Convert posts to markdown files
This was considerable effort, and took a bit more time than I had hoped. While newer posts were written with Markdown, previous ones were written with my own Markdown-like formatting, but they had enough differences that it was quite an effort to get things updated. I also checked the HTML output of each, though I didn't read every article in detail. Some of these were more substantial than others; National Uproar, for example. These conversions were markup translations: the actual text remains unchanged, except in one minor instance to add text for the sake of providing some text to hold a link to a quote. Any changes to post text will happen in future commits so that the diffs are clearly visible.

master
parent 2a674052b0
commit 64e1341075
@ -0,0 +1,29 @@
# Who needs "microblogging"?

I don't. This is just some place safe to store random thoughts that people
probably don't care about (like most comments on most social networking
services), with the added benefit of distributed backup, a simple system and no
character limit.

<!-- more -->

All the thoughts are commit messages; in particular, this means no versioning.
That's okay, because I'm not going to go back and modify them, but I do want
dates and I do want GPG signatures (to show that it's actually me thinking this
crap).

This isn't a journal.

This will mostly be a hacker's thought cesspool.

This isn't a blog.

Though, considering how much I ramble (look at this message), certain thoughts
could certainly seem like blog entries. Don't get the two confused---one
requires only thought defecation and the other endures the disturbing task of
arranging the thought matter into something coherent and useful to present to
others.

Yeah. Enjoy. Or don't. You probably shouldn't, even if you do. If you don't,
you probably should just to see that you shouldn't.

@ -0,0 +1,12 @@
# Getting too tired to hack? At 23:00?

This has been normal since becoming a father. I can't complain---I love being a
father. Of course, I also love hacking. I also love sleep. Knowing that my son
is going to wake me up a 6:00 in the morning has a slight influence in a
situation like this.

<!-- more -->

I'd like to just suffer through it, but being a fiancé also has another
obligation: going to bed when your significant other decides that it's bed time
(and by "bed time" I mean sleep). I still manage to fit it in somehow.
@ -0,0 +1,32 @@
# The use of trademarks in free software has always been a curious and unclear concept to me, primarily due to my ignorance on the topic

Trademarks, unless abused, are intended to protect consumers' interests---are
they getting the brand that they think they're getting? If you download Firefox,
are you getting Firefox, or a derivative?

<!-- more -->

Firefox is precicely one of those things that has brought this issue to light
for me personally: the name is trademarked and derivatives must use their own
names, leading to IceCat, IceWeasel, Abrowser, etc. Even though FF is free
software, the trademark imposes additional restrictions that seem contrary to
the free software philosophy. As such, it was my opinion that trademarks should
be avoided or, if they exist, should not be exercised. (GNU, for example, is
trademarked[^0], but the FSF certainly [does not exercise it][1]; consider GNUplot,
a highly popular graphing program, which is not even part of the GNU project.)

[This article][2] provides some perspective on the topic and arrives at much the
same conclusions: trademark enforcement stifles adoption and hurts the project
overall.

I recommend that trademarks not be used for free software projects, though I am
not necessarily opposed to registering a trademark "just in case" (for example,
to prevent others from maliciously attempting to register a trademark for your
project).

[1]: http://www.gnu.org/prep/standards/html_node/Trademarks.html
[2]: http://mako.cc/copyrighteous/20120902-00

[^0]: uspto.gov; serial number 85380218; reg. number 4125065.
From what I could find from the USPTO website, it was submitted by
Aaron Williamson of the SFLC (http://www.softwarefreedom.org/about/team/)
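Review bot: the footnote at the end of this hunk (`[^0]: uspto.gov; serial number 85380218; reg. number 4125065.`) continues over two further lines that are not indented; under the usual footnote syntaxes (Markdown Extra, pandoc, kramdown) only indented continuation lines belong to the footnote, so `From what I could find from the USPTO website, it was submitted by` and the SFLC line will render as a separate paragraph in the page body. Indent both continuation lines by four spaces. The bare `http://www.softwarefreedom.org/about/team/` in parentheses will also not be autolinked by a plain Markdown processor; wrap it in angle brackets, as the quoted FSF e-mail later in this commit does with its URLs.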
@ -0,0 +1,17 @@
# All these election attack ads are utterly useless

There have been a lot of elections going on lately---local, state and national.
The majority of those ads are attack ads: immature and disrespectful; if you
want my vote, give me something positive to vote for instead of spending all of
your time and money attacking your candidate. If my vote is to go to the "least
horrible" candidate, then there is no point in voting at all.

<!-- more -->

Even more frustrating is the deceptiveness of the ads---intentional
deceptiveness, nonetheless. And these are the ads that many in the United States
will be basing the majority of, if not all, of their vote on come election time
(how many will realistically research instead of sitting in front of the TV
absorbing all of the useless bullshit that they are spoonfed?).

Frightening.
@ -0,0 +1,42 @@
# Why no kid (or kid at heart) should write an iPhone game

I saw [this post][0] appear on HackerNews, talking about how building a game for
iOS is "fun" and "cool". The poster lures the reader in with talk of making
money and talks of a "unique sense of fulfillment" that comes with development
of these games, and then goes on to invite kids to learn how to develop games
for the iPhone (and presumably other iOS devices).

[0]: http://blog.makegameswith.us/post/33263097029/call-to-arms

This is a terrible idea.

<!-- more -->

Getting children involved with hacking is an excellent idea, but introducing
them to the evils of Apple and associating that with a feeling of pleasure does
a great disservice; all software developed for iOS must be "purchased" (even
if it's of zero cost) through a walled garden called the "App Store". The
problem with this is that [the App Store is hostile toward free
software][1]---its overly restrictive terms are incompatible with free software
licenses like the GPL. Teaching children to develop software for this crippled,
DRM-laden system is teaching them that it is good to prevent sharing, stifle
innovation and deny aid to your neighbor.

A better solution would be to suggest developing software for a completely free
mobile operating system instead of iOS, such as [Replicant][2] (a fully free
Android distribution). Even if Replicant itself were not used, Android itself,
so long as proprietary implementations and "stores" are avoided[[3]], is much
more [compatible with education][4] than iOS, since the children are then able
to freely write and distribute the software without being controlled by
malicious entities like Apple. Furthermore, they would then be able to use a
fully free operating system such as GNU/Linux to *write* the software.

Do not let fun and wealth disguise this ugly issue. Even more importantly---do
not pass this practice and woeful acceptance down to our children. I receive a
"unique sense of fulfillment" each and every day hacking free software far
away from Apple's grasp.

[1]: http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement
[2]: http://replicant.us/
[3]: http://www.gnu.org/philosophy/android-and-users-freedom.html
[4]: http://www.gnu.org/education/edu-schools.html
@ -0,0 +1,27 @@
# Always use -t with ssh-add (and always set passwords on your ssh keys)

Many people use SSH keys for the sole purpose of avoiding password entry when
logging into remote boxes. That is legtimate, especially if you frequently run
remote commands or wish to take advantage of remote tab complation, but creating
a key with an empty password is certainly the wrong approach---if an attacker
gets a hold of the key, then they have access to all of your boxes before you
have the chance to notice and revoke the key.

<!-- more -->

ssh-agent exists for this purpose. The problem is---creating an agent only to
place the key in memory indefinately is also a terrible idea. If your system
does become compromised and the attacker is either root access or access as your
user, then they can simply connect to the ssh-agent (unless it's password
protected) and start using your key. Also consider that, should you leave your
box unattended for even a moment without locking it (for whatever reason---shit
happens), an attacker could gain physical access to your PC (and an attacker may
just be a coworker looking to play a prank).

Every morning at work, I begin the day by typing ssh-add followed by an
appropriate lifetime (be it the duration of the work day, or the duration that I
think I will need the key). This way, your key is in memory when you are likely
to be physically present at the box and it is automatically removed from memory
after a given lifetime. Additionally, I like to add `ssh-add -D` to the script
that locks my PC when I walk away from my desk: that will immediately clear all
keys from memory, just in case.
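Review bot: the body never shows the invocation the title promises: `Every morning at work, I begin the day by typing ssh-add followed by an` / `appropriate lifetime` leaves the reader to guess that the flag is `-t`, so when the deferred text edits happen, spell it out (for example `ssh-add -t 8h`). The caveat `connect to the ssh-agent (unless it's password` / `protected)` is also misleading: the agent is reached through a socket owned by your user and has no password of its own, so anyone already running as you can use every loaded key; the closest protection is loading keys with `ssh-add -c`, which makes the agent ask for confirmation before each use of the key.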
@ -0,0 +1,21 @@
# Texas middle and high schools tracking student locations with RFID tags

[An article][0] describes how a school district in Texas is attempting to force
its students to wear RFID tags at all times in order to track their location to
"stem the rampant truancy devastating the school's funding".

[0]: http://rt.com/usa/news/texas-school-id-hernandez-033/

What?

<!-- more -->

This is deeply concerning. Not only does this raise serious security and privacy
concerns (as mentioned near the end of the article), but it also costed the
schools over a half a million dollars to implement. In order words: Texas
taxpayer money has been wasted in an effort to track our children.

Good thing they don't have anything [better to spend that money on.][1]

[1]: http://fedupwithlunch.com/

@ -0,0 +1,8 @@
# "Day changed to S"

Whatever "S" may be (in this case, "13 Oct 2012"), there is always a sense
of peace and gratification that comes with witnessing that line appear in any
type of log; it shows a dedication to an art, should your days contain daylight.

<!-- more -->

@ -0,0 +1,8 @@
# Branch Prediction

An enlightening discussion on branch prediction.[0]

[0]: http://stackoverflow.com/questions/11227809/why-is-processing-a-sorted-array-faster-than-an-unsorted-array

<!-- more -->

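Review bot: `An enlightening discussion on branch prediction.[0]` uses a bare shortcut reference, which Markdown renders as a link whose visible text is just `0`; the iPhone and HathiTrust posts in this commit write the same kind of citation as `[[3]]` and `[[0]]`, which renders as a bracketed link, and the Ubuntu post writes `kernel.[1]`. Pick one citation form for the converted posts so the generated HTML is consistent.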
@ -0,0 +1,7 @@
# Free Speech in the Western World

An interesting opinion piece on [free speech in the western world.][0]

[0]: http://www.washingtonpost.com/opinions/the-four-arguments-the-western-world-uses-to-limit-free-speech/2012/10/12/e0573bd4-116d-11e2-a16b-2c110031514a_print.html

<!-- more -->
@ -0,0 +1,24 @@
# NYC Master Keys

[Bruce Schneier summarizes in a blog post][0] a disturbing topic regarding a New
York City locksmith selling "master keys" on eBay, providing access to various
services such as elevators and subway entrances.

[A discussion about this blog post on Hacker News][1] yielded some interesting
conversation, including an [even more disturbing article describing how simple
it may be to create master keys][2] for a set of locks given only the lock, its
key and a number of attempts.

[0]: http://www.schneier.com/blog/archives/2012/10/master_keys.html
[1]: http://news.ycombinator.com/item?id=4654777
[2]: http://www.crypto.com/masterkey.html

<!-- more -->

I'll let you ponder the implications of both of these topics. Here's something
to get you started: organized crime could use these keys to effectively evade
law enforcement or break into millions of "locked" homes. Crackers could gain
intimate access to various city systems whereby they may be able to further
obstruct or infect systems. A security system is only as strong as its weakest
link. Keeping citizens in the dark about these issues gives them a dangerous and
false sense of security.
@ -0,0 +1,27 @@
# Verizon router backdoors

A [very disturbing article][0] makes mention of a Verizon TOS update for its
Internet service customers:

[0]: http://www.linuxbsdos.com/2012/10/04/is-that-a-backdoor-or-an-administrative-password-on-your-verizon-internet-router/

> Section 10.4 was updated to clarify that Verizon may in limited instances
> modify administrative passwords for home routers in order to safeguard
> Internet security and our network, the security and privacy of subscriber
> information, to comply with the law, and/or to provide, upgrade and maintain
> service.

<!-- more -->

...what? This is deeply disturbing, deeply perverted idea of security. Not only
is this a severe privacy concern (all internet traffic passes through your
router), but it's a deep *security* concern---what if a cracker is able to
figure out Verizon's password scheme, intercept the communication with your
router or otherwise?

I recommend that you (a) use your own router, (b) change its default password if
you have not yet done so and (c) disallow remote access. Furthermore, I
recommend using a free (as in freedom) firmware such as [DD-WRT][1] if supported
by your hardware.

[1]: http://dd-wrt.com/
@ -0,0 +1,34 @@
# Crackers capable of causing pacemaker deaths

[This article][0] demonstrates why medical devices must contain free software:
crackers are able to, with this particular type of pacemaker, exploit the device
to trigger a fatal electric shock to its host from as far as 30 feet away (the
article also mentions rewriting the firmware, which could of course be used to
schedule a deadly shock at a predetermined time). These issues would not exist
with free software, as the user and the community would be able to study the
source code and fix any defects (or hire someone who can) before placing it in
their bodies.

[0]: http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx

<!-- more -->

(Note that this article mistakenly uses the term "hacker" when they really
mean "cracker".)

The aforementioned article is an excellent supplement to [a discussion on free
software in pacemakers][1]. In particular, I had pointed out within this
discussion [a talk by Karen Sandler of the GNOME Foundation regarding this
issue][2] at OSCON 2011, in which she mentions potential issues of proprietary
software in pacemakers and the difficulty she faced in attempting to get the
source code for one that she was considering for herself.

The discussion on HackerNews also yielded [an article by the SFLC][3] detailing
this issue.

(Please do not use YouTube's proprietary video player to view the mentioned
YouTube video.)

[1]: http://news.ycombinator.com/item?id=3959547
[2]: https://www.youtube.com/watch?v=nFZGpES-St8
[3]: https://www.softwarefreedom.org/news/2010/jul/21/software-defects-cardiac-medical-devices-are-life-/
@ -0,0 +1,12 @@
# Federal Appeals Court Declares "Defense of Marriage Act" Unconstitutional

A step in the [right direction.][0]

It should also be noted that New York State had also [legalized same sex
marriage back in July of 2011][1]---a move I was particularily proud of as a
resident of NY state.

[0]: http://www.aclu.org/lgbt-rights/federal-appeals-court-declares-defense-marriage-act-unconstitutional
[1]: http://en.wikipedia.org/wiki/Same-sex_marriage_in_New_York

<!-- more -->
@ -0,0 +1,34 @@
# Another crack at medical device cracking

My previous post mentioned the dangers of running non-free software on implanted
medical devices. While reading over RMS' policital notes[0], I came across [an
article mentioning how viruses are rampant on medical equipment][1].

> "It's not unusual for those devices, for reasons we don't fully understand, to
> become compromised to the point where they can't record and track the data,"
> Olson said during the meeting, referring to high-risk pregnancy monitors.

The devices often run old, unpatches versions of Microsoft's Windoze operating
system. The article also mentions how the maleware often attempts to include its
host as part of a botnet.

[0]: http://stallman.org/archives/2012-jul-oct.html#18_October_2012_%28Computerized_medical_devices_vulnerable_to_viruses%29
[1]: http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/

<!-- more -->

This is deeply concerning and incredibly dangerous. As non-free software is used
more and more in equipement that is responsible for our health and safety, we
are at increased risk for not only obvious software flaws, but also for crackers
with malicious intent; harming someone will become as easy as instructing your
botnet to locate and assassinate an individual while you go enjoy a warm (or
cold) beverage.

These problems are *less likely* (not impossible) to occur in free software
beacuse the users and community are able to inspect the source code and fix
problems that arise (or hire someone that can)[2]. In particular, in the case of
the hospitals mentioned in [the article][1], they would be free to hire someone
to fix the problems themselves rather than falling at the mercy of the
corporations who supplied the proprietary software.

[2]: http://www.gnu.org/philosophy/free-sw.html
@ -0,0 +1,8 @@
# Digitizing Books Is Fair Use: Author's Guild v. HathiTrust

A New York court ruled that "digitizing" books for researched and disabled
individuals is lawful.[[0]]

[0]: https://www.eff.org/deeplinks/2012/10/authors-guild-vhathitrustdecision

<!-- more -->
@ -0,0 +1,28 @@
# Obama and Warrantless Wiretapping

The EFF has released an article with a [plethora of links describing warrantless
wiretapping under the Obama administration][0], spurred by Obama's response to
Jon Stewart's questioning on The Daily Show last Thursday. (Readers should also
be aware of the [NSA spy center][1] discussed earlier in the year, as is
mentioned in the EFF article.)

[0]: https://www.eff.org/deeplinks/2012/10/fact-check-obamas-misleading-answer-about-warrantless-wiretapping-daily-show
[1]: http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/

<!-- more -->

It is clear that the United States government has no intent on protecting the
freedoms of individuals and instead is actively resisting attempts to correct
the problems. While we can hope that this will change, and we can be confident
that organizations like the EFF will continue to fight for our liberties, one
immediate option is to limit as much as possible what the NSA and other agencies
can discover about you. Consider using [Tor][2] for all of your network traffic
(at the very least, use HTTPS connections to prevent agencies and ISPs from viewing
specific web pages on a particular domain; HTTPS is unnecessary if using Tor.)
PGP/GPG can be used to encrypt e-mail messages to the intended recipients. Etc.

It's unfortunate that such precautions are necessary. Privacy is important even
if you have nothing to hide; any suggestion to the contrary is absolutely
absurd.

[2]: http://torproject.org
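Review bot: the parenthetical `HTTPS is unnecessary if using Tor.` is incorrect and should be fixed in the follow-up text commit: Tor encrypts traffic only as far as the exit relay, and the hop from the exit to the destination site is plaintext unless the site is reached over HTTPS, so the exit operator (or anyone between it and the site) can read and alter exactly what the preceding sentence is trying to protect. The advice should say that HTTPS is still needed when browsing through Tor.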
@ -0,0 +1,15 @@
# Stingrays: Cell Phone Privacy and Warrantless Surveillance

How would you feel if law enforcement showed up in your living room, demanded
your cell phone, and started writing down your call history and text messages?
How would you feel if you didn't even know that they were in your home to begin
with, let alone stealing private data? [This is precisely what is happening when
law enforcement uses "Stingrays" to locate individuals][0], collecting data of
every other individual within range of the device in the process. Even *if* you
are the subject of surveillance, this is still an astonishing violation of
privacy. (Of course, law enforcement could always demand such records from your
service provider, but such an act at the very least has a paper trail.)

[0]: https://www.eff.org/deeplinks/2012/10/stingrays-biggest-unknown-technological-threat-cell-phone-privacy

<!-- more -->
@ -0,0 +1,63 @@
# GNU Trick-Or-Treat---FSF Crashes Windows 8 Launch

The FSF decided to [crash the Windows 8 launch even in New York City][0],
complete with [Trisquel][1] DVDs, FSF stickers and information about their
[pledge to upgrade to GNU/Linux instead of Windows 8][2].

I find this to be a fun, excellent alternative to blatant protesting that is
likely to be better received by those who would otherwise be turned off to
negativity. At the very least, the [walking gnu][3] would surely turn heads and
demand curiosity.

[0]: http://www.fsf.org/news/activists-trick-or-treat-for-free-software-at-windows-8-launch-event-1
[1]: http://trisquel.info/
[2]: http://www.defectivebydesign.org/windows8
[3]: http://www.fsf.org/blogs/community/gnus-trick-or-treat-at-windows-8-launch

<!-- more -->

Here is the e-mail that was sent to the info at fsf.org mailing list:

> Happy (almost) Halloween, everybody,
>
> You've probably been noticing Microsoft's ads for their new operating
> system -- after all, they've spent more money on them than any other
> software launch campaign in history. In fact, everything about the
> campaign has been meticulously planned and optimized, so you can
> imagine journalists' surprise when an unexpected guest showed up at an
> invite-only launch event on Thursday.
>
> Our volunteer, Tristan Chambers, was there and caught the whole thing
> on camera! Pictures here:
> <http://www.fsf.org/blogs/community/gnus-trick-or-treat-at-windows-8-launch>.
>
> Reporters and security guards at the event weren't sure how to react
> when they were greeted by a real, live gnu. The gnu -- which, on
> closer inspection, was an activist in a gnu suit -- had come for some
> early trick-or-treating. But instead of candy, she had free software
> for the eager journalists. The gnu and the FSF campaigns team handed
> out dozens of copies of Trisquel, a fully free GNU/Linux distribution,
> along with press releases and stickers. Once they got over their
> confusion, the reporters were happy to see us and hear our message --
> that Windows 8 is a downgrade, not an upgrade, because it steals
> users' freedom, security and privacy.
>
> Free software operating systems are the real upgrade, and they don't
> need a zillion-dollar launch event to prove it. To show Microsoft that
> their ads won't change our minds, we're starting an upgrade pledge:
> switch to a free OS, or if you're already using one, help a friend
> switch. We can pay Microsoft a chunk of change for their new,
> proprietary OS, or we can stand up for our freedom. The choice isn't
> as hard as Microsoft wants you to think.
>
> Sign the pledge now! -- <http://www.fsf.org/windows8/pledge>.
>
> Thanks for making a commitment to free software.
>
> PS - If you'd like more details about the action, you can check out
> our press release here:
> <http://www.fsf.org/news/activists-trick-or-treat-for-free-software-at-windows-8-launch-event-1>.
>
> -Zak Rogoff
> Campaigns Manager

@ -0,0 +1,30 @@
# Abolishing Patents

My issue with patents exceeds the [obvious case against software patents][0];
indeed, I have long pondered the problems with patents in other fields. When I
hear the phrase "patent pending" or "patented technology" touted in ads, I
have never thought positive thoughts; instead, I have thought "you are damning
this otherwise excellent work to stagnation". What if someone has an excellent
idea to improve upon that particular product? Well, they'd better be prepared to
jump through some hoops or shell out some hefty licensing fees. Or maybe it's
just easier to abandon the idea entirely and forget that it had never happened.

[0]: http://patentabsurdity.com/

<!-- more -->

However, I thought, it's not a simple case of ridding the world of patents.
How would that affect the incentive to innovate? How would people recoup
expensive R&D costs, especially in industries like pharmacy (both my parents are
pharmacists)? What about the incentive to describe your invention to the world?
Then again, nobody *has* to get a patent for their invention. It may be worth
keeping it secret if nobody can figure it out.

The answers to all of these questions appeared in one place: [The Case Against
Patents][1], which I found referenced in an article regarding the [Swedish Pirate
Party's opinions on patents, trademarks and copyright][2]. While it is still a
draft at the time of this writing, I encourage you to give it a read, as it is
very enlightening.

[1]: http://research.stlouisfed.org/wp/2012/2012-035.pdf
[2]: http://falkvinge.net/2012/10/13/what-the-swedish-pirate-party-wants-with-patents-trademarks-and-copyright/
@ -0,0 +1,18 @@
# Jailbreaking and DCMA---EFF Touts Victory, FSF Warns Of Failure

While the [EFF is pleased to announce][0] that the Copyright Office has [renewed
DMCA exceptions upholding jailbreaking rights for cellphones][1], the FSF
cautions that [this right has not been extended to tablets, game consoles or
even PCs with restricted boot][2].

[0]: https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video
[1]: http://www.copyright.gov/fedreg/2012/77fr65260.pdf
[2]: http://www.fsf.org/blogs/licensing/copyright-office-fails-to-protect-users-from-dmca

<!-- more -->

It should be noted that the EFF also successfully gained protection for the use
of short copyrighted clips in remixing,[0] and while this is a positive step
forward in its own, the implications of the first paragraph should not be
ignored.

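Review bot: the heading `# Jailbreaking and DCMA---EFF Touts Victory, FSF Warns Of Failure` spells the act `DCMA` while the body (`DMCA exceptions upholding jailbreaking rights for cellphones`) and the linked FSF URL spell it `DMCA`; the later heading `# EFF Elaborates On DCMA Ruling` has the same typo. Since headings become page titles and slugs, correct both in the follow-up text commit rather than leaving them for later.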
@ -0,0 +1,30 @@
# OpenWireless.org

The EFF [announces the launch of openwireless.org][0], which encourages users to
[share their network connections][1] to create a global network of freely
available wireless internet access.

This is a noble movement. This reminds me of a point in history when MIT began
password protecting their accounts, which were previously open to anyone.
Stallman, disagreeing with such a practice, [encouraged users to create empty
passwords][2]. Stallman would even give out his account information so that
remote users may log into MIT's systems, all with good intent.

[0]: https://www.eff.org/deeplinks/2012/10/why-we-have-open-wireless-movement
[1]: https://www.openwireless.org/
[2]: http://shop.fsf.org/product/free-as-in-freedom-2/

<!-- more -->

Of course, with malice rampant in today's very different world, Stallman's
actions, although noble, would be both naive and a huge security risk.
Fortunately, [opening your wireless network isn't necessarily one of these
risks][3] and, if done properly, does not equate to opening your private network
to attack.

Consider using [DD-WRT][4] as your router's firmware, if supported by your
device, as it is itself [free software][5].

[3]: https://openwireless.org/myths
[4]: http://dd-wrt.com
[5]: http://www.gnu.org/philosophy/free-sw.html
@ -0,0 +1,12 @@
# "Trademark" Bullying

There's two problems with this post from the EFF describing [The Village Voice
suing Yelp for "Best of" trademark infringement][0]: firstly, there's the
obvious observation that such a trademark should not have been permitted by the
USPTO to begin with. Secondly---why do entities insist on gaming the system in
such a terribly unethical manner? It takes a special breed of people to do such
a thing.

[0]: https://www.eff.org/deeplinks/2012/10/stupid-lawyer-tricks-and-government-officials-who-are-helping-them

<!-- more -->
@ -0,0 +1,15 @@
# Ubuntu 12.10 Privacy: Amazon Ads and Data Leaks

The EFF [cautions that Ubuntu 12.10 leaks user information to Amazon by
default][0] rather than requiring the user to opt *into* the system.

Of course, I cannot recommend that you use Ubuntu, as it encourages the
installation of non-free device drivers, readily enables non-free software
repositories and contains non-free components in its kernel.[1] Instead,
consider a [fully free GNU/Linux distribution like Trisquel][2].

[0]: https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
[1]: http://www.fsfla.org/svnwiki/selibre/linux-libre/
[2]: https://trisquel.info

<!-- more -->
@ -0,0 +1,8 @@
# Ban On Public Rallying and Demonstrations in Bahrain

The government of Bahrain found that the best solution to preventing violent
protests was to [ban all public rallying and demonstrations][0].

[0]: https://www.eff.org/deeplinks/2012/11/bahrain-goes-bad-worse

<!-- more -->
@ -0,0 +1,8 @@
# EFF Elaborates On DCMA Ruling

In addition to my aforementioned links, the EFF has provided [a more detailed
analysis][0] of the decision.

[0]: https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve

<!-- more -->
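
Review bot: the heading reads "DCMA" but the statute is the DMCA, as the slug of the linked URL ("2012-dmca-rulemaking") also spells it; fix the heading. "my aforementioned links" also has no referent within this file, so a reader landing on this post alone cannot tell which earlier post is meant; name or link it.
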
@ -0,0 +1,22 @@
# California Proposition 35 Concerns

The EFF [points out problems with California's Proposition 35][0], which would,
among other things, [require registered sex offenders to "disclose Internet
activities and identities"][1]:

[0]: https://www.eff.org/deeplinks/2012/11/eff-urges-no-vote-california-proposition-35
[1]: http://voterguide.sos.ca.gov/propositions/35/

<!-- more -->

> [...] Proposition 35 would force individuals to provide law enforcement with
> information about online accounts that are wholly unrelated to criminal
> activity – such as political discussion groups, book review sites, or blogs.
> In today’s online world, users may set up accounts on websites to communicate
> with family members, discuss medical conditions, participate in political
> advocacy, or even listen to Internet radio. An individual on the registered
> sex offender list would be forced to report each of these accounts to law
> enforcement within 24 hours of setting it up – or find themselves in jail.
> This will have a powerful chilling effect on free speech rights of tens of
> thousands of Californians.

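
Review bot: the introductory sentence ends with a colon that is meant to introduce the blockquote, but the link definitions and the `<!-- more -->` marker sit between them, so the excerpt shown on index pages ends on a dangling colon and the quotation only appears in the full post. Either move the marker below the quote, or end the sentence with a period and reintroduce the quote after the marker.
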
@ -0,0 +1,14 @@
# MediaGoblin $10k Matching Grant

Congratulations to MediaGoblin for not only [meeting the $10k matching grant
from a generous anonymous donor][0], but also for raising $36k to date.

[MediaGoblin][1] is a "free software media publishing platform that anyone can
run"; it is a distributed, free (as in freedom) alternative to services such as
YouTube, Flickr and others, and is part of the [GNU project][2].

[0]: http://mediagoblin.org/news/we-made-10k-matching.html
[1]: http://mediagoblin.org/
[2]: http://gnu.org/

<!-- more -->
@ -0,0 +1,9 @@
# Another Useless, False-Sense-Of-Security NSA Security Tactic

A police officer [recalls a time he went through airport security][0] and
received a patdown from one of the security agents, which he found to be
absolutely useless.

[0]: http://www.gizmodo.co.uk/2012/10/search-me/

<!-- more -->
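
Review bot: the heading attributes the tactic to the NSA, but the body describes an airport-security patdown; passenger screening at US airports is performed by the TSA, not the NSA. Retitle to "TSA" unless the NSA reference is deliberate, in which case the body should explain the connection.
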
@ -0,0 +1,11 @@
# Video of 2012 Voting Machine Altering Votes

A Reddit user [posted video of a 2012 voting machine preventing him from
selecting Barak Obama][0]. Malfunction or not, this is the type of thing that
could have possibly been caught if the software were free. Furthermore, from
reading the source code, one would be able to clearly tell whether or not it was
a bug or an intentional "feature".

[0]: http://thenextweb.com/shareables/2012/11/06/reddit-user-captures-video-of-2012-voting-machines-altering-votes/

<!-- more -->
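
Review bot: the closing claim, that "from reading the source code, one would be able to clearly tell whether or not it was a bug or an intentional 'feature'", holds only if the binary running on that particular machine can be shown to correspond to the published source (a reproducible build, or a verified firmware image checked against the machine); a free license by itself establishes nothing about what code the machine was actually executing, so the sentence should carry that qualification. Also, "Barak Obama" should be "Barack Obama".
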
@ -0,0 +1,19 @@
# OLPC Tablet in Ethiopia

A story mentions how [Ethiopian kids quickly learned to read and use tablet
PCs][0] provided by the [One Laptop Per Child][1] project. This is not only a
noble feat (as we would expect from OLPC), but also an impressive one,
considering that (as the article mentions) the children did not know how to
read, even in their own language.

[0]: http://dvice.com/archives/2012/10/ethiopian-kids.php
[1]: http://one.laptop.org/

<!-- more -->

Now, while the OLPC does have [its own tablet][2], the article mentions that the
[children were given Motorola Zoom tablets][0]; I would hope that they run free
software to encourage freedom in these developing countries and to encourage the
children to hack and explore their devices in even greater detail.

[2]: http://one.laptop.org/about/xo-3
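
Review bot: "Motorola Zoom tablets" should be "Motorola Xoom tablets"; Xoom is the product name. Since the clarification that the children were given Motorola hardware rather than OLPC's own XO-3 sits below the `<!-- more -->` marker, the excerpt alone implies OLPC hardware; consider moving the marker so that caveat is part of the excerpt.
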
@ -0,0 +1,10 @@
# U.S. "Copyright Alert System"

[The EFF warns][0] of [the "Copyright Alert System"][1]---a government
endorsed spy system---that will launched shortly to monitor peer-to-peer
networks for so-called "infringing" activity.

[0]: https://www.eff.org/deeplinks/2012/11/us-copyright-surveillance-machine-about-be-switched-on
[1]: http://www.copyrightinformation.org/alerts

<!-- more -->
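
Review bot: "that will launched shortly" is missing a verb and should read "that will be launched shortly"; "government endorsed" used as a modifier should be hyphenated ("government-endorsed").
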
@ -0,0 +1,160 @@
# VLC's Move to LGPL

Jean-Baptiste Kempf of the VLC project explains that "most of the code of VLC"
has been [relicensed under the LGPL][0], moving *away from* the GPL. Some of the
reasons for the move include "competition, necessity to have more professional
developers around VLC and AppStores".[1] (With the "AppStore" comment,
Jean-Baptiste is likely referring to issues regarding free software in Apple's
App Store, which [the FSF has discussed on their website][2].)

This is unfortunate; using the LGPL in place of the GPL is [not encouraged for
free software projects][3] because, while it ensures the freedom of the project
itself, it does not encourage the development of free software that *uses* the
project---the LGPL allows linking with proprietary software. Let's explore the
aforementioned reasons in a bit more detail.

[0]: http://www.jbkempf.com/blog/post/2012/I-did-it
[1]: http://www.jbkempf.com/blog/post/2012/How-to-properly-relicense-a-large-open-source-project
[2]: http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement
[3]: http://www.gnu.org/licenses/why-not-lgpl.html

<!-- more -->

Firstly, let us consider the issue of competition. In one of the [discussions on
Hacker News][4], I pointed out the distinction between "open source" and Free
Software:

[...]
It is important to understand the distinction between "open source" and "free
software". Open source focuses on the benefits of "open" code and development
and how it can create superior software. Free Software focuses on the ethical
issues---while free software developers certainly want contributors, the
emphasis is on the fact that the software respects your freedom and, for that,
it's far superior to any other proprietary alternative; free software users
constantly make sacrifices in functionality and usability, and we're okay with
that.

[http://www.gnu.org/philosophy/open-source-misses-the-point.html][5]
[...]

In this sense, why should competition be considered for software freedom, unless
it is between two free software projects, encouraging innovation in conjunction
*with* freedom? In such a case, one wouldn't change the software license from
the GPL to the LGPL, because the LGPL is less pursuant toward those freedoms.
Therefore, VLC instead adopts the ["open source"][5] development model, as it
cares more for competition.

The next concern was to "have more professional developers around VLC".[1] Is
this to imply that free software hackers cannot be professional developers? I
certainly am. Consider projects like the kernel Linux---many companies have
contributed back to that project, which is licensed under the GPLv2. If the goal
is to have more people contributing to your project, then a license like the GPL
is certainly best, as it puts a legal obligation on the distributor to release
the source code, which the parent project may then incorporate. Now, the LGPL
also forces this (except for linked software); since the only [differences
between the GPL and the LGPL][6] deal with the linking exception, this means
that the author is either (a) mistaken in the concern or (b) wishes for more
*proprietary* development around VLC. Alternatively, the author may be
concerned that the GPL introduces compatibility issues between whatever other
"open source" license developers wish to use when linking VLC code, but
again---that means that VLC is devaluing freedom. Risky business, but this is
the model that BSD follows (permitting proprietary derivatives of the entire
software---not just linking---and receiving contributions back from proprietary
software makers.)

Finally, let us consider the issue of Apple's App Store. This is issue is
certainly of strong concern---Apple's products are very popular and yet they do
not even make an attempt to respect the users' freedoms either with their
software or with any of the software they allow on their "App Store".[2]
However, Jean-Baptiste has made a fatal mistake---we should not be changing our
licenses to suit Apple! In effect, that is giving Apple even more power over
free software by allowing them to exert control not only over their users, but
also over the developers of the users' favorite software! We should instead
express our condolences with those users and suggest instead that they adopt a
device or operating system that respects their freedom, or that they jailbreak
their devices (which is [still legal][7]).

I'll end this commentary with an additional response of mine from the
[aforementioned Hacker News thread][4]:

> The freedoms represent an ethical issue---that software developers have
> unprecedented control over their users. Why should I, as a hacker, be able
> to tell you what you can and cannot do with your device? Furthermore, it
> raises deep privacy issues---what kind of data am I collecting and why
> should I have that data?
>
> I entered the free software movement slowly (I began software development on
> Windows as a young boy and was trained to think that bossing the user around
> was a good thing; I thought it was fun to write DRM system and
> anti-features). I began using GNU/Linux while still rationalizing my use of
> proprietary software through Wine or by dual-booting into Windows. I then
> saw the benefits of the "open source" development model. It wasn't until I
> spent the time researching the reasons behind the free software movement
> that things began to click. I was able to look back on everything I learned
> as a developer for Windows and see that I enjoyed the thought of controlling
> my users. I enjoyed the power I got from programming---programming was
> empowerment, and the only way to squeeze the money out of those unsuspecting
> users was to do it forcefully.
>
> People have fundamentally different philosophies when it comes to
> programming. Do all proprietary software developers do so out of greed? On
> some level, sure---they're not contributing that code so that others may
> benefit from it. But are they doing it for the purpose of controlling their
> users? Not necessarily, but they still are, even if they have the best of
> intentions. Is someone who creates proprietary educational software for
> children in third world companies "evil"? Certainly not. The problem is that
> they're denying them an additional right---the right to modify that
> software, learn from it and use their devices as they please.
>
> Of course, we often see proprietary software used unethically, often times
> for vendor lock-in or greed; corporations are worried that if they lighten
> their grip on their users, that the users may run, or worse, do something
> [il]legal. I don't believe that is the place of software developers. I
> remember, back when I used Windows, I was obsessed with magic/illusion. I
> purchased a ton of videos online teaching me various magic tricks, but the
> videos were laced with DRM (which, at the time, as a Windows developer, I
> applauded). The problem was, that I then upgraded my hardware. My videos no
> longer worked. I contacted them for a new key, and could view them again.
> Then I got a new PC. And now I use GNU/Linux. I can no longer watch those
> videos that I purchased because of this unnecessary, artificial restriction.
> Was I going to distribute those videos? No. Did that prevent others from
> stripping the restrictions and distributing it anyway? Certainly not. I was
> being punished for others' actions and the others weren't any worse off from
> the restrictions, because they understood how to defeat them.
>
> Of course, DRM's only one of the many issues (and DRM cannot exist in free
> software, because the community would simply remove the anti-feature). What
> if I were using some software---let's say Photoshop---and it crashed on me
> in the middle of my work. Crap. Well, if I were using GIMP, I would run gdb
> on the core dump (assuming a segfault) and inspect the problem. I would try
> to repeat it. I could, if I wanted to, get my hands on the source code, fix
> the problem and distribute that fix to others. If I didn't have the time or
> ability, others could fix the problem for me, and we have the right to share
> those changes. We have the right to benefit from those changes. With
> Photoshop, we'd better start waiting. What if I was able to magically come
> up with a fix, perhaps by modifying the machine code? Hold on---I'm not
> allowed to do that! And I'm certainly not allowed to distribute that fix to
> others. And I'm certainly not allowed to give my son a copy for his PC if he
> wanted to do an art project for school.
>
> The FSF provides a great deal of information on their philosophy:
> <http://www.gnu.org/philosophy/>. You could also gain a great deal of
> insight by reading up on the history:
> <http://shop.fsf.org/product/free-as-in-freedom-2/> or by reading RMS'
> essays: <http://shop.fsf.org/product/signed-fsfs/>.
>
> And ultimately, you may find that you do not agree with our
> philosophy---many don't. That's certainly your right, and I respect that.
> What I cannot respect, and will not respect, is when that philosophy is used
> to exert control over others.
>
> (As a final note: many say we control developers through our "viral"
> licenses. But keep in mind that we're trying to protect the users *from*
> developers. This means taking power away from developers. This is
> intentional.)

[4]: http://news.ycombinator.com/item?id=4787965
[5]: http://www.gnu.org/philosophy/open-source-misses-the-point.html
[6]: http://www.gnu.org/licenses/lgpl.html
[7]: https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video

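
Review bot: the first Hacker News excerpt (the block between the two "[...]" lines) is not marked up as a blockquote with ">", while the second excerpt at the end of the post is, so the first reads as the post's own body text rather than as a quotation; format both the same way. Typos in the text: "This is issue is certainly" (drop the extra "is"), "write DRM system" ("DRM systems"), and "third world companies" (presumably "countries"). "the LGPL is less pursuant toward those freedoms" is awkward; "does less to protect those freedoms" says the same thing plainly.
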
@ -0,0 +1,16 @@
# Copyright Reform? You're silly.

Amazingly, the Republican Study Committee (RSC) had [released a report
suggesting copyright reform][0]. Of course, that's a silly thing to do when
you're in bed with organizations like the MPAA and RIAA; [the report was quickly
retracted][1].

It would have been a surprising step forward; maybe there's hope yet, assuming
the GOP can get a handle on itself.

(Disclaimer: I have no party affiliation.)

[0]: http://www.techdirt.com/articles/20121116/16481921080/house-republicans-copyright-law-destroys-markets-its-time-real-reform.shtml
[1]: http://www.techdirt.com/articles/20121117/16492521084/hollywood-lobbyists-have-busy-saturday-convince-gop-to-retract-copyright-reform-brief.shtml

<!-- more -->
@ -0,0 +1,58 @@
# Privacy In Light of the Petraeus Scandal

I'm not usually one for scandals (in fact, I couldn't care less who government
employees are sleeping with). However, it did bring up deep privacy
concerns---how exactly did the government get a hold of the e-mails?

The [EFF had released an article answering some questions][0] about the scandal,
which is worth a read. In particular, you should take a look at the [EFF's
Surveillance Self-Defense website][1] for an in-depth summary of the laws
surrounding government surveillance and tips on how to protect against it.

[0]: https://www.eff.org/deeplinks/2012/11/when-will-our-email-betray-us-email-privacy-primer-light-petraeus-saga
[1]: https://ssd.eff.org

I'd like to touch upon a couple things. In particular, [the article mentions][0]:

<!-- more -->

> Broadwell apparently accessed the emails from hotels and other locations, not
> her home. So the FBI cross-referenced the IP addresses of these Wi-Fi
> hotspots "against guest lists from other cities and hotels, looking for common
> names."

To stay anonymous in this situation, one should [consider using Tor][2] to mask
his/her IP address. Additionally, remove all cookies (or use your browser's
privacy mode if it will disable storing and sending of cookies for you) and
consider that your User Agent may be used to identify you, especially if
maleware has inserted its own unique identifiers.

Also according to [the EFF article][0]:

> According to reports, Patraeus and Broadwell adopted a technique of drafting
> emails, and reading them in the draft folder rather than sending them.

That didn't work out so well. Consider [encrypting important communications][3]
using GPG/PGP so that (a) the e-mail cannot be deciphered in transit and (b) the
e-mail can only be read by the intended recipient. Of course, you are then at
risk of being asked to divulge your password, so to avoid the situation
entirely, it would be best to delete the e-mails after reading them.
Additionally, if you host your own services, it may be wise to host your own
e-mail (guides for doing this vary between operating system, but consider
looking at software like [Postfix][4] for mail delivery and maybe [Dovecot][5]
for retrieval).

Privacy isn't only for those individuals who are trying to be sneaky or cheat on
their spouses. Feel free joining the EFF in trying to reform the ECPA to respect
our privacy in this modern era; storing a document digitally shouldn't change
its fundamental properties under the law.

I'd also encourage you to read [Schneier's post on this topic][6], which
summarizes points from many articles that I did not cover here.

[2]: https://ssd.eff.org/tech/tor
[3]: https://ssd.eff.org/tech/encryption
[4]: http://www.postfix.org
[5]: http://www.dovecot.org/
[6]: http://www.schneier.com/blog/archives/2012/11/e-mail_security.html

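
Review bot: the GPG paragraph reads as if encrypting the e-mail would have addressed the exposure the post has just quoted, but OpenPGP protects only the message body: sender, recipient, subject, timestamps and the originating IP address in the headers remain visible to the providers, and the quoted passage says it was IP-address-to-hotel-guest-list correlation, not message contents, that identified Broadwell. State that explicitly so the Tor advice and the encryption advice are not read as interchangeable. Likewise, "delete the e-mails after reading them" removes only your own copy; the provider's copy, the correspondent's copy and any backups are unaffected, which matters given the ECPA point made a few lines later. Typos: "maleware" (malware) and "Feel free joining" (feel free to join). The `<!-- more -->` marker also splits "the article mentions:" from the quotation it introduces; move it above that sentence.
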
@ -0,0 +1,9 @@
# Tor exit node operator raided in Austria

[These things][0] mustn't be allowed to happen; they are an affront to privacy.
Tor exit node operators should not have to fear conviction for activities they
themselves did not perform.

[0]: http://www.lowendtalk.com/discussion/6283/raided-for-running-a-tor-exit-accepting-donations-for-legal-expenses

<!-- more -->
@ -0,0 +1,10 @@
# Warrants For E-mails in the United States

The [Senate Judiciary Committee passed an amendment][0] that requires that they
receive a warrant before spying on our e-mails.

This is excellent; let us hope that it becomes law.

[0]: https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act

<!-- more -->
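
Review bot: "requires that they receive a warrant before spying on our e-mails" has no clear antecedent for "they"; the committee is not the party that would be doing the spying. Name the party (law enforcement, or the government) so the sentence states what the amendment actually requires.
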
@ -0,0 +1,53 @@
# Copyright Assignment Of Free Software Projects

An [e-mail today from Paolo Bonzini][0], a maintainer of GNU sed, has prompted
additional discussion regarding copyright assignment to corporate entities; in
particular, the discussion focuses on copyright assignment to the FSF under the
GNU project.

[0]: http://article.gmane.org/gmane.comp.lang.smalltalk.gnu.general/7873

<!-- more -->

An [article by Michael Kerrisk on LWN.net][1], posted a couple days earlier,
touches on the [same issue brought up by GnuTLS earlier in the month][2]. The
disagreements from the two aforementioned individuals of the GNU-maintained
projects prompt a thoughtful analysis of whether copyright assignment is
appropriate for your own free software project[1]. In contrast, consider the
[developer certificate of origin][3] policy adopted by the Linux project, under
which contributors maintain copyright for their contributions.

There are benefits and downsides to both models---if a project requires
copyright assignment (such as the GNU projects), then enforcement and license
modifications are simplified. As an example, if the Linux project wanted to move
to the GPLv3, they would have to contact each contributor (a similar move was
done recently [by the VLC project][4], except that they moved from the GPL to
the LGPL). However, the Linux project has a much smaller barrier to entry---they
need not [assign copyright of their contributions to the project (such as is the
case with GNU)][5], meaning that individuals may be more likely to contribute.

One of the major benefits touted by the FSF for copyright assignments from
contributors is [copyright enforcement][6]---another complication that would
arise from enforcing the GPL in a project such as Linux. That said, as the LWN
article mentions[2], what if [the FSF cannot find the time to enforce the
copyright on a project violation][7]? Then again, what of the flipside---do you
have the time or money to enforce violations on your own projects were they not
assigned to a corporation like the FSF?

These are interesting discussions and certainly things that should be considered
when determining how to handle both contributions and the copyright for your
entire project. Ultimately, that decision falls on you, the author/maintainer,
and your needs.

(Disclaimer: I am an associate member of the Free Software Foundation. This
article does not reflect any of my personal opinions; whether or not I would
assign copyright to the FSF for any of my projects would be determined based on
the goals and plan of that particular project.)

[1]: http://lwn.net/SubscriberLink/529522/854aed3fb6398b79/
[2]: http://lwn.net/Articles/529558/
[3]: http://elinux.org/Developer_Certificate_Of_Origin
[4]: http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html
[5]: http://git.savannah.gnu.org/cgit/gnulib.git/tree/doc/Copyright/assign.changes.manual#n64
[6]: http://www.gnu.org/licenses/why-assign.html
[7]: http://lwn.net/Articles/529777/
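
Review bot: the footnote references are crossed: "as the LWN article mentions[2]" points at [2], which is the GnuTLS story, while the LWN article by Michael Kerrisk is [1]; and "appropriate for your own free software project[1]" uses a bare bracketed number where the rest of the post uses reference links. "The two aforementioned individuals" also names only one person (Paolo Bonzini); the GnuTLS mention refers to a project rather than a person, so either name the GnuTLS maintainer or reword. Finally, the disclaimer's "does not reflect any of my personal opinions" reads oddly in a first-person post; if the intent is that the post does not represent the FSF's position, say that.
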
@ -0,0 +1,46 @@
# Congress Approves FISA For Another 5 Years

At a [vote of 73-23][0], Congress has voted to [extend FISA warentless spying
bill by five more years[1], even shooting down [proposed amendments][2] to the
bill.[3]

[0]: https://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=112&session=2&vote=00236
[1]: https://www.eff.org/deeplinks/2012/12/congress-disgracefully-approves-fisa-warrantless-eavesdropping-bill-five-more
[2]: https://www.eff.org/deeplinks/2012/12/why-we-should-all-care-about-senates-vote-fisa-amendments-act-warrantless-domestic
[3]: http://arstechnica.com/tech-policy/2012/12/as-senate-votes-on-warrantless-wiretapping-opponents-offer-fixes/

<!-- more -->

Thank you to those senators that [opposed the bill][0]:

> Akaka (D-HI);
> Baucus (D-MT);
> Begich (D-AK);
> Bingaman (D-NM);
> Brown (D-OH);
> Cantwell (D-WA);
> Coons (D-DE);
> Durbin (D-IL);
> Franken (D-MN);
> Harkin (D-IA);
> Leahy (D-VT);
> Lee (R-UT);
> Menendez (D-NJ);
> Merkley (D-OR);
> Murkowski (R-AK);
> Murray (D-WA);
> Paul (R-KY);
> Sanders (I-VT);
> Schatz (D-HI);
> Tester (D-MT);
> Udall (D-CO);
> Udall (D-NM);
> Wyden (D-OR).

Unfortunately, the two senators from my own state cannot join that list.

The [EFF has sumarized the surveillance issues of 2012][4] recently on their
website.

[4]: https://www.eff.org/deeplinks/2012/12/2012-review-effs-fight-against-secret-surveillance-law

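
Review bot: the reference link in the first sentence is malformed: "[extend FISA warentless spying bill by five more years[1]" lacks the closing "]" before "[1]", so Markdown will not render it as a link. Typos: "warentless" (warrantless) and "sumarized" (summarized). Also, the 73-23 roll call linked at [0] is a Senate vote (senate.gov, 112th Congress, session 2, vote 236), so "Congress has voted" in the heading and first sentence should say "the Senate".
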
@ -0,0 +1,9 @@
# Happy New Year

The greatest excitement in moving into a new year is the prospect of quantified
growth.

Of course, it also means another year to look forward to the health of those you
care for.

<!-- more -->
@ -0,0 +1,29 @@
# DNA Collection

Consider a recent article from the EFF [regarding "Rapid DNA Analyzers"][0].
The article poses the potetial issues involved, but also consider that any DNA
collected (if not destroyed) would violate not just your privacy, but your
entire blood line. What if DNA from immigrants were collected? Much of that
information is inherited, so generations down the line, your privacy is still
violated.

[0]: https://www.eff.org/deeplinks/2012/12/rapid-dna-analysis

<!-- more -->

I cannot comment intelligently on the matter since I haven't read deeply enough
into the proposed storage/hashing/etc policies, but those polices can be abused
and such data can be leaked. I highly oppose any sort of DNA collection outside
of personal at-home use (when the technology is available with free software)
and use by medical professionals for personal medical reasons so long as the
institution performing the test can provide stringent evidence of its
destruction. But even then, if law enforcement somehow got a hold of the DNA
before it were destroyed, then the problem still exists, so it would be best if
you had your own personal tools to analyze your own DNA and distribute only the
portions that were required (and encryption tools like [GPG][1] could be used
for distribution).

One day, but not now. Let's make those scanners affordable and run free
software.

[1]: http://www.gnupg.org/
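
Review bot: typos: "potetial" (potential), "polices" (policies), and "highly oppose" should be "strongly oppose". "storage/hashing/etc policies" would read better as "storage, hashing and related policies".
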
@ -0,0 +1,15 @@
# USPTO Wants To Hear From Software Community

The [USPTO wants to hear from the software community][0]. Interesting, but the
problem is that the "software community" includes more than just those who
find software patents to be an abomination.

I have [mentioned issues with software patents in a previous post][1], but one
resource that may be worth looking at direclty is ["The Case Against
Patents"][2] [pdf].

[0]: http://www.groklaw.net/article.php?story=20130104012214868
[1]: http://mikegerwitz.com/thoughts/2012/10/Abolishing-Patents.html
[2]: http://research.stlouisfed.org/wp/2012/2012-035.pdf

<!-- more -->
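
Review bot: "direclty" should be "directly".
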
@ -0,0 +1,41 @@
# LuLu Says Goodbye to DRM

On January 8th, [LuLu announced that they would be dropping DRM][0] for users
who "[download] eBooks directly from Lulu.com to the device of their choice".
This is a wise move (for [those of us who oppose DRM][1]), but unfortunately, as
John Sullivan of the Free Software Foundation noted on the fsf-community-team
mailing list, the [comments on LuLu's website][0] are not all positive:

[0]: http://www.lulu.com/blog/2013/01/drm-update/
[1]: http://defectivebydesign.org/

> This is a positive development, but unfortunately there has been a lot
> of negative reaction in the comments on their announcement.
>
> It'd be great if people could chime in and support them their move away
> from DRM.

<!-- more -->

At first glance, certain authors seem to be concerned that the absense of DRM
will lead to ["more illegal file sharing"][0]:

> [...] I’ve got copies of my non-DRM ebooks all over the torrent sites and
> thousands of downloads registered, for which I haven’t received a cent. As
> soon as you push for them to be taken down, they’re posted up again.

While it is unfortunate that those authors are not receiving compensation for
their hard work, it should be noted that this problem exists even *with*
DRM, so it is not a valid argument toward keeping it.

I applaud this move by LuLu, though I'm disappointed to see [this comment in the
original post][0]:

> Companies like Amazon, Apple and Barnes & Noble integrate a reader’s
> experience from purchasing to downloading and finally to reading. These
> companies do a fantastic job in this area, and eBooks published through Lulu
> and distributed through these retail sites will continue to have the same
> rights management applied as they do today.

They do not do it well; no DRM is good DRM.

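
Review bot: "absense" should be "absence". In the quoted mailing-list message, "support them their move" is presumably "support them in their move"; if it is kept verbatim, mark it [sic]. The closing "no DRM is good DRM" is ambiguous between "no DRM is good" and "there is no good DRM"; since the point being made is the latter, state it directly.
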
@ -0,0 +1,171 @@
# Re: FSF Wastes Away Another "High Priority" Project

A couple days ago, my attention was drawn to an article on Phoronix that
[criticized the FSF for its decision to stick with GPLv3 over GPLv2 on
LibreDWG][0] due to the number of projects that make use of it---licensed under
the GPLv2---under [a now incompatible][1] license. This article is very negative
and essentially boils down to this point (the last paragraph):

> Unless the Free Software Foundation becomes more accomodating [sic] of these
> open-source developers -- who should all share a common goal of wanting to
> expand free/open-source software -- LibreDWG is likely another project that
> will ultimately waste away and go without seeing any major adoption due to
> not working with the GPLv2.

It it worth mentioning why this view is misguided (though understandable for
those who adopt the ["open source" philosophy over that of software
freedom][2]).

[0]: http://www.phoronix.com/scan.php?page=news_item&px=MTI4Mjc
[1]: http://www.gnu.org/licenses/gpl-faq.html#WhatDoesCompatMean
[2]: http://www.gnu.org/philosophy/open-source-misses-the-point.html

<!-- more -->

Let me start with [this paragraph from the Phoronix article][0]:

> The Free Software Foundation was contacted about making LibreDWG GPLv2+
> instead (since the FSF is the copyright holder), but the FSF/Richard Stallman
> doesn't the DWG library on the earlier version of their own open-source
> license.

The FSF's founding principle is that of [software freedom][3] (beginning with the
GNU project). Now, consider the reason for the creation of the GPLv3---the GPLv2
[could not sufficiently protect against][4] software patents and newer threats such
as "tivoization". These goals further the FSF's mission of ensuring---in
this case---that free software *remains* free ([a concept that RMS coined
"copyleft"][5]). It would make sense, then, that the FSF (and RMS') position is
that [it is important that we adopt the GPLv3 for our software][6].

From this perspective, it does not make sense to "downgrade" LibreDWG's
license to the GPLv2, which contains various bugs that have since been patched
in GPLv3---it is not pursuant to the FSF's goals. (Of course, not all agree with
the GPLv3; one such notable disagreement (as well as issues
stemming from copyright assignment) leaves the kernel Linux [perpetually licensed
under the GPLv2][7] since it does not contain the ["or later" clause][8]).

That is not to say that the author's concern is not legitimate---a number of
projects are licensed under the GPLv2 and therefore cannot use the newer (and
improved) versions of LibreDWG that are licensed under the GPLv3 (unless they
were to upgrade to the GPLv3, of course). Whether or not upgrading is feasible
(e.g., in the case of the kernel Linux, it is not) is irrelevant---let us
instead focus on the issue of adoption under the assumption that the project is
either unwilling or unable to make use of a library licensed under the GPLv3.

As aforementioned, [the author focuses on the issue of adoption][0]:

> LibreDWG is likely [...to] go without seeing any major adoption due to not
> working with the GPLv2

A focus on adoption is a [focus of "open source", not free software][2], the
latter of which the FSF represents. With a focus on software freedom, the goal
is to create software that respects the [users' four essential freedoms][9]; if
the software is adopted and used, great! However, freedom should never be
sacrificed in order to encourage adoption. One may argue that "downgrading" to
the GPLv2 is not sacrificing freedom because the software is still free (it is
even the GPL)---but it is important to again realize that the GPLv3 is "more
free" than the GPLv2 in the sense that it [*protects* additional freedoms][6];
so, while the GPLv2 isn't necessarily sacrificing users' freedoms directly, it
does have such an indirect effect through means of enforcement.

A reader familiar with GNU may then point out the LGPL---the Lesser General
Public License---under which popular (and very important) [libraries such as
glibc are licensed][10]. In fact, one could extend this argument to any
library---why not have LibreDWG licensed under the LGPL to avoid this problem in
its entirety, while still preserving the users' freedoms for that library in
itself? This understanding requires a brief lesson in history---the rationale
under which the LGPL was born. [To quote the GNU project][11]:

> Using the ordinary GPL is not advantageous for every library. There are
> reasons that can make it better to use the Lesser GPL in certain cases. The
> most common case is when a free library's features are readily available for
> proprietary software through other alternative libraries. In that case, the
> library cannot give free software any particular advantage, so it is better to
> use the Lesser GPL for that library.

It was for this reason that glibc was released under the LGPL---because it was
better to have the users adopt some sort of free software than none at all;
there were other alternatives that existed that users may flock to if they were
forced to liberate their own proprietary software (after all, the C API is also
standardized, so such a feat would be trivial). Now that glibc has since matured
greatly, it could be argued today that it has proved its usefulness and the LGPL
may no longer be necessary, but such a discussion is not necessarily relevant
for this conversation.

What is important is that [the FSF does not recommend the LGPL for most
libraries][11] because that would encourage proprietary software developers to
take advantage of both the hard work of the free software community and the
users of the software. Now, I cannot speak toward the alternatives to
LibreDWG---do there exist proprietary alternatives that are reasonable
alternatives to non-commercial projects? I do not have experience with the
library. However, I hope by this point the FSF's position has been rationalize
(even if you---the reader---do not agree with it).

Of course, this rationalization will still leave a sour taste in the mouth of
those "open source" developers (or perhaps even some free software developers)
that think in terms of what is "lost": these projects---which are themselves
free software and therefore beneficial to our community---cannot take advantage
of *other free software* due to this licensing issue. Since these projects had
already existed when LibreDWG was licensed under the GPLv2, the relicensing to
GPLv3 may seem unfair and, therefore, a "loss". It is difficult to counter
such an argument if the above rationale has not been sufficient; nor will I
argue that the situation is not unfortunate, should the projects be unable to
relicense. However, it must be understood that, to ensure the future of free
software, the FSF must adopt to combat today's threats and so too must other
free software projects.

The Phoronix article mentioned two projects in particular that suffer from
LibreDWG's relicensing: [LibreCAD and FreeCAD][0]. LibreCAD omits the "or later"
clause that was mentioned above, preventing them from easily migrating to the
GPLv2 (which is [against the FSF's recommendation][12]). Unless the project
requires that contributors assign copyright to the project owner, then they
would have to get permission from each contributor (or rewrite the code) in
order to change the license (which is not unheard of; [VLC had done so recently
to migrate from the GPL to the LGPL][13]); this is a significant barrier for any
project with multiple contributors, especially when your project is a derivative
work (of QCad).

The other project mention was FreeCAD, and the author of the article mentions
that the project depends on Coin3D and Open CASCADE, "both of which are
GPLv2", so [the project cannot migrate to GPLv3][0]. A quick look at Coin3D's
website shows that the software is actually licensed under the modified
(3-clause) BSD license, and so [migrating to the GPLv3 is not an issue][15]. Open
CASCADE has its own "public license" that I do not have the time to evaluate
(nor am I lawyer, so I do not wish to give such advice), so I cannot speak to
its compatibility with the GPLv3. That said, I'm unsure if it would be a barrier
toward FreeCAD's adoption of the GPLv3.

Ultimately, the moral of the story is to plan for the *future*---if you use a
project licensed under the GPL, ensure that it has the "or later" clause that
allows it to be licensed under later version of the GPL, since you can be sure
that the FSF and many other free software developers will be quick to adopt the
license. Of course, many may not be comfortable with such a licensing decision:
you effectively are giving the FSF permission to relicense you work by simply
releasing a new version of the GPL. It is your decision whether you are willing
to place this kind of trust in the organization responsible for starting the
free software movement in the first place.

Readers may now assume that I am placing the entire blame and onus on the
implementors of LibreDWG. The onus, perhaps, but not the blame---this truly is
an unfortunate circumstance that takes away from hacking a free software
project. Unfortunately, the projects are stuck in a bad place, but the FSF is
not to blame for standing firm in their ideals. Instead, this can be thought of
as a maintenance issue---rather than a source code refactoring resulting from a
library API change, we instead require a "legal code" refactoring resulting
from a "legal API" change.

[3]: http://www.fsf.org/about/
[4]: http://www.gnu.org/licenses/quick-guide-gplv3.html
[5]: http://www.gnu.org/copyleft/
[6]: http://www.gnu.org/licenses/rms-why-gplv3.html
[7]: http://lwn.net/Articles/200422/
[8]: http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility
[9]: http://www.gnu.org/philosophy/free-sw.html
[10]: http://www.gnu.org/licenses/lgpl.html
[11]: http://www.gnu.org/licenses/why-not-lgpl.html
[12]: http://www.gnu.org/licenses/gpl-howto.html
[13]: http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html
[14]: https://bitbucket.org/Coin3D/coin/wiki/Home
[15]: http://www.gnu.org/licenses/license-list.html#ModifiedBSD
[16]: http://www.opencascade.org/getocc/license/
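Review bot: in the LibreCAD paragraph, "preventing them from easily migrating to the GPLv2" should read GPLv3; LibreCAD is already under the GPLv2 without the "or later" clause, and the clause's absence is what blocks a move to the newer version, as the earlier paragraph about the kernel Linux explains. In the FreeCAD paragraph, two reference definitions are never used: [14] (the Coin3D wiki) and [16] (the Open CASCADE license page), while the Coin3D sentence links only [15], the GNU license list; either attach [14] and [16] to "Coin3D's website" and "public license" or drop the definitions. Smaller fixes: "It it worth mentioning" should be "It is", "has been rationalize" should be "rationalized", "the FSF must adopt to combat" should be "adapt", "The other project mention was" should be "mentioned", "nor am I lawyer" should be "a lawyer", "under later version of the GPL" should be "later versions", and "relicense you work" should be "your work". The quoted Phoronix sentence "the FSF/Richard Stallman doesn't the DWG library" is missing its verb in the original; mark it [sic] as the first quote does for "accomodating".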
@ -0,0 +1,7 @@
# Phone "Unlocking" Once Again Illegal

[Ridiculous.][0] We should own the hardware that we purchase.

[0]: https://www.eff.org/is-it-illegal-to-unlock-a-phone

<!-- more -->
@ -0,0 +1,102 @@
# Re: Who Does Skype Let Spy?

Today, [Bruce Schneier brought attention to privacy concerns surrounding
Skype][0], a very popular ([over 600 million users][1]) VoIP service that has
since been acquired by Microsoft. In particular, [users are concerned over what
entities may be able to gain access to their "private" conversations][1]
through the service---Microsoft has refused to answer those kinds of questions.
While the specific example of Skype is indeed concerning, it raises a more
general issue that I wish to discuss: The role of free software and SaaS
(software as a service).

[0]: http://www.schneier.com/blog/archives/2013/01/who_does_skype.html
[1]: http://www.skypeopenletter.com/

<!-- more -->

To [quote Schneier][0]:

> We have no choice but to trust Microsoft. Microsoft has reasons to be
> trustworthy, but they also have reasons to betray our trust in favor of other
> interests. And all we can do is ask them nicely to tell us first.

Schneier continues to admit, in similar words, that [we are but "vassals" to
these entities and that they are our serfs][2]. His essays regarding the [power of
corporations and governments over their users][3] echo the words of Lawrence
Lessig in his [predictions of a "perfectly regulated" future made possible by
the Internet][4]. While Lessig (despite what his critics have stated in the
past) seems to have been correct in many regards, we need not jump into the
perspective of an Orwellian dystopia where we are but "vassals" to the
Party.[^5] Indeed, this is only the case---at least at present---if you choose to
participate in the use of services such as Skype, as ubiquitous as they may be.

Skype is a useful demonstration of the unfortunate situation that many users
place themselves in by trusting their private data to Microsoft. Skype itself is
proprietary---we cannot inspect its source code (easily) in order to ensure that
it is respecting our privacy. (Indeed, as a user on [the HackerNews
discussion][6] pointed out, [Skype has installed undesirable software in the
past][7].) If Skype were [free software][8], we would be able to inspect its
source code and modify it to suit our needs, ensuring that the software did only
what we wanted it to do---ensuring that Microsoft was not in control of us.

However, even if Skype were free software, there is another issue at work that
is often overlooked by users: Software as a Service (SaaS). When you make use of
services that are hosted on remote servers (often called "cloud"
services)---such as with Skype, Facebook, Twitter, Flickr, Instagram, iTunes,
iCloud and many other popular services---you are blindly entrusting your data to
them. Even if the Skype software were free (as in freedom), for example, [we
still cannot know what their servers are doing with the data we provide to
them][9]. Even if Skype's source code was plainly visible, the servers act as a
black box. Do they monitor your calls? [Does Facebook abuse your data?][10] How is
that data stored---[what happens][1] in the event of a data breach, or in the event
of a warrant/subpoena?

The only way to be safe from these providers is to [reject these services
entirely and use your own software on your own PC][9], or use software that will
connect directly to your intended recipient without going through a 3rd
party. (Never mind your ISP; that is a separate issue entirely.) If you must
use a 3rd party service, ensure that you can adequately encrypt your
communications (e.g. using GPG to encrypt e-mail communications)---something
that may not necessarily be easy/possible to do, especially if the software is
proprietary and works against you.

The EFF has published [useful information on protecting yourself against
surveillance][11], covering topics such as encryption and anonymization.

If we are to resist the worlds that [Lessig][4] and [Schneier][3] describe, then we
must [stand up for our right to privacy and demand action][12]. [Who will have
your back][13] when we're on the brink of ["perfect regulation"][4]; who will
stand up for your rights and work *with* you---not against you---to preserve
your liberties? Without this push, services like Skype empower governments and
other entities to work toward perfect regulation---to continuously spy on
everything that we do. With everyone putting their every thought and movement on
services like Facebook, [Twitter][14] and Skype, the Orwellian Thought Police have
the ability to manifest in a form that not even Orwell could have
imagined---unless it is stopped.

To help [preserve your ever-dwindling rights online][15], consider becoming a
member of or participating in the campaigns of the [Free Software
Foundation][16], [Electronic Frontier Foundation][17], the [American Civil
Liberties Union][18] or any other organizations dedicated toward free society.

(Disclaimer: I am a member of the Free Software Foundation.)

[2]: http://www.schneier.com/essay-406.html
[3]: http://www.schneier.com/essay-409.html
[4]: http://codev2.cc/
[6]: http://news.ycombinator.com/item?id=5139801
[7]: http://blogs.skype.com/garage/2011/05/easybits_update_disabled_for_s.html
[8]: http://www.gnu.org/philosophy/free-sw.html
[9]: http://www.gnu.org/philosophy/who-does-that-server-really-serve.html
[10]: https://www.eff.org/deeplinks/2013/01/facebook-graph-search-privacy-control-you-still-dont-have
[11]: https://ssd.eff.org
[12]: https://www.eff.org/deeplinks/2013/01/its-time-transparency-reports-become-new-normal
[13]: https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
[14]: https://www.eff.org/deeplinks/2013/01/google-twitters-new-transparency-report-shows-increase-government-demands-sheds
[15]: https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8750
[16]: http://www.fsf.org/register_form?referrer=5804
[17]: https://supporters.eff.org/donate
[18]: https://www.aclu.org/donate/join-renew-give

[^5]: Orwell, George. Nineteen Eighty-Four. ISBN 978-0-452-28423-4.
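Review bot: the paraphrase of Schneier's essay [2] in the paragraph after the first quote, "we are but "vassals" to these entities and that they are our serfs", contradicts itself: a vassal serves a lord, so if users are the vassals the companies are the lords, not "our serfs"; the later sentence "we are but "vassals" to the Party" applies the metaphor the right way round. Also "Even if Skype's source code was plainly visible" should be "were", matching "If Skype were free software" in the paragraph above.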
@ -0,0 +1,8 @@
# What is CISPA and Why is it Dangerous?

The EFF has put together an excellent [FAQ on CISPA][0], the "cybersecurity"
bill that was reintroduced to congress earlier this month.

[0]: https://www.eff.org/deeplinks/2013/02/cispas-back-faq-what-it-and-why-its-still-dangerous

<!-- more -->
@ -0,0 +1,15 @@
# DMR: "Very early C compilers and language"

An interesting article by Dennis Ritchie discussing [early C compilers][0]
recovered from old DECtapes. The source code and history are fascinating reads.
The quality of the code (the "kludgery"[1], as he puts it) to me just brings
smiles---I appreciate seeing the code in its original glory.

It is also saddening reading the words of such a great man who is no longer with
us; perhaps it helps to better appreciate his legacy.

[0]: http://cm.bell-labs.com/cm/cs/who/dmr/primevalC.html
[1]: http://www.catb.org/~esr/jargon/html/K/kludge.html

<!-- more -->
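Review bot: `"kludgery"[1]` in the first paragraph is a bare shortcut reference; with `[1]: http://www.catb.org/...` defined below, Markdown renders it as a link whose visible text is the digit 1, not as a footnote. The other posts in this commit use `[^n]` for footnotes (`[^4]` in "Adding 1 and 1 in PHP", `[^5]` in the Skype post), so either write `"kludgery"[^1]` with a matching `[^1]:` definition or give the link real text, for example `["kludgery"][1]`.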
@ -0,0 +1,8 @@
# Libreated Pixel Cup Winners Announced

[Congratulations][0] to the [winners of the Liberated Pixel Cup][1].

[0]: http://www.fsf.org/news/winners-announced-for-free-software-gamings-highest-honor-the-liberated-pixel-cup
[1]: http://lpc.opengameart.org/content/code-judging-is-in

<!-- more -->
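Review bot: the heading misspells the name as "Libreated Pixel Cup"; the body text and both link targets spell it "Liberated". The internal links elsewhere in this commit (for example `/2013/01/phone-unlocking-once-again-illegal`) are title-derived slugs, so check whether this post's URL inherits the misspelling before fixing the heading.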
@ -0,0 +1,35 @@
# Google Says the FBI Is Secretly Spying on Some of Its Customers

A Wired article mentions [figures released from Google][0] regarding National
Security Letters issued by the NSA under the Patriot Act. It is too early to
comment in much detail on this matter (I would like to wait for commentary from
the EFF), but, as the article mentions:

[0]: http://www.wired.com/threatlevel/2013/03/google-nsl-range/?cid=co6199824

> Google said the number of accounts connected to National Security letters
> ranged between “1000-1999″ for each of the reported years other than 2010. In
> that year, the range was “2000-2999.”

<!-- more -->

The [EFF provides additional information, including recommendations on what to
do about such requests][1] via their Surveillance Self-Defense website. As
quoted from that website:

> And it's even worse for FISA subpoenas, which can be used to force anyone to
> hand over anything in complete secrecy, and which were greatly strengthened
> by Section 215 of the USA PATRIOT Act. The government doesn't have to show
> probable cause that the target is a foreign power or agent — only that they
> are seeking the requested records "for" an intelligence or terrorism
> investigation. Once the government makes this assertion, the court must
> issue the subpoena.

To add insult to injury:

> FISA orders and National Security Letters will also come with a gag order that
> forbids you from discussing them. Do NOT violate the gag order. Only speak to
> members of your organization whose participation is necessary to comply with
> the order, and your lawyer.

[1]: https://ssd.eff.org/foreign/fisa
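Review bot: the first paragraph says the National Security Letters were "issued by the NSA under the Patriot Act", but the heading attributes them to the FBI, and the FBI is the agency that issues NSLs; the paragraph should say FBI. In the quoted Google figures, the closing mark after 1000-1999 is a double-prime character (″) rather than a right double quotation mark (”), so it will render differently from the matching “2000-2999.” on the next line.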
@ -0,0 +1,41 @@
# Adding 1 and 1 in PHP

An amusing demonstration; it is my hope that [readers will not take this PHP
library seriously][0]. This is likely a parody of the over-engineering that
often takes foot in Object-Oriented development (a game of "how many GoF[^4]
design patterns can we use in this project" anyone?).

[0]: https://github.com/Herzult/SimplePHPEasyPlus

<!-- more -->

That is not to say that "OOP is bad" (just as object-oriented developers often
consider procedural code bad, when they may just be terrible at writing
procedural code). Indeed, I wrote [an ECMAScript framework for Classical OOP
(ease.js)][1]. The problem is that, with the excitement and misunderstandings
that surround "good" object-oriented design, designers are eager to
over-abstract their implementations (I have been guilty of the same thing).
Object oriented programming is often taught to novice CS students (often with
the reign of Java in schools)---teaching practices that can be good principles
when properly applied and in moderation---which [I have also seen contribute to
such madness][2].

Abstractions are highly important, but only when necessary and when they lead to
more concise representations of the problem than would otherwise occur (note
that some problems are inherently complicated and, as such, a concise
representation may not seen concise). I'm a strong advocate of DSLs when
abstractions begin to get in the way and increase the verbosity of the code
(languages with strong macro systems like lisp help eliminate the need for
DSLs written from scratch)---design patterns exist because of deficiencies in
the language: They are "patterns" of code commonly used to achieve a certain
effect.

[Criticisms against OOP are abundant][3], just as every other paradigm.

[1]: http://easejs.org
[2]: http://c2.com/cgi/wiki?TextbookOo
[3]: http://c2.com/cgi/wiki?ArgumentsAgainstOop

[^4]: Design Patterns: Elements of Reusable Object-Oriented Software. ISBN
0-201-63361-2. Gamma, Helm, Johnson and Vlissides (the "Gang of Four").
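Review bot: "over-engineering that often takes foot in Object-Oriented development" mixes idioms; "takes root" or "takes hold" is meant. Two more in the same hunk: "a concise representation may not seen concise" should be "seem", and the closing line "just as every other paradigm" reads as if OOP is being compared to the other paradigms rather than to criticisms of them; "just as with every other paradigm" or "as they are against every other paradigm" says what is intended.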
@ -0,0 +1,50 @@
# Oxford University Blocks Google Docs

Oxford University decided to [block Google Docs][0] last month due to phishing
attacks against its users. To quote the blog post:

[0]: http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/

> Almost all the recent attacks have used Google Docs URLs, and in some cases
> the phishing emails have been sent from an already-compromised University
> account to large numbers of other Oxford users. Seeing multiple such incidents
> the other afternoon tipped things over the edge. We considered these to be
> exceptional circumstances and felt that the impact on legitimate University
> business by temporarily suspending access to Google Docs was outweighed by the
> risks to University business by not taking such action.

<!-- more -->

This incident was brought to my attention by [a blog post by Schneier][1], in
which he referenced his [essay on "feudal security"][2] (I commented in more
detail on this essay in [my response to a previous blog post of
his][3].[^blog]) In this case, Oxford is trusting that it knows better than its
users and has the right to exercise this power over them in light of their
inexperience with handling these situations (or even recognizing them).

This may very well be the case---the Oxford IT department probably does have a
better understanding of security than many of their users. However, by blocking
access to Google Docs, they are also blocking access to millions of legitimate
articles hosted there, which is far from acceptable. Oxford is more than just a
workplace---for which many would argue these actions are acceptable; it is a
university that should encourage freedom of expression. They simply must find a
better way of dealing with these problems. If a user falls victim to a phishing
attack within Oxford, they will likely fall victim outside of it.

Would Oxford consider blocking e-mail access too (where phishing attacks are
very cheap and common)?

> We appreciate and apologise for the disruption this caused for our users.
> Nevertheless, we must always think in terms of the overall risk to the
> University as a whole, and we certainly cannot rule out taking such action
> again in future [...]

N.B.: Google Docs is proprietary and I cannot recommend its use any more than I
can recommend use of Microsoft Office.

[1]: https://www.schneier.com/blog/archives/2013/03/oxford_universi.html
[2]: https://www.schneier.com/essay-406.html
[3]: /2013/01/re-who-does-skype-let-spy

[^blog]: (I posted a link to my response on his blog, but he did not approve the comment.)
@ -0,0 +1,40 @@
# White House Supports Cell Phone Unlocking

Earlier this week, the starter of the [White House petition to "Make Unlocking
Cell Phones Legal"][0] posted a [thread on Hacker News][1] stating that the
White House had officially responded, stating:

> The White House agrees with the 114,000+ of you who believe that consumers
> should be able to unlock their cell phones without risking criminal or other
> penalties. In fact, we believe the same principle should also apply to
> tablets, which are increasingly similar to smart phones. And if you have paid
> for your mobile device, and aren't bound by a service agreement or other
> obligation, you should be able to use it on another network. It's common
> sense, crucial for protecting consumer choice, and important for ensuring we
> continue to have the vibrant, competitive wireless market that delivers
> innovative products and solid service to meet consumers' needs.

<!-- more -->

The petition---as stated in the above response---garnered over 114,000
signatures. The response is exciting news because the Library of Congress had
[removed the phone unlocking exemption][2] at the beginning of this year. (As
the EFF points out, [this may not necessarily mean that unlocking your phone is
"illegal"][3]).

However, although this response is getting a lot of attention (I was surprised
to see my local news station report on it), this is not yet cause for
celebration; it is my hope that the White House will now follow through with
this statement and act upon it appropriately.

(The [EFF has also posted their own comments on the White House's response][4].)

This is just one issue in [a string of problems that is the DMCA][5].

[0]: https://petitions.whitehouse.gov/petition/make-unlocking-cell-phones-legal/1g9KhZG7
[1]: https://news.ycombinator.com/item?id=5319577
[2]: /2013/01/phone-unlocking-once-again-illegal
[3]: https://www.eff.org/is-it-illegal-to-unlock-a-phone
[4]: https://www.eff.org/deeplinks/2013/03/white-house-supports-unlocking-phones-real-problem-runs-deeper
[5]: https://www.eff.org/wp/unintended-consequences-under-dmca
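Review bot: "the starter of the White House petition" in the first sentence is an awkward noun; "the creator of" or "the person who started" reads naturally, and the sentence then ends with "responded, stating:" right after "stating that", so one of the two should go. The parenthetical "(As the EFF points out, [...] "illegal"][3])." is a complete sentence, so its period belongs inside the closing parenthesis.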
@ -0,0 +1,109 @@
# HTML5 DRM

Two acronyms that, until very recently, would seem entirely incompatible---HTML,
which is associated with an unencumbered, free (as in freedom) representation of
a document, and [DRM][0], which [exists for the sole purpose of restricting
freedom][1].[^bias] Unfortunately, Tim Berners-Lee---the man attributed to
["inventing" the Internet][18]---mentioned in a [keynote talk at SXSW][15] that [he is
not opposed to introducing DRM into the HTML5 standard][4]:

[^bias]: (Disclaimer: I am an associate member of the [Free Software
Foundation][2] and, as such, this reference is intentionally bias; feel free
to see the [Wikipedia article on DRM][3] for more general information.)

> [Tim Berners-Lee] did not, however, present himself as an opponent of digital
> locks. During a post-talk Q&A, he defended proposals to add support for
> "digital rights management" usage restrictions to HTML5 as necessary to get
> more content on the open Web: "If we don't put the hooks for the use of DRM
> in, people will just go back to using Flash," he claimed.

<!-- more -->

Many who oppose DRM refer to it as ["digital restrictions management"][0]---a
phrase that better describes how it affects the user. The "rights" that
"digital rights management" describes are the "rights" (in terms of
copyright) of publishers and copyright holders: They wish to lock down their
content so that [you, the user, can only access it as *they* please][5]. Has
["your" device][25] ever told you that [you cannot share a book with your
friends][6][17][24]? Has your device ever [deleted your content without your
permission][7][8]? Does your device grant you [less privileges if you decide to
liberate yourself from it][9] through "jailbreaking"?[^jb] Does the software you
run [potentially spy on you without telling you][11], without giving you the
option to correct it? Or perhaps the games you play [require you to be online,
even in single-player mode][12].

[^jb]: I go into more detail on jailbreaking and its current legality as of
the time of writing [in a previous article of mine][10].

These are but a small handful of [examples of the many mistakes and injustices
of Digital Restrictions Management][5]. These restrictions take additional
effort---that is, development time, which also means more money---to build into
software; computers, by their very nature, do exactly as they are told, meaning
that they can only work against you if someone else tells it to (unless you tell
your computer to make your life miserable...if you're into that sort of thing).
As such, we refer to these restrictions as ["anti-features"][23].

> Corporations claim that DRM is necessary to fight copyright infringement
> online and keep consumers safe from viruses. But there's no evidence that DRM
> helps fight either of those. Instead DRM helps big business stifle innovation
> and competition by making it easy to quash "unauthorized" uses of media and
> technology.

It is this logic that [corporations][13] (and even some individuals, such as
[authors][14]) use to influence entities such as the W3C---and Tim
Berners-Lee---into [thinking that DRM is necessary][15]. The [W3C describes a
"trust infastructure"][16] that could be standardized for bringing DRM to the
web:

> It is clear that user domains (eg eBook trading, sub-rights trading, streaming
> music, etc.) each require sets of Rights Primitives that those domains wish do
> useful things with.

This is an unfortunate perspective, especially since those "useful things" are
exactly the opposite for users. The Internet strongly promotes the free,
(generally) unencumbered flow of information. To [quote W3C][19]:

> The social value of the Web is that it enables human communication, commerce,
> and opportunities to share knowledge. One of W3C's primary goals is to make
> these benefits available to all people, whatever their hardware, software,
> network infrastructure, native language, culture, geographical location, or
> physical or mental ability.

A DRM implementation flies in the face of those goals, as it is, by definition,
restrictive---how can we be encouraged to share by using systems that aim to
[prevent that very thing][0]?

Richard Stallman has already announced that the [FSF will "campaign against W3C
support for DRM"][20]; let's hope that many others will join in on this
campaign, hope that organizations like the EFF will continue to fight for our
rights, and further hope that users will [reject DRM-laden products][22]
outright. [DRM cannot exist in free software][25] and it cannot exist on a
network that facilitates free information.

[0]: http://www.defectivebydesign.org/what_is_drm
[1]: http://www.defectivebydesign.org/
[2]: http://fsf.org
[3]: https://en.wikipedia.org/wiki/Digital_rights_management
[4]: http://boingboing.net/2013/03/10/tim-berners-lee-the-web-needs.html
[5]: https://www.eff.org/issues/drm
[6]: http://www.amazon.com/gp/help/customer/display.html?nodeId=200549320
[7]: http://www.defectivebydesign.org/blog/1248
[8]: http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html
[9]: http://arstechnica.com/apple/2011/02/ibooks-to-jailbreakers-no-yuo/
[10]: /2013/03/white-house-supports-cell-phone-unlocking
[11]: /2013/01/re-who-does-skype-let-spy
[12]: https://www.eff.org/deeplinks/2013/03/tale-simcity-users-struggle-against-onerous-drm
[13]: http://venturebeat.com/2012/10/12/together-html5-and-drm-can-take-out-native-apps/
[14]: /2013/01/lulu-says-goodbye-to-drm
[15]: http://www.guardian.co.uk/technology/blog/2013/mar/12/tim-berners-lee-drm-cory-doctorow
[16]: http://www.w3.org/2000/12/drm-ws/
[17]: https://www.fsf.org/bulletin/e-books-must-increase-our-freedom-not-decrease-it
[18]: http://www.w3.org/People/Berners-Lee/
[19]: http://www.w3.org/Consortium/mission#principles
|
||||
[20]: http://lists.libreplanet.org/archive/html/libreplanet-discuss/2013-03/msg00007.html
|
||||
[21]: https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve
|
||||
[22]: http://www.defectivebydesign.org/guide
|
||||
[23]: https://www.fsf.org/bulletin/2007/fall/antifeatures/
|
||||
[24]: https://www.gnu.org/philosophy/right-to-read.html
|
||||
[25]: https://www.gnu.org/philosophy/can-you-trust.html
|
||||
|
|
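Review bot: the link text `"trust infastructure"][16]` misspells "infrastructure"; since the commit message says post text is unchanged apart from one link holder, this is a pre-existing typo to carry into the follow-up text commit rather than fix here, but it is worth listing there. Separately, the reference block defines [1], [2], [3], [4], [6] through [12], [17], [18], [21] and [24], none of which is cited in the part of the post shown in this hunk from "of Digital Restrictions Management][5]" onward; please confirm each is cited earlier in the post, because a stale definition is invisible in the HTML output and easy to leave behind during a markup conversion.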
@ -0,0 +1,33 @@
|
|||
# Federal Judge Rules NSLs (National Security Letters) Unconstitutional
|
||||
|
||||
This news is huge and an incredible win for both the EFF and all U.S. citizens.
|
||||
Today, [United States District Judge Susan Illston found the National Security
|
||||
Letters' gag provisions unconstitutional][0] and---since the review procedures
|
||||
violate the separation of powers and cannot be separated from the rest of the
|
||||
statute---has consequently [ruled the NSLs themselves to be
|
||||
unconstitutional][1]:
|
||||
|
||||
[0]: http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/
|
||||
[1]: https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules
|
||||
|
||||
> In today's ruling, the court held that the gag order provisions of the statute
|
||||
> violate the First Amendment and that the review procedures violate separation
|
||||
> of powers. Because those provisions were not separable from the rest of the
|
||||
> statute, the court declared the entire statute unconstitutional
|
||||
|
||||
<!-- more -->
|
||||
|
||||
This is an exciting decision; let's see where it takes us.
|
||||
|
||||
> U.S. District Judge Susan Illston ordered the government to stop issuing
|
||||
> so-called NSLs across the board, in a stunning defeat for the Obama
|
||||
> administration’s surveillance practices. She also ordered the government to
|
||||
> cease enforcing the gag provision in any other cases. However, she stayed her
|
||||
> order for 90 days to give the government a chance to appeal to the Ninth
|
||||
> Circuit Court of Appeals.[[0]]
|
||||
|
||||
[The issues surrounding NSLs][2] were highlighted just last week when [Google
|
||||
released numbers relating to the orders that it received][3].
|
||||
|
||||
[2]: https://www.eff.org/issues/national-security-letters
|
||||
[3]: /2013/03/google-says-the-fbi-is-secretly-spying-on-some-of-its-customers
|
|
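Review bot: the `[0]:` and `[1]:` reference definitions sit between "ruled the NSLs themselves to be unconstitutional][1]:" and the blockquote that colon introduces. Markdown renders definitions invisibly, so the HTML is right, but moving them below the quote (as the `[2]`/`[3]` block at the end of this post already does) keeps the quote adjacent to its lead-in in the source. The first quoted passage also ends without a full stop ("the court declared the entire statute unconstitutional"); if that is a truncation of the EFF release, a `[...]` marker, as the other posts use, would make the cut explicit.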
@ -0,0 +1,46 @@
|
|||
# Defective By Design Campaign Against W3C DRM Standard
|
||||
|
||||
[As I had mentioned late last week][0], RMS had mentioned that Defective By
|
||||
Design (DBD) would be campaigning against the [introduction of DRM into the W3C
|
||||
HTML5 standards][1]. (Please see [my previous mention of this topic][0] for a
|
||||
detailed explanation of the problem and a slew of references for additional
|
||||
information.) Well, [this campaign is now live and looking for
|
||||
signatures][2]---50,000 by May 3rd, which is the [International Day Against
|
||||
DRM][3]:
|
||||
|
||||
> Hollywood is at it again. Its latest ploy to take over the Web? Use its
|
||||
> influence at the World Wide Web Consortium (W3C) to weave [Digital
|
||||
> Restrictions Management (DRM)][4] into HTML5 -- in other words, into the very
|
||||
> fabric of the Web.
|
||||
>
|
||||
> [...]
|
||||
>
|
||||
> Help us reach 50,000 signers by May 3rd, 2013, the [International Day Against
|
||||
> DRM][3]. We will deliver the signatures to the W3C (they are right down the
|
||||
> street from us!) and [make your voice heard[[1].
|
||||
|
||||
[0]: /2013/03/html5-drm
|
||||
[1]: https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards
|
||||
[2]: http://www.defectivebydesign.org/no-drm-in-html5
|
||||
[3]: http://www.defectivebydesign.org/dayagainstdrm
|
||||
[4]: http://www.defectivebydesign.org/what_is_drm
|
||||
|
||||
<!-- more -->
|
||||
|
||||
To summarize the issue as [stated by the EFF][5]:
|
||||
|
||||
> W3C is there to create comprehensible, publicly-implementable standards that
|
||||
> will guarantee interoperability, not to facilitate an explosion of new
|
||||
> mutually-incompatible software and of sites and services that can only be
|
||||
> accessed by particular devices or applications. But EME is a proposal to bring
|
||||
> exactly that dysfunctional dynamic into HTML5, even risking a return to the
|
||||
> ["bad old days, before the Web"][5] of deliberately limited
|
||||
> interoperability.
|
||||
>
|
||||
> it would be a terrible mistake for the Web community to leave the door open
|
||||
> for Hollywood's gangrenous anti-technology culture to infect W3C standards.
|
||||
|
||||
So please---[sign the petition now][2]!
|
||||
|
||||
[5]: http://www.anybrowser.org/campaign/index.html
|
||||
|
|
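Review bot: the last line of the first blockquote, "> street from us!) and [make your voice heard[[1].", has broken link syntax: the opening bracket is never closed and the index is wrapped in a second bracket, so this renders as literal text instead of a link; it should read `[make your voice heard][1]`. Also check the `[5]` index: "To summarize the issue as [stated by the EFF][5]" resolves to http://www.anybrowser.org/campaign/index.html, which is not the EFF; the EFF deeplink is defined as `[1]`, and `[5]` looks intended only for the "bad old days, before the Web" link inside the quote.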
@ -0,0 +1,22 @@
|
|||
# Congratulations to the 2012 Free Software Award Winners
|
||||
|
||||
Each year, the [Free Software Foundation][0] presents awards to individuals who
|
||||
have made a [strong contribution to free software][1]:
|
||||
|
||||
[0]: http://fsf.org
|
||||
|
||||
> The Award for the Advancement of Free Software is given annually to an
|
||||
> individual who has made a great contribution to the progress and development
|
||||
> of free software, through activities that accord with the spirit of free
|
||||
> software.
|
||||
|
||||
[1]: https://www.fsf.org/news/2012-free-software-award-winners-announced-2
|
||||
|
||||
<!-- more -->
|
||||
|
||||
This year, announced at the LibrePlanet 2013 conference, [the winner was Dr.
|
||||
Fernando Perez][1]---creator of IPython. The winner of the Award for Projects of
|
||||
Social Benefit was [OpenMRS][2], which is a free (as in freedom) medical records
|
||||
system for developing countries.
|
||||
|
||||
[2]: http://openmrs.org/
|
|
@ -0,0 +1,20 @@
|
|||
# U.S. House Passes CISPA
|
||||
|
||||
Two days ago---on the 18th--[the U.S. House of Representatives decided to pass
|
||||
CISPA 288-127][0].
|
||||
|
||||
> The legislation passed 288-127, despite a veto threat from Pres. Barack Obama,
|
||||
> who expressed serious concerns about the danger CISPA poses to civil
|
||||
> liberties.
|
||||
|
||||
[0]: https://www.eff.org/deeplinks/2013/04/us-house-representatives-shamefully-passes-cispa-internet-freedom-advocates
|
||||
|
||||
<!-- more -->
|
||||
|
||||
As the bill moves into the senate, [civil liberties groups will continue to
|
||||
oppose it][1]; I personally hope that you will do the same.
|
||||
|
||||
Move [information on CISPA][2] is available on the EFF's website.
|
||||
|
||||
[1]: https://www.eff.org/deeplinks/2012/04/voices-against-cispa
|
||||
[2]: https://www.eff.org/cybersecurity-bill-faq
|
|
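Review bot: "Two days ago---on the 18th--[the U.S. House" closes the parenthetical dash with `--` while every other post in this commit uses `---`; with smart-punctuation processing the two render as different dashes, so make it `---` for consistency. Further down, "Move [information on CISPA][2] is available" should read "More"; as that is post text rather than markup, it belongs in the follow-up text-change commit the commit message promises.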
@ -0,0 +1,14 @@
|
|||
# Improved Website
|
||||
|
||||
The old WordPress website has been replaced entirely by the "thoughts" site
|
||||
(which was previously located at /thoughts). This website is generated from its
|
||||
git repository---available on the Projects page---which is freely licensed.
|
||||
There is some content that existed on the old site that is still useful; should
|
||||
that content be transferred to this site, a redirect will be set up (assuming
|
||||
that it hadn't already been lost to the search engines).
|
||||
|
||||
Since all this content is static, there is no discussion system. I am still
|
||||
debating whether or not I will add this in the future. Until that time, feel
|
||||
free to contact me via e-mail.
|
||||
|
||||
<!-- more -->
|
|
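Review bot: `<!-- more -->` is the last line of this post, after all of its text, whereas in every other post in this commit it separates an intro from the body. If the generator uses that marker to cut the excerpt, the whole post becomes the excerpt and the body is empty; either move it after the first paragraph or drop it.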
@ -0,0 +1,631 @@
|
|||
# National Uproar: A Comprehensive Overview of the NSA Leaks and Revelations
|
||||
|
||||
I am finding it difficult to keep up with the flood of reports in my little free
|
||||
time, while still finding the time to brush up on relevant history. My hope is
|
||||
to provide a summary of recent events and additional background---along with a
|
||||
plethora of references---that will allow the reader to perform further research
|
||||
and to formulate educated, personal opinions on the topics. If you do not care
|
||||
for my commentary, simply scroll to the list of references at the bottom of this
|
||||
article.
|
||||
|
||||
Many [individuals and organizations][0] have long warned of [digital privacy
|
||||
issues][1], but there has been one agency in particular that has been the
|
||||
subject of much scrutiny---the [National Security Agency (NSA)][2], which is a
|
||||
[United States government agency][3] that has a [long history of controversial
|
||||
spying tactics][4] on its country's own citizens. It is a chilling topic---one
|
||||
that can easily make any person sound like they've latched onto an Orwellian
|
||||
conspiracy.
|
||||
|
||||
[0]: /2013/01/re-who-does-skype-let-spy
|
||||
[1]: https://www.schneier.com/essay-418.html "The Internet Is a Surveillance State"
|
||||
[2]: https://www.eff.org/nsa-spying "The EFF on NSA Spying"
|
||||
[3]: https://www.eff.org/agency/national-security-agency "The National Security Agency"
|
||||
[4]: https://www.eff.org/nsa-spying/timeline "Timeline of NSA Spying"
|
||||
|
||||
<!-- more -->
|
||||
|
||||
**Wednesday, June 5th, 2013**---[the Guardian newspaper publishes a leaked
|
||||
document][5][6][7] ordering Verizon to
|
||||
|
||||
> [...] produce to the National Security Agency (NSA) upon service of this
|
||||
> Order, and continue production on an ongoing daily basis thereafter for the
|
||||
> duration of this Order, [...] an *electronic copy of* the following tangible
|
||||
> things: *all call detail records or "telephony metadata"* created by Verizon
|
||||
> for communications (i) between the United States and abroad; or (ii) wholly
|
||||
> within the United States, *including local telephone calls*.[[6]] [emphasis
|
||||
> added]
|
||||
|
||||
The order goes on to describe "telephony metadata" to include routing
|
||||
information, source and destination telephone numbers, IMSI and IMEI numbers,
|
||||
and time and duration of the call; it "does not include the substantive content
|
||||
of any communication"---the communication content itself.[[6]] This order was
|
||||
[issued by the Foreign Intelligence Surveillance Court (FISC)][8] under [section 215
|
||||
of the Patriot Act][9]. (This news comes [less than three months after United
|
||||
States District Judge Susal Illston ruled NSA Letters' gag provisions
|
||||
unconstitutional][10].)
|
||||
|
||||
This report caused a massive uproar, but [came as no surprise][11] to many
|
||||
security researchers and privacy advocates. Early last year, Wired released an
|
||||
article stating that [the NSA "Is Building the Country's Biggest Spy
|
||||
Center"][14]. Privacy concerns were raised in November of last year by [the
|
||||
Petraeus scandal][14]. In March of this year, Google released figures showing
|
||||
that [the NSA is secretly spying on some of its customers][15]. Two months later,
|
||||
[outrage][17] after the Associated Press discovers that [the Justice Department
|
||||
collected the calling records of many of its reporters and editors][18].
|
||||
Additionally, [the EFF already had cases against the NSA's actions][2]---[Jewel
|
||||
v. NSA][12] and [Hepting v. AT&T][13] both focus on unconstitutional dragnet
|
||||
surveillance of innocent citizens' data and communications. These cases will be
|
||||
explored in further detail throughout this article.
|
||||
|
||||
But the chaos didn't end there.
|
||||
|
||||
**Thursday, June 6th, 2013**---just one day after the Guardian reported on the
|
||||
leaked Verizon order, the newspaper reports on [a leaked slideshow describing
|
||||
PRISM][19], a top-secret program that "claims direct access to servers of firms
|
||||
including Google, Apple and Facebook. According to the leaked document, the NSA
|
||||
supposedly has the ability to collect material including e-mail, chat, video and
|
||||
voice communications, photos, stored data and more.[[19]]. Responses from most
|
||||
companies was immediate. In a [blog post entitled "What that...?"][20], Larry
|
||||
Page---Google's CEO---put very plainly that Google does not participate in such
|
||||
a program and denied any knowledge of PRISM:
|
||||
|
||||
> First, we have not joined any program that would give the U.S. government—or
|
||||
> any other government—direct access to our servers. Indeed, the U.S. government
|
||||
> does not have direct access or a "back door" to the information stored in
|
||||
> our data centers. We had not heard of a program called PRISM until yesterday.
|
||||
> Second, we provide user data to governments only in accordance with the
|
||||
> law.[[20]] --Larry Page, Google CEO
|
||||
|
||||
[Mark Zuckerberg of Facebook also denied involvement][21], calling such claims
|
||||
"outrageous" and encouraging governments to be "much more transparent about
|
||||
all programs aimed at keep the public safe":
|
||||
|
||||
> I want to respond personally to the outrageous press reports about PRISM:
|
||||
> Facebook is not and has never been part of any program to give the US or any
|
||||
> other government direct access to our servers. We have never received a
|
||||
> blanket request or court order from any government agency asking for
|
||||
> information or metadata in bulk, like the one Verizon reportedly received. And
|
||||
> if we did, we would fight it aggressively. We hadn't even heard of PRISM
|
||||
> before yesterday. [...] We strongly encourage all governments to be much more
|
||||
> transparent about all programs aimed at keeping the public safe. It's the only
|
||||
> way to protect everyone's civil liberties and create the safe and free society
|
||||
> we all want over the long term.[[21]] --Mark Zuckerberg, Facebook CEO
|
||||
|
||||
Indeed, [all companies eventually denied involvement with PRISM][22].
|
||||
|
||||
**Friday, June 7th, 2013**---Two days after the [initial Verizon report][5] and one day
|
||||
after the publishing of [portions of the PRISM documents][19], the White House
|
||||
responded to the Guardian reports with President Obama [defending his
|
||||
administration][16]. Unfortunately, given the [history of the NSA surveillance
|
||||
programs][4]---especially since the Bush administration after the 9/11
|
||||
attacks---it may be difficult to believe that his words are the whole truth. As
|
||||
such, we will use [portions of his transcript][16] to guide the remainder of this
|
||||
discussion.
|
||||
|
||||
> **Jackie Calmes:** Mr. President, could you please react to the reports of
|
||||
> secret government surveillance of phones and Internet? And can you also assure
|
||||
> Americans that the government — your government doesn’t have some massive
|
||||
> secret database of all their personal online information and activity?
|
||||
>
|
||||
> **Obama:** [...] Now, the programs that have been discussed over the last
|
||||
> couple days in the press are secret in the sense that they’re classified, but
|
||||
> they’re not secret in the sense that when it comes to telephone calls, every
|
||||
> member of Congress has been briefed on this program.
|
||||
>
|
||||
> With respect to all these programs, the relevant intelligence committees are
|
||||
> fully briefed on these programs. These are programs that have been authorized
|
||||
> by broad, bipartisan majorities repeatedly since 2006. And so I think at the
|
||||
> outset, it's important to understand that your duly elected representatives
|
||||
> have been consistently informed on exactly what we’re doing.[[16]]
|
||||
|
||||
There are some important notes regarding the phrasing of the President's
|
||||
statement. Firstly, it is important to note that the President is *confirming the
|
||||
existence of* the programs that "have been discussed over the last couple days
|
||||
in the press"---that is, the [Verizon FISA Court order][5] and the [PRISM][19]
|
||||
leak. However, it is also important to take a step back and note that the
|
||||
President did *not* state outright that the reports tell the whole---or even the
|
||||
correct---story. So what do we know?
|
||||
|
||||
On June 6th---a day before the White House responded to the leaks---the Director
|
||||
of National Intelligence James Clapper [declassified certain information pertaining
|
||||
to the "business records" provision of FISA][23], stating, "I believe it is
|
||||
important for the American people to understand the limits of this targeted
|
||||
counterterrorism program and the principles that govern its use". This statement
|
||||
mentions that:
|
||||
|
||||
> Although this program has been properly classified, the leak of one order,
|
||||
> without any context, has created a misleading impression of how it operates.
|
||||
> [...] The program does not allow the Government to listen in on anyone's phone
|
||||
> calls. The information acquired does not include the content of any
|
||||
> communications or the identity of any subscriber. The only type of information
|
||||
> acquired under the Court's order is telephony metadata, such as telephone
|
||||
> numbers dialed and length of calls.[[23]]
|
||||
|
||||
The term "telephony metadata" could mean anything; the "numbers dialed" and
|
||||
"length of calls" are part of it, but what does [the Court order][6]
|
||||
specifically request?
|
||||
|
||||
> IT IS HEREBY ORDERED that [Verizon] shall produce to the [NSA] [...], and
|
||||
> continue production on an ongoing daily basis [...] for the duration of this
|
||||
> Order, [...] all call detail records or "telephony metadata" [...].
|
||||
> Telephony metadata includes comprehensive communications routing information,
|
||||
> including but not limited to [...] originating and terminating telephone
|
||||
> number, [...] International Mobile Subscriber Identity (IMSI) number,
|
||||
> International Mobile station Equipment Identity (IMEI) number, [...] trunk
|
||||
> identifier, telephone calling card numbers, and time and duration of call.
|
||||
> Telephony metadata does not include the substantive content of any
|
||||
> communication [...], or the name, address, or financial information of a
|
||||
> subscriber or customer.[[6]] --FISA Court order
|
||||
|
||||
The President made this point very clear:
|
||||
|
||||
> **Obama:** When it comes to telephone calls, nobody is listening to your
|
||||
> telephone calls. That’s not what this program’s about. As was indicated, what
|
||||
> the intelligence community is doing is looking at phone numbers and durations
|
||||
> of calls. They are not looking at people’s names, and they’re not looking at
|
||||
> content. But by sifting through this so-called metadata, they may identify
|
||||
> potential leads with respect to folks who might engage in terrorism. If these
|
||||
> folks — if the intelligence community then actually wants to listen to a phone
|
||||
> call, they’ve got to go back to a federal judge, just like they would in a
|
||||
> criminal investigation. So I want to be very clear. Some of the hype that
|
||||
> we’ve been hearing over the last day or so — nobody’s listening to the content
|
||||
> of people’s phone calls.[[16]]
|
||||
|
||||
The EFF provides compelling arguments as to why [metadata is important to our
|
||||
privacy][24]. One such example: "They know you spoke with an HIV testing
|
||||
service, then your doctor, then your health insurance company in the same hour.
|
||||
But they don't know what was discussed." The EFF further states, "the
|
||||
government has given no assurances that this data will never be correlated with
|
||||
other easily obtained data". So, while the President may try reassuring us by
|
||||
stating that "they've got to go back to a federal judge", he certainly does
|
||||
not make it clear that they may already have enough information *without* having
|
||||
to do so---from this supposedly non-content metadata. They do not need to
|
||||
subpoena the phone company for the name or address of the individual in most
|
||||
cases, as reverse telephone directories are readily available. With that, they
|
||||
then have the names of yourself, everyone you have called and GPS data.
|
||||
|
||||
Another argument worthy of strong consideration is posed by Daniel J.
|
||||
Solove---[what if the government is wrong about your intentions][25]? How can
|
||||
you go about correcting incorrect data if its very existence is hidden from the
|
||||
public?
|
||||
|
||||
> What if the government leaks the information to the public? What if the
|
||||
> government mistakenly determines that based on your pattern of activities,
|
||||
> you're likely to engage in a criminal act? What if it denies you the right to
|
||||
> fly? What if the government thinks your financial transactions look odd—even
|
||||
> if you've done nothing wrong—and freezes your accounts? What if the government
|
||||
> doesn't protect your information with adequate security, and an identity thief
|
||||
> obtains it and uses it to defraud you?[[25]]
|
||||
|
||||
These are serious questions. Even if you---the reader---are of the type that sates
|
||||
"I don't care; I have nothing to hide", then consider that, despite the government's
|
||||
best efforts to secure and protect the data, [it could possibly fall prey to
|
||||
enemies of the United States][25]. Consider that the [Chinese cracked into
|
||||
Pentagon systems][26], taking "designs for more than two dozen major weapon systems
|
||||
used by the United States military".
|
||||
|
||||
Of course, we are now assuming that that the NSA is (a) operating in accordance with the
|
||||
Court order with respect to the privacy of communications content and (b) that
|
||||
the President's statement is not intentionally omitting projects that *do*
|
||||
warrantlessly wiretap innocent Americans' communications. Historically, the NSA has not
|
||||
given us reason to entertain either of these thoughts.
|
||||
|
||||
**January 31, 2006**---[Hepting v. AT&T][13]; the EFF files a case suing AT&T on
|
||||
behalf of its customers for "violating privacy law by collaborating with the
|
||||
NSA in the massive, illegal program to wiretap and data-min Americans'
|
||||
communications". This case included "undisputed evidence" from former AT&T technician
|
||||
Mark Klein showing that [AT&T routed a copy of all Internet traffic to an NSA-controlled
|
||||
room in San Francisco][27]:
|
||||
|
||||
> Through the "splitter cabinet," the content of all of the electronic voice
|
||||
> and data communications going across the Peering Links [...] was transferred
|
||||
> from the WorldNet Internet room's fiber optical circuits into the
|
||||
> [NSA-controlled] SG3 Secure Room [...] including such equipment as Sun servers
|
||||
> and Juniper (M40e and M160) "backbone" routers. The list also included a
|
||||
> Narus STA 6400, which is a "Semantic Traffic Analyzer."[[27]]
|
||||
|
||||
That is---allegedly, AT&T indiscriminately passed *all* of the traffic passing
|
||||
through its San Francisco facility into the NSA-controlled "SG3 Secure Room"
|
||||
where the NSA performed their *own* filtering, storage and analysis however they
|
||||
pleased. This is an astounding accusation. Additionally, Klein further states
|
||||
that "other such `splitter cabinets' were being installed in other cities,
|
||||
including Seattle, San Jose, Los Angeles and San Diego".[[27]]
|
||||
|
||||
Unfortunately, Hepting was dealt a fatal blow in July 2008 when both the
|
||||
government and AT&T were [awarded retroactive immunity][28] by the [FISA
|
||||
Amendments Act (FAA)][29]. This startling turn was signed by President Bush in
|
||||
response to the EFF's court victories in the case and "allows the Attourney
|
||||
General to require the dismissal of the lawsuits over the telecoms'
|
||||
participation in the warrantless surveillance program".[[13]] The case was
|
||||
dismissed in June 2009 and dozens of other lawsuits.
|
||||
|
||||
Fortunately, the battle is not over. The EFF then filed [Jewel v. NSA][12] which
|
||||
directly targets the "NSA and other government agencies on behalf of AT&T
|
||||
customers to stop the illegal unconstitutional and ongoing dragnet surveillance
|
||||
of their communications and communications records". This case was too based
|
||||
on [the testimony of Klein][27]. Additionally, the EFF had declarations of William
|
||||
Binney, Thomas Drake and Kirk Wiebe---[three NSA whistleblowers][30]. Most
|
||||
interesting (and damning) for the purposes of our discussion is the [Summary of
|
||||
Voluminous Evidence][31].
|
||||
|
||||
> I have served on the Intelligence Committee for over a decade and I wish to
|
||||
> deliver a warning this afternoon. When the American people find out how their
|
||||
> government has secretly interpreted [the business records provision of
|
||||
> FISA], they are going to be stunned and they are going to be angry.[^32]
|
||||
> --Senator Ron Wyden
|
||||
|
||||
Note that the Senator is referring to precisely the same provision---business
|
||||
records---that was partly declassified by James Clapper on Thursday.[[23]] Of
|
||||
course, we are assuming that the NSA decides to go to the FISA Court for
|
||||
permission; this apparently has not always been the case.
|
||||
|
||||
According to [the summary of evidence][31], the NSA stated:
|
||||
|
||||
> To perform both its offensive and defensive mission, NSA must "live on the
|
||||
> network." [The program would be] a powerful and permanent presence on a
|
||||
> global telecommunications infrastructure where protected American
|
||||
> communications and targeted adversary communications will coexist.
|
||||
|
||||
This certainly shares some similarities with the Verizon case. But FISA stood
|
||||
in the way of this goal; John Yoo explains why FISA was insufficient for such
|
||||
a dragnet operation:
|
||||
|
||||
> [U]nder existing laws like FISA, you have to have the name of somebody, have
|
||||
> to already suspect that someone's a terrorist before you can get a warrant.
|
||||
> [...] it doesn't allow you as a government to use judgment based on
|
||||
> probability to say: "[...] there's a high probability that some of those
|
||||
> calls are terrorist communications. But we don't know the names of the people
|
||||
> making those calls." You want to get at those phone calls, those e-mails, but
|
||||
> under FISA you can't do that.[^33] --Jon Yoo
|
||||
|
||||
After the September 11th attacks, "FISA ceased to be an operative
|
||||
concern".[[31]] If that statement sounds unsettling, that is because it is;
|
||||
President Bush subsequently authorized the NSA to "conduct electronic
|
||||
surveillance within the United States" without an order from the FISA Court
|
||||
(FISC). General Hayden phrased it as such: the program "is a more [...]
|
||||
`aggressive' program than would be traditionally available under FISA".[^34]
|
||||
What---if anything---does this mean about any current NSA operations (including
|
||||
the Verizon order)? If Bush is able to authorize such actions, what is to say
|
||||
that Obama will not (and has not)?
|
||||
|
||||
Let us return to the statements from both Clapper[[23]] and Obama stating that
|
||||
"nobody is listening to the content of your phone calls".[[16]] We can certainly
|
||||
hope that this is the case, but we shall continue to draw from evidence in the
|
||||
[Jewel v. NSA case][12] to see what the NSA has done in the past.
|
||||
|
||||
> It was the biggest legal mess I've ever encountered.[^35] --Jack Goldsmith, Justice
|
||||
> Department's Office of Legal Consel
|
||||
|
||||
The program operated "in lieu of" court orders.[^36] Even more alarming (if such a
|
||||
thing is possible), "neither the President nor Attorney General approved the specific
|
||||
interceptions; rather, the decision to listen or read particular communications was
|
||||
made by intelligence analysts"; the only authorization needed was by an NSA
|
||||
"shift supervisor".[^37] So, let's reiterate:
|
||||
|
||||
> **Obama:** If these folks — if the intelligence community then actually wants to listen
|
||||
> to a phone call, they've got to go back to a federal judge, just like they
|
||||
> would in a criminal investigation.[[16]]
|
||||
|
||||
It may very well be that Obama is being truthful within context of the Verizon
|
||||
order; perhaps they have learned from their mistakes with the AT&T dragnet.
|
||||
Unfortunately, their secrecy is making it very difficult for the public to make
|
||||
an informed analysis of the matter.
|
||||
|
||||
Ultimately, it is believed that Attorney General Comey's initial certifications of
|
||||
the program were "based on a misimpression of those activities" due to a botched
|
||||
legal analysis by Jon Yoo that was described as "at a minimum [...] factually
|
||||
flawed". Yoo was the only OLC official to read into the program since its
|
||||
inception in October 2001 until his leaving in May 2003.[[31]] When Comey refused
|
||||
to reauthorize the program, Bush did so himself, resulting in threats of resignation
|
||||
from Comey and "about two dozen Bush appointees". However, "[d]espite the illegality
|
||||
of the Program, no officials resigned."[[31]].
|
||||
|
||||
In 2009, the New York Times published a series of articles regarding the
|
||||
program, exposing a ["serious issue involving the NSA" concerning
|
||||
"significant misconduct"][38]. This included a "`flagrant' overcollection
|
||||
of domestic email".[[31]]
|
||||
|
||||
> Because each court order could single out hundreds or even thousands of phone
|
||||
> numbers or e-mail addresses, the number of individual communications that
|
||||
> were improperly collected could number in the millions, officials said.[[31]]
|
||||
|
||||
That was then; this is now, right? How can we be sure of any connection between
the NSA of a decade ago vs. the NSA of today? Well, as an average citizen with
no security clearance, I can't. However, there are some important connections that
can be made. Firstly, recall Ron Wyden's quote above stating that the public
will be "stunned" and "angry".[^32] On Thursday, June 6th, he [released this
statement on his Senate website][39]:

> The program Senators Feinstein and Chambliss publicly referred to today is one
> that I have been concerned about for years. I am barred by Senate rules from
> commenting on some of the details at this time. However, I believe that when
> law-abiding Americans call their friends, who they call, when they call, and
> where they call from is private information. Collecting this data about every
> single phone call that every American makes every day would be a massive
> invasion of Americans’ privacy.[[39]] --Senator Ron Wyden

Perhaps the most obvious and direct connection is that the [government asked for
more time in Jewel v. NSA (and Shubert v. Obama) in light of the NSA
revelations][40].

> The revelations not only confirmed what EFF has long alleged, they went even
> further and honestly, we’re still reeling. EFF will, of course, be continuing
> its efforts to get this egregious situation addressed by the courts.
>
> [...] EFF and others had long alleged that, despite the rhetoric surrounding
> the Patriot Act and the FISA Amendments Act, the government was still
> vacuuming up the records of the purely domestic communications of millions of
> Americans. And yesterday, of course, with the Verizon order, we got solid
> proof.. And it appears that the reach of this vacuum goes much further, into
> the records of our Internet service providers as well.[[41]] --Electronic
> Frontier Foundation

This brings us back to [PRISM][19]. Numerous sources reported that [the White
House confirmed][42] its existence. Indeed, if you consider the President's
original words--- "the programs that have been discussed over the last couple
days in the press are secret in the sense that they’re classified"[[16]]---this
does seem to be a verification of the project's existence. However, confusion ensued
when [companies like Google and Facebook denied involvement][43], despite what
the [leaked information seems to state][19]. Yonatan Zunger---chief architect at
Google---[reiterated the words of Larry Page][44]:

> I can also tell you that the suggestion that PRISM involved anything happening
> directly inside our datacenters surprised me a great deal; owing to the nature
> of my work at Google over the past decade, it would have been challenging --
> not impossible, but definitely a major surprise -- if something like this
> could have been done without my ever hearing of it. And I can categorically
> state that *nothing* resembling the mass surveillance of individuals by
> governments within our systems has ever crossed my plate.[[44]] --Yonatan
> Zunger, Chief Architect, Google

Questions then arose as to what exactly "PRISM" is. Marc Ambinder with The Week
reported that [PRISM is nothing more than one of many different "data collection
tools"][45] that may be used by the NSA. One day later, Marc posted another article
entitled ["Solving the mystery of PRISM"][46]

> Each data processing tool, collection platform, mission and source for raw
> intelligence is given a specific numeric signals activity/address designator,
> or a SIGAD. [...] PRISM is US-984XN. Each SIGAD is basically a collection
> site, physical or virtual; [...] PRISM is a kick-ass GUI that allows an
> analyst to look at, collate, monitor, and cross-check different data types
> provided to the NSA from internet companies located inside the United States.[[46]]

Others hypothesized that, due to the denial of involvement from various
companies[[44]], PRISM may operate by intercepting communications. The Guardian
[countered by releasing another slide from the leaked presentation][47], stating
outright that "[b]oth of these theories appear to be contradicted by internal
NSA documents".

> It clearly distinguishes Prism, which involves data collection from servers,
> as distinct from four different programs involving data collection from "fiber
> cables and infrastructure as data flows past".[[47]]

This sounds a great deal like Klein's description of the SG3 Secure Room at
AT&T[[27]] (though I do not intend to imply that they are the same thing---that is
not clear, nor does Klien state that he ever noted the word "PRISM" on any
documents). The Guardian goes on to state that "[a] far fuller picture of the exact
operation of Prism [...] is expected to emerge in the coming weeks and months".
(Is that foreshadowing or an educated guess?)

There is, of course, the other obvious hypothesis---that organizations including
Google, Facebook and Microsoft are being [deceptive or not telling the whole
truth][48]. Alternatively, maybe such operations were being done under the noses
of executives. On Friday, the New York Times published an article stating that
the technology companies ["cooperated at least a bit"][49].

> [Google, Micorsoft, Yahoo, Facebook, AOL, Apple and Paltalk] were legally
> required to share the data under the Foreign Intelligence Surveillance Act.
> [...] But instead of adding a back door to their servers, the companies were
> essentially asked to erect a locked mailbox and give the government the key,
> people briefed on the negotiations said. Facebook, for instance, built such a
> system for requesting and sharing the information, they said.[[49]]

This does not necessarily mean that these companies had any knowledge,
specifically, of "PRISM". As the Guardian said, I will be curious to see what
information surfaces in the coming months; the gag provisions of the orders make
for an unfortunate situation for everyone involved.

Let us return to the President's statements.

> **Obama:** And I welcome this debate. And I think it's healthy for our
> democracy. I think it's a sign of maturity, because probably five years ago,
> six years ago, we might not have been having this debate.[[16]]

This is a difficult debate to have, Mr. President, when the public does not know
of the existence of these programs; we only have knowledge of these programs due
to the aforementioned leaks---courageous individuals who feel that their
government is not representative of the democracy and freedom that it supposedly
represents. This segues into another statement from the President:

> **Jackie Calmes:** Do you welcome the leak, sir? Do you welcome the leak if
> you welcome the debate?
>
> **Obama:** I don't---I don't welcome leaks, because there's a reason why these
> programs are classified. [...] But that's also why we've set up congressional
> oversight. These are the folks you all vote for as your representative in
> Congress, and they’re being fully briefed on these programs.

Unfortunately, Obama seems to have missed another critical fact. We---the
people---vote for representatives that, well, "represent" *the issues that we
care about*. Those who are strongly opposed to gun legislation will vote for
those representatives that share those feelings and will fight to oppose such
legislation. Similarly, a pro-life supporter will probably not vote for a
candidate in favor of abortion. But what if there is a candidate that shares one
opinion but not another---say, opposes gun regulation but supports abortion,
when you as a voter are a pro-life gun-owner against gun legislation? Then you
will likely vote for the issues that you feel most strongly about (or what you
feel is a fair balance between all the other issues you follow). The problem
here, Mr. President, is that we---the people---are not made aware of these
issues because they are *classified*. How many people may not have voted for
you, Mr. President, had they known that you would support dragnet surveillance
of innocent Americans?

**Sunday, June 9th, 2013**---The Guardian continues to surprise the world by
[releasing the name of the NSA whistleblower at his request][50]. Edward
Snowden, a 29-year-old former CIA technical assistant and current defense
contractor employee is responsible for what The Guardian is calling "the
biggest intelligence leak in the NSA's history". Reporting from Hong
Kong---where Snowden fled to on May 20th in the hope of resisting the
U.S. government---Glenn Greenwald, Ewen MacAskill and Laura Poitras report
on his motives.

> Three weeks ago, Snowden made final preparations [...] [a]t the NSA office in
> Hawaii where he was working, [copying] the last set of documents he intended
> to disclose.[[50]]

Snowden describes situations where he began to begin questioning his government,
such as a case where a CIA operative purposely encouraged a Swiss banker to get
intoxicated and drive drunk so that he would be arrested. "Much of what I saw
in Geneva really disillusioned me about how my government functions and what its
impact is in the world." He mentioned that the election of Obama in 2008 gave
him hope for reform, but watched in 2009 as "Obama advanced the very policies
that I thought would be reined in. [...] I got hardened."[[50]]

It is this statement from Snowden that, if accurate, suggests that Obama not
only supports Bush's initial dragnet operation[[31]], but has further expanded it.

At this point, since the news is still quite young at the time that this article
was written, the world must wait to see what action the government will attempt
to take against Snowden. Reuters had already reported the previous day that
[the government is likely to open a criminal probe into the NSA leaks][51].

> James Clapper, the director of U.S. national intelligence, condemned the leaks
> and asserted that the news articles about PRISM contained "numerous
> inaccuracies."[[51]]

Snowden is not the first to come forward as a whistleblower from the NSA---as we
discussed previously, three NSA whistleblowers came fourth previously to back the
EFF in Jewel v. NSA;[[30]] they each had the charges either cleared or dropped. That
said, [Obama has been aggressively pursuing whistleblowers][59]. Snowden
mentioned that he views his best hope of freedom as the possibility of asylum
with Iceland.[[50]] It appears that such may already be working in his favor, with
[Iclandic Legislator Birgitta Jonsdottir already starting the process to apply
for asylum][52], although it is not clear if Snowden has already applied.

There is a great deal to think about. Even though the [evidence against the NSA
dates far back][4], the recent revelations invoke emotions that are difficult to
describe. With countless individuals working to sift through the information,
the Obama administration under attack and nobody knowing if the Guardian is
sitting on even more information, the entire world will continue to watch
impatiently...and act.

While all this is going on, it would be useful to reiterate certain privacy and
security topics that have already been covered at large. Firstly, consider
checking out the EFF's [Surveillance Self-Defense][53] website, which contains
information on a number of topics including anonymity and how to respond to
court orders. Consider using [Tor for anonymity][54] online (but recognize that
it is not a full solution in itself). Consider [keeping your data to
yourself][55] rather than storing it on "cloud" services---[Richard Stallman
explains how Software as a Service (SaaS) differs in dangers from proprietary
software][56]. Consider using only [free software][57] to limit further
sacrifices in personal freedom and to limit the information that corporations
and third parties collect from you while using your computer and other devices.
Finally, if you have information that you want to leak to the press (whether or
not you are an [NSA employee][58]), you may be able to consider tools such as
[The New Yorker's Strongbox][60]; it uses [software created by Aaron Swartz][61]
shortly before his untimely death early this year.

Finally, aid senators like Rand Paul in developing [legislation to curb the powers
of the government][62]. We must also do our best to fight for the rights of
brave whistleblowers like Snowden. To end with the words of the EFF, ["we need
a new church committee and we need it now"][41].

[5]: http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order
"NSA collecting phone records of millions of Verizon customers daily"
[6]: http://s3.documentcloud.org/documents/709012/verizon.pdf "PDF of the FISA Court order to Verizon."
[7]: http://s3.documentcloud.org/documents/709012/verizon.txt "Ibid; plain text version."
[8]: https://www.eff.org/deeplinks/2013/06/confirmed-nsa-spying-millions-americans
"Confirmed: NSA Spying on Millions of Americans"
[9]: https://www.eff.org/deeplinks/2011/10/ten-years-later-look-three-scariest-provisions-usa-patriot-act
"Three Scariest Provisions of thet USA Patriot Act"
[10]: /2013/03/federal-judge-rules-nsls-national-security-letters-unconstitutional
"Federal Judge Declares National Security Letters Unconstitutional"
[11]: http://www.theatlantic.com/politics/archive/2013/06/what-we-dont-know-about-spying-on-citizens-scarier-than-what-we-know/276607/
"Bruce Schneier comments on NSA leak"
[12]: https://www.eff.org/cases/jewel "Jewel v. NSA"
[13]: https://www.eff.org/cases/hepting "Hepting v. AT&T"
[14]: /2012/11/privacy-in-light-of-the-petraeus-scandal
"Privacy In Light of the Petraeus Scandal"
[15]: /2013/03/google-says-the-fbi-is-secretly-spying-on-some-of-its-customers
"Google Says the FBI Is Secretly Spying on Some of Its Customers"
[16]: http://blogs.wsj.com/washwire/2013/06/07/transcript-what-obama-said-on-nsa-controversy/
"Obama on the NSA controversy"
[17]: https://www.eff.org/deeplinks/2013/05/congressional-outrage-over-ap-phone-records
"Congressional outrate of AP phone records"
[18]: https://www.eff.org/deeplinks/2013/05/doj-subpoena-ap-journalists-shows-need-protect-calling-records
[19]: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data
[20]: http://googleblog.blogspot.com/2013/06/what.html "Larry Page denies PRISM involvement"
[21]: https://www.facebook.com/zuck/posts/10100828955847631 "Mark Zuckerberg denies PRISM involvement"
[22]: http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program
[23]: http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information
"James Clapper---Directory of National Intelligence---declassifies
information pertaining to the "business records" provision of FISA"
[24]: https://www.eff.org/deeplinks/2013/06/why-metadata-matters
"The EFF describes why telephony metadata can have a significant impact on our privacy."
[25]: http://mashable.com/2013/06/08/china-hack-nsa/ "What if crackers get a hold of the NSA's databases?"
[26]: http://rt.com/usa/us-chinese-report-defense-888/ "The Chinese crack into Pentagon systems."
[27]: https://www.eff.org/file/28823 "Public unredacted Mark Klein declaration"
[28]: https://www.eff.org/pages/case-against-retroactive-amnesty-telecoms "The Case Against Retroactive Amnesty for Telecoms."
[29]: http://www.govtrack.us/congress/bills/110/hr6304/text "FISA Amendments Act (FAA)."
[30]: https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program
"Three NSA whistleblowers back the EFF in Jewel v. NSA"
[31]: https://www.eff.org/node/72021 "Summary of Voluminous Evidence, Jewel v. NSA"
[38]: http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=all "Officials Say U.S. Wiretaps Exceeded Law"
[39]: http://www.wyden.senate.gov/news/press-releases/wyden-statement-on-alleged-large-scale-collection-of-phone-records
"Ron Wyden comments on the collection of Verizon phone records"
[40]: https://www.eff.org/deeplinks/2013/06/government-asks-more-time-eff-surveillance-cases
"In Light of NSA Revelations, Government Asks for More Time in EFF Surveillance Cases"
[41]: https://www.eff.org/deeplinks/2013/06/response-nsa-we-need-new-church-commission-and-we-need-it-now
"In Response to the NSA, We Need A New Church Committee and We Need It Now"
[42]: http://www.theweek.co.uk/us/53475/white-house-admits-it-has-access-facebook-google
"White House admits it has "access" to Facebook, Google"
[43]: http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program
"Facebook and Google insist they did not know of Prism surveillance program"
[44]: https://plus.google.com/+YonatanZunger/posts/huwQsphBron
"Yonatan Zunger---Chief Architect at Google---expresses his distaste of PRISM"
[45]: http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies
"Sources: NSA sucks in data from 50 companies"
[46]: http://theweek.com/article/index/245360/solving-the-mystery-of-prism
"Solving the mystery of PRISM"
[47]: http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google
"NSA's Prism surveillance program: how it works and what it can do."
[48]: http://www.guardian.co.uk/world/2013/jun/08/obama-response-nsa-surveillance-democrats
"Obama deflects criticism over NSA surveillance as Democrats sound alarm."
[49]: http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html?ref=global-home&_r=2&pagewanted=all&
"Tech Companies Concede to Surveillance Program"
[50]: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance
"Edward Snowden: the whistleblower behind the NSA surveillance revelations."
[51]: http://www.reuters.com/article/2013/06/08/us-usa-security-leaks-idUSBRE95700C20130608
"Government likely to open criminal probe into NSA leaks: officials."
[52]: http://www.forbes.com/sites/andygreenberg/2013/06/09/icelandic-legislator-im-ready-to-help-nsa-whistleblower-seek-asylum/
"Icelandic Legislator: I'm Ready To Help NSA Whistleblower Edward Snowden Seek Asylum"
[53]: https://ssd.eff.org/ "EFF Surveillance Self-Defense."
[54]: https://www.torproject.org/ "The Tor project offers anonymity online."
[55]: http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman
"Cloud computing is a trap, warns GNU founder Richard Stallman"
[56]: http://www.gnu.org/philosophy/who-does-that-server-really-serve.html
"Who does that server really serve?"
[57]: http://www.gnu.org/philosophy/free-sw.html "What is free software?"
[58]: http://www.whistleblowers.org/index.php?option=com_content&task=view&id=984&Itemid=173
"National Security Employees Know Your Rights"
[59]: http://www.theatlanticwire.com/politics/2011/05/obamas-war-whistle-blowers/38106/
"Obama's War on Whistle-Blowers"
[60]: http://www.newyorker.com/strongbox/ "The New Yorker Strongbox"
[61]: http://www.newyorker.com/online/blogs/newsdesk/2013/05/strongbox-and-aaron-swartz.html
"Strongbox and Aaron Swartz"
[62]: http://abcnews.go.com/blogs/politics/2013/06/rand-paul-bill-would-curb-nsa-on-phone-records/
"Rand Paul Bill Would Curb NSA on Phone Records"

[^32]: Ibid.[[31]] 157 Cong. Rec. S3372--3402, S3386 (May 26, 2011) [Vol. VI, Ex. 111, p. 4286]
(Statement of Sen. Ron Wyden, On Patriot Act Reauthorization)
[^33]: Ibid.[[31]] PBS Frontline, Spying on the Homefront, Interview with John C. Yoo at 4
(Jan. 10, 2007) [Vol. I, Ex. 10, p. 394]
[^34]: Ibid.[[31]] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden,
Principal Dep. Dir. for Nat’l Intelligence (Dec. 19, 2005)
[^35]: Ibid.[[31]] Preserving the Rule of Law in the Fight Against Terror:
Hearing before the S. Comm. on the Judiciary, 110th Cong. 7 (Oct. 2, 2007)
[Vol. III, Ex. 42, p. 1307] (testimony of Jack Goldsmith)
[^36]: Ibid.[[31]] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden, Principal Dep. Dir.
for Nat’l Intelligence (Dec. 19, 2005)
[^37]: Ibid.[[31]] Remarks by Gen. Michael Hayden, Address to the National Press Club, Washington, D.C. (Jan. 23, 2006)
[Vol. IV, Ex. 73, p. 1809]

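Review bot: several spelling slips survive in this file and, since the commit message says post text is deliberately unchanged in this commit, they belong in the promised follow-up: "Jon Yoo" in the paragraph beginning "Ultimately, it is believed" (the file's own footnote [^33] spells it "John C. Yoo"), "Micorsoft" inside the quoted NYT passage, "Klien" for Klein in the paragraph after the Guardian quote, "began to begin questioning", "came fourth" for "came forth", "Iclandic", the doubled period in `resigned."[[31]].`, and in the link titles "thet" ([9]), "outrate" ([17]) and "Directory of National Intelligence" ([23]). One point of substance for that same follow-up: the same "Ultimately" paragraph calls Comey "Attorney General", but he was Deputy Attorney General, standing in for Ashcroft when he refused to recertify the program; check the wording against the EFF summary cited as [[31]] before changing it.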
@ -0,0 +1,159 @@
# All "Thoughts" and Site Text Now Licensed Under CC BY-SA

All "thoughts"---that is, my blog-like entries that are generated by the
repository commit messages---and site text are hereby retroactively relicensed
under the [Creative Commons Attribution-ShareAlike 3.0 Unported License][0].
This license shall not supersede any license that is explicitly put forth within
a work; see the COPYING file within the thoughts repository---available on the
"Projects" page---for more information.

[0]: http://creativecommons.org/licenses/by-sa/3.0/

<!-- more -->

This is not a decision I take lightly; it has received much thought over the
course of recent years. For some time, I accepted [the view of Richard Stallman
and the Free Software Foundation][1] on opinion pieces in that, since they
express personal opinions, it is not unreasonable to require that they be
distributed verbatim. Indeed, it would seem wise not to allow someone to change
your words, especially on something that you are passionate about.

However, I have come to adopt another perspective. What is the motivation behind
releasing content under a license that permits modification (that is, the
creation of derivative works)? Often, the primary reason is to allow others to
improve upon the content or to modify it to suit their particular needs. To
prevent others from locking down those changes---preventing others from having
the same rights as they did---many will often release their works under licenses
that require that all derivatives be released under the same terms. In the case
of Creative Commons, this is called ["ShareAlike"][2], which is motivated by
GNU's copyright hack called [copyleft][3] (popularized by the [GNU General
Public License][4]).

For [free software][5] advocates, the question of whether or not to permit
modification is generally not even raised---it is a necessity. Software serves a
functional purpose: Prohibiting modification could prevent users from altering
the software in ways that they may find useful and could be used to exert
control over the users. Software does stuff. Software can control what the user
can and cannot do.

Creative works are often considered in a different light. Like software, they
are indeed useful---they can be tools to learn, to entertain, etc. However, does
prohibiting modification do any harm? In the case of [documentation for free
software][6], yes---documentation is very important and can make the difference
between highly useful software and impenetrable software. Free documentation
ensures that, as the software grows, the documentation can grow with it. Since
the documentation for many projects is often scarce or poorly written (great
computer hackers are not necessarily great language hackers), the freedom to
modify the documentation is a necessity.

Then what of texts that have nothing to do with a free software project? Texts
that serve as an educational resource of any kind would benefit from being free
just as a free software project would---experts could contribute, teachers could
alter it to suit their particular teaching style or their classroom setting,
etc. But what of texts that exist purely as opinion pieces?

I'm not sure there's such a thing as a "pure" opinion piece, unless it is
utter garbage.

An author would do well to substantiate their opinion with appropriate
references (though often times, this is not the case). With those
references (or lack thereof) comes the need to connect them to the content---the
author must explain his or her opinion. This explanation is educational, even if
the reader does not agree with the opinion. Perhaps the reader wishes to use the
opinion piece as a resource, but notices that it is lacking in some respect.
Should they not be able to improve it, perhaps to even further the author's
point? Or, perhaps the opinion piece could be extended to the contrary---to
prove additional references to either make it neutral or even work against the
author's original opinion. Even though this may not be what the author wants,
this is still a useful derivation of the original work.

As an example, consider this very post. This is clearly an opinion piece---I
have made the choice to release my content under a Creative Commons license and
I am substantiating my opinion in the hope that others may gain insight and
possibly even choose the same path for their own creative works. What if someone
wished to present this article to a group of individuals---maybe in the
workplace---but found my "garbage" comment to be unnecessarily harsh? What
personal harm would I incur if they were to remove that statement? However, what
if they wished to go further by replacing all references to "free software"
with references to "open source"---a term which I [reject][7]? Well, this
could potentially affect my image, depending on the group's philosophy. What
now?

There are a few important points to note from this. Firstly, the license
mandates that:

> If You Distribute, or Publicly Perform the Work or any Adaptations or
> Collections, You must, unless a request has been made pursuant to Section
> 4(a), keep intact all copyright notices for the Work and provide, reasonable
> to the medium or means You are utilizing: (i) the name of the Original Author
> (or pseudonym, if applicable) if supplied, and/or if the Original Author
> and/or Licensor designate another party or parties (e.g., a sponsor institute,
> publishing entity, journal) for attribution ("Attribution Parties") in
> Licensor's copyright notice, terms of service or by other reasonable means,
> the name of such party or parties; (ii) the title of the Work if supplied;
> (iii) to the extent reasonably practicable, the URI, if any, that Licensor
> specifies to be associated with the Work, unless such URI does not refer to
> the copyright notice or licensing information for the Work; and (iv) ,
> consistent with Ssection [sic] 3(b), in the case of an Adaptation, a credit
> identifying the use of the Work in the Adaptation (e.g., "French translation
> of the Work by Original Author," or "Screenplay based on original Work by
> Original Author").[8]

In plain English---you must provide attribution to the original author and
indicate that the work has been modified from the original. Furthermore:

> The credit required by this Section 4(c) may be implemented in any reasonable
> manner; provided, however, that in the case of a Adaptation or Collection, at
> a minimum such credit will appear, if a credit for all contributing authors of
> the Adaptation or Collection appears, then as part of these credits and in a
> manner at least as prominent as the credits for the other contributing
> authors.[8]

It would therefore be appropriate to assume that an author of a derivate work
will, in good faith, make clear attribution. Should this not be the case, then
what is to say that the author would not have simply modified a work which is
not licensed to permit modifications?

The next point is another simple one: Under United States copyright law, the
[fair use doctrine][9] permits limited use of a copyrighted work without prior
consent from the author; it is this doctrine that allows, for example, authors
and journalists to quote portions of other works to report on or back up their
arguments. This means that, even if the license did not permit, an author could
still incorporate *portions* of my work to support their own arguments or agenda,
regardless of whether or not I may agree with it. This segues into the final
point.

Who am I to [dictate others opinions][10]? It would not be right of me to limit
one's freedom simply because they violate my own personal opinions or beliefs.
Therefore, if this is one condition under which I would decide to restrict my
creative works, then that reason should be immediately dismissed. This means
that---within the context of my previous example---if someone wanted to alter
all the references to "free software" in my work to adapt it to their own
personal style, then they should be permitted to do so. Such a work is no longer
my own: They must clearly state that it has been altered from the original.
Hopefully readers take notice of that. My works are always published on my own
personal website where the originals can be found; with today's search engines,
such a task is trivial. If someone neglects to do so---and I do understand that
many will neglect to do so---then they have not made an informed opinion on the
material.

Another minor point would be that, for the majority of my works, it is unlikely
that anyone will be making any sort of alteration.

As such, I find that I have little ground to stand on should I attempt to
rationalize a more restrictive license. Any remaining arguments, such as "what
if they sell your content or modify it only slightly and are given more credit
for the work than they deserve?" are already covered by the free software
philosophy can may be easily adopted here.

[1]: http://www.gnu.org/licenses/license-list.html#OpinionLicenses
|
||||
[2]: http://creativecommons.org/licenses/
|
||||
[3]: https://www.gnu.org/copyleft/copyleft.html
|
||||
[4]: https://www.gnu.org/copyleft/gpl.html
|
||||
[5]: https://www.gnu.org/philosophy/free-sw.html
|
||||
[6]: https://www.gnu.org/philosophy/free-doc.html
|
||||
[7]: http://www.gnu.org/philosophy/open-source-misses-the-point.html
|
||||
[8]: http://creativecommons.org/licenses/by-sa/3.0/legalcode
|
||||
[9]: http://en.wikipedia.org/wiki/Fair_use
|
||||
[10]: http://www.gnu.org/philosophy/programs-must-not-limit-freedom.html
|
||||
|
|
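Review bot: the closing sentence of this hunk, "are already covered by the free software philosophy can may be easily adopted here", has a stray word ("can may", presumably "and may"), and "dictate others opinions" is missing its apostrophe ("others' opinions"). Since this commit is deliberately a markup-only translation, carry both into the follow-up text commit rather than fixing them here; the markup itself converts cleanly.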
@ -0,0 +1,64 @@
# Snowden Statement at Moscow Airport; Accepts Asylum Offers

**See Also:** [National Uproar: A Comprehensive Overview of the NSA Leaks and
Revelations][0]; I have not yet had the time to devote to writing a thorough
follow-up of recent events and will likely wait until further information and
leaks are presented.

[Edward Snowden][1]---the whistleblower responsible for [exposing various NSA
dragnet spying programs][0], among other documents---has been [stuck in the
Moscow airport][2] for quite some time while trying to figure out how he will
travel to countries offering him asylum, which may involve traveling through
territories that may cooperate with the United States' extradition requests.

[0]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations
[1]: https://en.wikipedia.org/wiki/Edward_Snowden (Now with his own Wikipedia page)
[2]: http://www.guardian.co.uk/world/2013/jul/01/edward-snowden-escape-moscow-airport

<!-- more -->

Snowden [issued a statement today to Human Rights groups at Moscow's
Sheremetyevo airport][3], within which he mentioned:

> I announce today my formal acceptance of all offers of support or asylum I
> have been extended and all others that may be offered in the future. With, for
> example, the grant of asylum provided by Venezuela’s President Maduro, my
> asylee status is now formal, and no state has a basis by which to limit or
> interfere with my right to enjoy that asylum. [...] I ask for your assistance
> in requesting guarantees of safe passage from the relevant nations in securing
> my travel to Latin America, as well as requesting asylum in Russia until such
> time as these states accede to law and my legal travel is permitted. I will be
> submitting my request to Russia today, and hope it will be accepted
> favorably.[3]

Snowden had previously [withdrawn his request for political asylum in Russia][4]
after [Vladmir Putin stated that he could stay][5] only if he stopped "bringing
harm to our American partners"---something which [Snowden does not believe that
he is doing][6]. Although Venezuela has offered Snowden asylum, as [explained by
the Guardian][6], "he remains unable to travel there without travel
documents". Even if he does obtain travel documents, there are still
worries---earlier this month, the [Bolivian president's plane was diverted with
suspicion that Snowden was on board][7], showing that certain countries may be
willing to aid the U.S. in his extradition or otherwise prevent him from
traveling.

My focus on these issues will seldom be on Snowden himself---I would prefer to
focus primarily on what he sacrificed his life to bring to light. But it is
precisely this sacrifice that makes it important to ensure that Snowden does not
fall out of the picture (though it does not appear that he will any time soon).
The Guardian also seems to have adopted the strategy of slowly providing more
information on the leaks over time---such as the recent revelation that
[Microsoft cooperated with the NSA's Prisim program to provide access to
unencrypted contents of Outlook.com, Hotmail, Skype and SkyDrive services][8]; I
will have more on that later.

I end this with a photograph taken yesterday of [Richard Stallman with Julian
Assange holding up a picture of Snowden][9] that brings a smile to my face.

[3]: http://wikileaks.org/Statement-by-Edward-Snowden-to.html
[4]: http://www.guardian.co.uk/world/2013/jul/02/edward-snowden-nsa-withdraws-asylum-russia-putin
[5]: http://www.guardian.co.uk/world/2013/jul/01/putin-snowden-remain-russia-offer
[6]: http://m.guardiannews.com/world/2013/jul/12/edward-snowden-accuses-us-illegal-campaign
[7]: http://www.guardian.co.uk/world/2013/jul/05/european-states-snowden-morales-plane-nsa
[8]: http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data
[9]: http://twitpic.com/d279tx
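Review bot: in the definition `[1]: https://en.wikipedia.org/wiki/Edward_Snowden (Now with his own Wikipedia page)`, Markdown parses a parenthesised string after the URL as the link's title attribute, so the aside becomes a hover tooltip rather than visible text; confirm in the HTML output that this is the intent, otherwise move the remark into the body of the paragraph. For the follow-up text commit, note the typos "Vladmir" (Vladimir) and "Prisim" (PRISM) in this file.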
@ -0,0 +1,99 @@
# London Trashcan Spies

We're not talking about kids hiding out in trashcans talking on
walkie-talkies and giggling to each other.

[Ars has reported on London trashcans][0] rigged to collect the [MAC
addresses][1] of mobile devices that pass by. Since we do not often see
mobile devices carrying themselves around, we may as well rephrase this as
"collect the MAC addresses of people that pass by":

> During a one-week period in June, just 12 cans, or about 10 percent of the
> company's fleet, tracked more than 4 million devices and allowed company
> marketers to map the "footfall" of their owners within a 4-minute
> walking distance to various stores.

[0]: http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/
[1]: http://en.wikipedia.org/wiki/MAC_address

<!-- more -->

Your device's---er, *your*---MAC address is a unique identifier that, in
the case of wireless networks, is used by the networks to state that a
message is intended specifically for you---something that is necessary since
wireless devices communicate through open air and, therefore, your device is
[also able to pick up the communications of other devices][2]:

> In IEEE 802 networks such as Ethernet, token ring, and IEEE 802.11, and in
> FDDI, each frame includes a destination Media Access Control address (MAC
> address). In non-promiscuous mode, when a NIC receives a frame, it
> normally drops it unless the frame is addressed to that NIC's MAC address
> or is a broadcast or multicast frame.

Therefore, in such networks, a MAC address is required for communication. So
why does your device freely give away such a unique identifier that can be
used to track you? Consider that, when wireless is enabled (and, as [the Ars
article][0] mentions, sometimes [even when it's not][3]), your device
generally scans your surroundings in order to provide you with a list of
networks to connect to. This list is generally populated when various access
points broadcast their own information to advertise themselves so that you
can select them to connect. However, some access points are hidden---they do
not broadcast their information, which helps to deter unwanted or malicious
users. To connect to these access points, you generally provide the name
that the access point administrator has given to it (e.g. "mysecretap").

Let's say you disconnect from mysecretap. Since the access point (AP) is not
broadcasting itself, how does your device know when it is available again?
It must attempt to ping it and see if it gets a response. With this ping is
your MAC address. Since many devices conveniently like to connect
automatically to known access points when they become available, it is
likely that your device is pinging rather frequently.

But what if you do not use hidden access points? Well, it is likely that the
same issue still stands---what if the access point that you connected to was
once listed but then becomes hidden? (Maybe the administrator of the access
point allowed broadcasts for a period of time to allow people to connect
easily, but then hid it at a later time.) Your device would need to account
for that, and therefore, to be helpful, likely broadcasts pings for any
access point you have connected to recently (where "recently" would depend
on your device).

Now, back to the [NSA][5]-wannabe-trashcans: At this point, all an observer
must do is lay in wait for those broadcasts and record the MAC addresses. By
placing these devices at various locations, you could easily track the
movements of individuals, including their speed, destinations, durations of
their visits, visit frequencies, favorite areas, dwellings, travel patterns,
etc. Since devices may broadcast a whole slew of recent access points that
it connected to, you could also see areas that the owner may have been to
(oh, I see that you connected to the free wifi in that strip joint). You
[could be evil][6].

Turn off wireless on your device when you are not using it---especially when
you are traveling. Ensure that your device [does not continue pinging access
points when wireless is disabled][3].

Better yet, fight back. Consider exploring how to spoof your MAC address,
perhaps randomly generating one every so often. Consider the possibilities
of activist groups that may pollute these spy databases by gathering a list
of unique MAC addresses of passerbys for the purpose of rebroadcasting them
at random intervals---which you could even do using long-range antennas
targeted at these devices.[^7] If done properly to mimic models of common
travel patterns, the data that these spy devices gather would become
unreliable.[^8]

Surveillance by any entity---be it [governments][5], corporations,
individuals or otherwise---is not acceptable.

[2]: http://en.wikipedia.org/wiki/Promiscuous_mode
[3]: http://arstechnica.com/gadgets/2013/08/review-android-4-3-future-proofs-the-platform-with-multitude-of-minor-changes/3/#p15
[4]: http://arstechnica.com/security/2013/08/diy-stalker-boxes-spy-on-wi-fi-users-cheaply-and-with-maximum-creep-value/
[5]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations
[6]: http://renewlondon.com

[^7]: Disclaimer: Please research your local laws.

[^8]: Of course, it is important that such an activity in itself does not
violate a person's privacy, and so such collection must be done in a manner
that cannot in itself identify the person's travel patterns (e.g. by
not storing information on what access point the data was collected from).

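Review bot: reference `[4]` (the Ars "DIY stalker boxes" article) is defined in this file but never used in the body, so it renders to nothing; check the original post for the sentence that carried that link, since a link target surviving without its anchor is the usual sign that a link was dropped during conversion. For the follow-up text commit: what the post calls a "ping" is an 802.11 probe request, and the client's MAC address sits in the header of every probe request it sends while scanning, including wildcard-SSID probes that are not tied to any remembered hidden network, so the exposure is broader than the hidden-access-point case the post builds its argument on; "passerbys" should also become "passersby".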
@ -0,0 +1,17 @@
# Facebook knows about you even if you are not a member

An article about [the scope of Facebook's data collection][0] speaks for
itself; this really does not come as a surprise, but is nonetheless
unsettling.

[0]: http://www.groovypost.com/news/facebook-shadow-accounts-non-users/

<!-- more -->

Encourage your friends, colleagues and acquaintances to use services like
[Diaspora][1] that are respectful of your data instead. Better yet: explain
to those individuals the problems of social media services and ask that they
respectfully leave you out of it.

[1]: https://joindiaspora.com/

@ -0,0 +1,40 @@
# Windows 8.1 to display targeted advertisements on local system searches

It is very disturbing that [Microsoft decided that it would be a good idea
to display targeted ads on local searches][0]---that is, if you search for a
file on your PC named "finances", you may get ads for finance software,
taxes, etc. If you search for "porn", well, you get the idea.

> Bing Ads will be an integral part of this new Windows 8.1 Smart Search
> experience. Now, with a single campaign setup, advertisers can connect
> with consumers across Bing, Yahoo! and the new Windows Search with highly
> relevant ads for their search queries. In addition, Bing Ads will include
> Web previews of websites and the latest features like site links, location
> and call extensions, making it easier for consumers to complete tasks and
> for advertisers to drive qualified leads.[[1]]

[0]: http://www.computerworld.com/s/article/9241524/Steven_J._Vaughan_Nichols_Microsoft_Bing_bang_bungles_local_search
[1]: http://community.bingads.microsoft.com/ads/en/bingads/b/blog/archive/2013/07/02/new-search-ad-experiences-within-windows-8-1.aspx

<!-- more -->

While that is certainly obnoxious, consider the larger issue of privacy
(which seems to be in the news a lot lately[[2]][[3]]): Late last year, there
was an uproar in the Free Software community when [Ubuntu decided to query
Amazon---enabled by default---on local searches][4] using their new Unity
interface. The problem is that your personal queries are being sent to a
third party---queries that you generally would expect to be private. If I
run a `find' or `grep' command on my system, I certainly do not expect it to
report to Amazon or Microsoft what I am searching for.

And to make matters even worse, Microsoft is exploiting this information to
allow advertisers to target you. [Ironic.][5]

[Do not use Windows 8][6] (or any other proprietary software, for that
matter).

[2]: /2013/08/facebook-knows-about-you-even-if-you-are-not-a-member
[3]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations
[4]: http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do
[5]: http://www.scroogled.com/email/
[6]: https://www.fsf.org/windows8
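Review bot: the line "run a `find' or `grep' command on my system" carries two TeX-style opening backticks, which Markdown pairs into a code span, so the rendered HTML shows "find' or " as code followed by a bare "grep'"; this is a markup defect introduced by the conversion, not a text change, so it belongs in this commit. Write the commands as proper code spans (`find` and `grep`) or with plain quotes. While there, confirm in the HTML that `[[2]][[3]]` yields two bracketed links to the defined `[2]` and `[3]` rather than being read as one reference with a bracketed label.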
@ -0,0 +1,64 @@
# Measuring Air Temperature With Phone Batteries

OpenSignal---a company responsible for mapping wireless signal
strength by gathering data using mobile device software---noticed [an
interest correlation between battery temperature on devices and air
temperature][0].

> Aggregating daily battery temperature readings to city level revealed a
> strong correlation with historic outdoor air temperature. With a
> mathematical transformation, the average battery temperature across a
> group of phones gives the outdoor air temperature.

[0]: http://opensignal.com/reports/battery-temperature-weather/

<!-- more -->

**Note:** Graph renderings on their website require proprietary JavaScript, but
the article does describe it in detail, so it is not necessary. In
particular, note that, from [their provided equation][0], their scaling factor
`m' implies that there is a smaller variance in battery temperature in the
graph than there is in the actual air temperature, but that there is still a
correlation.

This is an interesting find. The article further states that "[...] we have
one data point where the Android data is actually more reliable than the
traditional source."

Such data can be very useful in providing decentralized data, so long as
[issues of privacy][1] are addressed. Doing so is not terribly difficult,
but would have a number of factors. In particular, the user would need the
means to submit data anonymously, which could be done via software/networks
such as [Tor][2]. GPS location data is certainly a privacy issue when it is
tied to your mobile device, but fortunately, it's unneeded: you can trust
your users to let you know where they reside by either (a) opting into using
location services or (b) allowing them to specify a location or approximate
location of their choosing (approximations would be important since a user
may not wish to change their location manually while they travel, say, to
and from work). If enough devices submit data, then legitimate data would
drown out those who are trying to purposefully pollute the database. Such an
example can be seen with Bitcoin, in which networks will [reach a consensus
on correct blockchains][3] so long as "a majority of computing power is
controlled by nodes that are not cooperating to attack the network". Of
course, users would be able to pollute the network by sending false data as
it is, and the [data is already tarnished from various factors such as body
heat][0].

Of course, I do assume that mobile devices will contain temperature sensors
in the future; [some already do][4] (but I cannot encourage their use, as
they use [proprietary software][5]). However, this is still a clever hack (I
suppose that term is redundant). In my searching while writing this article,
I did notice [prior examples of ambient temperature readings using Android
software][6] ([proprietary][5]), but the software does not aggregate data
for purposes of determining weather patterns.

Finally, please do not download OpenSignal's app; it too is
[proprietary][5]; this discussion was purely from a conceptual standpoint
and does not endorse any software.

[1]: /2013/08/london-trashcan-spies
[2]: https://www.torproject.org/
[3]: http://en.wikipedia.org/wiki/Protocol_of_Bitcoin
[4]: http://stackoverflow.com/a/11628921
[5]: http://www.gnu.org/philosophy/free-sw.html
[6]: https://play.google.com/store/apps/details?id=androidesko.android.electronicthermometer&hl=en
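Review bot: "`m'" in the **Note** paragraph is the same TeX-style quoting as in the Windows 8.1 post; a lone backtick is passed through literally by Markdown, so this instance happens to render, but it is inconsistent with the converted posts and turns into a code span the moment a second backtick lands on the same line. Change it to `m` as a code span or to a plain quote in this commit. For the follow-up text commit: "an interest correlation" should read "an interesting correlation".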
@ -0,0 +1,209 @@
# FreeBSD, Clang and GCC: Copyleft vs. Community

A useful perspective explaining why [FreeBSD is moving away from GCC in
favor of Clang][0]; indeed, they are moving away from GPL-licensed software
in general. While this is [not a perspective that I personally agree
with][1], it is one that I will respect for the project. It is worth
understanding the opinions of those who disagree with you to better
understand and formulate your own perspective.

[0]: http://unix.stackexchange.com/a/49970
[1]: /2012/11/vlcs-move-to-lgpl

But I am still a free software activist.

<!-- more -->

According to the [FreeBSD FAQ][2]:

> The goal of the FreeBSD Project is to provide a stable and fast general
> purpose operating system that may be used for any purpose without strings
> attached.

As is mentioned in [the aforementioned article][0], the BSD community does not
hold the same opinions on what constitutes "without strings
attached"---the BSD community [considers the restriction on the user's
right to make proprietary use of the software to be a "string"][2],
whereas the free software community under [RMS][3] believes that [the
ability to make a free program proprietary is unjust][4]:

> Making a program proprietary is an exercise of power. Copyright law today
> grants software developers that power, so they and only they choose the
> rules to impose on everyone else—a relatively small number of people make
> the basic software decisions for all users, typically by denying their
> freedom. When users lack the freedoms that define free software, they
> can't tell what the software is doing, can't check for back doors, can't
> monitor possible viruses and worms, can't find out what personal
> information is being reported (or stop the reports, even if they do find
> out). If it breaks, they can't fix it; they have to wait for the developer
> to exercise its power to do so. If it simply isn't quite what they need,
> they are stuck with it. They can't help each other improve it.

The [Modified BSD License][5] is a GPL-compatible Free Software
license---that is, software licensed under the Modified BSD license meets
the requirements of the [Free Software Definition][6]. The additional
"string" that the BSD community is referring to is the concept of
[copyleft][7]---Richard Stallman's copyright hack and one of his most
substantial contributions to free software and free society. To put it into
the [words of the FSF][7]:

> Copyleft is a general method for making a program (or other work) free,
> and requiring all modified and extended versions of the program to be free
> as well.

Critics often adopt the term ["viral" in place of "copyleft"][8] because
of the requirement that all derivatives must contain the same copyleft
terms---the derivative must itself be Free Software, perpetually (until, of
course, the copyright term expires and it becomes part of the public domain,
[if such a thing will ever happen at this rate][9]). In the case of the
Modified BSD license---being a more permissive license that is non-copyleft
and thus allows proprietary derivatives---derivative works that include both
BSD- and GPL-licensed code essentially consume the [Modified BSD license's
terms][10], which are a subset of the [GPL's][11]. Of course, this is not
pursuant to [FreeBSD's goals][2] and so they consider this to be a bad
thing: There are "strings attached".

This is more demonstrative of the ["open source" philosophy than that of
"Free Software"][12] (yes, notice the bias in my capitalization of these
terms).

[Copyleft is important][7] because it ensures that all users will forever
have the [four fundamental freedoms associated with Free Software][6]. The
GPL incorporates copyleft; BSD licenses do not. Consider why this is a
problem: Imagine some software Foo licensed under [the Modified BSD
license][10]. Foo is free software; it is licensed under a [free software
license (Modified BSD)][5]. Now consider that someone makes a fork---a
derivative---of Foo, which we will call "Foobar". Since [the Modified BSD
license is not copyleft][10], the author of Foobar decides that he or she
does not wish to release its source code; this is perfectly compliant with
the Modified BSD license, as it does not require that source code be
distributed with a binary (it only requires---via its [second
clause][10]---that the copyright notice, list of conditions and disclaimer be
provided).

The author has just taken Foo and made it proprietary.

The FreeBSD community is okay with this; [the free software community is
not][4]. There is a distinction between these two parties: When critics of
copyleft state that they believe the GPL is "less free" than more
permissive licenses such as the BSD licenses, they are taking into
consideration the freedoms of developers and distributors; the GPL, on the
other hand, explicirly *restricts* these parties' rights in order to protect
the *users* because those parties are precisely those that seek to *restrict
the users' freedoms*; we cannot provide such freedoms to developers and
distributors without sacrificing the rights of the vulnerable users who
generally do not have the skills to protect themselves from being taken
advantage of.[^13] Free software advocates have exclusive, unwaivering
loyalty to users.

As an example of the friction between the two communities, consider a
concept that has been termed ["tivoization"][14]:

> Tivoization means certain “appliances” (which have computers inside)
> contain GPL-covered software that you can't effectively change, because
> the appliance shuts down if it detects modified software. The usual
> motive for tivoization is that the software has features the manufacturer
> knows people will want to change, and aims to stop people from changing
> them. The manufacturers of these computers take advantage of the freedom
> that free software provides, but they don't let you do likewise.

This [anti-feature][15] is a type of [Digital Restrictions Management
(DRM)][16] that exposes a [loophole in the GPL that was closed in
Section 3 of the GPLv3][14], which [requires that][11]:

> When you convey a covered work, you waive any legal power to forbid
> circumvention of technological measures to the extent such circumvention
> is effected by exercising rights under this License with respect to the
> covered work, and you disclaim any intention to limit operation or
> modification of the work as a means of enforcing, against the work's
> users, your or third parties' legal rights to forbid circumvention of
> technological measures.

Unfortunately, not everyone has agreed with this move. A number of
[developers of the kernel Linux expressed their opposition of GPLv3][17]. In
response to the aforementioned GPLv3 provision, they stated:

> While we find the use of DRM by media companies in their attempts to reach
> into user owned devices to control content deeply disturbing, our belief
> in the essential freedoms of section 3 forbids us from ever accepting any
> licence which contains end use restrictions. The existence of DRM abuse is
> no excuse for curtailing freedoms.

Linus Torvalds---the original author of the kernel Linux---also [expressed
his distaste toward the GPLv3][18]; the kernel is today still licensed under
the GPLv2.

[The BSD camp has similar objections][19]:

> Appliance vendors in particular have the most to lose if the large body of
> software currently licensed under GPLv2 today migrates to the new license.
> They will no longer have the freedom to use GPLv3 software and restrict
> modification of the software installed on their hardware. High support
> costs ("I modified the web server on my Widget 2000 and it stopped
> running...") and being unable to guarantee adherence to specifications in
> order to gain licensing (e.g. FCC spectrum use, Cable TV and media DRM
> requirements) are only two of a growing list of issues for these
> users. --Justin Gibbs, VP of The FreeBSD Foundation

My thoughts while reading the above where echoed by Gibbs further on in his
statement: "[T]he stark difference between the BSD licensing philosophy and
that of the Free Software Foundation are only too clear." For the FreeBSD
community, this is a very serious issue and their argument is certainly a
legitimate concern on the surface. However, it is an argument that the Free
Software community would do well to reject: Why would we wish to sacrifice
users' freedoms for any reason, let alone these fairly absurd ones. In
particular, a support contract could dictate that only unmodified software
will be provided assistance and even mandate that the hardware indicate
changes in software: like breaking the "void" sticker when opening a
hardware component. Moreover, how frequently would such a situation
actually happen relative to their entire customer base? My guess is: fairly
infrequently. The second issue is a more complicated one, as I am not as
familiar on such topics, but a manufacturer can still assert that the
software that it provides with its devices is compliant. If the compliance
process forbids any possibility of brining the software into
non-compliance---that is, allowing the user to modify the software---then
the hardware manufacturer can choose to not use free software (and free
software advocates will subsequently reject it until standards bodies grow
up).

As I mentioned at the beginning of this article: this is a view that I will
respect for the project. I disagree with it, but FreeBSD is still free
software and we would do well not to discriminate against it simply because
someone else may decide to bastardize it and betray their users by making it
proprietary or providing [shackles][16]. However, provided the licensing;
option for your own software, you should choose the GPL.

**Colophon:** The title of this article is a play on [RMS' "Copyright vs.
Communty"][20], which is a title to a speech he frequently provides
worldwide. His speech covers how copyright works against the interests of
the community; here, BSD advocates aruge that [copyleft][7] works against
the interests of *their* community and their users; I figured that I would
snag this title as a free software advocate before someone else opposing
copyleft did.

[2]: http://www.freebsd.org/doc/faq/introduction.html#FreeBSD-goals
[3]: http://en.wikipedia.org/wiki/Richard_Stallman
[4]: http://www.gnu.org/philosophy/freedom-or-power.html
[5]: http://www.gnu.org/licenses/license-list.html#ModifiedBSD
[6]: http://www.gnu.org/philosophy/free-sw.html
[7]: http://www.gnu.org/copyleft/
[8]: http://en.wikipedia.org/wiki/Copyleft#Viral_licensing
[9]: http://www.gnu.org/philosophy/misinterpreting-copyright.html
[10]: http://en.wikipedia.org/wiki/BSD_licenses
[11]: http://www.gnu.org/licenses/gpl.html
[12]: http://www.gnu.org/philosophy/open-source-misses-the-point.html

[^13]: Technically, the GPL exercises restrictions only on distributors; a
developer can integrate GPL'd code into their proprietary software so
long as they do not distribute it [(as defined in the GPL)][11]. However,
developers often have to cater to distributors, since software will
generally be distributed; if it is not, then it is not relevant to this
discussion.

[14]: http://www.gnu.org/licenses/rms-why-gplv3.html
[15]: http://www.fsf.org/blogs/community/antifeatures
[16]: http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management
[17]: http://lwn.net/Articles/200422/
[18]: http://en.wikipedia.org/wiki/Linux_kernel
[19]: http://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml
[20]: http://www.gnu.org/philosophy/copyright-versus-community.html
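Review bot: `[18]`, the link behind "expressed his distaste toward the GPLv3", resolves to the general Wikipedia article on the Linux kernel rather than to anything in which Torvalds states that position; check whether the original post pointed somewhere more specific, and otherwise queue a source that actually quotes him. The sentence "However, provided the licensing; option for your own software" has a stray semicolon that splits it in two. For the follow-up text commit, the typos in this file are "explicirly", "unwaivering", "brining", "where echoed" (were), "aruge" and "Communty".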
@ -0,0 +1,60 @@
# Re: FreeBSD, Clang and GCC: Copyleft vs. Community

I recently received a comment via e-mail from a fellow GNU hacker Antonio
Diaz, who is the author and maintainer of [GNU Ocrad][0], a [free (as in
freedom)][1] optical character recognition (OCR) program. His comment was in
response to my article entitled [FreeBSD, Clang and GCC: Copyleft vs.
Community][2], which details the fundamental difference in philosophy
between free software and "open source".

[0]: https://www.gnu.org/software/ocrad/ocrad.html
[1]: https://www.gnu.org/philosophy/free-sw.html
[2]: /2013/08/freebsd-clang-and-gcc-copyleft-vs.community

I found Antonio's perspective to be enlightening, so I asked for his
permission to share it here.

<!-- more -->

> I imagine a world where all the Free Software is GPLed. The amount and
> usefulness of Free Software grows incesantly because free projects can
> reuse the code of previous free projects. Proprietary software is
> expensive because every company has to write most of its "products" from
> scratch. Most people use Free Software, and proprietary software is mainly
> used for specialized tasks for which no free replacement exists yet.
>
> Now I imagine a world where all the Free Software is really "open source"
> (BSD license). Free Software is restricted to the operating system and
> basic aplications because the license does not guarantee reciprocity.
> Proprietary software is cheap to produce because it is built using the
> code of free projects, but it is expensive for the user (in money and
> freedom) because there is no real competition from Free Software. Most
> people use proprietary software, as Free Software is too basic for most
> tasks.
>
> I think "open source" organizations (specially BSD) are wilfully
> destroying the long-term benefits for society of the GPL, and they are
> doing it for short-term benefits like popularity and greed:
>
> "As these companies devise strategies for dealing with GPLv3, so must the
> FreeBSD community - strategies that capitalize on this opportunity to
> increase adoption of FreeBSD." "Fundraising Update [...] This has
> increased the number of people actively approaching companies to make
> large contributions."
>
> https://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml
|
||||
>
|
||||
> Human beings have an innate sense of justice. In absence of reciprocity
|
||||
> one wants to be paid, but I think that reciprocity is much better for
|
||||
> society in the long term.[^3]
|
||||
|
||||
Antonio compels us to think toward the future: while developers releasing
|
||||
their code under permissive licenses like the [Modified BSD License][4] are
|
||||
still making a generous contribution to the free software community today,
|
||||
it may eventually lead to negative consequences by empowering non-free
|
||||
software tomorrow.
|
||||
|
||||
[^3]: Comment by Antonio Diaz; the only modifications made were for
|
||||
formatting.
|
||||
|
||||
[4]: https://www.gnu.org/licenses/license-list.html#ModifiedBSD
|
|
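Review bot: the `[2]: /2013/08/freebsd-clang-and-gcc-copyleft-vs.community` definition has a period inside the slug where every other segment is hyphenated; verify that this matches the published article's path, since a broken internal link here defeats the point of the "Re:" post. The `>` block also keeps Antonio's original spellings ("incesantly", "aplications", "specially", "wilfully"), which is consistent with footnote `[^3]` ("the only modifications made were for formatting") and with this commit's markup-only policy, so either leave them for the later text-change commit the message promises or mark them `[sic]` rather than silently correcting them here.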
@ -0,0 +1,128 @@
|
|||
# FSF Condemns Partnership Between Mozilla and Adobe to Support DRM
|
||||
|
||||
Two days ago, the Free Software Foundation published [an announcement
|
||||
strongly condemning Mozilla's partnership with Adobe][0] to implement the
|
||||
[controversial W3C Encrypted Media Extensions (EME) API][1]. EME has been
|
||||
strongly criticized by a number of organizations, including the [EFF][2] and
|
||||
the [FSF's DefectiveByDesign campaign team][3] ("Hollyweb").
|
||||
|
||||
[Digital Restrictions Management][4] imposes artificial restrictions on
|
||||
users, telling them what they can and cannot do; it is a system [that does
|
||||
not make sense][5] and is harmful to society. Now, just about [a week after
|
||||
the International Day Against DRM][6], Mozilla decides to [cave into the
|
||||
pressure in an attempt to stay relevant][7] to modern web users, instead of
|
||||
sticking to their [core philosophy about "openness, innovation, and
|
||||
opportunity"][8].
|
||||
|
||||
[0]: http://www.fsf.org/news/fsf-condemns-partnership-between-mozilla-and-adobe-to-support-digital-restrictions-management
|
||||
[1]: https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html
|
||||
[2]: https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards
|
||||
[3]: /2013/03/defective-by-design-campaign-against-w3c-drm-standard
|
||||
[4]: http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management
|
||||
[5]: https://plus.google.com/+IanHickson/posts/iPmatxBYuj2
|
||||
[6]: http://www.defectivebydesign.org/dayagainstdrm
|
||||
[7]: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/
|
||||
[8]: http://www.mozilla.org/en-US/about/manifesto/
|
||||
|
||||
John Sullivan requested in the [FSF's announcement] that the community
|
||||
contact Mozilla CTO Andreas Gal in opposition of the decision. This is my
|
||||
message to him:
|
||||
|
||||
<!-- more -->
|
||||
|
||||
```
|
||||
Date: Wed, 14 May 2014 22:57:02 -0400
|
||||
From: Mike Gerwitz <mikegerwitz@gnu.org>
|
||||
To: agal@mozilla.com
|
||||
Subject: Firefox EME
|
||||
|
||||
Andreas,
|
||||
|
||||
I am writing to you as a free software hacker, activist, and user; notably,
|
||||
I have been using Firefox for over ten years. It has been pivotal, as I do
|
||||
not need to tell you, in creating a free (as in freedom), standard, and
|
||||
accessible internet for millions of users. Imagine my bewildered
|
||||
disappointment, then, to learn that Firefox has chosen to cave into the
|
||||
pressure to [support Digital Restrictions Management through the
|
||||
implementation of EME][0].
|
||||
|
||||
Mitchell Baker made a feeble attempt at [rationalizing this decision][0] as
|
||||
follows:
|
||||
|
||||
[...] Mozilla alone cannot change the industry on DRM at this point. In
|
||||
the past Firefox has changed the industry, and we intend to do so again.
|
||||
Today, however, we cannot cause the change we want regarding DRM. The
|
||||
other major browser vendors =E2=80=94 Google, Microsoft and Apple have already
|
||||
implemented the new system. In addition, the old system will be retired
|
||||
shortly. As a result, the new implementation of DRM will soon become the
|
||||
only way browsers can provide access to DRM-controlled content.
|
||||
|
||||
She goes on to explain how "video is an important aspect of online life"
|
||||
and that Firefox would be "deeply flawed as a consumer product" if it did
|
||||
not implement Digital Restrictions Management. This is precisely the FUD
|
||||
that the "content owners" she describes, and corporations like Adobe, have
|
||||
been pushing: Mozilla understands that the solution is not to implement DRM,
|
||||
but to fight to encourage content to be published *without* being
|
||||
DRM-encumbered. Unfortunately, they will now have little motivation to do
|
||||
so, with every major browser endorsing EME.
|
||||
|
||||
She defers to a post by Andreas Gal [for more implementation details][1], in
|
||||
which he mentions that the proprietary CDM virus (which will be happily
|
||||
provided by Adobe) will be protected by a sandbox to prevent certain spying
|
||||
activities like fingerprinting. While this is better than nothing, it's a
|
||||
clear attempt by Mozilla to help make a terrible situation a little bit
|
||||
better.
|
||||
|
||||
He goes on to say:
|
||||
|
||||
There is also a silver lining to the W3C EME specification becoming
|
||||
ubiquitous. With direct support for DRM we are eliminating a major use
|
||||
case of plugins on the Web, and in the near future this should allow us to
|
||||
retire plugins altogether.=20
|
||||
|
||||
Let us not try to veil the problem and make things look more rosy than they
|
||||
actually are: this is not a silver lining; it is not appropriate to have a
|
||||
standardized way of manipulating and taking advantage of users.
|
||||
|
||||
It is true that Firefox was in an unfortunate position: many users would
|
||||
indeed grow frustrated that they cannot watch their favorite TV shows and
|
||||
movies using Firefox. But Firefox could have served, when the EME API was
|
||||
used, static content that provided a brief explanation and a link for more
|
||||
information on the problem. They could have educated users and encourage an
|
||||
even stronger outcry.
|
||||
|
||||
Instead, we are working with the corrupt W3C to implement a seamlessly
|
||||
shackled web. Mozilla wants to propose alternative solutions to DRM/EME, but
|
||||
by implementing it, their position is weakened.
|
||||
|
||||
This is a difficult and uncomfortable step for us given our vision of a
|
||||
completely open Web, but it also gives us the opportunity to actually
|
||||
shape the DRM space and be an advocate for our users and their rights in
|
||||
this debate. [1]
|
||||
|
||||
Such advocacy has been done and can continue to be done by Mozilla without
|
||||
the implementation of EME; once implemented, the standard will be virtually
|
||||
solidified---what is the incentive for W3C et. al. to find alternatives to a
|
||||
system that is already "better than" the existing Flash and Silverlight
|
||||
situation?
|
||||
|
||||
On behalf of the free software community, I strongly encourage your
|
||||
reconsideration on the matter. Mozilla is valued by the free software
|
||||
community for its attention to freedoms. Stand with us and fight. You're in
|
||||
a powerful position to do so.
|
||||
|
||||
[0]: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/
|
||||
[1]: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/
|
||||
```
|
||||
|
||||
The following day, I [submitted the FSF announcement to HackerNews][9]
|
||||
(surprised that it was not there already) in an attempt to bring further
|
||||
coverage to the matter and hopefully spur on some discussion. And discuss
|
||||
they did: it was on the front page for the entire day and, at the time of
|
||||
writing, boasts 261 comments, many of them confused and angry. I sent the HN
|
||||
link to Andreas in a follow-up as well.
|
||||
|
||||
Mozilla has a vast userbase and is in the position to fight for a DRM-free
|
||||
web. Please voice your opinion and hope that they reverse their decision.
|
||||
|
||||
[9]: https://news.ycombinator.com/item?id=7749108
|
|
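Review bot: `[FSF's announcement]` in "John Sullivan requested in the [FSF's announcement] that the community" is a reference-style link with no matching `[FSF's announcement]:` definition in this file (only `[0]` through `[9]` are defined), so it will render as literal bracketed text; `[FSF's announcement][0]` would reuse the existing definition. The pasted e-mail inside the ``` block also carries undecoded quoted-printable residue: `=E2=80=94` in "other major browser vendors =E2=80=94 Google, Microsoft and Apple" is an em dash, and the `=20` at the end of "retire plugins altogether.=20" is a soft trailing space; decode the message body before embedding it. Minor: "cave into the pressure" (twice) should be "cave in to", and "et. al." should be "et al.".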
@ -0,0 +1,65 @@
|
|||
# Please stop using SlideShare
|
||||
|
||||
There are many great presentations out there---many that I enjoy
|
||||
reading, or that I would enjoy to read. Unfortunately, many of them
|
||||
are hosted on SlideShare, which requires me to download proprietary
|
||||
JavaScript.
|
||||
|
||||
[JavaScript programs require the same freedoms as any other
|
||||
software][0]. While SlideShare does (sometimes/always?) provide a
|
||||
transcript in plain text---which is viewable without JavaScript---this
|
||||
is void of the important and sometimes semantic formatting/images that
|
||||
presenters put much time into; you know: the actual presentation bits.
|
||||
(I'm a fan of plain-text presentations, but they each have their own
|
||||
design elements).
|
||||
|
||||
[0]: https://www.gnu.org/software/easejs/whyfreejs.html
|
||||
|
||||
There are ways around this. SlideShare's interactive UI appears to
|
||||
simply be an image viewer, so it is possible to display all sides
|
||||
using a fairly simple hack:
|
||||
|
||||
<!-- more -->
|
||||
|
||||
```javascript
|
||||
Array.prototype.slice.call(
|
||||
document.getElementsByClassName( 'slide' ) )
|
||||
.forEach( function( slide ) {
|
||||
slide.classList.add( 'show' );
|
||||
|
||||
var img = slide.getElementsByClassName( 'slide_image' )[0];
|
||||
img.src = img.dataset.full;
|
||||
} );
|
||||
```
|
||||
|
||||
This will display all slides inline. But there's a clear problem with
|
||||
this: how is the non-JS-programmer supposed to know that? Even
|
||||
JavaScript programmers have to research the issue in order to come up
|
||||
with a solution.
|
||||
|
||||
But ideally, I'd like to download the presentation PDF. SlideShare
|
||||
does offer a download link, but not only does it not work with
|
||||
JavaScript disabled, but it requires that the user create an account.
|
||||
This is no good, as it can be used to track users or discover
|
||||
identities by analyzing viewing habits. This would allow
|
||||
de-anonymizing users, even if they have [taken measures to remain
|
||||
anonymous][1].
|
||||
|
||||
(By the way: at the time that I wrote this post, the [EFF's
|
||||
Surveillance Self-Defense Guide][1] is [LibreJS compatible][2] and the
|
||||
JavaScript code that it runs is mostly free.)
|
||||
|
||||
I encourage presenters (and authors in general) to release the slides
|
||||
in an [unencumbered document format][3], like PDF, HTML, OpenDocument,
|
||||
or plain text. Those formats should be hosted on their own website,
|
||||
or websites that allow downloading those files without having to
|
||||
execute proprietary JavaScript, and without having to log in. If
|
||||
those authors *must* use SlideShare for whatever reason, then they
|
||||
should clearly provide a link to that free document format somewhere
|
||||
that users can access without having to execute SlideShare's
|
||||
proprietary JavaScript, such as on the first slide. (The description
|
||||
is iffy, since it is truncated and requires JavaScript to expand.)
|
||||
|
||||
[1]: https://ssd.eff.org/
|
||||
[2]: https://www.gnu.org/software/librejs/
|
||||
[3]: http://www.fsf.org/campaigns/opendocument/reject
|
|
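Review bot: "display all sides" in "so it is possible to display all sides using a fairly simple hack" should read "slides", and "that I would enjoy to read" should be "that I would enjoy reading". For the snippet itself, the `slide` and `slide_image` class names and the `img.dataset.full` attribute are tied to SlideShare's markup at the time of writing; a one-line comment stating when it was tested would help readers who find the post after the markup changes.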
@ -0,0 +1,257 @@
|
|||
# Gitlab, Gitorious, and Free Software
|
||||
|
||||
*This article originally appeared as a guest post on the [GitLab
|
||||
blog][orig-post].*
|
||||
|
||||
In early March of this year, it was announced that
|
||||
[GitLab would acquire Gitorious][0] and shut down `gitorious.org` by 1
|
||||
June, 2015. [Reactions from the community][1] were mixed, and
|
||||
understandably so: while GitLab itself is a formidable alternative to wholly
|
||||
proprietary services, its acquisition of Gitorious strikes a chord with the
|
||||
free software community that gathered around Gitorious in the name of
|
||||
[software freedom][2].
|
||||
|
||||
[0]: https://about.gitlab.com/2015/03/03/gitlab-acquires-gitorious/
|
||||
[1]: https://news.ycombinator.com/item?id=9138419
|
||||
[2]: https://www.gnu.org/philosophy/free-sw.html
|
||||
|
||||
<!-- more -->
|
||||
|
||||
After hearing that announcement,
|
||||
[as a free software hacker and activist myself][11], I was naturally
|
||||
uneasy. Discussions of alternatives to Gitorious and GitLab ensued on the
|
||||
[`libreplanet-discuss`][12] mailing list. Sytse Sijbrandij (GitLab
|
||||
B.V. CEO) happened to be present on that list;
|
||||
[I approached him very sternly][13] with a number of concerns, just as I
|
||||
would with anyone that I feel does not understand certain aspects of the
|
||||
[free software philosophy][2]. To my surprise, this was not the case at
|
||||
all.
|
||||
|
||||
Sytse has spent a lot of time accepting and considering community input for
|
||||
both the Gitorious acquisition and GitLab itself. He has also worked with
|
||||
me to address some of the issues that I had raised. And while these issues
|
||||
won't address everyone's concerns, they do strengthen GitLab's commitment to
|
||||
[software freedom][2], and are commendable.
|
||||
|
||||
I wish to share some of these details here; but to do so, I first have to
|
||||
provide some background to explain what the issues are, and why they are
|
||||
important.
|
||||
|
||||
|
||||
## Free Software Ideology
|
||||
[Gitorious][3] was (and still is) one of the most popular Git repository
|
||||
hosts, and largely dominated until the introduction of GitHub. But even as
|
||||
users flocked to [GitHub's proprietary services][28], users who value freedom
|
||||
continued to support Gitorious, both on `gitorious.org` and by installing
|
||||
their own instances on their own servers. Since Gitorious is
|
||||
[free software][2], users are free to study, modify, and share it with
|
||||
others. But [software freedom does not apply to Services as a
|
||||
Software Substitute (SaaSS)][4] or remote services---you cannot apply the
|
||||
[four freedoms][2] to something that you do not yourself possess---so why do
|
||||
users still insist on using `gitorious.org` despite this?
|
||||
|
||||
The matter boils down to supporting a philosophy: The
|
||||
[GNU General Public License (GPL)][6] is a license that turns copyright on
|
||||
its head: rather than using copyright to restrict what users can do with a
|
||||
program, the GPL instead [ensures users' freedoms][8] to study, modify, and
|
||||
share it. But that isn't itself enough: to ensure that the software always
|
||||
remains free (as in freedom), the GPL ensures that all *derivatives* are
|
||||
*also* licensed under similar terms. This is known as [copyleft][9], and it
|
||||
is vital to the free software movement.
|
||||
|
||||
Gitorious is licensed under the
|
||||
[GNU Affero General Public License Version 3 (AGPLv3)][5]---this takes the
|
||||
[GPL][6] and adds an additional requirement: if a modified version of the
|
||||
program is run on a sever, users communicating with the program on that
|
||||
server must have access to the modified program's source code. This ensures
|
||||
that [modifications to the program are available to all users][7]; they
|
||||
would otherwise be hidden in private behind the server, with others unable
|
||||
to incorporate, study, or share them. The AGPLv3 is an ideal license for
|
||||
Gitorious, since most of its users will only ever interact with it over a
|
||||
network.
|
||||
|
||||
GitLab is also free software: its [Expat license][10] (commonly referred to
|
||||
ambiguously as the "MIT license") permits all of the same freedoms that
|
||||
are granted under the the GNU GPL. But it does so in a way that is highly
|
||||
permissive: it permits relicensing under *any* terms, free or not. In other
|
||||
words, one can fork GitLab and derive a proprietary version from it, making
|
||||
changes that deny users [their freedoms][2] and cannot be incorporated back
|
||||
into the original work.
|
||||
|
||||
This is the issue that the free software community surrounding Gitorious has
|
||||
a problem with: any changes contributed to GitLab could in turn benefit a
|
||||
proprietary derivative. This situation isn't unique to GitLab: it applies
|
||||
to all non-copyleft ("permissive") [free software licenses][26]. And this
|
||||
issue is realized by GitLab itself in the form of its GitLab Enterprise
|
||||
Edition (GitLab EE): a proprietary derivative that adds additional
|
||||
features atop of GitLab's free Community Edition (CE). For this reason,
|
||||
many free software advocates are uncomfortable contributing to GitLab, and
|
||||
feel that they should instead support other projects; this, in turn, means
|
||||
not supporting GitLab by using and drawing attention to their hosting
|
||||
services.
|
||||
|
||||
The copyleft vs. permissive licensing debate is one of the free software
|
||||
movement's most heated. I do not wish to get into such a debate here. One
|
||||
thing is clear: GitLab Community Edition (GitLab CE) is free
|
||||
software. Richard Stallman (RMS) [responded directly to the thread on
|
||||
`libreplanet-discuss`][20], stating plainly:
|
||||
|
||||
> We have a simple way of looking at these two versions. The free
|
||||
> version is free software, so it is ethical. The nonfree version is
|
||||
> nonfree software, so it is not ethical.
|
||||
|
||||
Does GitLab CE deserve attention from the free software community? I
|
||||
believe so. Importantly, there is another strong consideration: displacing
|
||||
proprietary services like GitHub and Bitbucket, which host a large number of
|
||||
projects and users. GitLab has a strong foothold, which is an excellent
|
||||
place for a free software project to be in.
|
||||
|
||||
If we are to work together as a community, we need to respect GitLab's
|
||||
free licensing choices just as we expect GitLab to respect ours. Providing
|
||||
respect does not mean that you are conceding: I will never personally use a
|
||||
non-copyleft license for my software; I'm firmly rooted in my dedication to
|
||||
the [free software philosophy][2], and I'm sure that many other readers are
|
||||
too. But using a non-copyleft license, although many of us consider it to
|
||||
be a weaker alternative, [is not wrong][23].
|
||||
|
||||
|
||||
## Free JavaScript
|
||||
As I mentioned above,
|
||||
[software freedom and network services are separate issues][4]---the four
|
||||
freedoms do not apply to interacting with `gitlab.com` purely over a network
|
||||
connection, for example, because you are not running its software on your
|
||||
computer. However, there is an overlap: JavaScript code downloaded to be
|
||||
executed in your web browser.
|
||||
|
||||
[Non-free JavaScript][15] is a particularly nasty concern: it is software
|
||||
that is downloaded automatically from a server---often without prompting
|
||||
you---and then immediately executed. Software is now being executed on your
|
||||
machine, and [your four freedoms][2] are once again at risk. This, then,
|
||||
[is the primary concern][16] for any users visiting `gitlab.com`: not only
|
||||
would this affect users that use `gitlab.com` as a host, but it would also
|
||||
affect *any user that visits* the website. That would be a problem, since
|
||||
hosting your project there would be inviting users to run proprietary
|
||||
JavaScript.
|
||||
|
||||
As I was considering migrating my projects to GitLab, this was the
|
||||
[first concern I brought up to Sytse][14]. This problem arises because
|
||||
`gitlab.com` uses a GitLab EE instance: if it had used only its Community
|
||||
Edition (GitLab CE)---which is free software---then all served JavaScript
|
||||
would have been free. But any scripts served by GitLab EE that are not
|
||||
identical to those served by GitLab CE are proprietary, and therefore
|
||||
unethical. This same concern applies to GitHub, Bitbucket, and other
|
||||
proprietary hosts that serve JavaScript.
|
||||
|
||||
Sytse surprised me by stating that he would be willing to
|
||||
[freely license all JavaScript in GitLab EE][17], and by offering to give
|
||||
anyone access to the GitLab EE source code who wants to help out. I took
|
||||
him up on that offer. Initially, I had submitted a patch to merge all
|
||||
GitLab EE JavaScript into GitLab CE, but Sytse came up with another,
|
||||
superior suggestion, that ultimately provided even greater reach.
|
||||
|
||||
**I'm pleased to announce that Sytse and I were able to agree on a license
|
||||
change (with absolutely no friction or hesitation on his part) that
|
||||
liberates all JavaScript served to the client from GitLab EE instances.**
|
||||
There are two concerns that I had wanted to address: JavaScript code
|
||||
directly written for the client, and any code that produced JavaScript as
|
||||
output. In the former case, this includes JavaScript derived from other
|
||||
sources: for example, GitLab uses CoffeeScript, which compiles *into*
|
||||
JavaScript. The latter case is important: if there is any code that
|
||||
generates fragments of JavaScript---e.g. dynamically at runtime---then that
|
||||
code must also be free, or users would not be able to modify and share the
|
||||
resulting JavaScript that is actually being run on the client. Sytse
|
||||
accepted my change verbatim, while adding his own sentence after mine to
|
||||
disambiguate. At the time of writing this post, GitLab EE's source code
|
||||
isn't yet publicly visible, so here is the relevant snippet from its
|
||||
`LICENSE` file:
|
||||
|
||||
> The above copyright notices applies only to the part of this Software that
|
||||
> is not distributed as part of GitLab Community Edition (CE), and that is
|
||||
> not a file that produces client-side JavaScript, in whole or in part. Any
|
||||
> part of this Software distributed as part of GitLab CE or that is a file
|
||||
> that produces client-side JavaScript, in whole or in part, is copyrighted
|
||||
> under the MIT Expat license.
|
||||
|
||||
|
||||
## Further Discussion
|
||||
My discussions with Sytse did not end there: there are other topics that
|
||||
have not been able to be addressed before my writing of this post that would
|
||||
do well to demonstrate commitment toward [software freedom][2].
|
||||
|
||||
The license change liberating client-side JavaScript was an excellent
|
||||
move. To expand upon it, I wish to submit a patch that would make GitLab
|
||||
[LibreJS compliant][21]; this provides even greater guarantees, since it
|
||||
would allow for users to continue to block other non-free JavaScript that
|
||||
may be served by the GitLab instance, but not produced by it. For example:
|
||||
a website/host that uses GitLab may embed proprietary JavaScript, or modify
|
||||
it without releasing the source code. Another common issue is the user of
|
||||
analytics software; `gitlab.com` uses Google Analytics.
|
||||
|
||||
If you would like to help with LibreJS compliance, please [contact me][11].
|
||||
|
||||
I was brought into another discussion between Sytse and RMS that is
|
||||
unrelated to the GitLab software itself, but still a positive demonstration
|
||||
of a commitment to [software freedom][2]---the replacement of Disqus on the
|
||||
`gitlab.com` blog with a free alternative. Sytse ended up making a
|
||||
suggestion, saying he'd be "happy to switch to" [Juvia][22] if I'd help with
|
||||
the migration. I'm looking forward to this, as it is an important
|
||||
discussion area (that I honestly didn't know existed until Sytse told me
|
||||
about it, because I don't permit proprietary JavaScript!). He was even kind
|
||||
enough to compile a PDF of comments for one of our discussions, since he was
|
||||
cognizant ahead of time that I would not want to use Disqus. (Indeed, I
|
||||
will be unable to read and participate in the comments to this guest post
|
||||
unless I take the time to freely read and reply without running Disqus'
|
||||
proprietary JavaScript.)
|
||||
|
||||
Considering the genuine interest and concern expressed by Sytse in working
|
||||
with myself and the free software community, I can only expect that GitLab
|
||||
will continue to accept and apply community input.
|
||||
|
||||
It is not possible to address the copyleft issue without a change in
|
||||
license, which GitLab is not interested in doing. So the best way to
|
||||
re-assure the community is through action. [To quote Sytse][18]:
|
||||
|
||||
> I think the only way to prove we're serious about open source is in our
|
||||
> actions, licenses or statements don't help.
|
||||
|
||||
There are fundamental disagreements that will not be able to be
|
||||
resolved between GitLab and the free software community---like their
|
||||
["open core" business model][19]. But after working with Sytse and seeing
|
||||
his interactions with myself, RMS, and many others in the free software
|
||||
community, I find his actions to be very encouraging.
|
||||
|
||||
*Are you interested in helping other websites liberate their JavaScript?
|
||||
Consider [joining the FSF's campaign][27], and
|
||||
[please liberate your own][16]!*
|
||||
|
||||
*This post is licensed under the
|
||||
[Creative Commons Attribution-ShareAlike 3.0 Unported License][25].*
|
||||
|
||||
[3]: https://gitorious.org/
|
||||
[4]: https://www.gnu.org/philosophy/who-does-that-server-really-serve.html
|
||||
[5]: https://www.gnu.org/licenses/agpl.html
|
||||
[6]: https://www.gnu.org/licenses/gpl.html
|
||||
[7]: https://www.gnu.org/licenses/why-affero-gpl.html
|
||||
[8]: https://www.gnu.org/licenses/quick-guide-gplv3.html
|
||||
[9]: https://www.gnu.org/philosophy/pragmatic.html
|
||||
[10]: https://www.gnu.org/licenses/license-list.html#Expat
|
||||
[11]: http://mikegerwitz.com/
|
||||
[12]: https://lists.gnu.org/mailman/listinfo/libreplanet-discuss
|
||||
[13]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00075.html
|
||||
[14]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00019.html
|
||||
[15]: https://www.gnu.org/philosophy/javascript-trap.html
|
||||
[16]: https://www.gnu.org/software/easejs/whyfreejs.html
|
||||
[17]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00020.html
|
||||
[18]: https://news.ycombinator.com/item?id=9141801
|
||||
[19]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00076.html
|
||||
[20]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00095.html
|
||||
[21]: https://www.gnu.org/software/librejs/free-your-javascript.html
|
||||
[22]: https://github.com/phusion/juvia
|
||||
[23]: https://www.fsf.org/blogs/rms/selling-exceptions
|
||||
[24]: https://gnu.org/software/easejs
|
||||
[25]: http://creativecommons.org/licenses/by-sa/3.0/
|
||||
[26]: https://www.gnu.org/licenses/license-list.html
|
||||
[27]: https://fsf.org/campaigns/freejs
|
||||
[28]: http://mikegerwitz.com/about/githubbub
|
||||
[orig-post]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/
|
||||
|
|
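Review bot: typos in the body: "run on a sever" should be "server", "granted under the the GNU GPL" doubles "the", and "Another common issue is the user of analytics software" should be "use of". The link definition `[24]: https://gnu.org/software/easejs` is never referenced anywhere in the post (the text uses `[2]` through `[23]`, `[25]` through `[28]` and `[orig-post]`), so either drop it or restore the reference it was meant for. The heading spells the name "Gitlab" while the body consistently uses "GitLab".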
@ -0,0 +1,60 @@
|
|||
# Comcast injects JavaScript into web pages
|
||||
|
||||
It seems that Comcast has decided that it is a good idea to [inject
|
||||
JavaScript into web pages][js] visited by its customers in order to inform
|
||||
them of Copyright violations.
|
||||
|
||||
[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
|
||||
|
||||
This is a huge violation of user privacy and trust. Further, it shows that
|
||||
an ISP (and probably others) feel that they have the authority to dictate
|
||||
what is served to the user on a free (as in speech) Internet. Why should we
|
||||
believe that they won't start injecting other types of scripts that spy on
|
||||
the user or introduce advertising? What if a malicious actor compromises
|
||||
Comcast's servers and serves exploits to users?
|
||||
|
||||
It is no surprise that Comcast is capable of doing this---they know the IP
address of the customer, so they are able to intercept traffic and alter it
in transit. But the fact that they _can_ do this demonstrates something far
more important: _that they have spent the money on the infrastructure to do
so_!

<!-- more -->

Comcast isn't the only ISP to have betrayed users by injecting data. One
year ago, it was discovered that [Verizon was injecting "perma-cookies" into
requests to track users][verizon]. This is only one example of the
insidious abuses that unchecked ISPs can take.

So what can you do to protect yourself?

What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]:
Comcast sits in the middle of you and your connection to the website that
you are visiting, proxying your request. Before relaying the website's
response to you, it modifies it.

In order to do this, Comcast needs to be able to read your communications,
and must be able to modify them: the request must be read in order to
determine how the JavaScript should be injected and what request it should
be injected into; and it must be modified to perform the injection. It
cannot (given a properly configured web server) do so if your connection is
encrypted. In the case of web traffic, `https` URLs with the little lock
icon in your web browser generally indicates that your communications are
encrypted, making MITM attacks
unlikely.

(We're assuming that Comcast won't ask you to install a root CA so that they
can decrypt your traffic! But that would certainly be noticed, if they did
so on a large enough scale.)

Not all websites use SSL. Another method is to use encrypted proxies, VPNs,
or services like like [Tor][tor]. This way, Comcast will not be able to
read or modify the communications.

See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].

[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[hn]: https://news.ycombinator.com/item?id=10592775
[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/
[tor]: https://tor.org/
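Review bot: the `[tor]` reference definition at the end of this hunk points at `https://tor.org/`, which is not the Tor Project's own domain (torproject.org); confirm the intended target before publishing, since the body's only mitigation advice links through it. Two smaller fixes in the body: "or services like like [Tor][tor]" doubles the word, and "`https` URLs with the little lock icon in your web browser generally indicates" should read "indicate" (plural subject).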
@ -0,0 +1,14 @@
# Now Hosting Personal GNU Social Instance

When I started writing this blog, my intent was to post notices more
frequently and treat it more like a microblogging platform; but that's not
how it ended up. Instead, I use this site to write more detailed posts with
solid references to back up my statements.

[GNU Social](https://gnu.org/software/social/) is a federated social
network---you can host your own instances and they all communicate with
one-another. You can find mine at the top of this page under "Notices", or
at [https://social.mikegerwitz.com/](https://social.mikegerwitz.com/). I
will be using this site to post much more frequent miscellaneous notices.

<!-- more -->
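Review bot: the `<!-- more -->` excerpt marker is the last line of this file, so nothing follows the fold and the marker has no effect on the rendered post; either move it up (after the first paragraph, as the other posts in this commit do) so the index shows a teaser, or drop it.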
@ -0,0 +1,92 @@
# Google Analytics Removed from GitLab.com Instance

*This was originally written as a guest post for GitLab in November of 2015,
but they [decided not to publish it][gitlab-merge].*

[gitlab-merge]: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1094

Back in May of of 2015, I [announced GitLab's liberation of their Enterprise
Edition JavaScript][ggfs] and made some comments about GitLab's course and
approach to software freedom. In liberating GitLab EE's JavaScript, all
code served to the browser by GitLab.com's GitLab instance was [Free (as in
freedom)][free-sw], except for one major offender: Google Analytics.

[ggfs]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/
[free-sw]: https://www.gnu.org/philosophy/free-sw.html

Since Google Analytics was not necessary for the site to function, users
could simply block the script and continue to use GitLab.com
[ethically][free-sw]. However, encouraging users to visit a project on
GitLab.com while knowing that it loads Google Analytics is a problem both
for users' freedoms, and for their privacy.

<!-- more -->

GitLab is more than service and front-end to host Git repositories; it has a
number of other useful features as well. Using those features, however,
would mean that GitLab.com is no longer just a mirror for a project---it
would be endorsed by the project's author, requiring that users visit the
project on GitLab.com in order to collaborate. For example, if an author
were to use the GitLab issue tracker on GitLab.com, then she would be
actively inviting users to the website by telling them to report issues and
feature requests there.

We cannot realistically expect that anything more than a minority of
visitors will know how to block Google Analytics (or even understand that it
is a problem). Therefore, if concerned authors wanted to use those features
of GitLab, they had to use another hosted instance of GitLab, or host their
own. But the better option was to encourage GitLab.com to remove Google
Analytics entirely, so that _all_ JavaScript code served to the users is
[Free][free-sw].

GitLab has chosen to actively
[work with the Free Software movement][ggfs]---enough so that they are now
considered an [acceptable host for GNU projects][gitlab-gnu-criteria]
according to [GNU's ethical repository criteria][gnu-repo-criteria]. And
they have chosen to do so again---headed by Sytse Sijbrandij (GitLab
Inc. CEO), Google Analytics has been removed from the GitLab.com instance
and replaced with [Piwik][piwik].

## More Than Just Freedom
This change is more than a commitment to users' freedoms---it's also a
commitment to users' privacy that cannot be understated. By downloading and
running Google Analytics, users are being infected with some of the most
[sophisticated examples of modern spyware][ga-wikipedia]: vast amounts of
[personal and behavioral data][ga-google] are sent to Google for them to use
and share as they wish. Google Analytics also tracks users across [many
different websites][ga-popularity], allowing them to discover your interests
and behaviors in ways that users themselves may not even know.

GitLab.com has committed to using [Piwik][piwik] on their GitLab instance,
which [protects users' privacy][piwik-privacy] in a number of very important
ways: it allows users to opt out of tracking, anonymizes IP addresses,
retains logs for limited time periods, respects [DoNotTrack][eff-dnt], and
more. Further, all logs _will be kept on GitLab.com's own servers_, and is
therefore governed solely by
[GitLab.com's Privacy Policy][gitlab-privacy]; this means that other
services will not be able to use these data to analyze users' behavior on
other websites, and advertisers and others will know less about them.

Users should not have to try to [anonymize themselves][eff-ssd] in
order to maintain their privacy---privacy should be a default, and a
respected one at that. GitLab has taken a strong step in the right
direction; I hope that others will take notice and do the same.

*Are you interested in helping other websites liberate their JavaScript?
Consider [joining the FSF's campaign][freejs], and
[please liberate your own][whyfreejs]!*

[eff-dnt]: https://www.eff.org/dnt-policy
[eff-ssd]: http://ssd.eff.org/
[freejs]: https://fsf.org/campaigns/freejs
[ga-google]: https://www.google.com/analytics/standard/features/
[ga-popularity]: http://w3techs.com/technologies/overview/traffic_analysis/all
[ga-wikipedia]: https://en.wikipedia.org/wiki/Google_Analytics
[gitlab-featurse]: https://about.gitlab.com/features/
[gitlab-gnu-criteria]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2015-11/msg00012.html
[gitlab-privacy]: https://about.gitlab.com/privacy/
[gnu-repo-criteria]: https://www.gnu.org/software/repo-criteria.html
[mtg]: http://mikegerwitz.com/
[piwik]: https://piwik.org/
[piwik-privacy]: https://piwik.org/privacy/
[whyfreejs]: https://www.gnu.org/software/easejs/whyfreejs.html
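Review bot: two reference definitions in the footer are never used in the body: `[gitlab-featurse]` (also misspelled, presumably meant as `gitlab-features`) and `[mtg]`. Either link the text that was meant to use them (the "number of other useful features" sentence is the natural home for the first) or drop them so the dangling definitions don't survive into later edits. Grammar in the body: "GitLab is more than service and front-end" is missing an article ("more than a service and front-end"), "Back in May of of 2015" doubles "of", and "all logs _will be kept ..._, and is therefore governed" should read "are therefore governed".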
@ -0,0 +1,45 @@
# Join me at LibrePlanet 2016 for my talk "Restore Online Freedom!"

I will be [speaking at LibrePlanet this year][lp2016] (2016) about freedom
on the Web. Here's the session description:

[lp2016]: https://www.libreplanet.org/2016/program/

> Imagine a world where surveillance is the default and users must opt-in to
> privacy. Imagine that your every action is logged and analyzed to learn
> how you behave, what your interests are, and what you might do next.
> Imagine that, even on your fully free operating system, proprietary
> software is automatically downloaded and run not only without your
> consent, but often without your knowledge. In this world, even free
> software cannot be easily modified, shared, or replaced. In many cases,
> you might not even be in control of your own computing -- your actions and
> your data might be in control by a remote entity, and only they decide
> what you are and are not allowed to do.
>
> This may sound dystopian, but this is the world you're living in right
> now. The Web today is an increasingly hostile, freedom-denying place that
> propagates to nearly every aspect of the average users' lives -- from
> their PCs to their phones, to their TVs and beyond. But before we can
> stand up and demand back our freedoms, we must understand what we're being
> robbed of, how it's being done, and what can (or can't) be done to stop
> it.

<!-- more -->

There are a number of other [great sessions][lp2016] this year from a
[number of speakers][lp2016s], many well-known. We also have an opening
keynote from Edward Snowden!

All [FSF associate members get free entry][fsfmember]. If you can't join
us, the conference will be streamed live. You can also see [videos of past
talks][lpvideos] on the FSF's self-hosted [GNU MediaGoblin][goblin]
instance.

Special thanks to the FSF for covering a large portion of my travel
expenses; I otherwise might not have been able to attend. Thank you to all
who donated to the conference scholarship fund.

[lp2016s]: https://www.libreplanet.org/2016/program/speakers.html
[fsfmember]: https://crm.fsf.org/join
[lpvideos]: https://media.libreplanet.org/
[goblin]: http://mediagoblin.org/
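Review bot: the quoted session description uses spaced double hyphens (`-- your actions`, `-- from their PCs`) for dashes, whereas every other post in this commit writes `---`; if the block is quoted verbatim from the LibrePlanet program that is fine, otherwise normalize it so the converter renders the same dash throughout. Inside the quote, "the average users' lives" should be "the average user's life" if it is the author's own wording.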
@ -0,0 +1,37 @@
# Reddit suspected to have been served with an NSL

It is suspected that Reddit has been [served with an NSL][schneier].
[National Security Letters (NSLs)][nsl] are subpoena served by the United
States federal government and often come with a gag order that prevents the
recipient from even stating that they received the letter.

[schneier]: https://www.schneier.com/blog/archives/2016/04/reddits_warrant.html
[nsl]: https://en.wikipedia.org/wiki/National_Security_Letter

<!-- more -->

[Warrant canaries][canary] are used to circumvent gag orders by stating
that requests have *not* been received, under the [legal theory][court]
that, while courts can compel persons not to speak, they can't compel them
to lie. [Reddit's canary has died][reddit-report]---the canary is absent
from their most recent 2015 transparency report, where it was [present in
the 2014 report][reddit-report-2014].

Does this mean that you should stop using Reddit? No; canaries are an
important transparency method. If you are worried about your privacy, you
shouldn't disclose the information to a third party to begin with. Note
that this includes metadata that are gathered about you when you, for
example, browse subreddits while logged in. You can help mitigate that by
[browsing anonymously using Tor][donot], being sure never to log in during
the same session.

The website [Canary Watch][cw] is a website that tracks warrant canaries.

I'm awaiting further analysis after the weekend.

[canary]: https://en.wikipedia.org/wiki/Warrant_canary
[cw]: https://www.canarywatch.org/
[court]: https://gigaom.com/2014/10/10/are-warrant-canaries-legal-twitter-wants-to-save-techs-warning-signal-of-government-spying/
[reddit-report]: https://web.archive.org/web/20160331210850/https://www.reddit.com/wiki/transparency/2015
[reddit-report-2014]: https://web.archive.org/web/20160331204815/https://www.reddit.com/wiki/transparency/2014
[donot]: https://www.whonix.org/wiki/DoNot
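Review bot: number agreement in the first paragraph: "[National Security Letters (NSLs)][nsl] are subpoena served by" needs the plural "subpoenas". Later, "The website [Canary Watch][cw] is a website that tracks warrant canaries" repeats "website"; "[Canary Watch][cw] tracks warrant canaries" says the same thing.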
@ -0,0 +1,27 @@
# Facebook will use software for the VR headset Occulus Rift to spy on you

Anything coming out of Facebook should be [cause for concern][rms-fb]. So,
naturally, one might be concerned when they decide to get into the virtual
reality (VR) scene by [purchasing the startup Occulus VR][fb-vr], makers of
the Occulus Rift VR headset. One can only imagine all the fun ways Facebook
will be able to track, manipulate, spy on, and otherwise screw over users
while they are immersed in a virtual reality.

[rms-fb]: https://stallman.org/facebook.html#privacy
[fb-vr]: http://www.theguardian.com/technology/2014/jul/22/facebook-oculus-rift-acquisition-virtual-reality

Sure enough, we have our first peak: [the software that Facebook has you
install for the Occulus Rift is spyware][fb-spy], reporting on what
*unrelated* software you use on your system, your location (including GPS
data and nearby Wifi networks), the type of device you're using, unique
device identifiers, your movements while using the VR headset, and more.

[fb-spy]: http://uploadvr.com/facebook-oculus-privacy/

<!-- more -->

This is absurd. Do not play into Facebook's games through temptation of
cool new technology; reject their terms and see if there's other ways you
can use the headset without their proprietary spyware. If not, perhaps you
should ask for a refund, and tell them why.
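Review bot: the product name is spelled "Occulus" in the title and three times in the body, while both linked URLs in this hunk (`facebook-oculus-rift-acquisition-virtual-reality` and `facebook-oculus-privacy`) spell it "Oculus"; fix the spelling, especially in the title since it becomes the post's URL slug. Also "we have our first peak" should be "peek", and "see if there's other ways" should be "there are other ways".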
@ -0,0 +1,183 @@
# GNU/kWindows

There has been a lot of talk lately about a most unique combination:
[GNU][gnu]---the [fully free/libre][free-sw] operating system---and
Microsoft Windows---the [freedom-denying, user-controlling,
surveillance system][woe].
There has also been a great deal of misinformation.
I'd like to share my thoughts.

[gnu]: https://gnu.org/gnu/gnu.html
[free-sw]: https://gnu.org/philosophy/free-sw.html
[woe]: https://www.gnu.org/proprietary/malware-microsoft.en.html

<!-- more -->

Before we can discuss this subject,
we need to clarify some terminology:
We have a [free/libre][free-sw] operating system called [GNU][gnu].
Usually, it's used with the kernel Linux, and is together called the
[GNU/Linux (or GNU+Linux) operating system][gnulinux].
But that's not always the case.
For example, GNU can be run with its own kernel, [The GNU Hurd][hurd]
(GNU/Hurd).
It might be run on a system with a BSD kernel (e.g. GNU/kFreeBSD).
But now, we have a situation where we're taking GNU/Linux, removing Linux,
and adding in its place a Windows kernel.
This combination is referred to as GNU/kWindows (GNU with the Windows kernel
added).[^kwindows]

GNU values users' freedoms.
Windows [does exactly the opposite][woe].

When users talk about the operating system "Linux", what they are referring
to is the [GNU operating system][gnu] with the kernel Linux added.
If you are using the GNU operating system in some form, then many of the
programs you are familiar with on the command line are GNU programs:
`bash`, `(g)awk`, `grep`, `ls`, `cat`, `bc`, `tr`, `gcc`, `emacs`, and
so on.
But GNU is a fully free/libre Unix replacement, [not just a collection of GNU
programs][gnu].
Linux is the kernel that supports what the operating system is trying to do;
it provides what are called system calls to direct the kernel to perform
certain actions, like fork new processes or allocate memory.
This is an important distinction---not only is calling all of this software
"Linux" incorrect, but it discredits the project that created a fully
free/libre Unix replacement---[GNU][gnu].

This naming issue is so widespread that
[most users would not recognize what GNU is][gnu-noheard], even if they
are _using_ a [GNU/Linux][gnulinux] operating system.
I recently read an article that referred to GNU Bash as "Linux's Bash";
this is simply a slap in the face to all the hackers that have for the
past 26 years been writing what is one of today's most widely used
shells on Unix-like systems (including on [Apple's][apple] proprietary
Mac OSX), and all the other GNU hackers.

Microsoft and Canonical have apparently been working together to write a
subsystem that translates Linux system calls into something Windows will
understand---a compatibility layer.
So, software compiled to run on a system with the kernel Linux will work on
Windows through system call translation.
Many articles are calling this "Linux on Windows".
This is a fallacy: the kernel Linux is not at all involved!
What we are witnessing is the [_GNU_ operating system][gnu] running with
a Windows kernel _instead_ of Linux.

This is undoubtedly a technical advantage for Microsoft---Windows users want
to do their computing in a superior environment that they might be
familiar with on [GNU/Linux][gnulinux] or other Unix-like operating
systems, like [Apple's][apple] freedom-denying Mac OSX.
But thinking about it like this is missing an essential concept:

When users talk about "Linux" as the name of the operating system, they
avoid talking about [GNU][gnu].
And by avoiding mention of GNU,
they are also avoiding discussion of the core principles upon which GNU is
founded---the belief that all users deserve
[software granting _four essential freedoms_][free-sw]:
the freedom to use the program for any purpose;
the freedom to study the program and modify it to suit your needs (or
have someone do it on your behalf);
the freedom to share the program with others;
and the freedom to share your changes with others.
We call software that respects these four freedoms
[_free/libre software_][free-sw].

Free software is absolutely essential:
it ensures that _users_,
who are the most vulnerable,
are in control of their computing---not software developers or
corporations.
Any program that denies users any one of their [four freedoms][free-sw] is
_non-free_ (or _proprietary_)---that is, freedom-denying software.
This means that any non-free software, no matter its features or
performance, will [_always_ be inferior to free software][oss] that
performs a similar task.

Not everyone likes talking about freedom or the
[free software philosophy][free-sw].
This disagreement resulted in the
["open source" development methodology][oss],
which exists to sell the benefits of free software to businesses *without*
discussing the essential ideological considerations.
Under the "open source" philosophy,
if a non-free program provides better features or performance,
then surely it must be "better",
because they have outperformed the "open source" development methodology;
non-free software isn't always considered to be a bad thing.

So why would users want to use GNU/kWindows?
Well, probably for the same reason that they want GNU tools on Mac OSX:
they want to use software they want to use, but they also want the
technical benefits of GNU that they like.
What we have here is the ["open source" philosophy][oss]---because if the
user truly valued her freedom, she would use a
[fully free operating system like GNU/Linux][gnulinux-distros].
If a user is _already_ using Windows (that is, before considering
GNU/kWindows), then she does gain some freedom by installing GNU:
she has more software on her system that respects her freedoms,
and she is better off because of that.

But what if you're using GNU/Linux today?
In that case,
it is a major downgrade to switch to a GNU/kWindows system;
by doing so, you are [surrendering your freedom to Microsoft][woe].
It does not matter how many shiny features Microsoft might introduce into
its [freedom-denying surveillance system][woe];
an [operating system that respects your freedoms][gnulinux-distros] will
_always_ be a superior choice.
We would do our best to dissuade users from switching to a GNU/kWindows
system for the technical benefits that GNU provides.

So we have a couple different issues---some factual, some philosophical:

Firstly,
please don't refer to GNU/kWindows as "Linux on Windows", or any variant
thereof;
doing so simply propagates misinformation that not only confounds the
situation, but discredits the thousands of hackers working on the
[GNU operating system][gnu].
It would also be best if you avoid calling it "Ubuntu on Windows";
it isn't a factually incorrect statement---you are running Ubuntu's
distribution of GNU---but it still avoids mentioning the
[GNU Project][gnu]. If you want to give Ubuntu credit for working with
Microsoft, please call it "Ubuntu GNU/kWindows" instead of "Ubuntu".
By mentioning GNU,
users will ask questions about the project,
and might look it up on their own.
They will read about [the free software philosophy][free-sw],
and will hopefully begin to understand these issues---issues that they
might not have even been aware of to begin with.

Secondly,
when you see someone using a GNU/kWindows system,
politely ask them why.
Tell them that there is a _better_ operating system out there---the
[GNU/Linux operating system][gnu]---that not only provides those technical
features,
but also provides the feature of _freedom_!
Tell them what [free software][free-sw] is,
and try to relate it to them so that they understand why it is important,
and even practical.

It's good to see more people benefiting from GNU;
but we can't be happy when it is being sold as a means to draw users into
an otherwise [proprietary surveillance system][woe],
without so much as a mention of our name,
or [what it is that we stand for][gnu].

[^kwindows]: This name comes from [Richard Stallman][rms], founder of the
[GNU Project][gnu].

[hurd]: https://gnu.org/software/hurd/
[oss]: http://www.gnu.org/philosophy/open-source-misses-the-point.html
[gnulinux]: https://www.gnu.org/gnu/linux-and-gnu.html
[gnulinux-distros]: https://www.gnu.org/distros/free-distros.html
[apple]: https://stallman.org/apple.html
[rms]: https://www.fsf.org/about/staff-and-board
[gnu-noheard]: https://gnu.org/gnu/gnu-users-never-heard-of-gnu.html

---
featured: true
---
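Review bot: in the "Secondly" paragraph the link text "[GNU/Linux operating system][gnu]" resolves to the `[gnu]` reference (gnu.org/gnu/gnu.html), while every other GNU/Linux mention in this post uses `[gnulinux]` (linux-and-gnu.html); use `[gnulinux]` here so the reader lands on the page that actually explains the naming. Separately, the `featured: true` metadata block sits at the very end of the file rather than the top; confirm the site generator reads trailing metadata, since no other post in this commit carries such a block and a generator expecting leading front matter would render these three lines as a horizontal rule and body text.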
@ -0,0 +1,88 @@
# International Day Against DRM 2016

Today is the [10th annual International Day Against DRM][day-drm]---a day
where activists from around the world organize events in protest against
[Digital Restrictions Management][drm].

[day-drm]: https://www.defectivebydesign.org/dayagainstdrm
[drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management

<!-- more -->

DRM is a scheme by which tyrants use [antifeatures][] to lock down what
users are able to do with their systems, often cryptographically.
For example,
your media player might tell you how many times you can listen to a song,
or watch a video, or read a book;
it might [delete books][1984] that you thought you owned;
it might require that you are [always online][always-on] when playing a
game, and then stop working when you disconnect, or when they decide to
stop supporting the game.
If you try to circumvent these locks,
then you might be [called a pirate][pirate] and be thrown in prision under
the ["anti-circumvention" privisons of the Digital Millenium Copyright Act
(DMCA)][dmca].
These are all things [that have been long predicated][right-to-read], and
are only expected to get worse with time.

That is, unless we take a stand and fight back.

I had the pleasure of participating in
the [largest ever protest against the W3C][w3c-protest] and their attempts
to introduce DRM as a _web standard_ via the [Encrypted Media Extensions
(EME)][eme] proposal.[^photos]
This event was organized beautifully by Zak Rogoff of the [Free Software
Foundation][fsf] and began just outside the Strata Center doors where the
W3C was _actively meeting_,
and then continued to stop outside the Google and Microsoft offices,
both just blocks away.
We were [joined outside Microsoft][eff-protest] by Danny O'Brien,
the EFF's International Director,
who stepped out of the W3C meeting to address the protesters.

Afterward, most of us [traveled to the MIT Media Lab][media-lab] where
Richard Stallman---who joined us in the protest---sat on a panel along
with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the
W3C.
The W3C was invited to participate in a discussion on EME, but they never
showed.
As a demonstration of the severity of these issues,
[Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal
ever became a W3C Recommendation.

I can say without hesitation that the protest and following discussion were
some of the most powerful and memorable events of my life---there is no
feeling like being a part of a group that shares such a fundamental
passion (and distaste!) for something important.

And it _is_ very important.

[DRM is pervasive][dbd]---the Web is just one corner where it rears its ugly
head.
The [International Day Against DRM][day-drm] gives you and others an
excellent opportunity to hold your own protests, demonstrations, and events
to raise these issues to others---and to do so as part of an
_international group_;
to send a strong, world-wide message:
a message that it is _not_ acceptable to act as tyrants and treat users as
slaves and puppets through use of digital handcuffs and [draconian
punishments for circumventing them][dmca].

[^photos]: The EFF has some [great photots][eff-protest]; I'm the one in the
hoodie between the giant GNU head and Zak Rogoff.

[antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/
[lp2016]: https://libreplanet.org/2016/
[w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm
[eme]: https://w3c.github.io/encrypted-media/
[eff-protest]: https://w3c.github.io/encrypted-media/
[w3c]: https://www.w3.org/
[fsf]: https://fsf.org/
[media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito
[hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards
[dmca]: https://www.eff.org/issues/dmca
[dbd]: https://www.defectivebydesign.org/
[1984]: https://www.defectivebydesign.org/amazon-kindle-swindle
[always-on]: https://en.wikipedia.org/wiki/Always-on_DRM
[right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html
[pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal
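Review bot: the `[eff-protest]` reference definition carries the same URL as `[eme]` (`https://w3c.github.io/encrypted-media/`), so both "joined outside Microsoft" and the photo footnote send readers to the W3C spec draft rather than the EFF's coverage and photos; this needs the intended EFF URL before publishing. `[lp2016]` and `[w3c]` are defined but never referenced in the body and can be dropped. Spelling in the body: "prision" (prison), "privisons" (provisions), "Millenium" (Millennium), "photots" (photos); "things that have been long predicated" is most likely "predicted".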
@ -0,0 +1,55 @@
# CFAA, "Authorized" Access, and Common Sense

There is little common sense to be had with the [Computer Fraud and Abuse
Act][cfaa] (CFAA) to begin with.
To add to the confusion,
the Ninth Circuit Court of Appeals last week held 2-1 in [United States
v. Nosal][uvn] that accessing a service using someone else's
password---even if that person gave you permission to do so---[violates
the CFAA][cfaa-passwd],
stating that only the _owner_ of a computer can give such authorization.
This is absurd even with complete lack of understanding of what the law is:
should your spouse be held criminally liable for paying your bills online
using your account?

[cfaa]: https://www.eff.org/issues/cfaa
[uvn]: https://www.eff.org/cases/u-s-v-nosal
[cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit

Common sense says no.

<!-- more -->

In another case this week---[Facebook v. Power Ventures][fvp]---the same
court (though a different panel of judges) stepped back from the original
decision and stated that computer _users_ can indeed provide
authorization.
This authorization holds even if the service's Terms of Service say
otherwise.
Yet: the computer owner (in this case, Facebook) can revoke authorization,
which takes precedence over any authorization provided by a user of that
system.
So with a seemingly magical incantation,
a benign situation can be made into a federal crime,
just like that.

These situations highlight dangerous confusion over the interpretation of an
already dangerously vague law.
The CFAA is the law that was used to prosecute Aaron Swartz for federal
"crimes"---with a punishment of up to thirty-five years in prison---for
liberating documents hosted on JSTOR.
Because of this [draconian threat][eff-punish],
[Aaron committed suicide][aaron] on January 11th, 2013.

The CFAA already has blood on its hands;
it needs to be reined _in_,
not be given further broad powers.
So don't take news of the decisions in US v. Nosal and Facebook v. Power
Ventures as canceling one-another out;
things may appear the same for now,
but serious problems still need to be resolved.

[cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even
[fvp]: https://www.eff.org/cases/facebook-v-power-ventures
[eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime
[aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz
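Review bot: `[cfaa-back]` is defined in the footer but never referenced in the body; its slug (`ninth-circuit-panel-backs-away-dangerous-password-sharing-decision`) matches the Facebook v. Power Ventures paragraph, so "stepped back from the original decision" was almost certainly meant to link to it. Either add that link or remove the definition. Also "even with complete lack of understanding" reads better as "even with a complete lack of understanding".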
@ -0,0 +1,41 @@
# "Election"

The past few days of the DNC have demanded pause. I am an Independent. I
do not like Hillary Clinton. I am a Bernie supporter, and I was upset by his
endorsement of Hillary. I had vowed not to vote for Hillary; I would
instead vote for Jill Stein. The DNC, while very well done with a deeply
compelling facade, has not changed my perspective on Clinton.

It is perhaps said best by Bernie himself: "It's easy to boo, but it's
harder to look your kids in the face who would be living under a Donald
Trump presidency". The conflict here is between my deep ideologies and
reality. It's often said that a vote for Hillary is a vote against Trump;
such a perspective would shallow and purposeless. But this isn't an
election for president---this is the most threatening assault on everything
I stand for that I hope I will ever witness in my lifetime. To stand for
ideological purity would be to stand atop a mountain while the world around
me burns. This is why Bernie chose to unite.

Should Trump win, my ideals that seem within reach could be blown back
decades. As a matter of strategy, I cannot justify _not_ swallowing every
ounce of my pride. Hillary's presidency is an unfortunate but necessary
consequence of the only permissible outcome. I am not electing a president
of the United States. I am electing _a United States_.

<!-- more -->

So I am doing what I never thought I would do: proposing that others too
factor this obscene equation and recognize how the very few remaining
variables affect the result. My ideals continue to exist in part and in
spirit with Hillary as president. With Trump, they are all but
vanquished. Donald Trump must not be elected president of the United
States. When (and if) you vote, think of it as a shot fired, not as a vote
cast.

"Election".

More information about my opinions on this topic can be found
[here][social-1] and [here][social-2].

[social-1]: https://social.mikegerwitz.com/conversation/21864
[social-2]: https://social.mikegerwitz.com/conversation/22026
|
|
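Review bot: a verb is missing in the second paragraph: "such a perspective would shallow and purposeless" needs "be" ("would be shallow and purposeless"). Since the commit message says these are pure markup translations, this is probably carried over from the original post; if so, it belongs in the follow-up text-change commit the message promises rather than silently in this one.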
@ -0,0 +1,103 @@
|
|||
# NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist
|
||||
|
||||
[Citizen Lab released a report][cl] describing the attempted use of iOS
|
||||
0-days on human rights activist [Ahmed Mansoor][] by the United Arab
|
||||
Emirates.
|
||||
They named this chain of exploits _Trident_,
|
||||
and with the help of [Lookout Security][paper],
|
||||
were able to analyze them.
|
||||
|
||||
It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
|
||||
exploiting a memory corruption vulnerability in WebKit,
|
||||
which downloads a payload unknown to the user.
|
||||
That payload is able to bypass KASLR and [determine the kernel memory
|
||||
location (CVE-2016-4656)][4656],
|
||||
then allowing it to exploit a [memory corruption vulnerability in the
|
||||
kernel itself (CVE-2016-4657)][4657];
|
||||
this "jailbreaks" the device and is a complete compromise of the system.
|
||||
|
||||
[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
|
||||
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
|
||||
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
|
||||
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
|
||||
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
|
||||
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657
|
||||
|
||||
<!-- more -->
|
||||
|
||||
This payload is [Pegasus][paper],
|
||||
a complex surveillance tool sold to governments,
|
||||
often used for espionage.
|
||||
In this case,
|
||||
Monsoor received a suspicious text message and wisely [tipped off Citizen
|
||||
Lab][cl] rather than opening the presented link.
|
||||
Had he done so,
|
||||
he would have unknowingly downloaded this spyware that could very well
|
||||
have put his life in extreme danger:
|
||||
it has the capability to track his location;
|
||||
record his calls and texts;
|
||||
record communications through software like WhatsApp and Skype;
|
||||
download his contact information;
|
||||
grab passwords and encryption keys from his keyring;
|
||||
and much more.
|
||||
|
||||
This malware was written by [NSO Group][],
|
||||
which is so poorly known that their [Wikipedia page didn't even exist
|
||||
until today][nso-wikipedia].
|
||||
The software company is based in Israel,
|
||||
founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
|
||||
They were purchased in 2014 by [Francisco Partners][],
|
||||
a private equity firm in the United States,
|
||||
for $110 million.
|
||||
They exist to sell exploits to governments.
|
||||
|
||||
Anyone familiar with security research is aware of [responsible
|
||||
disclosure][]:
|
||||
it is a model whereby researchers who discover a vulnerability
|
||||
release their research publicly only _after_ they notify the authors
|
||||
of the software,
|
||||
and a patch mitigating the vulnerability has been released.
|
||||
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
|
||||
iOS 9.3.5.[^rms-apple]
|
||||
This is not what NSO Group does:
|
||||
Instead, they horde their exploits[^0day] and sell them to governments as
|
||||
weapons for surveillance or espionage.
|
||||
In this case,
|
||||
the United Arab Emirates (or so it seems).
|
||||
This is not only unethical,
|
||||
but to sell to a government that is known for this type of abuse is
|
||||
inexcusable and negligent---the people behind NSO Group are absolute
|
||||
scum.[^scum]
|
||||
They are empowering a foreign government known for their civil and human
|
||||
rights abuses.
|
||||
I have trouble finding words.
|
||||
|
||||
There is much more that can be said on this topic with respect to security,
|
||||
civil and human rights,
|
||||
and various other topics.
|
||||
But I don't want to distract from the topic at hand.
|
||||
Let this sink in.
|
||||
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
|
||||
Today I leave my soapbox be.
|
||||
|
||||
[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
|
||||
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
|
||||
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
|
||||
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
|
||||
[apple]: https://support.apple.com/en-us/HT207107
|
||||
|
||||
[^rms-apple]: I [can't recommend that you use Apple
|
||||
devices](https://stallman.org/apple.html), but if you do, you
|
||||
should upgrade immediately;
|
||||
you are vulnerable to exploitation by simply visiting a
|
||||
malicious webpage.
|
||||
|
||||
[^0day]: Called 0-days,
|
||||
because they haven't been disclosed and there has been no time to
|
||||
prepare or release a fix.
|
||||
|
||||
[^scum]: For other scum, see the organization behind [FinFisher][]; and the
|
||||
group [Hacking Team][].
|
||||
|
||||
[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
|
||||
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team
|
|
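Review bot: please double-check the CVE numbers in the second paragraph against the linked Apple advisory (HT207107) and the Lookout paper before publishing: as I read those sources, CVE-2016-4657 is the WebKit memory corruption, CVE-2016-4655 is the kernel information leak used to defeat KASLR, and CVE-2016-4656 is the kernel memory corruption, whereas this text labels the WebKit bug [4655] and the kernel bug [4657]; if the sources agree with me, the three reference links send readers to the wrong entries. Two smaller points in the same hunk: "Monsoor received a suspicious text message" should be "Mansoor" to match the heading link, and "horde their exploits" should be "hoard".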
@ -0,0 +1,79 @@
|
|||
# Self-Discovery Before the Internet
|
||||
|
||||
This is an autobiographical opinion piece prompted by [a HackerNews
|
||||
post][hn] discussing what it was like to learn programming before Stack
|
||||
Overflow (and other parts of the Internet).
|
||||
|
||||
[hn]: https://news.ycombinator.com/item?id=14339293
|
||||
|
||||
<!-- more -->
|
||||
|
||||
I'm not old. I was born in 1989. I started programming around 1999. The
|
||||
Internet sure did exist back then, but I was 10, and my parents weren't keen
|
||||
on having me just go exploring. Besides, it was dial-up---you couldn't go
|
||||
search real quick; especially if someone was on the phone. Using the
|
||||
Internet was an _event_, and an exciting one at that, listening to those
|
||||
dial tones, logging in using that old Prodigy dialog. Back then you had
|
||||
Dogpile and Ask Jeeves. Most sites I'd visit by name; usually that was
|
||||
GameFAQs or CNET download.com, because those are the sites my friend told me
|
||||
about when he introduced me to the Internet.
|
||||
|
||||
I'm entirely self-taught. I didn't know any programmers. I didn't have
|
||||
contact with any. I told my parents that I wanted to learn how to program
|
||||
and they skeptically brought me to Barnes and Noble where we picked out
|
||||
Learn to Program with Visual Basic 6 by John Smiley (*gasp* yes I started as
|
||||
a Windows programmer). It came with a VB6 CD that for a while I was
|
||||
convinced could only run the book examples, because I had no idea what I was
|
||||
doing. I struggled. I tinkered. Hacker culture was on the complete
|
||||
opposite end of where I was, but by the time I discovered it years later, I
|
||||
felt like I finally found myself---I finally discovered who I was. The
|
||||
struggle made me a hacker.
|
||||
|
||||
It's easy to half-ass it today. It's easy to simply say "eh I can Google
|
||||
it" and forego committing knowledge. But it also makes it easy to gain
|
||||
knowledge, for those who do care to do so. It makes trivia easy. It makes
|
||||
discovery easy. It also exposes people to subcultures quickly and
|
||||
demands conformance to stereotypes and norms before one can discover
|
||||
_themselves_. Who would I be today without having to struggle for myself
|
||||
rather than someone else _telling_ me who I am, and what I do?
|
||||
|
||||
This is more than just technical knowledge. This is the difference between
|
||||
dropping a child off in the wild or dropping them off at the local
|
||||
scouts. And at least scouts will discover themselves together. With the
|
||||
Internet, you absorb a body of existing knowledge; you _rediscover others_,
|
||||
not yourself. You often read blogs containing opinions of others, not books
|
||||
or manuals.
|
||||
|
||||
That's not to say that you can't learn on your own. Many still do. Many
|
||||
focus on manuals and books and source code rather than social media. It's
|
||||
sure hard, though, when everything is integrated as such. Social media
|
||||
can be beneficial---you do want communication and collaboration. I sure as
|
||||
hell want to communicate with others. Opinions of others are deeply
|
||||
important too. Some of the best things I've read are on blogs, not in
|
||||
books. But I've already found my niche. I've found myself. I wasn't
|
||||
tainted or manipulated---I learned in a world of proprietary software where
|
||||
developing license systems was fun and emerged a free software
|
||||
activist. Because I was forced to look inward, not post on Stack Overflow
|
||||
or HN or Reddit expecting a hand-guided tour or `dd` of thoughts (okay,
|
||||
you're not getting that on HN).
|
||||
|
||||
Not everyone needs to be a passionate hacker or developer. Really, the
|
||||
world needs both. And based on what I've seen being pumped out of schools
|
||||
and universities, the self-taught are generally better off either way. The
|
||||
vast resources available to modern programmers make many tasks easier and
|
||||
cheaper, though it also increases maintenance costs if all the programmer is
|
||||
doing is using code snippets or concepts without actually grokking
|
||||
them. But this is what most of the world runs off of.
|
||||
|
||||
Let yourself struggle. Go offline. Sit down with a print book and get out
|
||||
a pen and take notes in the margin, write out your ideas. Getting syntax
|
||||
errors in your editor or REPL? Figure it out! Or maybe consult the manual,
|
||||
or the book you're reading. Don't search for the solution. When I learned
|
||||
Algebra in middle school, I had little interest, and forgot all of
|
||||
it. Years later, I needed it as a foundation for other things. I
|
||||
discovered the rules for myself on pen and paper. Not only do I remember it
|
||||
now (or can rediscover on a whim), but I understand _why_ it works the way
|
||||
it does. I've had those epiphanies. It's easy to miss the forest for the
|
||||
trees when you don't gain that essential intuition to help yourself
|
||||
out. And the forest is vast and beautiful.
|
||||
|
|
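Review bot: "forego committing knowledge" in the third paragraph should be "forgo" (forego means to precede). Style point: the book title "Learn to Program with Visual Basic 6" is left in plain text, while titles elsewhere in this commit use `_..._` emphasis (e.g. `_The Ethics Void_`); consider marking it up the same way.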
@ -0,0 +1,35 @@
|
|||
# GNU is more than a collection of software
|
||||
|
||||
GNU is more than just a collection of software; it is an operating system:
|
||||
|
||||
[https://www.gnu.org/gnu/thegnuproject.html]()
|
||||
|
||||
Many hackers and activists within the free software community don't
|
||||
understand this well, and it's a shame to see attacks on GNU's relevance (as
|
||||
measured by programs written by GNU on a given system) going
|
||||
unchallenged. Software for GNU was written by the GNU Project when a
|
||||
suitable free program was not available. It wouldn't have made sense to
|
||||
write everything from scratch if free programs already solved the problem.
|
||||
|
||||
<!-- more -->
|
||||
|
||||
When we say GNU/Linux, we really are referring to the GNU operating system
|
||||
that just happens to be using Linux. It could be using the FreeBSD kernel
|
||||
([GNU/kFreeBSD][]). It could be using a Windows kernel with a Linux API
|
||||
([GNU/kWindows][]). It could be using the [Hurd][] ([GNU/Hurd][]). The
|
||||
disambiguation is important, but the end result is pretty much the same.
|
||||
|
||||
There are many systems that use Linux that are not GNU. Android is not GNU,
|
||||
for example. We shouldn't attempt to call those systems "GNU/Linux"
|
||||
blindly. (Also note how it's called "Android", not "Android/Linux", or just
|
||||
"Linux". Somehow GNU is controversial, though.)
|
||||
|
||||
So if you see someone challenging GNU's relevance because GNU/Linux contains
|
||||
so much software that isn't part of a GNU package, then please provide the
|
||||
above link, and kindly explain to them that their observation is correct,
|
||||
because GNU is an operating system, not a collection of programs.
|
||||
|
||||
[GNU/kFreeBSD]: https://en.wikipedia.org/wiki/Debian_GNU/kFreeBSD
|
||||
[GNU/kWindows]: https://mikegerwitz.com/2016/04/GNU-kWindows
|
||||
[Hurd]: https://www.gnu.org/software/hurd/
|
||||
[GNU/Hurd]: https://www.debian.org/ports/hurd/
|
|
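Review bot: the line `[https://www.gnu.org/gnu/thegnuproject.html]()` has an empty link target. Markdown renders `[text]()` as a link with an empty href, i.e. a link to the current page, so the URL shown is not clickable as intended. Use an autolink, `<https://www.gnu.org/gnu/thegnuproject.html>`, or put the URL inside the parentheses. The same construct appears in the LibrePlanet 2019 post further down in this commit.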
@ -0,0 +1,79 @@
|
|||
# Russia wants to review source code of Western security software
|
||||
|
||||
Reuters [released an article][0] entitled "Under pressure, Western tech
|
||||
firms bow to Russian demands to share cyber secrets".
|
||||
Should Russia be permitted to do so?
|
||||
Should companies "bow" to these demands?
|
||||
|
||||
I want to draw a parallel to another highly controversial case regarding
|
||||
access to source code:
|
||||
the [Apple v. FBI][2] case early last year.
|
||||
For those who don't recall,
|
||||
one of the concerns was the government trying to compel Apple to make
|
||||
changes to iOS to permit brute forcing the San Bernardino attacker's
|
||||
PIN;
|
||||
this is a [violation of First Amendment rights][3] (compelled speech),
|
||||
and this afforded Apple strong support from even communities that
|
||||
otherwise oppose them on nearly all other issues.
|
||||
The alternative was to have the FBI make changes to the software instead of
|
||||
compelling Apple to do so,
|
||||
which would require access to the source code of iOS.
|
||||
|
||||
[0]: http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB
|
||||
[2]: https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute
|
||||
|
||||
<!-- more -->
|
||||
|
||||
Becuase of the hostility toward the FBI in this case,
|
||||
even many in the [free software community][4] took the stance that the FBI
|
||||
being able to modify the software would set terrible precedent.
|
||||
But that's missing the point a bit.
|
||||
Being able to modify software doesn't give you the right to install it on
|
||||
others' devices;
|
||||
the FBI would have had to compell Apple to release their signing keys
|
||||
as well---_that_ is a dangerous precedent.
|
||||
If the government compelled Apple to made changes themselves,
|
||||
_that_ is dangerous precedent.
|
||||
|
||||
"Cyber secrets" in the above title refers to source code to software written
|
||||
by companies like Cisco, IBM, SAP, and others;
|
||||
secrets that can only exist in proprietary software that
|
||||
[denies users the right to inspect, modify, and share][1] the software
|
||||
that they are running.
|
||||
|
||||
For those who agree with the free software philosophy,
|
||||
it's important to remove consideration of _who_ is trying to exercise their
|
||||
[four freedoms][1].
|
||||
In the case of the FBI,
|
||||
from a free software perspective,
|
||||
of course they should be able to modify the software---we
|
||||
believe that _all_ software should be free!
|
||||
(But that doesn't mean they should be able to install it on _someone
|
||||
else's_ device.)
|
||||
In the context of this article by Reuters:
|
||||
Russia doesn't have to ask to examine software that is free/libre.
|
||||
And if they did, it shouldn't be a concern;
|
||||
restricting who can use and examine software is [a slippery slope][5].
|
||||
|
||||
Unfortunately, not all software is free/libre.
|
||||
But if we extend the free software philsophy---there
|
||||
should be no _ethical_ concerns with a foreign power wanting to inspect
|
||||
proprietary source code.
|
||||
But proprietary software might have something of concern to hide:
|
||||
it might be something malicious like a backdoor,
|
||||
or it might be something like a lack of security or poor development
|
||||
practices;
|
||||
[proprietary software exists only to keep secrets][6], after all.
|
||||
|
||||
If Russia has to ask to inspect source code for security software,
|
||||
you probably do too.
|
||||
And if that's the case,
|
||||
the security being provided to you is merely a facade.
|
||||
It's not Russia to be suspicious of for asking---it's
|
||||
the companies that keep secrets to begin with.
|
||||
|
||||
[1]: https://www.gnu.org/philosophy/free-software-even-more-important.html
|
||||
[3]: https://www.eff.org/deeplinks/2016/03/deep-dive-why-forcing-apple-write-and-sign-code-violates-first-amendment
|
||||
[4]: https://www.gnu.org/philosophy/free-sw.en.html
|
||||
[5]: https://www.gnu.org/philosophy/programs-must-not-limit-freedom.html
|
||||
[6]: https://www.gnu.org/proprietary/proprietary.html
|
|
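Review bot: several spelling and grammar slips in this file that either the conversion or the promised text-change commit should pick up: "Becuase" at the start of the paragraph after `<!-- more -->`, "compell Apple" and "compelled Apple to made changes themselves" ("make") in the same paragraph, and "philsophy" in the paragraph beginning "Unfortunately, not all software is free/libre." Minor style point: the definitions for [0] and [2] sit mid-file before `<!-- more -->` while [1] and [3] through [6] are at the bottom; Markdown accepts both, but the other posts keep all definitions together.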
@ -0,0 +1,85 @@
|
|||
# Don't force me to use your tools [on the Web]
|
||||
|
||||
There was an interesting discussion on [libreplanet-discuss][] recently
|
||||
regarding web interfaces.
|
||||
Below is a rather informal off-the-cuff statement regarding the use of Web
|
||||
interfaces (specificlaly Discourse) over my own tools.
|
||||
|
||||
[libreplanet-discuss]: https://lists.gnu.org/archive/html/libreplanet-discuss/2017-06/msg00032.html
|
||||
|
||||
<!-- more -->
|
||||
|
||||
-----
|
||||
|
||||
I live a huge chunk of my life in my mail client
|
||||
(which happens to be my editor as well).
|
||||
It's scripted,
|
||||
heavily customized,
|
||||
and integrated with other things.
|
||||
I do task management with Org mode,
|
||||
which integrates simply but well enough with Gnus.
|
||||
I can use my editor keybindings and such when composing messages.
|
||||
The same goes with my IRC client.
|
||||
I never have to leave home, if you will.
|
||||
|
||||
Contrast that with websites:
|
||||
if I have to write anything substantial,
|
||||
I often have to write it in my editor first and paste it in.
|
||||
|
||||
Many of us hackers don't care for flashy interfaces;
|
||||
we'd rather use the tools we've invested our lives into and know well.
|
||||
Tools that can compose and work well in pipelines.
|
||||
Trying to use interfaces that reinvent the wheel poorly is painful.
|
||||
And let's not be fooled---these are programs.
|
||||
Especially when they're heavy on JavaScript.
|
||||
There's no difference between this and someone asking me to download Foo and
|
||||
put my Emacs toy away, as cute as it is.
|
||||
|
||||
But I know that many people don't feel that way.
|
||||
I have coworkers that think I'm crazy (respectfully so).
|
||||
And I think they're crazy too. ;)
|
||||
Admittedly, using your own tools is a large barrier to entry---my
|
||||
tools are useful because I've spent a great deal of time learning and
|
||||
researching and customizing.
|
||||
And now I can reuse them for everything.
|
||||
For your average user looking to get into activism,
|
||||
who may not even be a programmer,
|
||||
that's a bit different;
|
||||
it's easier to say "here's your single tool (Web)---go use it".
|
||||
|
||||
There are systems that allow for a level of integration
|
||||
(e.g. mailing lists and forums).
|
||||
But they're often treated as fallbacks---as second-class citizens.
|
||||
They might provide a subset of features;
|
||||
it leaves certain members of the community out---those
|
||||
who want to use their own tools.
|
||||
|
||||
I haven't used Discourse.
|
||||
I do see "mailing list support";
|
||||
maybe that's a good sign.
|
||||
But one of the phrases at the top of the features page is
|
||||
"[w]e're reimagining what a modern discussion platform should
|
||||
be".
|
||||
Many of us don't want to see it reimagined.
|
||||
That's the opposite of what many want.
|
||||
|
||||
Trying to strike a balance isn't a bad thing if that's the audience
|
||||
we're looking to attract.
|
||||
But it's difficult,
|
||||
and something I struggle with a great deal.
|
||||
|
||||
-----
|
||||
|
||||
tl;dr:
|
||||
Asking someone to use an interface on the Web is asking them to use
|
||||
/your/ program instead of their own.
|
||||
Be respectful by using [Web standards for accessibility][accessibility];
|
||||
[progressive enhancement][];
|
||||
and make use of well-established standards with rich histories,
|
||||
especially if your audience makes use of them
|
||||
(e.g. mailing lists, RSS feeds, federation standards, etc).
|
||||
|
||||
Thank you.
|
||||
|
||||
[accessibility]: https://en.wikipedia.org/wiki/Web_accessibility
|
||||
[progressive enhancement]: https://en.wikipedia.org/wiki/Progressive_enhancement
|
|
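Review bot: in the tl;dr, `/your/` is slash emphasis left over from the original mailing-list message; Markdown renders the slashes literally. Change it to `_your_` to match the underscore emphasis used elsewhere in the post and in the other converted files. Also "specificlaly Discourse" in the intro should be "specifically".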
@ -0,0 +1,40 @@
|
|||
# The Ethics Void: Join Me at LibrePlanet 2018!
|
||||
|
||||
I got word today that I'll be speaking again at this year's [LibrePlanet][]!
|
||||
I was going to attend even if I were not speaking,
|
||||
but I'm very excited to be able to continue to build off of last year's
|
||||
talk and further my activism on these topics.
|
||||
|
||||
[LibrePlanet]: https://libreplanet.org/2018/
|
||||
|
||||
The title of this year's talk is _The Ethics Void_.
|
||||
Here's a rough abstract:
|
||||
|
||||
<!-- more -->
|
||||
|
||||
> Medicine, legal, finance, journalism, scientific research—each of these
|
||||
> fields and many others have widely adopted codes of ethics governing the
|
||||
> lives of their professionals. Some of these codes may even be enshrined in
|
||||
> law. And this is for good reason: these are fields that have enormous
|
||||
> consequences.
|
||||
|
||||
> Software and technology pervade not only through these fields, but through
|
||||
> virtually every aspect of our lives. Yet, when compared to other fields, our
|
||||
> community leaders and educators have produced an ethics void. Last year, I
|
||||
> introduced numerous topics concerning #privacy, #security, and #freedom that
|
||||
> raise serious ethical concerns. Join me this year as we consider some of
|
||||
> those examples and others in an attempt to derive a code of ethics that
|
||||
> compares to each of these other fields, and to consider how leaders and
|
||||
> educators should approach ethics within education and guidance.
|
||||
|
||||
(My previous talks can be found on my ["Talks" page][talks].)
|
||||
|
||||
For this talk,
|
||||
I want to solicit the community at various points.
|
||||
I know what _I_ want to talk about,
|
||||
but what are some of the most important ethical issues to _you_?
|
||||
Unfortunately there's far too much to fit into a 40-minute talk!
|
||||
Feel free to send me an e-mail or reply to the [thread on GNU Social][thread].
|
||||
|
||||
[talks]: /talks
|
||||
[thread]: https://social.mikegerwitz.com/conversation/99140
|
|
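Review bot: the blank line between the two `>` paragraphs of the abstract has no `>` prefix, so Markdown closes the blockquote there and opens a second one; the abstract renders as two separate quote blocks instead of one. Prefix that blank line with `>` to keep it a single quote. Separately, the first line of the abstract uses a literal em dash character between "research" and "each", while every other post in this commit writes `---`; pick one convention.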
@ -0,0 +1,44 @@
|
|||
# Meltdown/Spectre and the Web
|
||||
|
||||
The recently-released [Meltdown][] and [Spectre][] CPU timing attacks
|
||||
affect virtually every user in some way;
|
||||
the consequences are profound.
|
||||
There are plenty of good write-ups on the topic,
|
||||
so I don't feel the need to re-iterate the technical details here.
|
||||
(See an easily digestible one [from the Raspberry Pi][rpi] project, and an
|
||||
in-depth analysis [from Project Zero][zero].)
|
||||
|
||||
[Meltdown]: https://meltdownattack.com/
|
||||
[Spectre]: https://spectreattack.com/
|
||||
[rpi]: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/
|
||||
[zero]: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
|
||||
|
||||
What I do want to draw attention to is that these attacks [are exploitable
|
||||
via web browsers][mozilla].
|
||||
|
||||
[mozilla]: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
|
||||
|
||||
<!-- more -->
|
||||
|
||||
The reason for this is that your web browser,
|
||||
by default,
|
||||
automatically downloads and executes programs without your knowledge or
|
||||
consent.
|
||||
Most commonly,
|
||||
web pages embed software in the form of JavaScript code.
|
||||
Because of the features available in modern JavaScript environments,
|
||||
CPU cache timing attacks are possible.
|
||||
|
||||
[I spoke about the security issues][lp2016] of running these programs in your web
|
||||
browser back in 2016---it
|
||||
was a bad idea then,
|
||||
and it's still a bad idea now.
|
||||
[I spoke further of privacy issues][lp2017] last year at LibrePlanet 2017.
|
||||
I encourage you to use extensions like [NoScript][] to block the execution of
|
||||
JavaScript by default,
|
||||
and stop random people from treating your computer as a puppet to do
|
||||
their own bidding.
|
||||
|
||||
[lp2016]: https://media.libreplanet.org/u/libreplanet/collection/restore-online-freedom/
|
||||
[lp2017]: https://media.libreplanet.org/u/libreplanet/m/the-surreptitious-assault-on-privacy-security-and-freedom/
|
||||
[NoScript]: http://noscript.net/
|
|
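Review bot: "Because of the features available in modern JavaScript environments, CPU cache timing attacks are possible" is vague for a post whose whole point is the browser attack surface; name the features. The linked Mozilla post frames its mitigation in terms of exactly those: reducing the precision of `performance.now()` and disabling `SharedArrayBuffer`, the high-resolution timing sources the attacks depend on. Naming them would also make the NoScript recommendation that follows easier to justify. Minor: "re-iterate" should be "reiterate".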
@ -0,0 +1,60 @@
|
|||
# When Talking About Mobile Tracking, Don't Veil Bad Actors With Blanket Statements
|
||||
|
||||
It's difficult to have useful conversations about mobile tracking when
|
||||
someone says "your phone / mobile device tracks you";
|
||||
such statements don't often lead to constructive conversation because they
|
||||
are too vague and therefore easily dismissed as sensationalism or
|
||||
paranoia.
|
||||
And they are all too often without substance because,
|
||||
while users do have legitimate concerns,
|
||||
they aren't necessarily aware of the specific problems contributing to
|
||||
those concerns.
|
||||
|
||||
<!-- more -->
|
||||
|
||||
A mobile device is nothing more than a small computer that you carry around
|
||||
with you.
|
||||
The networks that you connect to can spy on you---your
|
||||
cellular network, bluetooth, wifi, etc.
|
||||
To help mitigate these threats,
|
||||
you can disable those communications until you are in a safe place that
|
||||
you don't mind others knowing about.
|
||||
We can only have confidence that these connections have been disabled by
|
||||
physical means,
|
||||
like a hardware switch or a bag that acts like a Faraday cage.
|
||||
[iOS deceives users][ios-deceive] when they ask to disable those communications
|
||||
for example.
|
||||
|
||||
The software running on your device often spies on you:
|
||||
the operating system itself often spies;
|
||||
the apps you install often spy.
|
||||
This is the fault of the individual _authors_---_they_
|
||||
are the problem.
|
||||
Consider using free/libre software that empowers you and serves _you_ rather
|
||||
than its creators;
|
||||
it's much harder to hide secrets in free software.
|
||||
On Android,
|
||||
consider using only free software available in [F-Droid][].
|
||||
We also need fully free mobile operating systems,
|
||||
like [Replicant][] and hopefully Purism's Librem 5 that is still under
|
||||
development.
|
||||
Don't be fooled into thinking the Android on most phones is free
|
||||
software---only
|
||||
its core (AOSP) is.
|
||||
|
||||
Call out those that do harm---don't
|
||||
veil and protect them using statements like "your phone tracks you".
|
||||
Talk about the specific issues.
|
||||
Demand change and have the courage to reject them entirely.
|
||||
This involves inconvenience and sacrifice.
|
||||
But if we're strong now,
|
||||
then in the near future perhaps we won't have to make any sacrifices,
|
||||
much like the fully free GNU/Linux system desktops we have today.
|
||||
|
||||
Fore more information on tracking,
|
||||
see my [LibrePlanet 2017 and 2018 talks](/talks) "The Surreptitious Assault on Privacy,
|
||||
Security, and Freedom" and "The Ethics Void", respectively.
|
||||
|
||||
[F-Droid]: https://f-droid.org
|
||||
[ios-deceive]: https://web.archive.org/web/20170922011748/https://support.apple.com/en-us/HT208086
|
||||
[Replicant]: https://replicant.us
|
|
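Review bot: "Fore more information on tracking" in the last paragraph should be "For more information". In the second paragraph, "[iOS deceives users][ios-deceive] when they ask to disable those communications for example." leaves "for example" dangling at the end of the sentence; moving it to the front ("For example, iOS deceives users ...") reads better. Style: "bluetooth, wifi" should be "Bluetooth, Wi-Fi".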
@ -0,0 +1,28 @@
|
|||
# LibrePlanet 2019 will be March 23--24 in Boston, MA
|
||||
|
||||
It's already time to start thinking about LibrePlanet 2019, which will be
|
||||
March 23--24 in the Greater Boston Area in MA:
|
||||
|
||||
[https://libreplanet.org/2019/]()
|
||||
|
||||
This is the one event that I must make it to each year, and I encourage
|
||||
everyone to attend and see the faces of many that are at the heart of the
|
||||
free software community.
|
||||
|
||||
<!-- more -->
|
||||
|
||||
Consider [submitting a session][submit]! Or, if you can't make it but plan
|
||||
on watching online, maybe help someone else attend by [contributing to the
|
||||
travel fund][travel-fund]. The call for sessions ends October 26th.
|
||||
|
||||
I'll be attending again this year, and I plan on submitting a session
|
||||
proposal. I won't have the time to do [my 100+hr research talks like the
|
||||
past couple years][talks], so maybe I'll fall back on something more
|
||||
technical that I won't have to research.
|
||||
|
||||
It's still a ways off, but if you do plan on attending, do let me know so I
|
||||
can say hello!
|
||||
|
||||
[submit]: https://my.fsf.org/lp-call-for-sessions
|
||||
[travel-fund]: https://my.fsf.org/civicrm/contribute/transact?reset=1&id=60
|
||||
[talks]: /talks/
|
|
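Review bot: `[https://libreplanet.org/2019/]()` has an empty link target, the same problem as in the GNU post above; Markdown renders it as a link to an empty href rather than to the URL shown. Use `<https://libreplanet.org/2019/>`. Also, "March 23--24" (in both the heading and the first paragraph) relies on the renderer turning `--` into an en dash, the same assumption the `---` dashes elsewhere make; fine if the site's Markdown renderer has smart punctuation enabled, otherwise it ships as two hyphens.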
@ -0,0 +1,66 @@
|
|||
# Webmasters: Please, Don't Block Tor
|
||||
|
||||
[Tor][] is a privacy and anonymity tool that [helps users to defend
|
||||
themselves][tor-about] against traffic analysis online.
|
||||
Some people, like me, use it as an important tool to help defend against
|
||||
[various online threats to privacy][sapsf].
|
||||
[Others use it][tor-users] to avoid censorship,
|
||||
perhaps by the country in which they live.
|
||||
Others use it because their lives depend on it---they
|
||||
may live under an oppressive regime that forbids access to certain
|
||||
information or means of communication.
|
||||
|
||||
[Tor]: https://www.torproject.org/
|
||||
[tor-about]: https://www.torproject.org/about/overview.html.en#whyweneedtor
|
||||
[tor-users]: https://www.torproject.org/about/torusers.html.en
|
||||
[sapsf]: /talks/sapsf
|
||||
|
||||
Unfortunately, some people also hide behind Tor to do bad things,
|
||||
like attack websites or commit fraud.
|
||||
Because of this,
|
||||
many website owners and network administrators see Tor as a security threat,
|
||||
and choose to block Tor users from accessing their website.
|
||||
|
||||
<!-- more -->
|
||||
|
||||
But in doing so,
|
||||
you aren't just keeping out some of the malicious users:
|
||||
you're also keeping out those who [use Tor for important, legitimate
|
||||
reasons][tor-users].
|
||||
Malicious users have other means to achieve anonymity and often have the
|
||||
skill and understanding to do so.
|
||||
But average Tor users aren't necessarily technology experts,
|
||||
and certainly don't have the extra (often maliciously-acquired) resources
|
||||
that bad actors do,
|
||||
so they are disprortionally affected by blocks.
|
||||
|
||||
A particularly unsettling problem I often encounter is that a website will
|
||||
outright prohibit access by Tor users _even on read-only resources like
|
||||
articles or information_.
|
||||
I've even seen this on informational resources on United States Government
|
||||
domains!
|
||||
Blocking access to interactive website features---like
|
||||
posting comments or making purchases---can
|
||||
be understandable,
|
||||
or maybe even necessary sometimes.
|
||||
For example,
|
||||
Wikipedia prohibits page edits over Tor.
|
||||
But Wikipedia _does not block reading_ over Tor.
|
||||
|
||||
If you are considering threats that may mask themselves behind Tor and you
|
||||
are running a blog, news site, or other informational resource,
|
||||
please, consider how your actions [may affect innocent
|
||||
users][tor-users].
|
||||
Allow users to read over Tor,
|
||||
even if you decide to prohibit them from interacting.
|
||||
|
||||
For users of Tor who do find themselves stuck from time to time:
|
||||
I will often prepend `https://web.achive.org/` to the URL of a page that
|
||||
is blocked,
|
||||
which allows me to view the page in the Internet Archive's [Wayback
|
||||
Machine][].
|
||||
For example,
|
||||
to view my website in the Wayback Machine,
|
||||
you'd visit `https://web.archive.org/https://mikegerwitz.com/`.
|
||||
|
||||
[Wayback Machine]: https://web.archive.org/
|
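Review bot: the URL in the tip for Tor users is misspelled: `https://web.achive.org/` should be `https://web.archive.org/` (the worked example two sentences later and the [Wayback Machine] reference both have it right). Readers will copy this prefix verbatim, so it is worth fixing before the post goes live. Also "disprortionally affected by blocks" should be "disproportionately affected".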