|
|
|
\item<3-> Browser resolves domain to a host IP address (DNS lookup)
|
|
\only<3>{\gnuhost}
|
|
|
|
\lecture{The browser then resolves the domain name---\tt{gnu.org} in
|
|
this case---to the IP address of the server hosting the
|
|
resource. This is called a DNS---or ``Domain Name
|
|
Server''---lookup. The result may be one IP, or it may be
|
|
multiple. The easiest way to resolve a hostname on a
|
|
GNU/Linux system without worrying about what a DNS record
|
|
is, is to use the \tt{host} command. In the case of
|
|
\tt{gnu.org}, it resolves to a single IP address.}
|
|
|
|
\item<4-> For HTTP(S), brower sends HTTP request to host on port
|
|
80/443
|
|
\only<4>{\gnurequest}
|
|
\lecture{I mentioned a protocol. The beginning of the URL is
|
|
usually HTTP or HTTPS; we don't care about others for this
|
|
talk. The former transfers data in plaintext whereas the
|
|
later is encrypted using SSL. The browser sends an HTTP
|
|
request to the host requesting the resource.}
|
|
|
|
\item<5-> Server responds with resource
|
|
\only<5>{\gnuresp}
|
|
\lecture{The server responds. That response might be affirmative,
|
|
it might be an error, it might be garbage; let's assume
|
|
that it was a successful response.}
|
|
|
|
\item<6-> Browser recursively loads all resources referenced by
|
|
webpage
|
|
\begin{itemize}
|
|
\item<6-> Stylesheets, Images, Scripts, etc.
|
|
\end{itemize}
|
|
\only<6>{\includegraphics[width=\textwidth]{images/gnu-resources.png}}
|
|
\lecture{This is the meat of the talk. The browser then recursively
|
|
processes all resources referenced by \emph{that}
|
|
resource. Most often, these include images, stylesheets,
|
|
and scripts.}
|
|
\end{enumerate}
|
|
|
|
\item<7-> Distributed network (``web'') of computers
|
|
\lecture{So fundamentally, the web is a distributed network of
|
|
computers that serve resources. Resources can be anything
|
|
from your conventional web page, to a program that runs in
|
|
your browser, to a live video stream of this talk.}
|
|
\end{itemize}
|
|
\end{overlayarea}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Interoperability}
|
|
\begin{itemize}
|
|
\item<1-> Fundamental building blocks are standardized (W3C)
|
|
\lecture{So the Web is composed of many different
|
|
things. Technically, you can include anything on the
|
|
Web---certain formats will just invoke external programs or
|
|
trigger a download. But as far as web pages go, they
|
|
traditionally consist of HTML}
|
|
\begin{itemize}
|
|
\item<+-> HTML---Describes the document
|
|
\lecture{which describes the~document, and CSS}
|
|
|
|
\item<+-> CSS---Describes the document style (appearance)
|
|
\lecture{which describes the~document \emph{style}---how it looks,
|
|
what font to render in, the background color, et cetera.}
|
|
|
|
\lecture{Those documents can contain more than just text---there
|
|
is support for media as well, like images and embedded
|
|
video. Users can submit information by entering data in
|
|
form fields. Most of that falls under the HTML spec.}
|
|
|
|
\item<+-> HTTP---Communication protocol
|
|
\lecture{All of this communication is done using the HTTP
|
|
protocol, which defines how the server and client
|
|
communicate.}
|
|
\lecture{Back in the day, most every reaction to user input
|
|
involved loading a new webpage. You're seeing less and
|
|
less of that today---many web pages look and behave more
|
|
like \emph{software} than documents.}
|
|
|
|
\item<+-> JavaScript---Embed programs in web browser
|
|
\lecture{The standard way to do this today is with a language
|
|
called JavaScript.}
|
|
\end{itemize}
|
|
|
|
\item<5-> Variety of programs and standard tools can communicate with
|
|
webservers and read documents
|
|
\lecture{Given these standards for representing documents, styles,
|
|
media, etc---you're free to use whatever software you choose!
|
|
Everything is interoperable, on both the server and the
|
|
client. And this is incredibly important for user freedom,
|
|
and for free software.}
|
|
|
|
\item<6-> Threatened in the past: Java applets, ActiveX, Flash,
|
|
Silverlight, and other proprietary/non-standard software
|
|
\lecture{That interoperability has been threatened in the past by
|
|
other proprietary systems for embedding software in the
|
|
browser. The most popular ones include Java applets,
|
|
ActiveX, Flash, and Silverlight. Those were dark ages.}
|
|
\lecture{We do in fact have another looming threat---the Encrypted
|
|
Media Extensions proposal being considered by the W3C which
|
|
would effectively introduce DRM as a \emph{standard} for the
|
|
Web. We must oppose it, and I encourage you to join us
|
|
in protest just across the street tonight at 8:00.}
|
|
|
|
\item<7-> Now the greatest threat is JavaScript
|
|
\lecture{But an \emph{existing} standard is now our greatest
|
|
threat. JavaScript.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{What is JavaScript?}
|
|
\lecture{So what is \emph{JavaScript}?}
|
|
|
|
\begin{itemize}
|
|
\item<2-> ECMAScript (Standard: ECMA-262; ISO/IEC 16262)
|
|
\lecture{Formally, it's ECMAScript, which is the standard defining the
|
|
language. Browsers tend to incorporate their own
|
|
features---some of which are subsequently incorporated into
|
|
the spec---so when we refer to ECMAScript, we're talking
|
|
about a core standard that all browsers implementing that
|
|
particular version should support. There are other
|
|
implementations of ECMAScript, like JScript and ActionScript,
|
|
but they're used almost exclusively in proprietary
|
|
environments, and you should not use them unless you have a
|
|
way of running that code on a fully Free operating system.}
|
|
|
|
\item<3-> Traditionally: Browser-based, client-side scripting language
|
|
\lecture{JavaScript started out in the web browser, specifically
|
|
Netscape. It was written in 1995 with the goal of offering
|
|
something that was easier for non-programmers to write than
|
|
Java Applets. The name JavaScript has nothing to do with
|
|
Java the language.}
|
|
|
|
\item<4-> Today: General-purpose programming language
|
|
\lecture{But today is has evolved into a popular general-purpose
|
|
scripting language, used on both the client and the
|
|
server. It's worth noting that JavaScript has been used on
|
|
the server for pretty much as long as it has
|
|
existed---Netscape used it on the server back in 1995.}
|
|
|
|
\begin{itemize}
|
|
\item<5-> Heavily popularized by Node.js
|
|
\lecture{But it wasn't until Node.js that it exploded in
|
|
popularity, and is often times even \emph{preferable} by
|
|
some to other languages on the server. I'm not getting
|
|
into \emph{that} debate today.}
|
|
\end{itemize}
|
|
|
|
\item<6-> ``Assembly language'' of the web
|
|
\lecture{It's often called the ``assembly language'' of the web,
|
|
because there are dozens of languages that compile into
|
|
it---if you want code running in the browser, the standard
|
|
way to do it is by using JavaScript.}
|
|
\begin{itemize}
|
|
\item<7-> Soon: WebAssembly (WebASM)
|
|
\lecture{But there are properties of the language that don't make
|
|
ideal for being the compiler target for all things on the
|
|
web. One popular method is a subset of JavaScript called
|
|
asm.js that is more effectively optimized. But now we
|
|
have a low-level language on the horizon called
|
|
WebAssembly, which is intended as a compiler target for
|
|
C/C++ code. So expect these issues I'm about to describe
|
|
to only propagate further in the future as it becomes
|
|
more and more trivial to write software for the web.}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The Illusion of Remote Execution}
|
|
\lecture{Perhaps one of the greatest dangers of software on the Web is the
|
|
illusion of remote execution---}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Looks like the web page is manipulating itself
|
|
\begin{itemize}
|
|
\item<2-> Many consider the web page as a remote resource, not a local
|
|
copy of that resource
|
|
\end{itemize}
|
|
\lecture{the illusion that, because the program is manipulating and
|
|
appears to be a part of the web page, it must be executing
|
|
in a magical remote place.}
|
|
|
|
\item<3-> JavaScript programs run \emph{on the client}
|
|
\lecture{But it's not. JavaScript programs are executed \emph{on your
|
|
computer, by your web browser}: the program is downloaded
|
|
just like any other resource and interpreted by a JavaScript
|
|
engine in your browser.}
|
|
|
|
\item<4-> Illusion inhibits consideration of freedoms
|
|
\lecture{This is an important distinction, because we can't begin to
|
|
consider how to exercise our four freedoms if we can't even
|
|
get around to the fact that the program is actually running
|
|
on our computer.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[plain]{}
|
|
\begin{center}
|
|
\center\includegraphics[width=0.9\textwidth]{images/you-win.png}
|
|
|
|
Would you run some random website's program on your computer?
|
|
\end{center}
|
|
|
|
\lecture{(Read slide)}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[plain,c]{}
|
|
\lecture{Well, you do.}
|
|
|
|
\begin{center}
|
|
Well, you do.
|
|
\end{center}
|
|
|
|
\lecture{If only our web browser gave us a warning like that. But
|
|
instead, it's silent. And this is more dangerous than a phishing
|
|
attack---because at least when the user is presented with
|
|
\emph{this} (return to previous slide), they have a \emph{chance}
|
|
to be suspicious.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Covert Ephemeral Software}
|
|
\begin{itemize}
|
|
\item Browser downloads and executes arbitrary, often non-free software
|
|
\begin{itemize}
|
|
\item (Automatically clicks the download button for you!)
|
|
\end{itemize}
|
|
|
|
\lecture{But no---our web browsers are being stupid on our behalf!}
|
|
|
|
\item Most users have no idea this is happening
|
|
\lecture{And most users---even many technical ones---really don't have
|
|
any idea that this is happening. Because they don't think
|
|
about it like that.}
|
|
|
|
\begin{itemize}
|
|
\item And if they did, would they know to care?
|
|
\lecture{But let's say they did; would they even
|
|
\emph{know} to care? You can be taught to be suspicious
|
|
of sites advertising awards and such, but when a site
|
|
offers no indication at all, then what exactly do you
|
|
teach? What do you tell them to be suspicious of?
|
|
Instead, it's just a website.}
|
|
|
|
\item Most who \emph{do} know don't care.
|
|
\lecture{But then there are those who are well aware of what is
|
|
going on. Many of those are web developers---the same
|
|
people that \emph{write} this covert software. And
|
|
surprisingly, at least from my experience, most of them
|
|
don't care. Many instead take the stance that JavaScript
|
|
is an essential component of the modern web and it would
|
|
be silly to consider disabling it and quote-unquote
|
|
``break'' websites.}
|
|
\end{itemize}
|
|
|
|
\item Ephemeral software
|
|
\lecture{And then at the end the software disappears, leaving no
|
|
trace except for some persistent data storage. A browser
|
|
doesn't list all the scripts that it executes as
|
|
``installed software'' like it would an addon. Users won't
|
|
know that they were running software.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]{Just Say ``Yes!''}
|
|
\lecture{So if we adopt the philosophy of those who really don't care,
|
|
then life becomes a hell of a lot easier. Just saying ``yes''
|
|
all the time is much less confrontational; especially when
|
|
your web browser is doing it for you. And this makes a lot of
|
|
people pretty excited! Like...}
|
|
|
|
\begin{center}
|
|
\only<+>{Advertisers}
|
|
\lecture{Advertisers! You say ``yes!'' to their spyware that tracks
|
|
and analyzes you.}
|
|
|
|
\only<+>{Crackers \& Script Kiddies}
|
|
\lecture{Crackers and script kiddies love you too. You happily say
|
|
``yes!'' to their payloads.}
|
|
|
|
\only<+>{Governments (also Crackers \& Script Kiddies)}
|
|
\lecture{Governments! Also crackers and script kiddies. They like to
|
|
broadly distribute exploits in the hope of maybe catching a
|
|
criminal. One such exploit was a 0-day used by the FBI to
|
|
deanonymize Tor users, guilty or not.}
|
|
|
|
\only<+>{ISPs (Like Comcast)}
|
|
\lecture{And what about the entity you depend on the most for your
|
|
communications online? In November of last year it was
|
|
discovered that Comcast was MITM'ing customers to inject
|
|
JavaScript into non-SSL webpages to inform customers of
|
|
copyright violations. Oh yes.}
|
|
|
|
\only<+>{People who want to show off their cool stuff}
|
|
\lecture{There are certainly other malicious actors, but not everyone
|
|
has bad intentions---you also have hackers that just want to
|
|
show you their cool new programs. And some of those are also
|
|
the ones that find it silly to disable JavaScript---how else
|
|
would you be able to witness their hard work?}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]{Just Say ``Yes!''...and ``Yes!'' and ``Yes!'' and ``Yes!''...}
|
|
\begin{itemize}
|
|
\item<+-> Everyone expects their code to run, always, or there's
|
|
something wrong with your browser
|
|
|
|
\lecture{So if your browser doesn't default to saying ``yes'' to
|
|
untrusted, random, freedom-denying, possibly malicious
|
|
programs, then your browser is broken. This is in fact a big
|
|
deterrent for common-sense freedom and security practices: the
|
|
Tor Browser Bundle, for example---although it comes with
|
|
NoScript installed---does not block any websites by default,
|
|
even though it would make its users safer. No, that would
|
|
``break'' websites.}
|
|
|
|
\item<+-> But most browsers today give you a binary choice:
|
|
\lecture{But let's say you are one of those people who might be a
|
|
little uncomfortable with this situation, and want to do
|
|
something about it. Well, with most browsers, what are your
|
|
options?}
|
|
|
|
\begin{enumerate}[<+->]
|
|
\item No---disable JavaScript
|
|
\lecture{You could disable JavaScript completely. But there might
|
|
be \emph{some} things that you'd like to run.}
|
|
|
|
\item Yes---run everything!
|
|
\lecture{Or you could run everything! Good choices here. These
|
|
are clearly not choices that taken into consideration
|
|
these issues.}
|
|
\end{enumerate}
|
|
|
|
\lecture{Now, many people will simply say, ``Well, I trust the sites I
|
|
visit.''}
|
|
\item<+-> You aren't just running that site's JavaScript
|
|
\lecture{But it's very important to understand that you aren't just
|
|
running the programs for that website. That website might
|
|
also include code from other servers---like CDNs. It might
|
|
inject other code like the Google Analytics spyware. And
|
|
what if the site is compromised, or susceptible to a XSS
|
|
attack, and an attacker loads additional scripts?}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{How Do We Install Software (Usually)?}
|
|
\lecture{If all of this seems awkward to consider, that's because it
|
|
is. Let's go back to the desktop for a bit; now that we're
|
|
thinking in terms of programs running on our computer, how do we
|
|
normally install software?}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Explicitly.
|
|
\lecture{Explicitly. You indicate that you want some program foo and
|
|
you make it so. Unless you use a backdoored operating system
|
|
like Windows, OSX, iOS, or others---they tend to install
|
|
things for you.}
|
|
|
|
\begin{itemize}
|
|
\item<3-> GNU/Linux---Usually through a package manager
|
|
\lecture{On a GNU/Linux operating system, you usually install
|
|
software through that distro's package manager. GNU Guix
|
|
is a pretty good one to try.}
|
|
|
|
\item<4-> Source distribution (tarballs/etc)
|
|
\lecture{You might compile from source. That's even more of an
|
|
explicit process.}
|
|
|
|
\item<5-> Binaries (especially on proprietary operating systems)
|
|
\lecture{And, as is usually necessary on proprietary operating
|
|
systems, there are binaries. They might be downloaded from
|
|
a website or a walled weed garden,}
|
|
\end{itemize}
|
|
|
|
\item<6-> There is a conscious effort made by the user
|
|
\lecture{but it's generally a conscious operation all the same. Even
|
|
users of proprietary operating systems don't like when things
|
|
appear on their computer without having been requested.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Software Signing}
|
|
\lecture{We also have certain other guarantees. Or attempts, at least.}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Any package manager worth using will verify signatures of
|
|
package
|
|
maintainers
|
|
\lecture{If you're using a package manager that doesn't verify a
|
|
cryptographic signature of the package, then you should
|
|
consider another package manager. Many package managers
|
|
provide---with some caveats---assurances that the package you
|
|
received is actually the package that the author or
|
|
maintainer intended for you to receive. I'm not getting into
|
|
those caveats here.}
|
|
|
|
\item<+-> GNU projects also distribute detached signatures for manual
|
|
verification
|
|
\lecture{In the case of source distributions, detached signatures are
|
|
often used. You'll see this with GNU programs, for
|
|
example---if you download a program from ftp.gnu.org, you'll
|
|
also find a corresponding signature file, and you should use
|
|
GPG to verify that your download is what the author
|
|
actually signed.}
|
|
|
|
%% TODO: either come up with a plan or delete this
|
|
\item<+-> No such thing exists for the Web
|
|
\lecture{...We don't have this type of thing for the web.}
|
|
|
|
\item<+-> We need a web of trust (e.g. PGP)---decentralized
|
|
\begin{itemize}
|
|
\item<+-> What not to do: Firefox refuses to install/run addons that
|
|
are not signed by Mozilla
|
|
\item<+-> No ``walled gardens''
|
|
\end{itemize}
|
|
\end{itemize}
|
|
|
|
\lecture{But what does the absence of user control mean?}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
Everyone is flocking to the web
|
|
\end{center}
|
|
|
|
\lecture{Everyone is flocking to the web. And a major reason is because
|
|
of the convenience that is provided by transferring even more
|
|
control away from the user to the authors and distributors.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Effortless Distribution}
|
|
\lecture{This convenience provides a distribution model that is
|
|
exploitative, and highly alluring to many. Two things that go
|
|
great in the same sentence.}
|
|
|
|
\begin{itemize}[<+->]
|
|
\item Software is downloaded \emph{automatically}---guaranteed!
|
|
\lecture{So, when you visit a website---as we've already
|
|
discussed---your browser just starts saying ``Yes!'' to
|
|
software. So, for the majority of your users, it's
|
|
essentially guaranteed that your software will be downloaded
|
|
and executed, and it will be done so immediately. If not,
|
|
their browser is broken, right? Right.}
|
|
|
|
%% Shackle as a Service
|
|
\item It's so easy for you---just click here!
|
|
\lecture{Baiting the user into downloading that software is also a
|
|
trivial task---there's no trying to trick the user into
|
|
downloading and invoking an executable. Just provide the
|
|
user with a link, and their freedoms are automatically
|
|
robbed.}
|
|
|
|
\item Cross-\{device,platform\}!
|
|
\lecture{In the modern web, platform or operating system isn't a
|
|
border---you can rob someone of their freedoms anywhere, any
|
|
time, whether they're on a mobile device, their home
|
|
computer, or their refrigerator.}
|
|
|
|
\item Automatic updates! We know best! (Ephemeral software)
|
|
\lecture{And let's not worry about those pesky users who decide to
|
|
exercise their freedom to decide what software they want to
|
|
run. Just overwrite their software for them, at any
|
|
time. Updates are automatic, and the user has no
|
|
choice.}
|
|
\begin{itemize}
|
|
\item Your browser is effectively a backdoor
|
|
\lecture{You might hear from security experts that most
|
|
computers have a backdoor---software updates. Well, in
|
|
this case, the backdoor is the front door. You have no
|
|
option. There \emph{is no} separate installation and
|
|
update---they're one and the same. As I mentioned, we
|
|
can say that the software is ephemeral---it exists as
|
|
long as you're on the website, and then disappears until
|
|
you next load it again.}
|
|
\end{itemize}
|
|
|
|
\item We control your data (SaaSS)!
|
|
\lecture{But that's not enough. How can we remove every atom of
|
|
freedom that the user has? Ah, let's also hold their data
|
|
hostage, and control what they can and cannot do with it!}
|
|
|
|
\item So easy to spy on you!
|
|
\lecture{And what's a magnificent consequence of all of this? We get
|
|
to spy on you for free! It's part of the package! We know
|
|
exactly what you are doing, when your are doing it, how you
|
|
are doing it, and anything in-between. This is too good to
|
|
be true!}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\only<1>{We can finally get rid of that pesky little bit of control you
|
|
had left over your physical computing!}
|
|
|
|
\lecture{Greedy, malicious software developers and distributors have
|
|
been searching long and hard for ways to prevent users from
|
|
even studying the binaries, letalone source code. They've
|
|
pursued draconian technical and legal measures like DRM and the
|
|
DMCA out of desperation.}
|
|
|
|
\only<2>{SaaS---Shackles as a Service}
|
|
\lecture{But as it happens, the answer fell right into their
|
|
laps---``Shackles as a Service''. We're at the point today
|
|
where the next step to strip all power from the user is to
|
|
remotely render the program and stream images. And
|
|
unfortunately, such a thing already exists! It's called
|
|
``cloud gaming'', or Gaming as a Service. Hold the fart
|
|
jokes. These services remotely render games and stream them
|
|
to the user. All user input is sent to the service. The
|
|
next logical step after that is then licensing eyeball or
|
|
brain implants so that the user can't record or manipulate
|
|
the image on her screen! Vision as a Service, perhaps.}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The Web Is Easy}
|
|
\lecture{Let's explore another aspect of why the Web is so appealing for
|
|
software developers.}
|
|
|
|
%% TODO: let's emphasize the benefits a bit more
|
|
\begin{itemize}[<+->]
|
|
\item Low Barrier To Entry
|
|
\lecture{Most everyone has a web browser. Everything rendered in that
|
|
browser uses standardized document and styling formats---HTML
|
|
and CSS---which have been used for decades to represent
|
|
documents. This retrofitting of sorts makes it easy to
|
|
inspect programs' UIs and play with them. Every modern
|
|
browser comes with debugging tools for inspecting the DOM and
|
|
running scripts, for monitoring and inspecting network
|
|
traffic, for debugging scripts. This is \emph{great} for a
|
|
free Web---it encourages studying and tinkering. So
|
|
interested users can easily tweak the page, or type some
|
|
scripts in the browser's console to see what happens. And
|
|
when they start writing software, they can see it in the
|
|
familiar environment that is their web browser. There's not
|
|
much that is alien to them; if you introduce someone to shell
|
|
scripting, C, Perl, Python, etc, they're diving into a world
|
|
that is entirely hidden from their perspective as a
|
|
\emph{user} of software.}
|
|
|
|
\item Huge number of libraries and tools for web development
|
|
\lecture{Now, the leap from a document format to a program can be a
|
|
bit daunting. But, because of all the reasons I mentioned,
|
|
the number of libraries focused on web development is growing
|
|
at an \emph{unbelievable} rate. You can have working
|
|
software running on most every modern operating systems
|
|
quickly and easily, and not even have to worry about how
|
|
you're going to package and distribute it! And most of these
|
|
popular libraries are free software. The most daunting task
|
|
for new web developers is often what library to pick.}
|
|
|
|
\item Even desktop software using web libraries
|
|
\lecture{And then we have software like Node.js that allows running
|
|
code written for the web directly, without a web browser. So
|
|
it often makes sense to write software in JavaScript or a
|
|
language that compiles into it, because then you can share
|
|
code between the server and client. It makes sense to write
|
|
your UI using HTML and CSS, because you can execute the
|
|
program in a way that it doesn't look like a website;
|
|
Chromium, for example, has a ``app'' mode that makes the
|
|
loaded page look like a normal program. And then you have
|
|
those that only really know web development, but are now able
|
|
to take that knowledge and apply it directly to the server or
|
|
the desktop.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\only<1>{This is great for software freedom.}
|
|
\lecture{All of this is great for software freedom---you have all of
|
|
these libraries that make it \emph{easy} to develop free
|
|
software!}
|
|
|
|
\only<2>{But we have a problem.}
|
|
\lecture{...but we have a problem. Well, another in the \emph{web} of
|
|
problems, I suppose.}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Effortless \emph{Proprietary} Software}
|
|
\lecture{While it's making software easy for the good guys, it's also
|
|
making it easy for the bad guys! And there's an explanation for
|
|
that.}
|
|
|
|
\begin{itemize}[<+->]
|
|
\item We have a licensing problem.
|
|
\lecture{What we have is a licensing problem! We have a \emph{lot} of
|
|
free software,}
|
|
|
|
\item Permissive licensing \emph{enables} proprietary software
|
|
\lecture{but most of it is licensed under a permissive license---the
|
|
most popular being the MIT~Expat license, which allows for
|
|
non-free derivatives. What this means is that proprietary
|
|
software authors have a relatively easy time developing
|
|
software that denies users their freedoms. Writing software
|
|
is expensive---it takes time, and time is money in
|
|
business. Any time that can be saved using these wonderful
|
|
free software libraries is money that they can divert toward
|
|
adding attractive features, releasing early, and implementing
|
|
ways to screw over the user.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Philosophy/Culture Problem}
|
|
\lecture{The predominant underlying reason of the licensing problem is a
|
|
philosophical and cultural one.}
|
|
|
|
\begin{itemize}
|
|
\item<2-> ``Open source almost everything''---Tom Preston-Werner
|
|
\lecture{If you've listened to any in-depth criticism about licensing
|
|
practices of the modern web development community, then
|
|
you've probably heard of Tom Preston-Werner's post entitled
|
|
``Open source almost everything''. It has some startling
|
|
statements that illustrate the mindset of the larger web
|
|
development community, and the open source community in
|
|
general. Let's take a look at a few. Now, just a warning,
|
|
some of what you are about to see may shock and confuse
|
|
you. Viewer discretion is advised.}
|
|
\end{itemize}
|
|
|
|
\only<3>{
|
|
\begin{quote}
|
|
\hangleft{``}If you do it right, open sourcing code is \textbf{great
|
|
advertising} for you and your company. [...] we like to talk publicly
|
|
about libraries and systems we've written that are still closed but
|
|
destined to become open source. [...] It helps determine what to open
|
|
source [...]. We recently open sourced [...] our chat bot
|
|
[...]. Within two days it had 500 watchers on GitHub and 409 upvotes
|
|
on Hacker News. This translates into goodwill for GitHub and more
|
|
superfans than ever before.'' (Emphasis \emph{not} mine.)
|
|
\end{quote}
|
|
\lecture{This is an excellent example of why we should reject ``open
|
|
source''---as a development methodology, it ignores users' freedoms
|
|
entirely. While we're talking about users' freedoms, Tom's talking
|
|
about liberating code for advertising and building suspense over a
|
|
project to produce ``superfans''. And he determines what to liberate
|
|
based on input from that suspense. Not because it's the ethical thing
|
|
to do.}
|
|
}
|
|
|
|
\only<4>{
|
|
\begin{quote}
|
|
\hangleft{``}If your code is popular enough to attract outside
|
|
contributions, you will have created a \textbf{force multiplier} that
|
|
helps you get more work done faster and cheaper.'' (Emphasis
|
|
\emph{not} mine.)
|
|
\end{quote}
|
|
\lecture{Free labor; that's what Tom sees. They can focus on all the
|
|
proprietary goodies that provide business value while the
|
|
community writes the rest of the software for them.}
|
|
}
|
|
|
|
\only<5>{
|
|
\begin{quote}
|
|
\hangleft{``}When you open source useful code, you \textbf{attract
|
|
talent}. Every time a talented developer cracks open the code to one
|
|
of your projects, you win.'' (Emphasis \emph{not} mine.)
|
|
\end{quote}
|
|
\lecture{In other words---liberated code is used in a predatory manner
|
|
to lure free software hackers into a position of developing
|
|
proprietary software.}
|
|
}
|
|
|
|
\only<6>{
|
|
\begin{quote}
|
|
\hangleft{``}Ok, then what shouldn't I open source? That's
|
|
easy. Don't open source anything that represents core business
|
|
value.''
|
|
\end{quote}
|
|
\lecture{But what about the stuff that is truly innovative and valuable
|
|
enough that you consider it a core part of your business? The
|
|
stuff that you think is the most valuable to you? The stuff
|
|
that the free software community needs to compete with this
|
|
ever-growing proprietary world? You hide it. And you suggest
|
|
that others do the same.}
|
|
}
|
|
|
|
\lecture{Alright, now this last quote blows my mind.}
|
|
|
|
\only<7>{
|
|
\begin{quote}
|
|
\hangleft{``}Lastly, \textbf{it's the right thing to do}. It's almost
|
|
impossible to do anything these days without directly or indirectly
|
|
executing huge amounts of open source code. If you use the internet,
|
|
you're using open source. That code represents millions of man-hours
|
|
of time that has been spent and then given away so that everyone may
|
|
benefit. We all enjoy the benefits of open source software, and I
|
|
believe we are all morally obligated to give back to that community.''
|
|
(Emphasis \emph{not} mine.)
|
|
\end{quote}
|
|
}
|
|
|
|
\lecture{What!? We are all \emph{``morally obligated''}, he says. This
|
|
is baffling. He recognizes how much he benefits from the free
|
|
software community after talking about how to exploit it and
|
|
contribute back only what might benefit their business by
|
|
attracting free labor and good talent. To quote Bradley~Kuhn
|
|
from one of his talks, this is incredibly self-serving.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The Web Scene}
|
|
\lecture{Tom's philosophy is pervasive throughout the modern web
|
|
development community. And if we look at the composition, we can
|
|
see why:}
|
|
|
|
\begin{itemize}
|
|
\item<2-5> Contributions by large corporations (e.g. Google, Facebook,
|
|
Twitter, GitHub)
|
|
%% TODO: Examples
|
|
\lecture{It's no question that life today is largely online, and there
|
|
are many major corporations that play a big role in
|
|
that. Many of the popular free libraries for the web are
|
|
written by those corporations and used within their own
|
|
proprietary software as well.}
|
|
|
|
\item<3-5> Startups (e.g. YCombinator-funded)
|
|
\lecture{Most new software startups today are going to have some sort
|
|
of online component---if even just for the social
|
|
aspect. But as has already been discussed, the web is an
|
|
attractive platform, and an easy way to create vendor
|
|
lock-in---something that many misguided startups will
|
|
consider to be a very important thing for their long-term
|
|
success. For this to happen---for these young startups to be
|
|
able to get software out cheaply and quickly with limited
|
|
resources---they need free software. So there is immense
|
|
community pressure to create permissively licensed software;
|
|
it's more difficult to distribute proprietary software for
|
|
the web when the client libraries carry a copyleft.}
|
|
|
|
\item<4-5> New programmers, new culture
|
|
\lecture{And speaking of that community pressure---the web development
|
|
community is home to many new or inexperienced
|
|
programmers. Those programmers are immersed in a culture that
|
|
talks about ``rockstar'' and ``10x'' programmers; about
|
|
``brogrammers'' and ``hipster'' languages---these are very
|
|
different terms than hackers are used to, and highlight very
|
|
different concepts. Importantly, they focus on
|
|
\emph{methodology}---performance, producing something that is
|
|
cool and will be accepted by your peers. This is not a focus
|
|
on freedom at all. ``Copyleft'' is a dirty word: if you want
|
|
to be accepted by your peers---\emph{especially} in the
|
|
startup community, which you might want to be a part of
|
|
yourself---you'd better license your libraries
|
|
permissively. If you don't, someone's going to ask you to
|
|
relicense so that they can use it in their own proprietary
|
|
software, and lecture you on how copyleft restricts their
|
|
freedom as a developer. But that's assuming that you've even
|
|
been introduced to the concept of copyleft to begin
|
|
with. And besides, all your friends are doing it, and
|
|
they're all 10x rockstars!}
|
|
|
|
\item<5> Peer pressure
|
|
\lecture{So there is immense peer pressure---pressure to ignore
|
|
talking about the awkward politics and philosophy of freedom
|
|
entirely and just stick to the brogramming, man.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
Unconscious propagation and consciously manipulative leaders
|
|
\lecture{Anti-copyleft activists have the benefit of being able to
|
|
focus on the practical arguments---which are easy---and
|
|
avoiding or even trying to degrade philosophical
|
|
arguments---which are hard, because they involve
|
|
confrontation. It's therefore trivial to push ``open
|
|
source'' and permissive licensing with the end goal of
|
|
fighting copyleft, without actually bringing up the issue
|
|
most of the time, thereby creating a large community that
|
|
works against copyleft without actually \emph{thinking} about
|
|
copyleft. This is very dangerous. As I know many others
|
|
here have witnessed when trying to defend copyleft, it can be
|
|
very hard to explain these issues to someone who isn't aware
|
|
that issues even exist. It's an army of ignorance; an army
|
|
of non-enemies that we can't just tear down, because they
|
|
might not know better, and we'd do best to try to convince
|
|
them that their freedoms are important, and that users'
|
|
freedoms are too. And when we go after the leaders---the
|
|
mentors---the army swarms to their defense.}
|
|
\end{center}
|
|
|
|
\lecture{Well, having spoken of Bradley Kuhn: as of last month, we even
|
|
have a term describing broad issue. And, no, it's not a hipster
|
|
word.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\lecture{Kuhn's paradox!}
|
|
|
|
\begin{center}
|
|
Kuhn's Paradox
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Kuhn's Paradox}
|
|
\begin{quote}
|
|
\hangleft{``}For some time now, this paradoxical principle appears to
|
|
hold: each day, more lines of freely licensed code exist than ever
|
|
before in human history; yet, it also becomes increasingly more
|
|
difficult each day for users to successfully avoid proprietary software
|
|
while completing their necessary work on a computer.''
|
|
\end{quote}
|
|
|
|
\lecture{(Read Kuhn's Paradox)}
|
|
|
|
\lecture{Bradley Kuhn has talked a lot about some of these issues---and I
|
|
thank him for doing so. I didn't see his talks
|
|
until---coincidentally---after I started preparing \emph{this}
|
|
talk, and I was pleasantly surprised to hear him discussing many
|
|
of these same issues. I recommend his talks.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Culture of ``Open Source''}
|
|
\begin{itemize}
|
|
\item<1-> The licensing problem is a cultural problem
|
|
\lecture{This is the culture of ``Open Source''. And this is not
|
|
intended as an insult toward that community---it's simply a
|
|
truth that the ``Open Source'' movement was created to avoid
|
|
talking about freedom.}
|
|
|
|
\item ``Open Source'' devalues freedom
|
|
\lecture{And by avoiding that discussion, it devalues it. If we were
|
|
talking about freedom, then these issues get raised and
|
|
considered more frequently.}
|
|
|
|
\begin{itemize}
|
|
\item When freedom is inessential, proprietary ``features'' or
|
|
derivatives aren't bad
|
|
\lecture{So when freedom isn't valued, then these extra
|
|
proprietary features or derivatives on top of all the
|
|
excellent free software and libraries isn't seen as a bad
|
|
thing.}
|
|
|
|
\item ``Open Core'' (Microsoft)
|
|
\lecture{And this model of having a free base with proprietary
|
|
extensions is often called ``Open Core'', coined by
|
|
Microsoft. We thought ``Open Source'' was dangerous---this
|
|
``Open Core'' philosophy not only devlaues freedom, but it
|
|
deligitimizes it through some twisted logic!}
|
|
\end{itemize}
|
|
|
|
\item I'll take my Web partially free, hold the free
|
|
\lecture{The ``open core'' it describes doesn't exist for freedom---it
|
|
exists for the benefits of the ``Open Source'' development
|
|
model.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
Partial freedom isn't freedom!
|
|
\end{center}
|
|
|
|
\lecture{But partial freedom isn't freedom! It doesn't matter if
|
|
\emph{part} of your software is free---if even a byte of it robs
|
|
me of any of my four freedoms, then I can't ethically use it! I
|
|
would have to concede that your website is worth surrendering my
|
|
freedoms for. It's probably not.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{No Such Thing As Neutral On Freedom}
|
|
\begin{itemize}
|
|
\item Permissive (pushover) licenses are thought to appease multiple
|
|
parties
|
|
\lecture{Now remember---''Open Source'' was created to eliminate the
|
|
discussion of freedom. Freedom can be an uncomfortable
|
|
topic, because it's philosophical. And it's heavily
|
|
controversial; some people don't believe in users'
|
|
freedoms. Imagine that. This makes for uncomfortable
|
|
conversation that most people want to avoid. So they might
|
|
try to remain neutral by using pushover licenses, and appease
|
|
to every group:}
|
|
|
|
\begin{itemize}
|
|
\item<2-> Free software supporters
|
|
\item<3-> Copyleft haters
|
|
\item<4-> Businesses
|
|
\item<5-> People who really don't know/care
|
|
\end{itemize}
|
|
|
|
\item<6-> But there's no such thing as neutrality!
|
|
\lecture{But that is a flawed reasoning. Because when you try to
|
|
remain neutral on an important topic, you are remaining
|
|
neutral on both the good and the bad. Remaining neutral on
|
|
the topic of freedom is like standing on the sidewalk
|
|
watching someone being harassed, bullied, beaten. And rather
|
|
than step in, you just walk away. Maybe peek back. Because
|
|
if you were to step in to stop the bullying, then you'd piss
|
|
off the bullies, and you'd be a target. But if you stepped
|
|
in and bullied yourself, then you'd be called a bully! So
|
|
what's the end result?}
|
|
|
|
\item<7-> Neutral on freedom $\equiv$ allowing erosion of freedoms
|
|
\lecture{You let the bullies take over---they already have the upper
|
|
hand, and they'll continue to exert their power as long as it
|
|
benefits them.}
|
|
|
|
\item<8-> Copyleft is \emph{essential} for a free Web
|
|
\lecture{Standing up to the bullies means \emph{fighting} for freedom,
|
|
not just talking about it. If you are writing software, that
|
|
means using copyleft by means of a license like the
|
|
AGPL. Otherwise, you're standing on the sidelines watching
|
|
every user of the web being bullied.}
|
|
|
|
\begin{itemize}
|
|
\item<9-> If you use pushover licenses, you're helping to push over
|
|
everyone else (but perhaps not intentionally)
|
|
\lecture{Or worse---if you write a library that uses a pushover
|
|
license, then you're not just watching: you're giving
|
|
\emph{power} to the bullies. What would they do without
|
|
the tools you provide them? Well, they'd have to make
|
|
their own. Or maybe they'd see that you demand freedom,
|
|
and consider that maybe those they are bullying do
|
|
actually deserve some respect.}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
%% TODO: move to end?
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
If you value freedom,
|
|
\only<1>{talk about Free Software!}%
|
|
\only<2>{choose copyleft!}
|
|
\lecture{If you value freedom, \emph{talk about free software}!}%
|
|
|
|
\lecture{If you value freedom, \emph{choose copyleft!} Fight for what
|
|
you believe in! Now I understand---peer pressure is a hard
|
|
thing to overcome. But we're your peers too.}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
%%%=== BEGIN TIMEBLOCK 6m ==============================================
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
Freedom is only as good as your ability to exercise it
|
|
\end{center}
|
|
|
|
\lecture{All this focus on copyleft is good and all---if only it were the
|
|
solution to all of our problems. But we have a whole Web of
|
|
problems to deal with. Freedom is only as good as your ability
|
|
to exercise it.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Maybe free...?}
|
|
\begin{itemize}
|
|
\item Almost always no license information or link to source code
|
|
\lecture{One huge problem we have with software on the web is that it
|
|
is almost always void of licensing information. So software
|
|
might be free, but we can't be sure of that without having a
|
|
JavaScript expert review minified code and try to correlate
|
|
it with the original sources. I had to do with with Reddit
|
|
when auditing it for the FSF's Free JavaScript
|
|
campaign. There's no reasonable expectation for \emph{users}
|
|
to do that! They wouldn't be able to!}
|
|
|
|
|
|
\item But is all of it free?
|
|
\begin{itemize}
|
|
\item Certain things may look free, or have free components
|
|
(e.g. the ubiquitous jQuery)
|
|
\lecture{But how do we know that a program is fully free? Let's
|
|
draw a comparison with traditional binaries. How do you
|
|
know it's fully free? Well, you rely in part on
|
|
licensing information for the program. If we hold JS to
|
|
the same standards, then we at least need licensing
|
|
information on distributed code.}
|
|
|
|
\item Might also load non-free code as a separate program
|
|
(e.g. Google Analytics spyware)
|
|
\lecture{But the page might load other programs in \emph{addition}
|
|
to the free program, for example the Google Analytics
|
|
spyware. This is like a free software package installing
|
|
proprietary software alongside of it; SourceForge used to
|
|
do that, for example.}
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Corresponding Source Code}
|
|
\begin{itemize}[<+->]
|
|
\item Where can I find the corresponding source?
|
|
\lecture{The other requirement is the corresponding source code. We
|
|
should be able to build it ourselves, host it ourselves, and
|
|
expect to have the same functionality. And we should be able
|
|
to audit the distributed code and correlate it with the
|
|
original sources. And guess what---I found a small amount of
|
|
non-free code missing from the Reddit repository. Very
|
|
small, and it just screws with the user by moving elements
|
|
around the page if they have some cursed flag set, but
|
|
non-free nonetheless.}
|
|
|
|
\item Minified code is not source code!
|
|
\lecture{I have personally had people counter my argument in the past
|
|
with a statement saying that all JavaScript code is
|
|
quote-unquote ``open source'' because the source code is
|
|
distributed to the browser. No!}
|
|
|
|
\item ``The 'source code' for a work means the preferred form of the
|
|
work for making modifications to it. 'Object code' means any
|
|
non-source form of a work.''
|
|
\lecture{The GPL defines ``source code'' as (read above). So minified
|
|
sources are object code. And let's see why:}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[fragile,plain]
|
|
\scriptsize
|
|
\begin{verbatim}
|
|
add:function(a,b,c,d,e){var
|
|
f,g,h,i,j,k,l,m,o,p,q,r=N.get(a);if(r){c.handler&&(f=c,c=f.handler,
|
|
e=f.selector),c.guid||(c.guid=n.guid++),(i=r.events)||(i=r.events={}),
|
|
(g=r.handle)||(g=r.handle=function(b){return"undefined"!=typeof
|
|
n&&n.event.triggered!==b.type?n.event.dispatch.apply(a,arguments):void
|
|
0}),b=(b||"").match(G)||[""],j=b.length;while(j--)h=fa.exec(b[j])||[],
|
|
o=q=h[1],p=(h[2]||"").split(".").sort(),o&&(l=n.event.special[o]||{},
|
|
o=(e?l.delegateType:l.bindType)||o,l=n.event.special[o]||{},k=n.extend(
|
|
{type:o,origType:q,data:d,handler:c,guid:c.guid,selector:e,needsContext:
|
|
e&&n.expr.match.needsContext.test(e),namespace:p.join(".")},f),(m=i[o])
|
|
||(m=i[o]=[],m.delegateCount=0,l.setup&&l.setup.call(a,d,p,g)!==!1||
|
|
a.addEventListener&&a.addEventListener(o,g)),l.add&&(l.add.call(a,k),
|
|
k.handler.guid||(k.handler.guid=c.guid)),e?m.splice(m.delegateCount++,0,k)
|
|
:m.push(k),n.event.global[o]=!0)}}
|
|
\end{verbatim}
|
|
\lecture{This is a snippet of jQuery's minified sources for an 'add'
|
|
method. Real quick---what do each of those arguments mean? What
|
|
does this function do?}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\includegraphics{images/librejs-logo.png}
|
|
\end{center}
|
|
\lecture{GNU has an addon for Firefox-based browsers like GNU IceCat that
|
|
approaches this issue in a few different ways.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{LibreJS}
|
|
\begin{itemize}[<+->]
|
|
\item Blocks execution of non-free JavaScript
|
|
\lecture{LibreJS blocks the execution of non-free JavaScript. But how
|
|
does it determine what is non-free?}
|
|
|
|
\item JavaScript should ideally contain {\tt @license} tags
|
|
\lecture{A couple ways. Ideally, the JavaScript should be wrapped in
|
|
license tags. It can identify the license in a number of
|
|
ways, including the full license header you'd see in source
|
|
files, or a magnet link, which is much more ideal for
|
|
minified sources.}
|
|
|
|
\item Hashes of common libraries recognized as free
|
|
\lecture{But the Web is full of \emph{existing} software like
|
|
libraries that don't contain those labels. So LibreJS also
|
|
maintains a list of file hashes for popular libraries. For
|
|
example, the minified jQuery file containing the snippet I
|
|
showed would be recognized as free, even though it doesn't
|
|
contain licensing information.}
|
|
|
|
\item Web Labels map scripts to corresponding source code
|
|
\lecture{It then has a method called Web Labels---which is a simple
|
|
HTML table---that is intended to be a machine-readable way to
|
|
map scripts to their source code.}
|
|
\end{itemize}
|
|
|
|
\lecture{The LibreJS project needs help from JavaScript developers to
|
|
develop and maintain the addon. If you're interested, please
|
|
visit gnu.org/software/librejs}.
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Submit Patches To Projects!}
|
|
\begin{itemize}[<+->]
|
|
\item Patch your own projects!
|
|
\item Submit patches to add headers to projects
|
|
\item Patches for minifiers (e.g. UglifyJS)
|
|
\item Patches for programs that combine sources (e.g. Browserify)
|
|
\item For Node.js programs: can pull license right out of {\tt package.json}
|
|
\end{itemize}
|
|
|
|
\lecture{You can help by adding licenses to your own projects and by
|
|
submitting patches to other projects; this will not only help
|
|
solve the licensing issue for that project, but also make others
|
|
aware of the issue. And one great way to help is to submit
|
|
patches to minifiers like UglifyJS to automatically add that
|
|
license information to sources, or retain it if it exists. But
|
|
that doesn't help when a minified file might contain code under
|
|
various licenses, so it'd also be helpful to patch programs like
|
|
Browserify---which packages Node.js modules for the client---to
|
|
recognize licenses and add them as appropriate. For node.js
|
|
pull the license right out of the package.json file.}
|
|
\end{frame}
|
|
|
|
|
|
%%%=== END TIMEBLOCK 6m ==============================================
|
|
|
|
|
|
\begin{frame}{Replacing Programs}
|
|
\begin{itemize}
|
|
\item<1-> How do you replace a program (free or non-) on your computer?
|
|
\lecture{Alright. So back to your desktop for a moment. If you want
|
|
to replace a non-free program with a free one, or modify a
|
|
free program, how do you do it?}
|
|
\begin{itemize}
|
|
\item<2-> You just do.
|
|
\lecture{Well...you just do.}
|
|
\end{itemize}
|
|
|
|
\item<3-> How do you replace a program (free or non-) on the Web?
|
|
\lecture{But what about on the web?}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
Ha!
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Programs---The Best Case}
|
|
\only<1->{
|
|
\begin{enumerate}
|
|
\item The program is entirely packaged in its own JavaScript file(s)
|
|
\item All dependencies are packaged with or alongside it
|
|
\end{enumerate}
|
|
}
|
|
\lecture{The best situation we have for replacing programs is when the
|
|
program is packaged entirely in its own JavaScript files, and
|
|
so are its dependencies.}
|
|
|
|
Solution:
|
|
|
|
\only<2->{
|
|
\begin{enumerate}
|
|
\item Block program scripts
|
|
\item Block undesirable dependencies
|
|
\item Inject replacement program
|
|
\end{enumerate}
|
|
}
|
|
\lecture{The solution isn't all that complicated then. Block those
|
|
undesirable scripts from loading and inject a replacement
|
|
program. I'll get into how to do that shortly.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Programs---The Realistic Case}
|
|
\lecture{But if only we were so lucky!}
|
|
|
|
\begin{enumerate}
|
|
\item<1-> The program is actually a number of independent programs
|
|
(scripts) doing different things
|
|
\lecture{In reality, a web page often contains what can be considered
|
|
a bunch of independent programs doing distinct things, like
|
|
validating forms, populating a real-time search, a shopping
|
|
cart, animating part of the page, etc.}
|
|
%% add web page screenshot as an example
|
|
|
|
\item<2-> Some scripts are packaged in one or more JavaScript files
|
|
\lecture{Some of those scripts might be packaged in one or more
|
|
JavaScript files. Okay, that's good.}
|
|
|
|
\item<3-> Some are inline {\tt <script>} tags scattered throughout
|
|
\lecture{But some are inline script tags mixed with the HTML.}
|
|
%% example
|
|
|
|
\item<4-> Some are inline JavaScript fragments in HTML attributes
|
|
\lecture{And others still might be fragments of JavaScript in HTML
|
|
attributes. Not everyone knows how to write proper
|
|
JavaScript, and others who do simply don't care that they're
|
|
writing a mess of spaghetti code. Or something might be
|
|
auto-generating that code for them.}
|
|
%% example
|
|
\end{enumerate}
|
|
|
|
\includegraphics[width=\textwidth]{images/code_quality.png}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
\only<1>{Solution?}
|
|
\lecture{So what's the solution?}
|
|
|
|
\only<2>{Write a presentation complaining about it.}
|
|
\lecture{Well my first step was to write a rant about it. Because not
|
|
everyone thinks about these issues.}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---Entirely}
|
|
\lecture{One option is to turn of JavaScript in your browser,
|
|
entirely. And that feature does exit, hidden within the bowels
|
|
of your browser's configuration. But if you disable JavaScript,
|
|
then you can't run any replacements.}
|
|
|
|
\begin{itemize}
|
|
\item Can disable JavaScript entirely
|
|
\item But then you can't run replacements
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---NoScript}
|
|
\begin{itemize}
|
|
\item NoScript is effective at blocking scripts per (sub-)domain
|
|
\lecture{I consider NoScript to be a necessity for the web. And
|
|
consequently, I can't recommend using Chromium or its
|
|
proprietary derivative, because it doesn't provide the
|
|
necessary APIs to do what NoScript does. And what it does is
|
|
block scripts entirely, but allows you to create a whitelist
|
|
for specific domains or sub-domains.}
|
|
|
|
\item Careful---some domains serve lots of scripts (e.g. CDNs)
|
|
\lecture{But you have to be careful when you do this, because some
|
|
domains serve a lot of different scripts, and some of them
|
|
might be non-free. CDNs are popular today.}
|
|
|
|
\item Some sites require you to trust many different domains
|
|
\lecture{It's also not uncommon to see a site referencing scripts from
|
|
a dozen different domains. That's a bad practice---you
|
|
shouldn't do that, even if only for performance. But do you
|
|
really want to trust a dozen third parties to run software
|
|
for a single website?}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Blocking Scripts---LibreJS}
|
|
\begin{itemize}
|
|
\item Blocks non-free JS with a high level of granularity
|
|
\lecture{LibreJS takes a much more granular approach---it blocks
|
|
individual scripts.}
|
|
|
|
\item Recognizes JavaScript files (or parts of), script tags, inline
|
|
scripts in attributes, etc.
|
|
\lecture{So rather than domain, it recognizes individual source files,
|
|
\emph{sections} of source files if they provide licensing
|
|
information, and some of those less desirable practices like
|
|
script tags and fragments in HTML attributes.}
|
|
|
|
\item But doesn't block scripts recognized as free
|
|
\lecture{But one feature I'd like to see is the ability to block all
|
|
scripts by default, even if free.}
|
|
\begin{itemize}
|
|
\item So that we can replace specific programs
|
|
\lecture{Why? Firstly, we'd be able to replace specific programs
|
|
on the page; we can't do that with NoScript.}
|
|
|
|
\item Free software can do bad things too
|
|
\lecture{Free software can still do all the bad things that I
|
|
talked about; you just have the ability to remove those
|
|
anti-features and replace it. Well, you should, anyway,
|
|
if you can find a \emph{way} to replace it.}
|
|
\end{itemize}
|
|
|
|
\item Doesn't play well with NoScript
|
|
\lecture{It also doesn't play well with NoScript---even if NoScript
|
|
would block scripts on a page, LibreJS will process them. I
|
|
don't know how difficult this would be to fix, but ideally it
|
|
would so that we can have the benefits of both.}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Injecting Scripts---Greasemonkey}
|
|
\begin{itemize}
|
|
\item Expat / Modified BSD / MPL 1.1
|
|
|
|
\item Inject user-defined scripts into web pages
|
|
|
|
\item \url{http://openuserjs.org}, \url{http://greasyfork.org},
|
|
\url{http://userscripts-mirror.org}
|
|
\end{itemize}
|
|
|
|
\lecture{After blocking scripts, the second step is replacing
|
|
them. Greasemonkey is a popular browser addon for running
|
|
arbitrary ``user scripts'' on pages. Since the scripts can be
|
|
anything, you can inject your modified program. There are a few
|
|
sites hosting scripts written by users that demonstrates the
|
|
practical utility of modifying programs on the web, or augmenting
|
|
them.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Injecting Styles---Stylish}
|
|
\begin{itemize}
|
|
\item GPLv3
|
|
|
|
\item Inject user-defined CSS into web pages
|
|
|
|
\item \url{http://userstyles.org}
|
|
\end{itemize}
|
|
|
|
\lecture{When modifying software, you often need to modify the style
|
|
associated with certain elements on the page. Or maybe you're
|
|
only interested in changing the stylesheet---you can do a lot of
|
|
things that way. You can do this with JavaScript, or even inject
|
|
CSS with JavaScript, but there's also an addon dedicated to it if
|
|
you'd prefer---Stylish. Like greasemonkey, it has a repository
|
|
of user-define stylesheets for websites.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Injecting Scripts/Styles---dotjs}
|
|
\begin{itemize}
|
|
\item MPL 1.1
|
|
|
|
\item Inject user-defined scripts from {\tt \~{}/.js}
|
|
|
|
\item Inject user-defined styles from {\tt \~{}/.css}
|
|
\end{itemize}
|
|
|
|
\lecture{There's also dotjs, which is like a Greasemonkey and Stylish in
|
|
one. It takes a much simpler approach---place scripts and
|
|
stylesheets for specific domains in your home directory and it
|
|
will automatically run them.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Replacing Scripts---What We Need}
|
|
\begin{itemize}
|
|
\item<1-> Something your grandparents can use!
|
|
|
|
\lecture{So that's the existing state of affairs. But as a user---not a
|
|
hacker---do you find this intuitive? You can ask your
|
|
grandparents to install GNU IceCat on their computer just fine,
|
|
but you can't ask them to go through all of this to replace a
|
|
non-free program on the web. We need an easier solution.}
|
|
|
|
\item<2-> Package changes:
|
|
\lecture{I challenge someone to create an addon that allows you to:}
|
|
|
|
\begin{itemize}
|
|
\item Install replacement software like you'd install an addon
|
|
|
|
\item Automatically block scripts with granularity of LibreJS
|
|
|
|
\item Automatically inject scripts
|
|
|
|
\item Verify package signatures
|
|
|
|
\item Update mechanism
|
|
\end{itemize}
|
|
|
|
\item Add support to LibreJS
|
|
\lecture{And ideally you'd add that support to GNU LibreJS.}
|
|
\end{itemize}
|
|
|
|
\lecture{But let's be honest.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
But all this is just a kluge.
|
|
\end{center}
|
|
|
|
\lecture{While all of this would be great, it's ultimately just a
|
|
kluge---we're trying to work around an architecture that was not
|
|
intended to promote exercising the four freedoms.}
|
|
|
|
\lecture{So I have a stronger proposal. I'm going to illustrate with an
|
|
even more disastrous problem.}
|
|
\end{frame}
|
|
|
|
|
|
%% TODO: What to do with "Shackles as a Service" above?
|
|
|
|
|
|
\begin{frame}{Service as a Software Substitute (SaaSS)}
|
|
\begin{itemize}
|
|
\item<1-> Also called ``Software as a Service'' (SaaS)
|
|
\item<1-> ``Who Does That Server Really Serve?'' essay by rms
|
|
|
|
\lecture{Services as software substitutes. Most people refer to it as
|
|
``Software as a Service'', but many of us use the term
|
|
``Service as a Software Substitute''---as coined by rms---to
|
|
emphasize that you're sacrificing something.}
|
|
|
|
\item You simply cannot modify a program running on someone else's
|
|
server
|
|
\lecture{This poses an entirely different problem than software
|
|
freedom---you simply cannot modify software on someone else's
|
|
computer; nor should you be able to.}
|
|
\end{itemize}
|
|
|
|
\lecture{Now let's be clear---you'll often hear that these services are
|
|
hosted quote ``in the cloud''.}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[plain]
|
|
\begin{center}
|
|
There is no cloud.
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Desktop vs. Web Application}
|
|
\begin{itemize}
|
|
\item To regain control, must host it yourself
|
|
|
|
\item This means running the entire stack (server and client) yourself
|
|
|
|
\item ``Unweb''
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Anatomy of a Client-Side Web Application}
|
|
\begin{itemize}
|
|
\item Cannot unweb proprietary web applications
|
|
|
|
\item Cannot unweb a partially free stack
|
|
\begin{itemize}
|
|
\item Webserver
|
|
\item Programs/scripts that it runs to generate content
|
|
\item Script dependencies
|
|
\item Client
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{The Affero GPL Doesn't Solve All Problems}
|
|
\begin{itemize}
|
|
\item Requires that, if users can access a \emph{modified} version of
|
|
the program over a network, that they must have access to the
|
|
corresponding source code
|
|
|
|
\item But this only helps a little bit---even if you have the source
|
|
code, you can't modify it on the server that's using it
|
|
|
|
\item The AGPL can be circumvented using a pipeline (where practical)
|
|
|
|
\item Doesn't cover works that the AGPL'd program might invoke
|
|
externally
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}[c]
|
|
\begin{center}
|
|
You depend on the author to make a faithful effort
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Plea to Web Developers}
|
|
\begin{itemize}
|
|
\item Abstract storage and all network calls
|
|
|
|
\item User-configurable storage and network options
|
|
|
|
\item Liberate webserver and all server-side programs it runs
|
|
|
|
\item No non-free server dependencies (linked or not)
|
|
|
|
\item Sane configuration defaults and examples!
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
\only<1>{Web application works just as desktop program}
|
|
\only<2>{End Goal: Just Run {\tt ./foo}}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}
|
|
\begin{center}
|
|
Mike Gerwitz
|
|
|
|
{\url mtg@gnu.org}
|
|
|
|
\medskip
|
|
|
|
Interested in submitting your project to GNU?
|
|
|
|
{\url gnueval@gnu.org}
|
|
|
|
\medskip
|
|
|
|
Licensed under the Creative Commons Attribution ShareAlike 4.0
|
|
International License
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
%% real-world examples
|
|
|
|
%% free software can do bad things too
|
|
|
|
|
|
\closeout\lecturenotes
|
|
|
|
\end{document} |