diff --git a/post/2012-10-05-microblogging.md b/post/2012-10-05-microblogging.md new file mode 100644 index 0000000..0cc5f58 --- /dev/null +++ b/post/2012-10-05-microblogging.md @@ -0,0 +1,29 @@ +# Who needs "microblogging"? + +I don't. This is just some place safe to store random thoughts that people +probably don't care about (like most comments on most social networking +services), with the added benefit of distributed backup, a simple system and no +character limit. + + + +All the thoughts are commit messages; in particular, this means no versioning. +That's okay, because I'm not going to go back and modify them, but I do want +dates and I do want GPG signatures (to show that it's actually me thinking this +crap). + +This isn't a journal. + +This will mostly be a hacker's thought cesspool. + +This isn't a blog. + +Though, considering how much I ramble (look at this message), certain thoughts +could certainly seem like blog entries. Don't get the two confused---one +requires only thought defecation and the other endures the disturbing task of +arranging the thought matter into something coherent and useful to present to +others. + +Yeah. Enjoy. Or don't. You probably shouldn't, even if you do. If you don't, +you probably should just to see that you shouldn't. + diff --git a/post/2012-10-05-tired.md b/post/2012-10-05-tired.md new file mode 100644 index 0000000..08dbbd3 --- /dev/null +++ b/post/2012-10-05-tired.md @@ -0,0 +1,12 @@ +# Getting too tired to hack? At 23:00? + +This has been normal since becoming a father. I can't complain---I love being a +father. Of course, I also love hacking. I also love sleep. Knowing that my son +is going to wake me up a 6:00 in the morning has a slight influence in a +situation like this. + + + +I'd like to just suffer through it, but being a fiancé also has another +obligation: going to bed when your significant other decides that it's bed time +(and by "bed time" I mean sleep). I still manage to fit it in somehow. 
diff --git a/post/2012-10-06-trademarks.md b/post/2012-10-06-trademarks.md new file mode 100644 index 0000000..f827316 --- /dev/null +++ b/post/2012-10-06-trademarks.md @@ -0,0 +1,32 @@ +# The use of trademarks in free software has always been a curious and unclear concept to me, primarily due to my ignorance on the topic + +Trademarks, unless abused, are intended to protect consumers' interests---are +they getting the brand that they think they're getting? If you download Firefox, +are you getting Firefox, or a derivative? + + + +Firefox is precicely one of those things that has brought this issue to light +for me personally: the name is trademarked and derivatives must use their own +names, leading to IceCat, IceWeasel, Abrowser, etc. Even though FF is free +software, the trademark imposes additional restrictions that seem contrary to +the free software philosophy. As such, it was my opinion that trademarks should +be avoided or, if they exist, should not be exercised. (GNU, for example, is +trademarked[^0], but the FSF certainly [does not exercise it][1]; consider GNUplot, +a highly popular graphing program, which is not even part of the GNU project.) + +[This article][2] provides some perspective on the topic and arrives at much the +same conclusions: trademark enforcement stifles adoption and hurts the project +overall. + +I recommend that trademarks not be used for free software projects, though I am +not necessarily opposed to registering a trademark "just in case" (for example, +to prevent others from maliciously attempting to register a trademark for your +project). + +[1]: http://www.gnu.org/prep/standards/html_node/Trademarks.html +[2]: http://mako.cc/copyrighteous/20120902-00 + +[^0]: uspto.gov; serial number 85380218; reg. number 4125065. + From what I could find from the USPTO website, it was submitted by + Aaron Williamson of the SFLC (http://www.softwarefreedom.org/about/team/) 
diff --git a/post/2012-10-09-election-attack-ads.md b/post/2012-10-09-election-attack-ads.md new file mode 100644 index 0000000..d61a73f --- /dev/null +++ b/post/2012-10-09-election-attack-ads.md @@ -0,0 +1,17 @@ +# All these election attack ads are utterly useless + +There have been a lot of elections going on lately---local, state and national. +The majority of those ads are attack ads: immature and disrespectful; if you +want my vote, give me something positive to vote for instead of spending all of +your time and money attacking your candidate. If my vote is to go to the "least +horrible" candidate, then there is no point in voting at all. + + + +Even more frustrating is the deceptiveness of the ads---intentional +deceptiveness, nonetheless. And these are the ads that many in the United States +will be basing the majority of, if not all, of their vote on come election time +(how many will realistically research instead of sitting in front of the TV +absorbing all of the useless bullshit that they are spoonfed?). + +Frightening. diff --git a/post/2012-10-09-kid-iphone-game.md b/post/2012-10-09-kid-iphone-game.md new file mode 100644 index 0000000..cd5d27b --- /dev/null +++ b/post/2012-10-09-kid-iphone-game.md 
@@ -0,0 +1,42 @@ +# Why no kid (or kid at heart) should write an iPhone game + +I saw [this post][0] appear on HackerNews, talking about how building a game for +iOS is "fun" and "cool". The poster lures the reader in with talk of making +money and talks of a "unique sense of fulfillment" that comes with development +of these games, and then goes on to invite kids to learn how to develop games +for the iPhone (and presumably other iOS devices). + +[0]: http://blog.makegameswith.us/post/33263097029/call-to-arms + +This is a terrible idea. + + + +Getting children involved with hacking is an excellent idea, but introducing +them to the evils of Apple and associating that with a feeling of pleasure does +a great disservice; all software developed for iOS must be "purchased" (even +if it's of zero cost) through a walled garden called the "App Store". The +problem with this is that [the App Store is hostile toward free +software][1]---its overly restrictive terms are incompatible with free software +licenses like the GPL. Teaching children to develop software for this crippled, +DRM-laden system is teaching them that it is good to prevent sharing, stifle +innovation and deny aid to your neighbor. + +A better solution would be to suggest developing software for a completely free +mobile operating system instead of iOS, such as [Replicant][2] (a fully free +Android distribution). Even if Replicant itself were not used, Android itself, +so long as proprietary implementations and "stores" are avoided[[3]], is much +more [compatible with education][4] than iOS, since the children are then able +to freely write and distribute the software without being controlled by +malicious entities like Apple. Furthermore, they would then be able to use a +fully free operating system such as GNU/Linux to *write* the software. + +Do not let fun and wealth disguise this ugly issue. Even more importantly---do +not pass this practice and woeful acceptance down to our children. 
I receive a +"unique sense of fulfillment" each and every day hacking free software far +away from Apple's grasp. + +[1]: http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement +[2]: http://replicant.us/ +[3]: http://www.gnu.org/philosophy/android-and-users-freedom.html +[4]: http://www.gnu.org/education/edu-schools.html diff --git a/post/2012-10-09-ssh-t.md b/post/2012-10-09-ssh-t.md new file mode 100644 index 0000000..416c1e6 --- /dev/null +++ b/post/2012-10-09-ssh-t.md 
@@ -0,0 +1,27 @@ +# Always use -t with ssh-add (and always set passwords on your ssh keys) + +Many people use SSH keys for the sole purpose of avoiding password entry when +logging into remote boxes. That is legtimate, especially if you frequently run +remote commands or wish to take advantage of remote tab complation, but creating +a key with an empty password is certainly the wrong approach---if an attacker +gets a hold of the key, then they have access to all of your boxes before you +have the chance to notice and revoke the key. + + + +ssh-agent exists for this purpose. The problem is---creating an agent only to +place the key in memory indefinately is also a terrible idea. If your system +does become compromised and the attacker is either root access or access as your +user, then they can simply connect to the ssh-agent (unless it's password +protected) and start using your key. Also consider that, should you leave your +box unattended for even a moment without locking it (for whatever reason---shit +happens), an attacker could gain physical access to your PC (and an attacker may +just be a coworker looking to play a prank). + +Every morning at work, I begin the day by typing ssh-add followed by an +appropriate lifetime (be it the duration of the work day, or the duration that I +think I will need the key). This way, your key is in memory when you are likely +to be physically present at the box and it is automatically removed from memory +after a given lifetime. Additionally, I like to add `ssh-add -D` to the script +that locks my PC when I walk away from my desk: that will immediately clear all +keys from memory, just in case. diff --git a/post/2012-10-10-school-rfid.md b/post/2012-10-10-school-rfid.md new file mode 100644 index 0000000..0440dcb --- /dev/null +++ b/post/2012-10-10-school-rfid.md 
@@ -0,0 +1,21 @@ +# Texas middle and high schools tracking student locations with RFID tags + +[An article][0] describes how a school district in Texas is attempting to force +its students to wear RFID tags at all times in order to track their location to +"stem the rampant truancy devastating the school's funding". + +[0]: http://rt.com/usa/news/texas-school-id-hernandez-033/ + +What? + + + +This is deeply concerning. Not only does this raise serious security and privacy +concerns (as mentioned near the end of the article), but it also costed the +schools over a half a million dollars to implement. In order words: Texas +taxpayer money has been wasted in an effort to track our children. + +Good thing they don't have anything [better to spend that money on.][1] + +[1]: http://fedupwithlunch.com/ + diff --git a/post/2012-10-13-day-changed.md b/post/2012-10-13-day-changed.md new file mode 100644 index 0000000..f85d6df --- /dev/null +++ b/post/2012-10-13-day-changed.md @@ -0,0 +1,8 @@ +# "Day changed to S" + +Whatever "S" may be (in this case, "13 Oct 2012"), there is always a sense +of peace and gratification that comes with witnessing that line appear in any +type of log; it shows a dedication to an art, should your days contain daylight. + + + diff --git a/post/2012-10-16-branch-pred.md b/post/2012-10-16-branch-pred.md new file mode 100644 index 0000000..cab6b61 --- /dev/null +++ b/post/2012-10-16-branch-pred.md @@ -0,0 +1,8 @@ +# Branch Prediction + +An enlightening discussion on branch prediction.[0] + +[0]: http://stackoverflow.com/questions/11227809/why-is-processing-a-sorted-array-faster-than-an-unsorted-array + + + diff --git a/post/2012-10-16-free-speech-western.md b/post/2012-10-16-free-speech-western.md new file mode 100644 index 0000000..27a738b --- /dev/null +++ b/post/2012-10-16-free-speech-western.md 
@@ -0,0 +1,7 @@ +# Free Speech in the Western World + +An interesting opinion piece on [free speech in the western world.][0] + +[0]: http://www.washingtonpost.com/opinions/the-four-arguments-the-western-world-uses-to-limit-free-speech/2012/10/12/e0573bd4-116d-11e2-a16b-2c110031514a_print.html + + diff --git a/post/2012-10-16-nyc-master-keys.md b/post/2012-10-16-nyc-master-keys.md new file mode 100644 index 0000000..9420b9b --- /dev/null +++ b/post/2012-10-16-nyc-master-keys.md @@ -0,0 +1,24 @@ +# NYC Master Keys + +[Bruce Schneier summarizes in a blog post][0] a disturbing topic regarding a New +York City locksmith selling "master keys" on eBay, providing access to various +services such as elevators and subway entrances. + +[A discussion about this blog post on Hacker News][1] yielded some interesting +conversation, including an [even more disturbing article describing how simple +it may be to create master keys][2] for a set of locks given only the lock, its +key and a number of attempts. + +[0]: http://www.schneier.com/blog/archives/2012/10/master_keys.html +[1]: http://news.ycombinator.com/item?id=4654777 +[2]: http://www.crypto.com/masterkey.html + + + +I'll let you ponder the implications of both of these topics. Here's something +to get you started: organized crime could use these keys to effectively evade +law enforcement or break into millions of "locked" homes. Crackers could gain +intimate access to various city systems whereby they may be able to further +obstruct or infect systems. A security system is only as strong as its weakest +link. Keeping citizens in the dark about these issues gives them a dangerous and +false sense of security. diff --git a/post/2012-10-16-verizon-router-backdoors.md b/post/2012-10-16-verizon-router-backdoors.md new file mode 100644 index 0000000..f4119d4 --- /dev/null +++ b/post/2012-10-16-verizon-router-backdoors.md 
@@ -0,0 +1,27 @@ +# Verizon router backdoors + +A [very disturbing article][0] makes mention of a Verizon TOS update for its +Internet service customers: + +[0]: http://www.linuxbsdos.com/2012/10/04/is-that-a-backdoor-or-an-administrative-password-on-your-verizon-internet-router/ + +> Section 10.4 was updated to clarify that Verizon may in limited instances +> modify administrative passwords for home routers in order to safeguard +> Internet security and our network, the security and privacy of subscriber +> information, to comply with the law, and/or to provide, upgrade and maintain +> service. + + + +...what? This is deeply disturbing, deeply perverted idea of security. Not only +is this a severe privacy concern (all internet traffic passes through your +router), but it's a deep *security* concern---what if a cracker is able to +figure out Verizon's password scheme, intercept the communication with your +router or otherwise? + +I recommend that you (a) use your own router, (b) change its default password if +you have not yet done so and (c) disallow remote access. Furthermore, I +recommend using a free (as in freedom) firmware such as [DD-WRT][1] if supported +by your hardware. + +[1]: http://dd-wrt.com/ diff --git a/post/2012-10-17-pacemaker-cracking.md b/post/2012-10-17-pacemaker-cracking.md new file mode 100644 index 0000000..8891f5a --- /dev/null +++ b/post/2012-10-17-pacemaker-cracking.md 
@@ -0,0 +1,34 @@ +# Crackers capable of causing pacemaker deaths + +[This article][0] demonstrates why medical devices must contain free software: +crackers are able to, with this particular type of pacemaker, exploit the device +to trigger a fatal electric shock to its host from as far as 30 feet away (the +article also mentions rewriting the firmware, which could of course be used to +schedule a deadly shock at a predetermined time). These issues would not exist +with free software, as the user and the community would be able to study the +source code and fix any defects (or hire someone who can) before placing it in +their bodies. + +[0]: http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx + + + +(Note that this article mistakenly uses the term "hacker" when they really +mean "cracker".) + +The aforementioned article is an excellent supplement to [a discussion on free +software in pacemakers][1]. In particular, I had pointed out within this +discussion [a talk by Karen Sandler of the GNOME Foundation regarding this +issue][2] at OSCON 2011, in which she mentions potential issues of proprietary +software in pacemakers and the difficulty she faced in attempting to get the +source code for one that she was considering for herself. + +The discussion on HackerNews also yielded [an article by the SFLC][3] detailing +this issue. + +(Please do not use YouTube's proprietary video player to view the mentioned +YouTube video.) + +[1]: http://news.ycombinator.com/item?id=3959547 +[2]: https://www.youtube.com/watch?v=nFZGpES-St8 +[3]: https://www.softwarefreedom.org/news/2010/jul/21/software-defects-cardiac-medical-devices-are-life-/ diff --git a/post/2012-10-18-defense-of-marriage-act.md b/post/2012-10-18-defense-of-marriage-act.md new file mode 100644 index 0000000..76f7062 --- /dev/null +++ b/post/2012-10-18-defense-of-marriage-act.md 
@@ -0,0 +1,12 @@ +# Federal Appeals Court Declares "Defense of Marriage Act" Unconstitutional + +A step in the [right direction.][0] + +It should also be noted that New York State had also [legalized same sex +marriage back in July of 2011][1]---a move I was particularily proud of as a +resident of NY state. + +[0]: http://www.aclu.org/lgbt-rights/federal-appeals-court-declares-defense-marriage-act-unconstitutional +[1]: http://en.wikipedia.org/wiki/Same-sex_marriage_in_New_York + + diff --git a/post/2012-10-18-med-device-cracking.md b/post/2012-10-18-med-device-cracking.md new file mode 100644 index 0000000..06a4e75 --- /dev/null +++ b/post/2012-10-18-med-device-cracking.md 
@@ -0,0 +1,34 @@ +# Another crack at medical device cracking + +My previous post mentioned the dangers of running non-free software on implanted +medical devices. While reading over RMS' policital notes[0], I came across [an +article mentioning how viruses are rampant on medical equipment][1]. + +> "It's not unusual for those devices, for reasons we don't fully understand, to +> become compromised to the point where they can't record and track the data," +> Olson said during the meeting, referring to high-risk pregnancy monitors. + +The devices often run old, unpatches versions of Microsoft's Windoze operating +system. The article also mentions how the maleware often attempts to include its +host as part of a botnet. + +[0]: http://stallman.org/archives/2012-jul-oct.html#18_October_2012_%28Computerized_medical_devices_vulnerable_to_viruses%29 +[1]: http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/ + + + +This is deeply concerning and incredibly dangerous. As non-free software is used +more and more in equipement that is responsible for our health and safety, we +are at increased risk for not only obvious software flaws, but also for crackers +with malicious intent; harming someone will become as easy as instructing your +botnet to locate and assassinate an individual while you go enjoy a warm (or +cold) beverage. + +These problems are *less likely* (not impossible) to occur in free software +beacuse the users and community are able to inspect the source code and fix +problems that arise (or hire someone that can)[2]. In particular, in the case of +the hospitals mentioned in [the article][1], they would be free to hire someone +to fix the problems themselves rather than falling at the mercy of the +corporations who supplied the proprietary software. + +[2]: http://www.gnu.org/philosophy/free-sw.html 
diff --git a/post/2012-10-19-aguild-v-hathitrust.md b/post/2012-10-19-aguild-v-hathitrust.md new file mode 100644 index 0000000..e9be502 --- /dev/null +++ b/post/2012-10-19-aguild-v-hathitrust.md @@ -0,0 +1,8 @@ +# Digitizing Books Is Fair Use: Author's Guild v. HathiTrust + +A New York court ruled that "digitizing" books for researched and disabled +individuals is lawful.[[0]] + +[0]: https://www.eff.org/deeplinks/2012/10/authors-guild-vhathitrustdecision + + diff --git a/post/2012-10-24-obama-wiretapping.md b/post/2012-10-24-obama-wiretapping.md new file mode 100644 index 0000000..0ad5970 --- /dev/null +++ b/post/2012-10-24-obama-wiretapping.md 
@@ -0,0 +1,28 @@ +# Obama and Warrantless Wiretapping + +The EFF has released an article with a [plethora of links describing warrantless +wiretapping under the Obama administration][0], spurred by Obama's response to +Jon Stewart's questioning on The Daily Show last Thursday. (Readers should also +be aware of the [NSA spy center][1] discussed earlier in the year, as is +mentioned in the EFF article.) + +[0]: https://www.eff.org/deeplinks/2012/10/fact-check-obamas-misleading-answer-about-warrantless-wiretapping-daily-show +[1]: http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/ + + + +It is clear that the United States government has no intent on protecting the +freedoms of individuals and instead is actively resisting attempts to correct +the problems. While we can hope that this will change, and we can be confident +that organizations like the EFF will continue to fight for our liberties, one +immediate option is to limit as much as possible what the NSA and other agencies +can discover about you. Consider using [Tor][2] for all of your network traffic +(at the very least, use HTTPS connections to prevent agencies and ISPs from viewing +specific web pages on a particular domain; HTTPS is unnecessary if using Tor.) +PGP/GPG can be used to encrypt e-mail messages to the intended recipients. Etc. + +It's unfortunate that such precautions are necessary. Privacy is important even +if you have nothing to hide; any suggestion to the contrary is absolutely +absurd. + +[2]: http://torproject.org diff --git a/post/2012-10-24-stingrays.md b/post/2012-10-24-stingrays.md new file mode 100644 index 0000000..0b76f0f --- /dev/null +++ b/post/2012-10-24-stingrays.md 
@@ -0,0 +1,15 @@ +# Stingrays: Cell Phone Privacy and Warrantless Surveillance + +How would you feel if law enforcement showed up in your living room, demanded +your cell phone, and started writing down your call history and text messages? +How would you feel if you didn't even know that they were in your home to begin +with, let alone stealing private data? [This is precisely what is happening when +law enforcement uses "Stingrays" to locate individuals][0], collecting data of +every other individual within range of the device in the process. Even *if* you +are the subject of surveillance, this is still an astonishing violation of +privacy. (Of course, law enforcement could always demand such records from your +service provider, but such an act at the very least has a paper trail.) + +[0]: https://www.eff.org/deeplinks/2012/10/stingrays-biggest-unknown-technological-threat-cell-phone-privacy + + diff --git a/post/2012-10-27-gnu-win8-launch.md b/post/2012-10-27-gnu-win8-launch.md new file mode 100644 index 0000000..b4dd3fc --- /dev/null +++ b/post/2012-10-27-gnu-win8-launch.md 
@@ -0,0 +1,63 @@ +# GNU Trick-Or-Treat---FSF Crashes Windows 8 Launch + +The FSF decided to [crash the Windows 8 launch even in New York City][0], +complete with [Trisquel][1] DVDs, FSF stickers and information about their +[pledge to upgrade to GNU/Linux instead of Windows 8][2]. + +I find this to be a fun, excellent alternative to blatant protesting that is +likely to be better received by those who would otherwise be turned off to +negativity. At the very least, the [walking gnu][3] would surely turn heads and +demand curiosity. + +[0]: http://www.fsf.org/news/activists-trick-or-treat-for-free-software-at-windows-8-launch-event-1 +[1]: http://trisquel.info/ +[2]: http://www.defectivebydesign.org/windows8 +[3]: http://www.fsf.org/blogs/community/gnus-trick-or-treat-at-windows-8-launch + + + +Here is the e-mail that was sent to the info at fsf.org mailing list: + +> Happy (almost) Halloween, everybody, +> +> You've probably been noticing Microsoft's ads for their new operating +> system -- after all, they've spent more money on them than any other +> software launch campaign in history. In fact, everything about the +> campaign has been meticulously planned and optimized, so you can +> imagine journalists' surprise when an unexpected guest showed up at an +> invite-only launch event on Thursday. +> +> Our volunteer, Tristan Chambers, was there and caught the whole thing +> on camera! Pictures here: +> . +> +> Reporters and security guards at the event weren't sure how to react +> when they were greeted by a real, live gnu. The gnu -- which, on +> closer inspection, was an activist in a gnu suit -- had come for some +> early trick-or-treating. But instead of candy, she had free software +> for the eager journalists. The gnu and the FSF campaigns team handed +> out dozens of copies of Trisquel, a fully free GNU/Linux distribution, +> along with press releases and stickers. 
Once they got over their +> confusion, the reporters were happy to see us and hear our message -- +> that Windows 8 is a downgrade, not an upgrade, because it steals +> users' freedom, security and privacy. +> +> Free software operating systems are the real upgrade, and they don't +> need a zillion-dollar launch event to prove it. To show Microsoft that +> their ads won't change our minds, we're starting an upgrade pledge: +> switch to a free OS, or if you're already using one, help a friend +> switch. We can pay Microsoft a chunk of change for their new, +> proprietary OS, or we can stand up for our freedom. The choice isn't +> as hard as Microsoft wants you to think. +> +> Sign the pledge now! -- . +> +> Thanks for making a commitment to free software. +> +> PS - If you'd like more details about the action, you can check out +> our press release here: +> . +> +> -Zak Rogoff +> Campaigns Manager + diff --git a/post/2012-10-30-abolishing-patents.md b/post/2012-10-30-abolishing-patents.md new file mode 100644 index 0000000..6b2c2e1 --- /dev/null +++ b/post/2012-10-30-abolishing-patents.md 
@@ -0,0 +1,30 @@ +# Abolishing Patents + +My issue with patents exceeds the [obvious case against software patents][0]; +indeed, I have long pondered the problems with patents in other fields. When I +hear the phrase "patent pending" or "patented technology" touted in ads, I +have never thought positive thoughts; instead, I have thought "you are damning +this otherwise excellent work to stagnation". What if someone has an excellent +idea to improve upon that particular product? Well, they'd better be prepared to +jump through some hoops or shell out some hefty licensing fees. Or maybe it's +just easier to abandon the idea entirely and forget that it had never happened. + +[0]: http://patentabsurdity.com/ + + + +However, I thought, it's not a simple case of ridding the world of patents. +How would that affect the incentive to innovate? How would people recoup +expensive R&D costs, especially in industries like pharmacy (both my parents are +pharmacists)? What about the incentive to describe your invention to the world? +Then again, nobody *has* to get a patent for their invention. It may be worth +keeping it secret if nobody can figure it out. + +The answers to all of these questions appeared in one place: [The Case Against +Patents][1], which I found referenced in an article regarding the [Swedish Pirate +Party's opinions on patents, trademarks and copyright][2]. While it is still a +draft at the time of this writing, I encourage you to give it a read, as it is +very enlightening. + +[1]: http://research.stlouisfed.org/wp/2012/2012-035.pdf +[2]: http://falkvinge.net/2012/10/13/what-the-swedish-pirate-party-wants-with-patents-trademarks-and-copyright/ diff --git a/post/2012-10-30-dcma-jailbreaking.md b/post/2012-10-30-dcma-jailbreaking.md new file mode 100644 index 0000000..05595c3 --- /dev/null +++ b/post/2012-10-30-dcma-jailbreaking.md 
@@ -0,0 +1,18 @@ +# Jailbreaking and DCMA---EFF Touts Victory, FSF Warns Of Failure + +While the [EFF is pleased to announce][0] that the Copyright Office has [renewed +DMCA exceptions upholding jailbreaking rights for cellphones][1], the FSF +cautions that [this right has not been extended to tablets, game consoles or +even PCs with restricted boot][2]. + +[0]: https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video +[1]: http://www.copyright.gov/fedreg/2012/77fr65260.pdf +[2]: http://www.fsf.org/blogs/licensing/copyright-office-fails-to-protect-users-from-dmca + + + +It should be noted that the EFF also successfully gained protection for the use +of short copyrighted clips in remixing,[0] and while this is a positive step +forward in its own, the implications of the first paragraph should not be +ignored. + diff --git a/post/2012-10-30-openwireless.md b/post/2012-10-30-openwireless.md new file mode 100644 index 0000000..7dda51e --- /dev/null +++ b/post/2012-10-30-openwireless.md 
@@ -0,0 +1,30 @@ +# OpenWireless.org + +The EFF [announces the launch of openwireless.org][0], which encourages users to +[share their network connections][1] to create a global network of freely +available wireless internet access. + +This is a noble movement. This reminds me of a point in history when MIT began +password protecting their accounts, which were previously open to anyone. +Stallman, disagreeing with such a practice, [encouraged users to create empty +passwords][2]. Stallman would even give out his account information so that +remote users may log into MIT's systems, all with good intent. + +[0]: https://www.eff.org/deeplinks/2012/10/why-we-have-open-wireless-movement +[1]: https://www.openwireless.org/ +[2]: http://shop.fsf.org/product/free-as-in-freedom-2/ + + + +Of course, with malice rampant in today's very different world, Stallman's +actions, although noble, would be both naive and a huge security risk. +Fortunately, [opening your wireless network isn't necessarily one of these +risks][3] and, if done properly, does not equate to opening your private network +to attack. + +Consider using [DD-WRT][4] as your router's firmware, if supported by your +device, as it is itself [free software][5]. + +[3]: https://openwireless.org/myths +[4]: http://dd-wrt.com +[5]: http://www.gnu.org/philosophy/free-sw.html diff --git a/post/2012-10-30-trademark-bullying.md b/post/2012-10-30-trademark-bullying.md new file mode 100644 index 0000000..78cb284 --- /dev/null +++ b/post/2012-10-30-trademark-bullying.md 
@@ -0,0 +1,12 @@ +# "Trademark" Bullying + +There's two problems with this post from the EFF describing [The Village Voice +suing Yelp for "Best of" trademark infringement][0]: firstly, there's the +obvious observation that such a trademark should not have been permitted by the +USPTO to begin with. Secondly---why do entities insist on gaming the system in +such a terribly unethical manner? It takes a special breed of people to do such +a thing. + +[0]: https://www.eff.org/deeplinks/2012/10/stupid-lawyer-tricks-and-government-officials-who-are-helping-them + + diff --git a/post/2012-10-30-ubuntu-amazon-ads.md b/post/2012-10-30-ubuntu-amazon-ads.md new file mode 100644 index 0000000..57f2eae --- /dev/null +++ b/post/2012-10-30-ubuntu-amazon-ads.md @@ -0,0 +1,15 @@ +# Ubuntu 12.10 Privacy: Amazon Ads and Data Leaks + +The EFF [cautions that Ubuntu 12.10 leaks user information to Amazon by +default][0] rather than requiring the user to opt *into* the system. + +Of course, I cannot recommend that you use Ubuntu, as it encourages the +installation of non-free device drivers, readily enables non-free software +repositories and contains non-free components in its kernel.[1] Instead, +consider a [fully free GNU/Linux distribution like Trisquel][2]. + +[0]: https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks +[1]: http://www.fsfla.org/svnwiki/selibre/linux-libre/ +[2]: https://trisquel.info + + diff --git a/post/2012-11-03-bahrain-rallying.md b/post/2012-11-03-bahrain-rallying.md new file mode 100644 index 0000000..02c377e --- /dev/null +++ b/post/2012-11-03-bahrain-rallying.md @@ -0,0 +1,8 @@ +# Ban On Public Rallying and Demonstrations in Bahrain + +The government of Bahrain found that the best solution to preventing violent +protests was to [ban all public rallying and demonstrations][0]. + +[0]: https://www.eff.org/deeplinks/2012/11/bahrain-goes-bad-worse + + 
diff --git a/post/2012-11-03-eff-dmca.md b/post/2012-11-03-eff-dmca.md new file mode 100644 index 0000000..6d28d89 --- /dev/null +++ b/post/2012-11-03-eff-dmca.md @@ -0,0 +1,8 @@ +# EFF Elaborates On DCMA Ruling + +In addition to my aforementioned links, the EFF has provided [a more detailed +analysis][0] of the decision. + +[0]: https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve + + diff --git a/post/2012-11-05-cali-prop-35.md b/post/2012-11-05-cali-prop-35.md new file mode 100644 index 0000000..22f5a9f --- /dev/null +++ b/post/2012-11-05-cali-prop-35.md @@ -0,0 +1,22 @@ +# California Proposition 35 Concerns + +The EFF [points out problems with California's Proposition 35][0], which would, +among other things, [require registered sex offenders to "disclose Internet +activities and identities"][1]: + +[0]: https://www.eff.org/deeplinks/2012/11/eff-urges-no-vote-california-proposition-35 +[1]: http://voterguide.sos.ca.gov/propositions/35/ + + + +> [...] Proposition 35 would force individuals to provide law enforcement with +> information about online accounts that are wholly unrelated to criminal +> activity – such as political discussion groups, book review sites, or blogs. +> In today’s online world, users may set up accounts on websites to communicate +> with family members, discuss medical conditions, participate in political +> advocacy, or even listen to Internet radio. An individual on the registered +> sex offender list would be forced to report each of these accounts to law +> enforcement within 24 hours of setting it up – or find themselves in jail. +> This will have a powerful chilling effect on free speech rights of tens of +> thousands of Californians. + diff --git a/post/2012-11-05-mediagoblin-grant.md b/post/2012-11-05-mediagoblin-grant.md new file mode 100644 index 0000000..72e8320 --- /dev/null +++ b/post/2012-11-05-mediagoblin-grant.md 
@@ -0,0 +1,14 @@ +# MediaGoblin $10k Matching Grant + +Congratulations to MediaGoblin for not only [meeting the $10k matching grant +from a generous anonymous donor][0], but also for raising $36k to date. + +[MediaGoblin][1] is a "free software media publishing platform that anyone can +run"; it is a distributed, free (as in freedom) alternative to services such as +YouTube, Flickr and others, and is part of the [GNU project][2]. + +[0]: http://mediagoblin.org/news/we-made-10k-matching.html +[1]: http://mediagoblin.org/ +[2]: http://gnu.org/ + + diff --git a/post/2012-11-05-nsa-useless.md b/post/2012-11-05-nsa-useless.md new file mode 100644 index 0000000..5848581 --- /dev/null +++ b/post/2012-11-05-nsa-useless.md @@ -0,0 +1,9 @@ +# Another Useless, False-Sense-Of-Security NSA Security Tactic + +A police officer [recalls a time he went through airport security][0] and +received a patdown from one of the security agents, which he found to be +absolutely useless. + +[0]: http://www.gizmodo.co.uk/2012/10/search-me/ + + diff --git a/post/2012-11-06-voting-machine-alter.md b/post/2012-11-06-voting-machine-alter.md new file mode 100644 index 0000000..0e9e914 --- /dev/null +++ b/post/2012-11-06-voting-machine-alter.md @@ -0,0 +1,11 @@ +# Video of 2012 Voting Machine Altering Votes + +A Reddit user [posted video of a 2012 voting machine preventing him from +selecting Barak Obama][0]. Malfunction or not, this is the type of thing that +could have possibly been caught if the software were free. Furthermore, from +reading the source code, one would be able to clearly tell whether or not it was +a bug or an intentional "feature". + +[0]: http://thenextweb.com/shareables/2012/11/06/reddit-user-captures-video-of-2012-voting-machines-altering-votes/ + + diff --git a/post/2012-11-14-olpc-ethiopia.md b/post/2012-11-14-olpc-ethiopia.md new file mode 100644 index 0000000..e56599f --- /dev/null +++ b/post/2012-11-14-olpc-ethiopia.md 
@@ -0,0 +1,19 @@ +# OLPC Tablet in Ethiopia + +A story mentions how [Ethiopian kids quickly learned to read and use tablet +PCs][0] provided by the [One Laptop Per Child][1] project. This is not only a +noble feat (as we would expect from OLPC), but also an impressive one, +considering that (as the article mentions) the children did not know how to +read, even in their own language. + +[0]: http://dvice.com/archives/2012/10/ethiopian-kids.php +[1]: http://one.laptop.org/ + + + +Now, while the OLPC does have [its own tablet][2], the article mentions that the +[children were given Motorola Zoom tablets][0]; I would hope that they run free +software to encourage freedom in these developing countries and to encourage the +children to hack and explore their devices in even greater detail. + +[2]: http://one.laptop.org/about/xo-3 diff --git a/post/2012-11-17-us-copyright-alert-system.md b/post/2012-11-17-us-copyright-alert-system.md new file mode 100644 index 0000000..d745dc9 --- /dev/null +++ b/post/2012-11-17-us-copyright-alert-system.md @@ -0,0 +1,10 @@ +# U.S. "Copyright Alert System" + +[The EFF warns][0] of [the "Copyright Alert System"][1]---a government +endorsed spy system---that will launched shortly to monitor peer-to-peer +networks for so-called "infringing" activity. + +[0]: https://www.eff.org/deeplinks/2012/11/us-copyright-surveillance-machine-about-be-switched-on +[1]: http://www.copyrightinformation.org/alerts + + diff --git a/post/2012-11-17-vlc-lgpl.md b/post/2012-11-17-vlc-lgpl.md new file mode 100644 index 0000000..0c125dc --- /dev/null +++ b/post/2012-11-17-vlc-lgpl.md 
@@ -0,0 +1,160 @@ +# VLC's Move to LGPL + +Jean-Baptiste Kempf of the VLC project explains that "most of the code of VLC" +has been [relicensed under the LGPL][0], moving *away from* the GPL. Some of the +reasons for the move include "competition, necessity to have more professional +developers around VLC and AppStores".[1] (With the "AppStore" comment, +Jean-Baptiste is likely referring to issues regarding free software in Apple's +App Store, which [the FSF has discussed on their website][2].) + +This is unfortunate; using the LGPL in place of the GPL is [not encouraged for +free software projects][3] because, while it ensures the freedom of the project +itself, it does not encourage the development of free software that *uses* the +project---the LGPL allows linking with proprietary software. Let's explore the +aforementioned reasons in a bit more detail. + +[0]: http://www.jbkempf.com/blog/post/2012/I-did-it +[1]: http://www.jbkempf.com/blog/post/2012/How-to-properly-relicense-a-large-open-source-project +[2]: http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement +[3]: http://www.gnu.org/licenses/why-not-lgpl.html + + + +Firstly, let us consider the issue of competition. In one of the [discussions on +Hacker News][4], I pointed out the distinction between "open source" and Free +Software: + + [...] + It is important to understand the distinction between "open source" and "free + software". Open source focuses on the benefits of "open" code and development + and how it can create superior software. Free Software focuses on the ethical + issues---while free software developers certainly want contributors, the + emphasis is on the fact that the software respects your freedom and, for that, + it's far superior to any other proprietary alternative; free software users + constantly make sacrifices in functionality and usability, and we're okay with + that. + + [http://www.gnu.org/philosophy/open-source-misses-the-point.html][5] + [...] 
+ +In this sense, why should competition be considered for software freedom, unless +it is between two free software projects, encouraging innovation in conjunction +*with* freedom? In such a case, one wouldn't change the software license from +the GPL to the LGPL, because the LGPL is less pursuant toward those freedoms. +Therefore, VLC instead adopts the ["open source"][5] development model, as it +cares more for competition. + +The next concern was to "have more professional developers around VLC".[1] Is +this to imply that free software hackers cannot be professional developers? I +certainly am. Consider projects like the kernel Linux---many companies have +contributed back to that project, which is licensed under the GPLv2. If the goal +is to have more people contributing to your project, then a license like the GPL +is certainly best, as it puts a legal obligation on the distributor to release +the source code, which the parent project may then incorporate. Now, the LGPL +also forces this (except for linked software); since the only [differences +between the GPL and the LGPL][6] deal with the linking exception, this means +that the author is either (a) mistaken in the concern or (b) wishes for more +*proprietary* development around VLC. Alternatively, the author may be +concerned that the GPL introduces compatibility issues between whatever other +"open source" license developers wish to use when linking VLC code, but +again---that means that VLC is devaluing freedom. Risky business, but this is +the model that BSD follows (permitting proprietary derivatives of the entire +software---not just linking---and receiving contributions back from proprietary +software makers.) + +Finally, let us consider the issue of Apple's App Store. 
This is issue is +certainly of strong concern---Apple's products are very popular and yet they do +not even make an attempt to respect the users' freedoms either with their +software or with any of the software they allow on their "App Store".[2] +However, Jean-Baptiste has made a fatal mistake---we should not be changing our +licenses to suit Apple! In effect, that is giving Apple even more power over +free software by allowing them to exert control not only over their users, but +also over the developers of the users' favorite software! We should instead +express our condolences with those users and suggest instead that they adopt a +device or operating system that respects their freedom, or that they jailbreak +their devices (which is [still legal][7]). + +I'll end this commentary with an additional response of mine from the +[aforementioned Hacker News thread][4]: + +> The freedoms represent an ethical issue---that software developers have +> unprecedented control over their users. Why should I, as a hacker, be able +> to tell you what you can and cannot do with your device? Furthermore, it +> raises deep privacy issues---what kind of data am I collecting and why +> should I have that data? +> +> I entered the free software movement slowly (I began software development on +> Windows as a young boy and was trained to think that bossing the user around +> was a good thing; I thought it was fun to write DRM system and +> anti-features). I began using GNU/Linux while still rationalizing my use of +> proprietary software through Wine or by dual-booting into Windows. I then +> saw the benefits of the "open source" development model. It wasn't until I +> spent the time researching the reasons behind the free software movement +> that things began to click. I was able to look back on everything I learned +> as a developer for Windows and see that I enjoyed the thought of controlling +> my users. 
I enjoyed the power I got from programming---programming was +> empowerment, and the only way to squeeze the money out of those unsuspecting +> users was to do it forcefully. +> +> People have fundamentally different philosophies when it comes to +> programming. Do all proprietary software developers do so out of greed? On +> some level, sure---they're not contributing that code so that others may +> benefit from it. But are they doing it for the purpose of controlling their +> users? Not necessarily, but they still are, even if they have the best of +> intentions. Is someone who creates proprietary educational software for +> children in third world companies "evil"? Certainly not. The problem is that +> they're denying them an additional right---the right to modify that +> software, learn from it and use their devices as they please. +> +> Of course, we often see proprietary software used unethically, often times +> for vendor lock-in or greed; corporations are worried that if they lighten +> their grip on their users, that the users may run, or worse, do something +> [il]legal. I don't believe that is the place of software developers. I +> remember, back when I used Windows, I was obsessed with magic/illusion. I +> purchased a ton of videos online teaching me various magic tricks, but the +> videos were laced with DRM (which, at the time, as a Windows developer, I +> applauded). The problem was, that I then upgraded my hardware. My videos no +> longer worked. I contacted them for a new key, and could view them again. +> Then I got a new PC. And now I use GNU/Linux. I can no longer watch those +> videos that I purchased because of this unnecessary, artificial restriction. +> Was I going to distribute those videos? No. Did that prevent others from +> stripping the restrictions and distributing it anyway? Certainly not. 
I was +> being punished for others' actions and the others weren't any worse off from +> the restrictions, because they understood how to defeat them. +> +> Of course, DRM's only one of the many issues (and DRM cannot exist in free +> software, because the community would simply remove the anti-feature). What +> if I were using some software---let's say Photoshop---and it crashed on me +> in the middle of my work. Crap. Well, if I were using GIMP, I would run gdb +> on the core dump (assuming a segfault) and inspect the problem. I would try +> to repeat it. I could, if I wanted to, get my hands on the source code, fix +> the problem and distribute that fix to others. If I didn't have the time or +> ability, others could fix the problem for me, and we have the right to share +> those changes. We have the right to benefit from those changes. With +> Photoshop, we'd better start waiting. What if I was able to magically come +> up with a fix, perhaps by modifying the machine code? Hold on---I'm not +> allowed to do that! And I'm certainly not allowed to distribute that fix to +> others. And I'm certainly not allowed to give my son a copy for his PC if he +> wanted to do an art project for school. +> +> The FSF provides a great deal of information on their philosophy: +> . You could also gain a great deal of +> insight by reading up on the history: +> or by reading RMS' +> essays: . +> +> And ultimately, you may find that you do not agree with our +> philosophy---many don't. That's certainly your right, and I respect that. +> What I cannot respect, and will not respect, is when that philosophy is used +> to exert control over others. +> +> (As a final note: many say we control developers through our "viral" +> licenses. But keep in mind that we're trying to protect the users *from* +> developers. This means taking power away from developers. This is +> intentional.) 
+ +[4]: http://news.ycombinator.com/item?id=4787965 +[5]: http://www.gnu.org/philosophy/open-source-misses-the-point.html +[6]: http://www.gnu.org/licenses/lgpl.html +[7]: https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video + diff --git a/post/2012-11-19-copyright-reform.md b/post/2012-11-19-copyright-reform.md new file mode 100644 index 0000000..c67c814 --- /dev/null +++ b/post/2012-11-19-copyright-reform.md @@ -0,0 +1,16 @@ +# Copyright Reform? You're silly. + +Amazingly, the Republican Study Committee (RSC) had [released a report +suggesting copyright reform][0]. Of course, that's a silly thing to do when +you're in bed with organizations like the MPAA and RIAA; [the report was quickly +retracted][1]. + +It would have been a surprising step forward; maybe there's hope yet, assuming +the GOP can get a handle on itself. + +(Disclaimer: I have no party affiliation.) + +[0]: http://www.techdirt.com/articles/20121116/16481921080/house-republicans-copyright-law-destroys-markets-its-time-real-reform.shtml +[1]: http://www.techdirt.com/articles/20121117/16492521084/hollywood-lobbyists-have-busy-saturday-convince-gop-to-retract-copyright-reform-brief.shtml + + diff --git a/post/2012-11-19-privacy-petraeus.md b/post/2012-11-19-privacy-petraeus.md new file mode 100644 index 0000000..8f82b5c --- /dev/null +++ b/post/2012-11-19-privacy-petraeus.md 
@@ -0,0 +1,58 @@ +# Privacy In Light of the Petraeus Scandal + +I'm not usually one for scandals (in fact, I couldn't care less who government +employees are sleeping with). However, it did bring up deep privacy +concerns---how exactly did the government get a hold of the e-mails? + +The [EFF had released an article answering some questions][0] about the scandal, +which is worth a read. In particular, you should take a look at the [EFF's +Surveillance Self-Defense website][1] for an in-depth summary of the laws +surrounding government surveillance and tips on how to protect against it. + +[0]: https://www.eff.org/deeplinks/2012/11/when-will-our-email-betray-us-email-privacy-primer-light-petraeus-saga +[1]: https://ssd.eff.org + +I'd like to touch upon a couple things. In particular, [the article mentions][0]: + + + +> Broadwell apparently accessed the emails from hotels and other locations, not +> her home. So the FBI cross-referenced the IP addresses of these Wi-Fi +> hotspots "against guest lists from other cities and hotels, looking for common +> names." + +To stay anonymous in this situation, one should [consider using Tor][2] to mask +his/her IP address. Additionally, remove all cookies (or use your browser's +privacy mode if it will disable storing and sending of cookies for you) and +consider that your User Agent may be used to identify you, especially if +maleware has inserted its own unique identifiers. + +Also according to [the EFF article][0]: + +> According to reports, Patraeus and Broadwell adopted a technique of drafting +> emails, and reading them in the draft folder rather than sending them. + +That didn't work out so well. Consider [encrypting important communications][3] +using GPG/PGP so that (a) the e-mail cannot be deciphered in transit and (b) the +e-mail can only be read by the intended recipient. 
Of course, you are then at +risk of being asked to divulge your password, so to avoid the situation +entirely, it would be best to delete the e-mails after reading them. +Additionally, if you host your own services, it may be wise to host your own +e-mail (guides for doing this vary between operating system, but consider +looking at software like [Postfix][4] for mail delivery and maybe [Dovecot][5] +for retrieval). + +Privacy isn't only for those individuals who are trying to be sneaky or cheat on +their spouses. Feel free joining the EFF in trying to reform the ECPA to respect +our privacy in this modern era; storing a document digitally shouldn't change +its fundamental properties under the law. + +I'd also encourage you to read [Schneier's post on this topic][6], which +summarizes points from many articles that I did not cover here. + +[2]: https://ssd.eff.org/tech/tor +[3]: https://ssd.eff.org/tech/encryption +[4]: http://www.postfix.org +[5]: http://www.dovecot.org/ +[6]: http://www.schneier.com/blog/archives/2012/11/e-mail_security.html + diff --git a/post/2012-12-01-tor-node-raid.md b/post/2012-12-01-tor-node-raid.md new file mode 100644 index 0000000..d6868b1 --- /dev/null +++ b/post/2012-12-01-tor-node-raid.md @@ -0,0 +1,9 @@ +# Tor exit node operator raided in Austria + +[These things][0] mustn't be allowed to happen; they are an affront to privacy. +Tor exit node operators should not have to fear conviction for activities they +themselves did not perform. + +[0]: http://www.lowendtalk.com/discussion/6283/raided-for-running-a-tor-exit-accepting-donations-for-legal-expenses + + diff --git a/post/2012-12-06-email-warrant-us.md b/post/2012-12-06-email-warrant-us.md new file mode 100644 index 0000000..e924afc --- /dev/null +++ b/post/2012-12-06-email-warrant-us.md 
@@ -0,0 +1,10 @@ +# Warrants For E-mails in the United States + +The [Senate Judiciary Committee passed an amendment][0] that requires that they +receive a warrant before spying on our e-mails. + +This is excellent; let us hope that it becomes law. + +[0]: https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act + + diff --git a/post/2012-12-22-free-copyright-assign.md b/post/2012-12-22-free-copyright-assign.md new file mode 100644 index 0000000..7b6ea75 --- /dev/null +++ b/post/2012-12-22-free-copyright-assign.md 
@@ -0,0 +1,53 @@ +# Copyright Assignment Of Free Software Projects + +An [e-mail today from Paolo Bonzini][0], a maintainer of GNU sed, has prompted +additional discussion regarding copyright assignment to corporate entities; in +particular, the discussion focuses on copyright assignment to the FSF under the +GNU project. + +[0]: http://article.gmane.org/gmane.comp.lang.smalltalk.gnu.general/7873 + + + +An [article by Michael Kerrisk on LWN.net][1], posted a couple days earlier, +touches on the [same issue brought up by GnuTLS earlier in the month][2]. The +disagreements from the two aforementioned individuals of the GNU-maintained +projects prompt a thoughtful analysis of whether copyright assignment is +appropriate for your own free software project[1]. In contrast, consider the +[developer certificate of origin][3] policy adopted by the Linux project, under +which contributors maintain copyright for their contributions. + +There are benefits and downsides to both models---if a project requires +copyright assignment (such as the GNU projects), then enforcement and license +modifications are simplified. As an example, if the Linux project wanted to move +to the GPLv3, they would have to contact each contributor (a similar move was +done recently [by the VLC project][4], except that they moved from the GPL to +the LGPL). However, the Linux project has a much smaller barrier to entry---they +need not [assign copyright of their contributions to the project (such as is the +case with GNU)][5], meaning that individuals may be more likely to contribute. + +One of the major benefits touted by the FSF for copyright assignments from +contributors is [copyright enforcement][6]---another complication that would +arise from enforcing the GPL in a project such as Linux. That said, as the LWN +article mentions[2], what if [the FSF cannot find the time to enforce the +copyright on a project violation][7]? 
Then again, what of the flipside---do you +have the time or money to enforce violations on your own projects were they not +assigned to a corporation like the FSF? + +These are interesting discussions and certainly things that should be considered +when determining how to handle both contributions and the copyright for your +entire project. Ultimately, that decision falls on you, the author/maintainer, +and your needs. + +(Disclaimer: I am an associate member of the Free Software Foundation. This +article does not reflect any of my personal opinions; whether or not I would +assign copyright to the FSF for any of my projects would be determined based on +the goals and plan of that particular project.) + +[1]: http://lwn.net/SubscriberLink/529522/854aed3fb6398b79/ +[2]: http://lwn.net/Articles/529558/ +[3]: http://elinux.org/Developer_Certificate_Of_Origin +[4]: http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html +[5]: http://git.savannah.gnu.org/cgit/gnulib.git/tree/doc/Copyright/assign.changes.manual#n64 +[6]: http://www.gnu.org/licenses/why-assign.html +[7]: http://lwn.net/Articles/529777/ diff --git a/post/2012-12-28-fisa-5yr.md b/post/2012-12-28-fisa-5yr.md new file mode 100644 index 0000000..0c7b9ff --- /dev/null +++ b/post/2012-12-28-fisa-5yr.md 
@@ -0,0 +1,46 @@ +# Congress Approves FISA For Another 5 Years + +At a [vote of 73-23][0], Congress has voted to [extend FISA warentless spying +bill by five more years[1], even shooting down [proposed amendments][2] to the +bill.[3] + +[0]: https://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=112&session=2&vote=00236 +[1]: https://www.eff.org/deeplinks/2012/12/congress-disgracefully-approves-fisa-warrantless-eavesdropping-bill-five-more +[2]: https://www.eff.org/deeplinks/2012/12/why-we-should-all-care-about-senates-vote-fisa-amendments-act-warrantless-domestic +[3]: http://arstechnica.com/tech-policy/2012/12/as-senate-votes-on-warrantless-wiretapping-opponents-offer-fixes/ + + + +Thank you to those senators that [opposed the bill][0]: + +> Akaka (D-HI); +> Baucus (D-MT); +> Begich (D-AK); +> Bingaman (D-NM); +> Brown (D-OH); +> Cantwell (D-WA); +> Coons (D-DE); +> Durbin (D-IL); +> Franken (D-MN); +> Harkin (D-IA); +> Leahy (D-VT); +> Lee (R-UT); +> Menendez (D-NJ); +> Merkley (D-OR); +> Murkowski (R-AK); +> Murray (D-WA); +> Paul (R-KY); +> Sanders (I-VT); +> Schatz (D-HI); +> Tester (D-MT); +> Udall (D-CO); +> Udall (D-NM); +> Wyden (D-OR). + +Unfortunately, the two senators from my own state cannot join that list. + +The [EFF has sumarized the surveillance issues of 2012][4] recently on their +website. + +[4]: https://www.eff.org/deeplinks/2012/12/2012-review-effs-fight-against-secret-surveillance-law + diff --git a/post/2013-01-01-new-year.md b/post/2013-01-01-new-year.md new file mode 100644 index 0000000..2716378 --- /dev/null +++ b/post/2013-01-01-new-year.md @@ -0,0 +1,9 @@ +# Happy New Year + +The greatest excitement in moving into a new year is the prospect of quantified +growth. + +Of course, it also means another year to look forward to the health of those you +care for. + + diff --git a/post/2013-01-07-dna-collection.md b/post/2013-01-07-dna-collection.md new file mode 100644 index 0000000..e0fea7d --- /dev/null 
+++ b/post/2013-01-07-dna-collection.md @@ -0,0 +1,29 @@ +# DNA Collection + +Consider a recent article from the EFF [regarding "Rapid DNA Analyzers"][0]. +The article poses the potetial issues involved, but also consider that any DNA +collected (if not destroyed) would violate not just your privacy, but your +entire blood line. What if DNA from immigrants were collected? Much of that +information is inherited, so generations down the line, your privacy is still +violated. + +[0]: https://www.eff.org/deeplinks/2012/12/rapid-dna-analysis + + + +I cannot comment intelligently on the matter since I haven't read deeply enough +into the proposed storage/hashing/etc policies, but those polices can be abused +and such data can be leaked. I highly oppose any sort of DNA collection outside +of personal at-home use (when the technology is available with free software) +and use by medical professionals for personal medical reasons so long as the +institution performing the test can provide stringent evidence of its +destruction. But even then, if law enforcement somehow got a hold of the DNA +before it were destroyed, then the problem still exists, so it would be best if +you had your own personal tools to analyze your own DNA and distribute only the +portions that were required (and encryption tools like [GPG][1] could be used +for distribution). + +One day, but not now. Let's make those scanners affordable and run free +software. + +[1]: http://www.gnupg.org/ diff --git a/post/2013-01-07-uspto-freefw-community.md b/post/2013-01-07-uspto-freefw-community.md new file mode 100644 index 0000000..1d36e3f --- /dev/null +++ b/post/2013-01-07-uspto-freefw-community.md 
@@ -0,0 +1,15 @@ +# USPTO Wants To Hear From Software Community + +The [USPTO wants to hear from the software community][0]. Interesting, but the +problem is that the "software community" includes more than just those who +find software patents to be an abomination. + +I have [mentioned issues with software patents in a previous post][1], but one +resource that may be worth looking at direclty is ["The Case Against +Patents"][2] [pdf]. + +[0]: http://www.groklaw.net/article.php?story=20130104012214868 +[1]: http://mikegerwitz.com/thoughts/2012/10/Abolishing-Patents.html +[2]: http://research.stlouisfed.org/wp/2012/2012-035.pdf + + diff --git a/post/2013-01-14-lulu-bye-drm.md b/post/2013-01-14-lulu-bye-drm.md new file mode 100644 index 0000000..53f4d38 --- /dev/null +++ b/post/2013-01-14-lulu-bye-drm.md 
@@ -0,0 +1,41 @@ +# LuLu Says Goodbye to DRM + +On January 8th, [LuLu announced that they would be dropping DRM][0] for users +who "[download] eBooks directly from Lulu.com to the device of their choice". +This is a wise move (for [those of us who oppose DRM][1]), but unfortunately, as +John Sullivan of the Free Software Foundation noted on the fsf-community-team +mailing list, the [comments on LuLu's website][0] are not all positive: + +[0]: http://www.lulu.com/blog/2013/01/drm-update/ +[1]: http://defectivebydesign.org/ + +> This is a positive development, but unfortunately there has been a lot +> of negative reaction in the comments on their announcement. +> +> It'd be great if people could chime in and support them their move away +> from DRM. + + + +At first glance, certain authors seem to be concerned that the absense of DRM +will lead to ["more illegal file sharing"][0]: + +> [...] I’ve got copies of my non-DRM ebooks all over the torrent sites and +> thousands of downloads registered, for which I haven’t received a cent. As +> soon as you push for them to be taken down, they’re posted up again. + +While it is unfortunate that those authors are not receiving compensation for +their hard work, it should be noted that this problem exists even *with* +DRM, so it is not a valid argument toward keeping it. + +I applaud this move by LuLu, though I'm disappointed to see [this comment in the +original post][0]: + +> Companies like Amazon, Apple and Barnes & Noble integrate a reader’s +> experience from purchasing to downloading and finally to reading. These +> companies do a fantastic job in this area, and eBooks published through Lulu +> and distributed through these retail sites will continue to have the same +> rights management applied as they do today. + +They do not do it well; no DRM is good DRM. + diff --git a/post/2013-01-26-re-fsf-waste-high-priority.md b/post/2013-01-26-re-fsf-waste-high-priority.md new file mode 100644 index 0000000..8725de1 
--- /dev/null +++ b/post/2013-01-26-re-fsf-waste-high-priority.md 
@@ -0,0 +1,171 @@ +# Re: FSF Wastes Away Another "High Priority" Project + +A couple days ago, my attention was drawn to an article on Phoronix that +[criticized the FSF for its decision to stick with GPLv3 over GPLv2 on +LibreDWG][0] due to the number of projects that make use of it---licensed under +the GPLv2---under [a now incompatible][1] license. This article is very negative +and essentially boils down to this point (the last paragraph): + +> Unless the Free Software Foundation becomes more accomodating [sic] of these +> open-source developers -- who should all share a common goal of wanting to +> expand free/open-source software -- LibreDWG is likely another project that +> will ultimately waste away and go without seeing any major adoption due to +> not working with the GPLv2. + +It it worth mentioning why this view is misguided (though understandable for +those who adopt the ["open source" philosophy over that of software +freedom][2]). + +[0]: http://www.phoronix.com/scan.php?page=news_item&px=MTI4Mjc +[1]: http://www.gnu.org/licenses/gpl-faq.html#WhatDoesCompatMean +[2]: http://www.gnu.org/philosophy/open-source-misses-the-point.html + + + +Let me start with [this paragraph from the Phoronix article][0]: + +> The Free Software Foundation was contacted about making LibreDWG GPLv2+ +> instead (since the FSF is the copyright holder), but the FSF/Richard Stallman +> doesn't the DWG library on the earlier version of their own open-source +> license. + +The FSF's founding principle is that of [software freedom][3] (beginning with the +GNU project). Now, consider the reason for the creation of the GPLv3---the GPLv2 +[could not sufficiently protect against][4] software patents and newer threats such +as "tivoization". These goals further the FSF's mission of ensuring---in +this case---that free software *remains* free ([a concept that RMS coined +"copyleft"][5]). 
It would make sense, then, that the FSF (and RMS') position is +that [it is important that we adopt the GPLv3 for our software][6]. + +From this perspective, it does not make sense to "downgrade" LibreDWG's +license to the GPLv2, which contains various bugs that have since been patched +in GPLv3---it is not pursuant to the FSF's goals. (Of course, not all agree with +the GPLv3; one such notable disagreement (as well as issues +stemming from copyright assignment) leaves the kernel Linux [perpetually licensed +under the GPLv2][7] since it does not contain the ["or later" clause][8]). + +That is not to say that the author's concern is not legitimate---a number of +projects are licensed under the GPLv2 and therefore cannot use the newer (and +improved) versions of LibreDWG that are licensed under the GPLv3 (unless they +were to upgrade to the GPLv3, of course). Whether or not upgrading is feasible +(e.g., in the case of the kernel Linux, it is not) is irrelevant---let us +instead focus on the issue of adoption under the assumption that the project is +either unwilling or unable to make use of a library licensed under the GPLv3. + +As aforementioned, [the author focuses on the issue of adoption][0]: + +> LibreDWG is likely [...to] go without seeing any major adoption due to not +> working with the GPLv2 + +A focus on adoption is a [focus of "open source", not free software][2], the +latter of which the FSF represents. With a focus on software freedom, the goal +is to create software that respects the [users' four essential freedoms][9]; if +the software is adopted and used, great! However, freedom should never be +sacrificed in order to encourage adoption. 
One may argue that "downgrading" to +the GPLv2 is not sacrificing freedom because the software is still free (it is +even the GPL)---but it is important to again realize that the GPLv3 is "more +free" than the GPLv2 in the sense that it [*protects* additional freedoms][6]; +so, while the GPLv2 isn't necessarily sacrificing users' freedoms directly, it +does have such an indirect effect through means of enforcement. + +A reader familiar with GNU may then point out the LGPL---the Lesser General +Public License---under which popular (and very important) [libraries such as +glibc are licensed][10]. In fact, one could extend this argument to any +library---why not have LibreDWG licensed under the LGPL to avoid this problem in +its entirety, while still preserving the users' freedoms for that library in +itself? This understanding requires a brief lesson in history---the rationale +under which the LGPL was born. [To quote the GNU project][11]: + +> Using the ordinary GPL is not advantageous for every library. There are +> reasons that can make it better to use the Lesser GPL in certain cases. The +> most common case is when a free library's features are readily available for +> proprietary software through other alternative libraries. In that case, the +> library cannot give free software any particular advantage, so it is better to +> use the Lesser GPL for that library. + +It was for this reason that glibc was released under the LGPL---because it was +better to have the users adopt some sort of free software than none at all; +there were other alternatives that existed that users may flock to if they were +forced to liberate their own proprietary software (after all, the C API is also +standardized, so such a feat would be trivial). Now that glibc has since matured +greatly, it could be argued today that it has proved its usefulness and the LGPL +may no longer be necessary, but such a discussion is not necessarily relevant +for this conversation. 
+ +What is important is that [the FSF does not recommend the LGPL for most +libraries][11] because that would encourage proprietary software developers to +take advantage of both the hard work of the free software community and the +users of the software. Now, I cannot speak toward the alternatives to +LibreDWG---do there exist proprietary alternatives that are reasonable +alternatives to non-commercial projects? I do not have experience with the +library. However, I hope by this point the FSF's position has been rationalize +(even if you---the reader---do not agree with it). + +Of course, this rationalization will still leave a sour taste in the mouth of +those "open source" developers (or perhaps even some free software developers) +that think in terms of what is "lost": these projects---which are themselves +free software and therefore beneficial to our community---cannot take advantage +of *other free software* due to this licensing issue. Since these projects had +already existed when LibreDWG was licensed under the GPLv2, the relicensing to +GPLv3 may seem unfair and, therefore, a "loss". It is difficult to counter +such an argument if the above rationale has not been sufficient; nor will I +argue that the situation is not unfortunate, should the projects be unable to +relicense. However, it must be understood that, to ensure the future of free +software, the FSF must adopt to combat today's threats and so too must other +free software projects. + +The Phoronix article mentioned two projects in particular that suffer from +LibreDWG's relicensing: [LibreCAD and FreeCAD][0]. LibreCAD omits the "or later" +clause that was mentioned above, preventing them from easily migrating to the +GPLv2 (which is [against the FSF's recommendation][12]). 
Unless the project +requires that contributors assign copyright to the project owner, then they +would have to get permission from each contributor (or rewrite the code) in +order to change the license (which is not unheard of; [VLC had done so recently +to migrate from the GPL to the LGPL][13]); this is a significant barrier for any +project with multiple contributors, especially when your project is a derivative +work (of QCad). + +The other project mention was FreeCAD, and the author of the article mentions +that the project depends on Coin3D and Open CASCADE, "both of which are +GPLv2", so [the project cannot migrate to GPLv3][0]. A quick look at Coin3D's +website shows that the software is actually licensed under the modified +(3-clause) BSD license, and so [migrating to the GPLv3 is not an issue][15]. Open +CASCADE has its own "public license" that I do not have the time to evaluate +(nor am I lawyer, so I do not wish to give such advice), so I cannot speak to +its compatibility with the GPLv3. That said, I'm unsure if it would be a barrier +toward FreeCAD's adoption of the GPLv3. + +Ultimately, the moral of the story is to plan for the *future*---if you use a +project licensed under the GPL, ensure that it has the "or later" clause that +allows it to be licensed under later version of the GPL, since you can be sure +that the FSF and many other free software developers will be quick to adopt the +license. Of course, many may not be comfortable with such a licensing decision: +you effectively are giving the FSF permission to relicense you work by simply +releasing a new version of the GPL. It is your decision whether you are willing +to place this kind of trust in the organization responsible for starting the +free software movement in the first place. + +Readers may now assume that I am placing the entire blame and onus on the +implementors of LibreDWG. 
The onus, perhaps, but not the blame---this truly is +an unfortunate circumstance that takes away from hacking a free software +project. Unfortunately, the projects are stuck in a bad place, but the FSF is +not to blame for standing firm in their ideals. Instead, this can be thought of +as a maintenance issue---rather than a source code refactoring resulting from a +library API change, we instead require a "legal code" refactoring resulting +from a "legal API" change. + +[3]: http://www.fsf.org/about/ +[4]: http://www.gnu.org/licenses/quick-guide-gplv3.html +[5]: http://www.gnu.org/copyleft/ +[6]: http://www.gnu.org/licenses/rms-why-gplv3.html +[7]: http://lwn.net/Articles/200422/ +[8]: http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility +[9]: http://www.gnu.org/philosophy/free-sw.html +[10]: http://www.gnu.org/licenses/lgpl.html +[11]: http://www.gnu.org/licenses/why-not-lgpl.html +[12]: http://www.gnu.org/licenses/gpl-howto.html +[13]: http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html +[14]: https://bitbucket.org/Coin3D/coin/wiki/Home +[15]: http://www.gnu.org/licenses/license-list.html#ModifiedBSD +[16]: http://www.opencascade.org/getocc/license/ + diff --git a/post/2013-01-30-phone-unlocking-illegal.md b/post/2013-01-30-phone-unlocking-illegal.md new file mode 100644 index 0000000..5e775d6 --- /dev/null +++ b/post/2013-01-30-phone-unlocking-illegal.md @@ -0,0 +1,7 @@ +# Phone "Unlocking" Once Again Illegal + +[Ridiculous.][0] We should own the hardware that we purchase. + +[0]: https://www.eff.org/is-it-illegal-to-unlock-a-phone + + diff --git a/post/2013-01-30-re-skype-let-spy.md b/post/2013-01-30-re-skype-let-spy.md new file mode 100644 index 0000000..c75d056 --- /dev/null +++ b/post/2013-01-30-re-skype-let-spy.md 
@@ -0,0 +1,102 @@ +# Re: Who Does Skype Let Spy? + +Today, [Bruce Schneier brought attention to privacy concerns surrounding +Skype][0], a very popular ([over 600 million users][1]) VoIP service that has +since been acquired by Microsoft. In particular, [users are concerned over what +entities may be able to gain access to their "private" conversations][1] +through the service---Microsoft has refused to answer those kinds of questions. +While the specific example of Skype is indeed concerning, it raises a more +general issue that I wish to discuss: The role of free software and SaaS +(software as a service). + +[0]: http://www.schneier.com/blog/archives/2013/01/who_does_skype.html +[1]: http://www.skypeopenletter.com/ + + + +To [quote Schneier][0]: + +> We have no choice but to trust Microsoft. Microsoft has reasons to be +> trustworthy, but they also have reasons to betray our trust in favor of other +> interests. And all we can do is ask them nicely to tell us first. + +Schneier continues to admit, in similar words, that [we are but "vassals" to +these entities and that they are our serfs][2]. His essays regarding the [power of +corporations and governments over their users][3] echo the words of Lawrence +Lessig in his [predictions of a "perfectly regulated" future made possible by +the Internet][4]. While Lessig (despite what his critics have stated in the +past) seems to have been correct in many regards, we need not jump into the +perspective of an Orwellian dystopia where we are but "vassals" to the +Party.[^5] Indeed, this is only the case---at least at present---if you choose to +participate in the use of services such as Skype, as ubiquitous as they may be. + +Skype is a useful demonstration of the unfortunate situation that many users +place themselves in by trusting their private data to Microsoft. Skype itself is +proprietary---we cannot inspect its source code (easily) in order to ensure that +it is respecting our privacy. 
(Indeed, as a user on [the HackerNews +discussion][6] pointed out, [Skype has installed undesirable software in the +past][7].) If Skype were [free software][8], we would be able to inspect its +source code and modify it to suit our needs, ensuring that the software did only +what we wanted it to do---ensuring that Microsoft was not in control of us. + +However, even if Skype were free software, there is another issue at work that +is often overlooked by users: Software as a Service (SaaS). When you make use of +services that are hosted on remote servers (often called "cloud" +services)---such as with Skype, Facebook, Twitter, Flickr, Instagram, iTunes, +iCloud and many other popular services---you are blindly entrusting your data to +them. Even if the Skype software were free (as in freedom), for example, [we +still cannot know what their servers are doing with the data we provide to +them][9]. Even if Skype's source code was plainly visible, the servers act as a +black box. Do they monitor your calls? [Does Facebook abuse your data?][10] How is +that data stored---[what happens][1] in the event of a data breach, or in the event +of a warrant/subpoena? + +The only way to be safe from these providers is to [reject these services +entirely and use your own software on your own PC][9], or use software that will +connect directly to your intended recipient without going through a 3rd +party. (Never mind your ISP; that is a separate issue entirely.) If you must +use a 3rd party service, ensure that you can adequately encrypt your +communications (e.g. using GPG to encrypt e-mail communications)---something +that may not necessarily be easy/possible to do, especially if the software is +proprietary and works against you. + +The EFF has published [useful information on protecting yourself against +surveillance][11], covering topics such as encryption and anonymization. 
+ +If we are to resist the worlds that [Lessig][4] and [Schneier][3] describe, then we +must [stand up for our right to privacy and demand action][12]. [Who will have +your back][13] when we're on the brink of ["perfect regulation"][4]; who will +stand up for your rights and work *with* you---not against you---to preserve +your liberties? Without this push, services like Skype empower governments and +other entities to work toward perfect regulation---to continuously spy on +everything that we do. With everyone putting their every thought and movement on +services like Facebook, [Twitter][14] and Skype, the Orwellian Thought Police have +the ability to manifest in a form that not even Orwell could have +imagined---unless it is stopped. + +To help [preserve your ever-dwindling rights online][15], consider becoming a +member of or participating in the campaigns of the [Free Software +Foundation][16], [Electronic Frontier Foundation][17], the [American Civil +Liberties Union][18] or any other organizations dedicated toward free society. + +(Disclaimer: I am a member of the Free Software Foundation.) 
+ +[2]: http://www.schneier.com/essay-406.html +[3]: http://www.schneier.com/essay-409.html +[4]: http://codev2.cc/ +[6]: http://news.ycombinator.com/item?id=5139801 +[7]: http://blogs.skype.com/garage/2011/05/easybits_update_disabled_for_s.html +[8]: http://www.gnu.org/philosophy/free-sw.html +[9]: http://www.gnu.org/philosophy/who-does-that-server-really-serve.html +[10]: https://www.eff.org/deeplinks/2013/01/facebook-graph-search-privacy-control-you-still-dont-have +[11]: https://ssd.eff.org +[12]: https://www.eff.org/deeplinks/2013/01/its-time-transparency-reports-become-new-normal +[13]: https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back +[14]: https://www.eff.org/deeplinks/2013/01/google-twitters-new-transparency-report-shows-increase-government-demands-sheds +[15]: https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8750 +[16]: http://www.fsf.org/register_form?referrer=5804 +[17]: https://supporters.eff.org/donate +[18]: https://www.aclu.org/donate/join-renew-give + +[^5]: Orwell, George. Nineteen Eighty-Four. ISBN 978-0-452-28423-4. + diff --git a/post/2013-02-26-cispa.md b/post/2013-02-26-cispa.md new file mode 100644 index 0000000..94e3dd6 --- /dev/null +++ b/post/2013-02-26-cispa.md @@ -0,0 +1,8 @@ +# What is CISPA and Why is it Dangerous? + +The EFF has put together an excellent [FAQ on CISPA][0], the "cybersecurity" +bill that was reintroduced to congress earlier this month. + +[0]: https://www.eff.org/deeplinks/2013/02/cispas-back-faq-what-it-and-why-its-still-dangerous + + diff --git a/post/2013-03-01-dmr-very-early-c.md b/post/2013-03-01-dmr-very-early-c.md new file mode 100644 index 0000000..9dfe0bd --- /dev/null +++ b/post/2013-03-01-dmr-very-early-c.md 
@@ -0,0 +1,15 @@ +# DMR: "Very early C compilers and language" + +An interesting article by Dennis Ritchie discussing [early C compilers][0] +recovered from old DECtapes. The source code and history are fascinating reads. +The quality of the code (the "kludgery"[1], as he puts it) to me just brings +smiles---I appreciate seeing the code in its original glory. + +It is also saddening reading the words of such a great man who is no longer with +us; perhaps it helps to better appreciate his legacy. + +[0]: http://cm.bell-labs.com/cm/cs/who/dmr/primevalC.html +[1]: http://www.catb.org/~esr/jargon/html/K/kludge.html + + + diff --git a/post/2013-03-01-lpc-winners.md b/post/2013-03-01-lpc-winners.md new file mode 100644 index 0000000..c5f6723 --- /dev/null +++ b/post/2013-03-01-lpc-winners.md @@ -0,0 +1,8 @@ +# Libreated Pixel Cup Winners Announced + +[Congratulations][0] to the [winners of the Liberated Pixel Cup][1]. + +[0]: http://www.fsf.org/news/winners-announced-for-free-software-gamings-highest-honor-the-liberated-pixel-cup +[1]: http://lpc.opengameart.org/content/code-judging-is-in + + diff --git a/post/2013-03-06-google-fbi-spying.md b/post/2013-03-06-google-fbi-spying.md new file mode 100644 index 0000000..32a06f6 --- /dev/null +++ b/post/2013-03-06-google-fbi-spying.md 
@@ -0,0 +1,35 @@ +# Google Says the FBI Is Secretly Spying on Some of Its Customers + +A Wired article mentions [figures released from Google][0] regarding National +Security Letters issued by the NSA under the Patriot Act. It is too early to +comment in much detail on this matter (I would like to wait for commentary from +the EFF), but, as the article mentions: + +[0]: http://www.wired.com/threatlevel/2013/03/google-nsl-range/?cid=co6199824 + +> Google said the number of accounts connected to National Security letters +> ranged between “1000-1999″ for each of the reported years other than 2010. In +> that year, the range was “2000-2999.” + + + +The [EFF provides additional information, including recommendations on what to +do about such requests][1] via their Surveillance Self-Defense website. As +quoted from that website: + +> And it's even worse for FISA subpoenas, which can be used to force anyone to +> hand over anything in complete secrecy, and which were greatly strengthened +> by Section 215 of the USA PATRIOT Act. The government doesn't have to show +> probable cause that the target is a foreign power or agent — only that they +> are seeking the requested records "for" an intelligence or terrorism +> investigation. Once the government makes this assertion, the court must +> issue the subpoena. + +To add insult to injury: + +> FISA orders and National Security Letters will also come with a gag order that +> forbids you from discussing them. Do NOT violate the gag order. Only speak to +> members of your organization whose participation is necessary to comply with +> the order, and your lawyer. + +[1]: https://ssd.eff.org/foreign/fisa diff --git a/post/2013-03-09-1-1-php.md b/post/2013-03-09-1-1-php.md new file mode 100644 index 0000000..237cbf7 --- /dev/null +++ b/post/2013-03-09-1-1-php.md 
@@ -0,0 +1,41 @@ +# Adding 1 and 1 in PHP + +An amusing demonstration; it is my hope that [readers will not take this PHP +library seriously][0]. This is likely a parody of the over-engineering that +often takes foot in Object-Oriented development (a game of "how many GoF[^4] +design patterns can we use in this project" anyone?). + +[0]: https://github.com/Herzult/SimplePHPEasyPlus + + + +That is not to say that "OOP is bad" (just as object-oriented developers often +consider procedural code bad, when they may just be terrible at writing +procedural code). Indeed, I wrote [an ECMAScript framework for Classical OOP +(ease.js)][1]. The problem is that, with the excitement and misunderstandings +that surround "good" object-oriented design, designers are eager to +over-abstract their implementations (I have been guilty of the same thing). +Object oriented programming is often taught to novice CS students (often with +the reign of Java in schools)---teaching practices that can be good principles +when properly applied and in moderation---which [I have also seen contribute to +such madness][2]. + +Abstractions are highly important, but only when necessary and when they lead to +more concise representations of the problem than would otherwise occur (note +that some problems are inherently complicated and, as such, a concise +representation may not seen concise). I'm a strong advocate of DSLs when +abstractions begin to get in the way and increase the verbosity of the code +(languages with strong macro systems like lisp help eliminate the need for +DSLs written from scratch)---design patterns exist because of deficiencies in +the language: They are "patterns" of code commonly used to achieve a certain +effect. + +[Criticisms against OOP are abundant][3], just as every other paradigm. + +[1]: http://easejs.org +[2]: http://c2.com/cgi/wiki?TextbookOo +[3]: http://c2.com/cgi/wiki?ArgumentsAgainstOop + +[^4]: Design Patterns: Elements of Reusable Object-Oriented Software. 
ISBN + 0-201-63361-2. Gamma, Helm, Johnson and Vlissides (the "Gang of Four"). + diff --git a/post/2013-03-09-oxford-uni-block-gdocs.md b/post/2013-03-09-oxford-uni-block-gdocs.md new file mode 100644 index 0000000..2954ad7 --- /dev/null +++ b/post/2013-03-09-oxford-uni-block-gdocs.md 
@@ -0,0 +1,50 @@ +# Oxford University Blocks Google Docs + +Oxford University decided to [block Google Docs][0] last month due to phishing +attacks against its users. To quote the blog post: + +[0]: http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/ + +> Almost all the recent attacks have used Google Docs URLs, and in some cases +> the phishing emails have been sent from an already-compromised University +> account to large numbers of other Oxford users. Seeing multiple such incidents +> the other afternoon tipped things over the edge. We considered these to be +> exceptional circumstances and felt that the impact on legitimate University +> business by temporarily suspending access to Google Docs was outweighed by the +> risks to University business by not taking such action. + + + +This incident was brought to my attention by [a blog post by Schneier][1], in +which he referenced his [essay on "feudal security"][2] (I commented in more +detail on this essay in [my response to a previous blog post of +his][3].[^blog]) In this case, Oxford is trusting that it knows better than its +users and has the right to exercise this power over them in light of their +inexperience with handling these situations (or even recognizing them). + +This may very well be the case---the Oxford IT department probably does have a +better understanding of security than many of their users. However, by blocking +access to Google Docs, they are also blocking access to millions of legitimate +articles hosted there, which is far from acceptable. Oxford is more than just a +workplace---for which many would argue these actions are acceptable; it is a +university that should encourage freedom of expression. They simply must find a +better way of dealing with these problems. If a user falls victim to a phishing +attack within Oxford, they will likely fall victim outside of it. + +Would Oxford consider blocking e-mail access too (where phishing attacks are +very cheap and common)? 
+ +> We appreciate and apologise for the disruption this caused for our users. +> Nevertheless, we must always think in terms of the overall risk to the +> University as a whole, and we certainly cannot rule out taking such action +> again in future [...] + +N.B.: Google Docs is proprietary and I cannot recommend its use any more than I +can recommend use of Microsoft Office. + +[1]: https://www.schneier.com/blog/archives/2013/03/oxford_universi.html +[2]: https://www.schneier.com/essay-406.html +[3]: /2013/01/re-who-does-skype-let-spy + +[^blog]: (I posted a link to my response on his blog, but he did not approve the comment.) + diff --git a/post/2013-03-09-white-house-phone-unlocking.md b/post/2013-03-09-white-house-phone-unlocking.md new file mode 100644 index 0000000..827a660 --- /dev/null +++ b/post/2013-03-09-white-house-phone-unlocking.md 
@@ -0,0 +1,40 @@ +# White House Supports Cell Phone Unlocking + +Earlier this week, the starter of the [White House petition to "Make Unlocking +Cell Phones Legal"][0] posted a [thread on Hacker News][1] stating that the +White House had officially responded, stating: + +> The White House agrees with the 114,000+ of you who believe that consumers +> should be able to unlock their cell phones without risking criminal or other +> penalties. In fact, we believe the same principle should also apply to +> tablets, which are increasingly similar to smart phones. And if you have paid +> for your mobile device, and aren't bound by a service agreement or other +> obligation, you should be able to use it on another network. It's common +> sense, crucial for protecting consumer choice, and important for ensuring we +> continue to have the vibrant, competitive wireless market that delivers +> innovative products and solid service to meet consumers' needs. + + + +The petition---as stated in the above response---garnered over 114,000 +signatures. The response is exciting news because the Library of Congress had +[removed the phone unlocking exemption][2] at the beginning of this year. (As +the EFF points out, [this may not necessarily mean that unlocking your phone is +"illegal"][3]). + +However, although this response is getting a lot of attention (I was surprised +to see my local news station report on it), this is not yet cause for +celebration; it is my hope that the White House will now follow through with +this statement and act upon it appropriately. + +(The [EFF has also posted their own comments on the White House's response][4].) + +This is just one issue in [a string of problems that is the DMCA][5]. 
+ +[0]: https://petitions.whitehouse.gov/petition/make-unlocking-cell-phones-legal/1g9KhZG7 +[1]: https://news.ycombinator.com/item?id=5319577 +[2]: /2013/01/phone-unlocking-once-again-illegal +[3]: https://www.eff.org/is-it-illegal-to-unlock-a-phone +[4]: https://www.eff.org/deeplinks/2013/03/white-house-supports-unlocking-phones-real-problem-runs-deeper +[5]: https://www.eff.org/wp/unintended-consequences-under-dmca + diff --git a/post/2013-03-15-html5-drm.md b/post/2013-03-15-html5-drm.md new file mode 100644 index 0000000..1725614 --- /dev/null +++ b/post/2013-03-15-html5-drm.md 
@@ -0,0 +1,109 @@ +# HTML5 DRM + +Two acronyms that, until very recently, would seem entirely incompatible---HTML, +which is associated with an unencumbered, free (as in freedom) representation of +a document, and [DRM][0], which [exists for the sole purpose of restricting +freedom][1].[^bias] Unfortunately, Tim Berners-Lee---the man attributed to +["inventing" the Internet][18]---mentioned in a [keynote talk at SXSW][15] that [he is +not opposed to introducing DRM into the HTML5 standard][4]: + +[^bias]: (Disclaimer: I am an associate member of the [Free Software +Foundation][2] and, as such, this reference is intentionally bias; feel free +to see the [Wikipedia article on DRM][3] for more general information.) + +> [Tim Berners-Lee] did not, however, present himself as an opponent of digital +> locks. During a post-talk Q&A, he defended proposals to add support for +> "digital rights management" usage restrictions to HTML5 as necessary to get +> more content on the open Web: "If we don't put the hooks for the use of DRM +> in, people will just go back to using Flash," he claimed. + + + +Many who oppose DRM refer to it as ["digital restrictions management"][0]---a +phrase that better describes how it affects the user. The "rights" that +"digital rights management" describes are the "rights" (in terms of +copyright) of publishers and copyright holders: They wish to lock down their +content so that [you, the user, can only access it as *they* please][5]. Has +["your" device][25] ever told you that [you cannot share a book with your +friends][6][17][24]? Has your device ever [deleted your content without your +permission][7][8]? Does your device grant you [less privileges if you decide to +liberate yourself from it][9] through "jailbreaking"?[^jb] Does the software you +run [potentially spy on you without telling you][11], without giving you the +option to correct it? Or perhaps the games you play [require you to be online, +even in single-player mode][12]. 
+ +[^jb]: I go into more detail on jailbreaking and its current legality as of +the time of writing [in a previous article of mine][10]. + +These are but a small handful of [examples of the many mistakes and injustices +of Digital Restrictions Management][5]. These restrictions take additional +effort---that is, development time, which also means more money---to build into +software; computers, by their very nature, do exactly as they are told, meaning +that they can only work against you if someone else tells it to (unless you tell +your computer to make your life miserable...if you're into that sort of thing). +As such, we refer to these restrictions as ["anti-features"][23]. + +> Corporations claim that DRM is necessary to fight copyright infringement +> online and keep consumers safe from viruses. But there's no evidence that DRM +> helps fight either of those. Instead DRM helps big business stifle innovation +> and competition by making it easy to quash "unauthorized" uses of media and +> technology. + +It is this logic that [corporations][13] (and even some individuals, such as +[authors][14]) use to influence entities such as the W3C---and Tim +Berners-Lee---into [thinking that DRM is necessary][15]. The [W3C describes a +"trust infastructure"][16] that could be standardized for bringing DRM to the +web: + +> It is clear that user domains (eg eBook trading, sub-rights trading, streaming +> music, etc.) each require sets of Rights Primitives that those domains wish do +> useful things with. + +This is an unfortunate perspective, especially since those "useful things" are +exactly the opposite for users. The Internet strongly promotes the free, +(generally) unencumbered flow of information. To [quote W3C][19]: + +> The social value of the Web is that it enables human communication, commerce, +> and opportunities to share knowledge. 
One of W3C's primary goals is to make +> these benefits available to all people, whatever their hardware, software, +> network infrastructure, native language, culture, geographical location, or +> physical or mental ability. + +A DRM implementation flies in the face of those goals, as it is, by definition, +restrictive---how can we be encouraged to share by using systems that aim to +[prevent that very thing][0]? + +Richard Stallman has already announced that the [FSF will "campaign against W3C +support for DRM"][20]; let's hope that many others will join in on this +campaign, hope that organizations like the EFF will continue to fight for our +rights, and further hope that users will [reject DRM-laden products][22] +outright. [DRM cannot exist in free software][25] and it cannot exist on a +network that facilitates free information. + +[0]: http://www.defectivebydesign.org/what_is_drm +[1]: http://www.defectivebydesign.org/ +[2]: http://fsf.org +[3]: https://en.wikipedia.org/wiki/Digital_rights_management +[4]: http://boingboing.net/2013/03/10/tim-berners-lee-the-web-needs.html +[5]: https://www.eff.org/issues/drm +[6]: http://www.amazon.com/gp/help/customer/display.html?nodeId=200549320 +[7]: http://www.defectivebydesign.org/blog/1248 +[8]: http://boingboing.net/2012/10/22/kindle-user-claims-amazon-dele.html +[9]: http://arstechnica.com/apple/2011/02/ibooks-to-jailbreakers-no-yuo/ +[10]: /2013/03/white-house-supports-cell-phone-unlocking +[11]: /2013/01/re-who-does-skype-let-spy +[12]: https://www.eff.org/deeplinks/2013/03/tale-simcity-users-struggle-against-onerous-drm +[13]: http://venturebeat.com/2012/10/12/together-html5-and-drm-can-take-out-native-apps/ +[14]: /2013/01/lulu-says-goodbye-to-drm +[15]: http://www.guardian.co.uk/technology/blog/2013/mar/12/tim-berners-lee-drm-cory-doctorow +[16]: http://www.w3.org/2000/12/drm-ws/ +[17]: https://www.fsf.org/bulletin/e-books-must-increase-our-freedom-not-decrease-it +[18]: http://www.w3.org/People/Berners-Lee/ 
+[19]: http://www.w3.org/Consortium/mission#principles +[20]: http://lists.libreplanet.org/archive/html/libreplanet-discuss/2013-03/msg00007.html +[21]: https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve +[22]: http://www.defectivebydesign.org/guide +[23]: https://www.fsf.org/bulletin/2007/fall/antifeatures/ +[24]: https://www.gnu.org/philosophy/right-to-read.html +[25]: https://www.gnu.org/philosophy/can-you-trust.html + diff --git a/post/2013-03-15-nsl-unconstitutional.md b/post/2013-03-15-nsl-unconstitutional.md new file mode 100644 index 0000000..5d62ab7 --- /dev/null +++ b/post/2013-03-15-nsl-unconstitutional.md 
@@ -0,0 +1,33 @@ +# Federal Judge Rules NSLs (National Security Letters) Unconstitutional + +This news is huge and an incredible win for both the EFF and all U.S. citizens. +Today, [United States District Judge Susan Illston found the National Security +Letters' gag provisions unconstitutional][0] and---since the review procedures +violate the separation of powers and cannot be separated from the rest of the +statute---has consequently [ruled the NSLs themselves to be +unconstitutional][1]: + +[0]: http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/ +[1]: https://www.eff.org/press/releases/national-security-letters-are-unconstitutional-federal-judge-rules + +> In today's ruling, the court held that the gag order provisions of the statute +> violate the First Amendment and that the review procedures violate separation +> of powers. Because those provisions were not separable from the rest of the +> statute, the court declared the entire statute unconstitutional + + + +This is an exciting decision; let's see where it takes us. + +> U.S. District Judge Susan Illston ordered the government to stop issuing +> so-called NSLs across the board, in a stunning defeat for the Obama +> administration’s surveillance practices. She also ordered the government to +> cease enforcing the gag provision in any other cases. However, she stayed her +> order for 90 days to give the government a chance to appeal to the Ninth +> Circuit Court of Appeals.[[0]] + +[The issues surrounding NSLs][2] were highlighted just last week when [Google +released numbers relating to the orders that it received][3]. + +[2]: https://www.eff.org/issues/national-security-letters +[3]: /2013/03/google-says-the-fbi-is-secretly-spying-on-some-of-its-customers diff --git a/post/2013-03-23-dbd-w3c-drm.md b/post/2013-03-23-dbd-w3c-drm.md new file mode 100644 index 0000000..738fa56 --- /dev/null +++ b/post/2013-03-23-dbd-w3c-drm.md 
@@ -0,0 +1,46 @@ +# Defective By Design Campaign Against W3C DRM Standard + +[As I had mentioned late last week][0], RMS had mentioned that Defective By +Design (DBD) would be campaigning against the [introduction of DRM into the W3C +HTML5 standards][1]. (Please see [my previous mention of this topic][0] for a +detailed explanation of the problem and a slew of references for additional +information.) Well, [this campaign is now live and looking for +signatures][2]---50,000 by May 3rd, which is the [International Day Against +DRM][3]: + +> Hollywood is at it again. Its latest ploy to take over the Web? Use its +> influence at the World Wide Web Consortium (W3C) to weave [Digital +> Restrictions Management (DRM)][4] into HTML5 -- in other words, into the very +> fabric of the Web. +> +> [...] +> +> Help us reach 50,000 signers by May 3rd, 2013, the [International Day Against +> DRM][3]. We will deliver the signatures to the W3C (they are right down the +> street from us!) and [make your voice heard[[1]. + +[0]: /2013/03/html5-drm +[1]: https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards +[2]: http://www.defectivebydesign.org/no-drm-in-html5 +[3]: http://www.defectivebydesign.org/dayagainstdrm +[4]: http://www.defectivebydesign.org/what_is_drm + + + +To summarize the issue as [stated by the EFF][5]: + +> W3C is there to create comprehensible, publicly-implementable standards that +> will guarantee interoperability, not to facilitate an explosion of new +> mutually-incompatible software and of sites and services that can only be +> accessed by particular devices or applications. But EME is a proposal to bring +> exactly that dysfunctional dynamic into HTML5, even risking a return to the +> ["bad old days, before the Web"][5] of deliberately limited +> interoperability. +> +> it would be a terrible mistake for the Web community to leave the door open +> for Hollywood's gangrenous anti-technology culture to infect W3C standards. 
+ +So please---[sign the petition now][2]! + +[5]: http://www.anybrowser.org/campaign/index.html + diff --git a/post/2013-03-23-freesw-award-winners.md b/post/2013-03-23-freesw-award-winners.md new file mode 100644 index 0000000..74c309d --- /dev/null +++ b/post/2013-03-23-freesw-award-winners.md @@ -0,0 +1,22 @@ +# Congratulations to the 2012 Free Software Award Winners + +Each year, the [Free Software Foundation][0] presents awards to individuals who +have made a [strong contribution to free software][1]: + +[0]: http://fsf.org + +> The Award for the Advancement of Free Software is given annually to an +> individual who has made a great contribution to the progress and development +> of free software, through activities that accord with the spirit of free +> software. + +[1]: https://www.fsf.org/news/2012-free-software-award-winners-announced-2 + + + +This year, announced at the LibrePlanet 2013 conference, [the winner was Dr. +Fernando Perez][1]---creator of IPython. The winner of the Award for Projects of +Social Benefit was [OpenMRS][2], which is a free (as in freedom) medical records +system for developing countries. + +[2]: http://openmrs.org/ diff --git a/post/2013-04-20-cispa-passes.md b/post/2013-04-20-cispa-passes.md new file mode 100644 index 0000000..1bf8b46 --- /dev/null +++ b/post/2013-04-20-cispa-passes.md 
@@ -0,0 +1,20 @@ +# U.S. House Passes CISPA + +Two days ago---on the 18th--[the U.S. House of Representatives decided to pass +CISPA 288-127][0]. + +> The legislation passed 288-127, despite a veto threat from Pres. Barack Obama, +> who expressed serious concerns about the danger CISPA poses to civil +> liberties. + +[0]: https://www.eff.org/deeplinks/2013/04/us-house-representatives-shamefully-passes-cispa-internet-freedom-advocates + + + +As the bill moves into the senate, [civil liberties groups will continue to +oppose it][1]; I personally hope that you will do the same. + +Move [information on CISPA][2] is available on the EFF's website. + +[1]: https://www.eff.org/deeplinks/2012/04/voices-against-cispa +[2]: https://www.eff.org/cybersecurity-bill-faq diff --git a/post/2013-06-06-improved-website.md b/post/2013-06-06-improved-website.md new file mode 100644 index 0000000..614f0a0 --- /dev/null +++ b/post/2013-06-06-improved-website.md @@ -0,0 +1,14 @@ +# Improved Website + +The old WordPress website has been replaced entirely by the "thoughts" site +(which was previously located at /thoughts). This website is generated from its +git repository---available on the Projects page---which is freely licensed. +There is some content that existed on the old site that is still useful; should +that content be transferred to this site, a redirect will be set up (assuming +that it hadn't already been lost to the search engines). + +Since all this content is static, there is no discussion system. I am still +debating whether or not I will add this in the future. Until that time, feel +free to contact me via e-mail. + + diff --git a/post/2013-06-10-national-uproar.md b/post/2013-06-10-national-uproar.md new file mode 100644 index 0000000..cba4005 --- /dev/null +++ b/post/2013-06-10-national-uproar.md 
@@ -0,0 +1,631 @@ +# National Uproar: A Comprehensive Overview of the NSA Leaks and Revelations + +I am finding it difficult to keep up with the flood of reports in my little free +time, while still finding the time to brush up on relevant history. My hope is +to provide a summary of recent events and additional background---along with a +plethora of references---that will allow the reader to perform further research +and to formulate educated, personal opinions on the topics. If you do not care +for my commentary, simply scroll to the list of references at the bottom of this +article. + +Many [individuals and organizations][0] have long warned of [digital privacy +issues][1], but there has been one agency in particular that has been the +subject of much scrutiny---the [National Security Agency (NSA)][2], which is a +[United States government agency][3] that has a [long history of controversial +spying tactics][4] on its country's own citizens. It is a chilling topic---one +that can easily make any person sound like they've latched onto an Orwellian +conspiracy. + +[0]: /2013/01/re-who-does-skype-let-spy +[1]: https://www.schneier.com/essay-418.html "The Internet Is a Surveillance State" +[2]: https://www.eff.org/nsa-spying "The EFF on NSA Spying" +[3]: https://www.eff.org/agency/national-security-agency "The National Security Agency" +[4]: https://www.eff.org/nsa-spying/timeline "Timeline of NSA Spying" + + + +**Wednesday, June 5th, 2013**---[the Guardian newspaper publishes a leaked +document][5][6][7] ordering Verizon to + +> [...] produce to the National Security Agency (NSA) upon service of this +> Order, and continue production on an ongoing daily basis thereafter for the +> duration of this Order, [...] 
an *electronic copy of* the following tangible +> things: *all call detail records or "telephony metadata"* created by Verizon +> for communications (i) between the United States and abroad; or (ii) wholly +> within the United States, *including local telephone calls*.[[6]] [emphasis +> added] + +The order goes on to describe "telephony metadata" to include routing +information, source and destination telephone numbers, IMSI and IMEI numbers, +and time and duration of the call; it "does not include the substantive content +of any communication"---the communication content itself.[[6]] This order was +[issued by the Foreign Intelligence Surveillance Court (FISC)][8] under [section 215 +of the Patriot Act][9]. (This news comes [less than three months after United +States District Judge Susal Illston ruled NSA Letters' gag provisions +unconstitutional][10].) + +This report caused a massive uproar, but [came as no surprise][11] to many +security researchers and privacy advocates. Early last year, Wired released an +article stating that [the NSA "Is Building the Country's Biggest Spy +Center"][14]. Privacy concerns were raised in November of last year by [the +Petraeus scandal][14]. In March of this year, Google released figures showing +that [the NSA is secretly spying on some of its customers][15]. Two months later, +[outrage][17] after the Associated Press discovers that [the Justice Department +collected the calling records of many of its reporters and editors][18]. +Additionally, [the EFF already had cases against the NSA's actions][2]---[Jewel +v. NSA][12] and [Hepting v. AT&T][13] both focus on unconstitutional dragnet +surveillance of innocent citizens' data and communications. These cases will be +explored in further detail throughout this article. + +But the chaos didn't end there. 
+ +**Thursday, June 6th, 2013**---just one day after the Guardian reported on the +leaked Verizon order, the newspaper reports on [a leaked slideshow describing +PRISM][19], a top-secret program that "claims direct access to servers of firms +including Google, Apple and Facebook. According to the leaked document, the NSA +supposedly has the ability to collect material including e-mail, chat, video and +voice communications, photos, stored data and more.[[19]]. Responses from most +companies was immediate. In a [blog post entitled "What that...?"][20], Larry +Page---Google's CEO---put very plainly that Google does not participate in such +a program and denied any knowledge of PRISM: + +> First, we have not joined any program that would give the U.S. government—or +> any other government—direct access to our servers. Indeed, the U.S. government +> does not have direct access or a "back door" to the information stored in +> our data centers. We had not heard of a program called PRISM until yesterday. +> Second, we provide user data to governments only in accordance with the +> law.[[20]] --Larry Page, Google CEO + +[Mark Zuckerberg of Facebook also denied involvement][21], calling such claims +"outrageous" and encouraging governments to be "much more transparent about +all programs aimed at keep the public safe": + +> I want to respond personally to the outrageous press reports about PRISM: +> Facebook is not and has never been part of any program to give the US or any +> other government direct access to our servers. We have never received a +> blanket request or court order from any government agency asking for +> information or metadata in bulk, like the one Verizon reportedly received. And +> if we did, we would fight it aggressively. We hadn't even heard of PRISM +> before yesterday. [...] We strongly encourage all governments to be much more +> transparent about all programs aimed at keeping the public safe. 
It's the only +> way to protect everyone's civil liberties and create the safe and free society +> we all want over the long term.[[21]] --Mark Zuckerberg, Facebook CEO + +Indeed, [all companies eventually denied involvement with PRISM][22]. + +**Friday, June 7th, 2013**---Two days after the [initial Verizon report][5] and one day +after the publishing of [portions of the PRISM documents][19], the White House +responded to the Guardian reports with President Obama [defending his +administration][16]. Unfortunately, given the [history of the NSA surveillance +programs][4]---especially since the Bush administration after the 9/11 +attacks---it may be difficult to believe that his words are the whole truth. As +such, we will use [portions of his transcript][16] to guide the remainder of this +discussion. + +> **Jackie Calmes:** Mr. President, could you please react to the reports of +> secret government surveillance of phones and Internet? And can you also assure +> Americans that the government — your government doesn’t have some massive +> secret database of all their personal online information and activity? +> +> **Obama:** [...] Now, the programs that have been discussed over the last +> couple days in the press are secret in the sense that they’re classified, but +> they’re not secret in the sense that when it comes to telephone calls, every +> member of Congress has been briefed on this program. +> +> With respect to all these programs, the relevant intelligence committees are +> fully briefed on these programs. These are programs that have been authorized +> by broad, bipartisan majorities repeatedly since 2006. And so I think at the +> outset, it's important to understand that your duly elected representatives +> have been consistently informed on exactly what we’re doing.[[16]] + +There are some important notes regarding the phrasing of the President's +statement. 
Firstly, it is important to note that the President is *confirming the +existence of* the programs that "have been discussed over the last couple days +in the press"---that is, the [Verizon FISA Court order][5] and the [PRISM][19] +leak. However, it is also important to take a step back and note that the +President did *not* state outright that the reports tell the whole---or even the +correct---story. So what do we know? + +On June 6th---a day before the White House responded to the leaks---the Director +of National Intelligence James Clapper [declassified certain information pertaining +to the "business records" provision of FISA][23], stating, "I believe it is +important for the American people to understand the limits of this targeted +counterterrorism program and the principles that govern its use". This statement +mentions that: + +> Although this program has been properly classified, the leak of one order, +> without any context, has created a misleading impression of how it operates. +> [...] The program does not allow the Government to listen in on anyone's phone +> calls. The information acquired does not include the content of any +> communications or the identity of any subscriber. The only type of information +> acquired under the Court's order is telephony metadata, such as telephone +> numbers dialed and length of calls.[[23]] + +The term "telephony metadata" could mean anything; the "numbers dialed" and +"length of calls" are part of it, but what does [the Court order][6] +specifically request? + +> IT IS HEREBY ORDERED that [Verizon] shall produce to the [NSA] [...], and +> continue production on an ongoing daily basis [...] for the duration of this +> Order, [...] all call detail records or "telephony metadata" [...]. +> Telephony metadata includes comprehensive communications routing information, +> including but not limited to [...] originating and terminating telephone +> number, [...] 
International Mobile Subscriber Identity (IMSI) number, +> International Mobile station Equipment Identity (IMEI) number, [...] trunk +> identifier, telephone calling card numbers, and time and duration of call. +> Telephony metadata does not include the substantive content of any +> communication [...], or the name, address, or financial information of a +> subscriber or customer.[[6]] --FISA Court order + +The President made this point very clear: + +> **Obama:** When it comes to telephone calls, nobody is listening to your +> telephone calls. That’s not what this program’s about. As was indicated, what +> the intelligence community is doing is looking at phone numbers and durations +> of calls. They are not looking at people’s names, and they’re not looking at +> content. But by sifting through this so-called metadata, they may identify +> potential leads with respect to folks who might engage in terrorism. If these +> folks — if the intelligence community then actually wants to listen to a phone +> call, they’ve got to go back to a federal judge, just like they would in a +> criminal investigation. So I want to be very clear. Some of the hype that +> we’ve been hearing over the last day or so — nobody’s listening to the content +> of people’s phone calls.[[16]] + +The EFF provides compelling arguments as to why [metadata is important to our +privacy][24]. One such example: "They know you spoke with an HIV testing +service, then your doctor, then your health insurance company in the same hour. +But they don't know what was discussed." The EFF further states, "the +government has given no assurances that this data will never be correlated with +other easily obtained data". So, while the President may try reassuring us by +stating that "they've got to go back to a federal judge", he certainly does +not make it clear that they may already have enough information *without* having +to do so---from this supposedly non-content metadata. 
They do not need to +subpoena the phone company for the name or address of the individual in most +cases, as reverse telephone directories are readily available. With that, they +then have the names of yourself, everyone you have called and GPS data. + +Another argument worthy of strong consideration is posed by Daniel J. +Solove---[what if the government is wrong about your intentions][25]? How can +you go about correcting incorrect data if its very existence is hidden from the +public? + +> What if the government leaks the information to the public? What if the +> government mistakenly determines that based on your pattern of activities, +> you're likely to engage in a criminal act? What if it denies you the right to +> fly? What if the government thinks your financial transactions look odd—even +> if you've done nothing wrong—and freezes your accounts? What if the government +> doesn't protect your information with adequate security, and an identity thief +> obtains it and uses it to defraud you?[[25]] + +These are serious questions. Even if you---the reader---are of the type that sates +"I don't care; I have nothing to hide", then consider that, despite the government's +best efforts to secure and protect the data, [it could possibly fall prey to +enemies of the United States][25]. Consider that the [Chinese cracked into +Pentagon systems][26], taking "designs for more than two dozen major weapon systems +used by the United States military". + +Of course, we are now assuming that that the NSA is (a) operating in accordance with the +Court order with respect to the privacy of communications content and (b) that +the President's statement is not intentionally omitting projects that *do* +warrantlessly wiretap innocent Americans' communications. Historically, the NSA has not +given us reason to entertain either of these thoughts. + +**January 31, 2006**---[Hepting v. 
AT&T][13]; the EFF files a case suing AT&T on +behalf of its customers for "violating privacy law by collaborating with the +NSA in the massive, illegal program to wiretap and data-min Americans' +communications". This case included "undisputed evidence" from former AT&T technician +Mark Klein showing that [AT&T routed a copy of all Internet traffic to an NSA-controlled +room in San Francisco][27]: + +> Through the "splitter cabinet," the content of all of the electronic voice +> and data communications going across the Peering Links [...] was transferred +> from the WorldNet Internet room's fiber optical circuits into the +> [NSA-controlled] SG3 Secure Room [...] including such equipment as Sun servers +> and Juniper (M40e and M160) "backbone" routers. The list also included a +> Narus STA 6400, which is a "Semantic Traffic Analyzer."[[27]] + +That is---allegedly, AT&T indiscriminately passed *all* of the traffic passing +through its San Francisco facility into the NSA-controlled "SG3 Secure Room" +where the NSA performed their *own* filtering, storage and analysis however they +pleased. This is an astounding accusation. Additionally, Klein further states +that "other such `splitter cabinets' were being installed in other cities, +including Seattle, San Jose, Los Angeles and San Diego".[[27]] + +Unfortunately, Hepting was dealt a fatal blow in July 2008 when both the +government and AT&T were [awarded retroactive immunity][28] by the [FISA +Amendments Act (FAA)][29]. This startling turn was signed by President Bush in +response to the EFF's court victories in the case and "allows the Attourney +General to require the dismissal of the lawsuits over the telecoms' +participation in the warrantless surveillance program".[[13]] The case was +dismissed in June 2009 and dozens of other lawsuits. + +Fortunately, the battle is not over. The EFF then filed [Jewel v. 
NSA][12] which +directly targets the "NSA and other government agencies on behalf of AT&T +customers to stop the illegal unconstitutional and ongoing dragnet surveillance +of their communications and communications records". This case was too based +on [the testimony of Klein][27]. Additionally, the EFF had declarations of William +Binney, Thomas Drake and Kirk Wiebe---[three NSA whistleblowers][30]. Most +interesting (and damning) for the purposes of our discussion is the [Summary of +Voluminous Evidence][31]. + +> I have served on the Intelligence Committee for over a decade and I wish to +> deliver a warning this afternoon. When the American people find out how their +> government has secretly interpreted [the business records provision of +> FISA], they are going to be stunned and they are going to be angry.[^32] +> --Senator Ron Wyden + +Note that the Senator is referring to precisely the same provision---business +records---that was partly declassified by James Clapper on Thursday.[[23]] Of +course, we are assuming that the NSA decides to go to the FISA Court for +permission; this apparently has not always been the case. + +According to [the summary of evidence][31], the NSA stated: + +> To perform both its offensive and defensive mission, NSA must "live on the +> network." [The program would be] a powerful and permanent presence on a +> global telecommunications infrastructure where protected American +> communications and targeted adversary communications will coexist. + +This certainly shares some similarities with the Verizon case. But FISA stood +in the way of this goal; John Yoo explains why FISA was insufficient for such +a dragnet operation: + +> [U]nder existing laws like FISA, you have to have the name of somebody, have +> to already suspect that someone's a terrorist before you can get a warrant. +> [...] it doesn't allow you as a government to use judgment based on +> probability to say: "[...] 
there's a high probability that some of those +> calls are terrorist communications. But we don't know the names of the people +> making those calls." You want to get at those phone calls, those e-mails, but +> under FISA you can't do that.[^33] --Jon Yoo + +After the September 11th attacks, "FISA ceased to be an operative +concern".[[31]] If that statement sounds unsettling, that is because it is; +President Bush subsequently authorized the NSA to "conduct electronic +surveillance within the United States" without an order from the FISA Court +(FISC). General Hayden phrased it as such: the program "is a more [...] +`aggressive' program than would be traditionally available under FISA".[^34] +What---if anything---does this mean about any current NSA operations (including +the Verizon order)? If Bush is able to authorize such actions, what is to say +that Obama will not (and has not)? + +Let us return to the statements from both Clapper[[23]] and Obama stating that +"nobody is listening to the content of your phone calls".[[16]] We can certainly +hope that this is the case, but we shall continue to draw from evidence in the +[Jewel v. NSA case][12] to see what the NSA has done in the past. 
+ +> It was the biggest legal mess I've ever encountered.[^35] --Jack Goldsmith, Justice +> Department's Office of Legal Consel + +The program operated "in lieu of" court orders.[^36] Even more alarming (if such a +thing is possible), "neither the President nor Attorney General approved the specific +interceptions; rather, the decision to listen or read particular communications was +made by intelligence analysts"; the only authorization needed was by an NSA +"shift supervisor".[^37] So, let's reiterate: + +> **Obama:** If these folks — if the intelligence community then actually wants to listen +> to a phone call, they've got to go back to a federal judge, just like they +> would in a criminal investigation.[[16]] + +It may very well be that Obama is being truthful within context of the Verizon +order; perhaps they have learned from their mistakes with the AT&T dragnet. +Unfortunately, their secrecy is making it very difficult for the public to make +an informed analysis of the matter. + +Ultimately, it is believed that Attorney General Comey's initial certifications of +the program were "based on a misimpression of those activities" due to a botched +legal analysis by Jon Yoo that was described as "at a minimum [...] factually +flawed". Yoo was the only OLC official to read into the program since its +inception in October 2001 until his leaving in May 2003.[[31]] When Comey refused +to reauthorize the program, Bush did so himself, resulting in threats of resignation +from Comey and "about two dozen Bush appointees". However, "[d]espite the illegality +of the Program, no officials resigned."[[31]]. + +In 2009, the New York Times published a series of articles regarding the +program, exposing a ["serious issue involving the NSA" concerning +"significant misconduct"][38]. 
This included a "`flagrant' overcollection +of domestic email".[[31]] + +> Because each court order could single out hundreds or even thousands of phone +> numbers or e-mail addresses, the number of individual communications that +> were improperly collected could number in the millions, officials said.[[31]] + +That was then; this is now, right? How can we be sure of any connection between +the NSA of a decade ago vs. the NSA of today? Well, as an average citizen with +no security clearance, I can't. However, there are some important connections that +can be made. Firstly, recall Ron Wyden's quote above stating that the public +will be "stunned" and "angry".[^32] On Thursday, June 6th, he [released this +statement on his Senate website][39]: + +> The program Senators Feinstein and Chambliss publicly referred to today is one +> that I have been concerned about for years. I am barred by Senate rules from +> commenting on some of the details at this time. However, I believe that when +> law-abiding Americans call their friends, who they call, when they call, and +> where they call from is private information. Collecting this data about every +> single phone call that every American makes every day would be a massive +> invasion of Americans’ privacy.[[39]] --Senator Ron Wyden + +Perhaps the most obvious and direct connection is that the [government asked for +more time in Jewel v. NSA (and Shubert v. Obama) in light of the NSA +revelations][40]. + +> The revelations not only confirmed what EFF has long alleged, they went even +> further and honestly, we’re still reeling. EFF will, of course, be continuing +> its efforts to get this egregious situation addressed by the courts. +> +> [...] EFF and others had long alleged that, despite the rhetoric surrounding +> the Patriot Act and the FISA Amendments Act, the government was still +> vacuuming up the records of the purely domestic communications of millions of +> Americans. 
And yesterday, of course, with the Verizon order, we got solid +> proof.. And it appears that the reach of this vacuum goes much further, into +> the records of our Internet service providers as well.[[41]] --Electronic +> Frontier Foundation + +This brings us back to [PRISM][19]. Numerous sources reported that [the White +House confirmed][42] its existence. Indeed, if you consider the President's +original words--- "the programs that have been discussed over the last couple +days in the press are secret in the sense that they’re classified"[[16]]---this +does seem to be a verification of the project's existence. However, confusion ensued +when [companies like Google and Facebook denied involvement][43], despite what +the [leaked information seems to state][19]. Yonatan Zunger---chief architect at +Google---[reiterated the words of Larry Page][44]: + +> I can also tell you that the suggestion that PRISM involved anything happening +> directly inside our datacenters surprised me a great deal; owing to the nature +> of my work at Google over the past decade, it would have been challenging -- +> not impossible, but definitely a major surprise -- if something like this +> could have been done without my ever hearing of it. And I can categorically +> state that *nothing* resembling the mass surveillance of individuals by +> governments within our systems has ever crossed my plate.[[44]] --Yonatan +> Zunger, Chief Architect, Google + +Questions then arose as to what exactly "PRISM" is. Marc Ambinder with The Week +reported that [PRISM is nothing more than one of many different "data collection +tools"][45] that may be used by the NSA. One day later, Marc posted another article +entitled ["Solving the mystery of PRISM"][46] + +> Each data processing tool, collection platform, mission and source for raw +> intelligence is given a specific numeric signals activity/address designator, +> or a SIGAD. [...] PRISM is US-984XN. 
Each SIGAD is basically a collection +> site, physical or virtual; [...] PRISM is a kick-ass GUI that allows an +> analyst to look at, collate, monitor, and cross-check different data types +> provided to the NSA from internet companies located inside the United States.[[46]] + +Others hypothesized that, due to the denial of involvement from various +companies[[44]], PRISM may operate by intercepting communications. The Guardian +[countered by releasing another slide from the leaked presentation][47], stating +outright that "[b]oth of these theories appear to be contradicted by internal +NSA documents". + +> It clearly distinguishes Prism, which involves data collection from servers, +> as distinct from four different programs involving data collection from "fiber +> cables and infrastructure as data flows past".[[47]] + +This sounds a great deal like Klein's description of the SG3 Secure Room at +AT&T[[27]] (though I do not intend to imply that they are the same thing---that is +not clear, nor does Klien state that he ever noted the word "PRISM" on any +documents). The Guardian goes on to state that "[a] far fuller picture of the exact +operation of Prism [...] is expected to emerge in the coming weeks and months". +(Is that foreshadowing or an educated guess?) + +There is, of course, the other obvious hypothesis---that organizations including +Google, Facebook and Microsoft are being [deceptive or not telling the whole +truth][48]. Alternatively, maybe such operations were being done under the noses +of executives. On Friday, the New York Times published an article stating that +the technology companies ["cooperated at least a bit"][49]. + +> [Google, Micorsoft, Yahoo, Facebook, AOL, Apple and Paltalk] were legally +> required to share the data under the Foreign Intelligence Surveillance Act. +> [...] 
But instead of adding a back door to their servers, the companies were +> essentially asked to erect a locked mailbox and give the government the key, +> people briefed on the negotiations said. Facebook, for instance, built such a +> system for requesting and sharing the information, they said.[[49]] + +This does not necessarily mean that these companies had any knowledge, +specifically, of "PRISM". As the Guardian said, I will be curious to see what +information surfaces in the coming months; the gag provisions of the orders make +for an unfortunate situation for everyone involved. + +Let us return to the President's statements. + +> **Obama:** And I welcome this debate. And I think it's healthy for our +> democracy. I think it's a sign of maturity, because probably five years ago, +> six years ago, we might not have been having this debate.[[16]] + +This is a difficult debate to have, Mr. President, when the public does not know +of the existence of these programs; we only have knowledge of these programs due +to the aforementioned leaks---courageous individuals who feel that their +government is not representative of the democracy and freedom that it supposedly +represents. This segues into another statement from the President: + +> **Jackie Calmes:** Do you welcome the leak, sir? Do you welcome the leak if +> you welcome the debate? +> +> **Obama:** I don't---I don't welcome leaks, because there's a reason why these +> programs are classified. [...] But that's also why we've set up congressional +> oversight. These are the folks you all vote for as your representative in +> Congress, and they’re being fully briefed on these programs. + +Unfortunately, Obama seems to have missed another critical fact. We---the +people---vote for representatives that, well, "represent" *the issues that we +care about*. Those who are strongly opposed to gun legislation will vote for +those representatives that share those feelings and will fight to oppose such +legislation. 
Similarly, a pro-life supporter will probably not vote for a +candidate in favor of abortion. But what if there is a candidate that shares one +opinion but not another---say, opposes gun regulation but supports abortion, +when you as a voter are a pro-life gun-owner against gun legislation? Then you +will likely vote for the issues that you feel most strongly about (or what you +feel is a fair balance between all the other issues you follow). The problem +here, Mr. President, is that we---the people---are not made aware of these +issues because they are *classified*. How many people may not have voted for +you, Mr. President, had they known that you would support dragnet surveillance +of innocent Americans? + +**Sunday, June 9th, 2013**---The Guardian continues to surprise the world by +[releasing the name of the NSA whistleblower at his request][50]. Edward +Snowden, a 29-year-old former CIA technical assistant and current defense +contractor employee is responsible for what The Guardian is calling "the +biggest intelligence leak in the NSA's history". Reporting from Hong +Kong---where Snowden fled to on May 20th in the hope of resisting the +U.S. government---Glenn Greenwald, Ewen MacAskill and Laura Poitras report +on his motives. + +> Three weeks ago, Snowden made final preparations [...] [a]t the NSA office in +> Hawaii where he was working, [copying] the last set of documents he intended +> to disclose.[[50]] + +Snowden describes situations where he began to begin questioning his government, +such as a case where a CIA operative purposely encouraged a Swiss banker to get +intoxicated and drive drunk so that he would be arrested. "Much of what I saw +in Geneva really disillusioned me about how my government functions and what its +impact is in the world." He mentioned that the election of Obama in 2008 gave +him hope for reform, but watched in 2009 as "Obama advanced the very policies +that I thought would be reined in. [...] 
I got hardened."[[50]] + +It is this statement from Snowden that, if accurate, suggests that Obama not +only supports Bush's initial dragnet operation[[31]], but has further expanded it. + +At this point, since the news is still quite young at the time that this article +was written, the world must wait to see what action the government will attempt +to take against Snowden. Reuters had already reported the previous day that +[the government is likely to open a criminal probe into the NSA leaks][51]. + +> James Clapper, the director of U.S. national intelligence, condemned the leaks +> and asserted that the news articles about PRISM contained "numerous +> inaccuracies."[[51]] + +Snowden is not the first to come forward as a whistleblower from the NSA---as we +discussed previously, three NSA whistleblowers came fourth previously to back the +EFF in Jewel v. NSA;[[30]] they each had the charges either cleared or dropped. That +said, [Obama has been aggressively pursuing whistleblowers][59]. Snowden +mentioned that he views his best hope of freedom as the possibility of asylum +with Iceland.[[50]] It appears that such may already be working in his favor, with +[Iclandic Legislator Birgitta Jonsdottir already starting the process to apply +for asylum][52], although it is not clear if Snowden has already applied. + +There is a great deal to think about. Even though the [evidence against the NSA +dates far back][4], the recent revelations invoke emotions that are difficult to +describe. With countless individuals working to sift through the information, +the Obama administration under attack and nobody knowing if the Guardian is +sitting on even more information, the entire world will continue to watch +impatiently...and act. + +While all this is going on, it would be useful to reiterate certain privacy and +security topics that have already been covered at large. 
Firstly, consider +checking out the EFF's [Surveillance Self-Defense][53] website, which contains +information on a number of topics including anonymity and how to respond to +court orders. Consider using [Tor for anonymity][54] online (but recognize that +it is not a full solution in itself). Consider [keeping your data to +yourself][55] rather than storing it on "cloud" services---[Richard Stallman +explains how Software as a Service (SaaS) differs in dangers from proprietary +software][56]. Consider using only [free software][57] to limit further +sacrifices in personal freedom and to limit the information that corporations +and third parties collect from you while using your computer and other devices. +Finally, if you have information that you want to leak to the press (whether or +not you are an [NSA employee][58]), you may be able to consider tools such as +[The New Yorker's Strongbox][60]; it uses [software created by Aaron Swartz][61] +shortly before his untimely death early this year. + +Finally, aid senators like Rand Paul in developing [legislation to curb the powers +of the government][62]. We must also do our best to fight for the rights of +brave whistleblowers like Snowden. To end with the words of the EFF, ["we need +a new church committee and we need it now"][41]. + +[5]: http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-order + "NSA collecting phone records of millions of Verizon customers daily" +[6]: http://s3.documentcloud.org/documents/709012/verizon.pdf "PDF of the FISA Court order to Verizon." +[7]: http://s3.documentcloud.org/documents/709012/verizon.txt "Ibid; plain text version." 
+[8]: https://www.eff.org/deeplinks/2013/06/confirmed-nsa-spying-millions-americans + "Confirmed: NSA Spying on Millions of Americans" +[9]: https://www.eff.org/deeplinks/2011/10/ten-years-later-look-three-scariest-provisions-usa-patriot-act + "Three Scariest Provisions of thet USA Patriot Act" +[10]: /2013/03/federal-judge-rules-nsls-national-security-letters-unconstitutional + "Federal Judge Declares National Security Letters Unconstitutional" +[11]: http://www.theatlantic.com/politics/archive/2013/06/what-we-dont-know-about-spying-on-citizens-scarier-than-what-we-know/276607/ + "Bruce Schneier comments on NSA leak" +[12]: https://www.eff.org/cases/jewel "Jewel v. NSA" +[13]: https://www.eff.org/cases/hepting "Hepting v. AT&T" +[14]: /2012/11/privacy-in-light-of-the-petraeus-scandal + "Privacy In Light of the Petraeus Scandal" +[15]: /2013/03/google-says-the-fbi-is-secretly-spying-on-some-of-its-customers + "Google Says the FBI Is Secretly Spying on Some of Its Customers" +[16]: http://blogs.wsj.com/washwire/2013/06/07/transcript-what-obama-said-on-nsa-controversy/ + "Obama on the NSA controversy" +[17]: https://www.eff.org/deeplinks/2013/05/congressional-outrage-over-ap-phone-records + "Congressional outrate of AP phone records" +[18]: https://www.eff.org/deeplinks/2013/05/doj-subpoena-ap-journalists-shows-need-protect-calling-records +[19]: http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data +[20]: http://googleblog.blogspot.com/2013/06/what.html "Larry Page denies PRISM involvement" +[21]: https://www.facebook.com/zuck/posts/10100828955847631 "Mark Zuckerberg denies PRISM involvement" +[22]: http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program +[23]: http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information + "James Clapper---Directory of National Intelligence---declassifies + information pertaining to the 
"business records" provision of FISA" +[24]: https://www.eff.org/deeplinks/2013/06/why-metadata-matters + "The EFF describes why telephony metadata can have a significant impact on our privacy." +[25]: http://mashable.com/2013/06/08/china-hack-nsa/ "What if crackers get a hold of the NSA's databases?" +[26]: http://rt.com/usa/us-chinese-report-defense-888/ "The Chinese crack into Pentagon systems." +[27]: https://www.eff.org/file/28823 "Public unredacted Mark Klein declaration" +[28]: https://www.eff.org/pages/case-against-retroactive-amnesty-telecoms "The Case Against Retroactive Amnesty for Telecoms." +[29]: http://www.govtrack.us/congress/bills/110/hr6304/text "FISA Amendments Act (FAA)." +[30]: https://www.eff.org/press/releases/three-nsa-whistleblowers-back-effs-lawsuit-over-governments-massive-spying-program + "Three NSA whistleblowers back the EFF in Jewel v. NSA" +[31]: https://www.eff.org/node/72021 "Summary of Voluminous Evidence, Jewel v. NSA" +[38]: http://www.nytimes.com/2009/04/16/us/16nsa.html?pagewanted=all "Officials Say U.S. 
Wiretaps Exceeded Law" +[39]: http://www.wyden.senate.gov/news/press-releases/wyden-statement-on-alleged-large-scale-collection-of-phone-records + "Ron Wyden comments on the collection of Verizon phone records" +[40]: https://www.eff.org/deeplinks/2013/06/government-asks-more-time-eff-surveillance-cases + "In Light of NSA Revelations, Government Asks for More Time in EFF Surveillance Cases" +[41]: https://www.eff.org/deeplinks/2013/06/response-nsa-we-need-new-church-commission-and-we-need-it-now + "In Response to the NSA, We Need A New Church Committee and We Need It Now" +[42]: http://www.theweek.co.uk/us/53475/white-house-admits-it-has-access-facebook-google + "White House admits it has "access" to Facebook, Google" +[43]: http://www.guardian.co.uk/world/2013/jun/07/google-facebook-prism-surveillance-program + "Facebook and Google insist they did not know of Prism surveillance program" +[44]: https://plus.google.com/+YonatanZunger/posts/huwQsphBron + "Yonatan Zunger---Chief Architect at Google---expresses his distaste of PRISM" +[45]: http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies + "Sources: NSA sucks in data from 50 companies" +[46]: http://theweek.com/article/index/245360/solving-the-mystery-of-prism + "Solving the mystery of PRISM" +[47]: http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google + "NSA's Prism surveillance program: how it works and what it can do." +[48]: http://www.guardian.co.uk/world/2013/jun/08/obama-response-nsa-surveillance-democrats + "Obama deflects criticism over NSA surveillance as Democrats sound alarm." 
+[49]: http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html?ref=global-home&_r=2&pagewanted=all& + "Tech Companies Concede to Surveillance Program" +[50]: http://www.guardian.co.uk/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance + "Edward Snowden: the whistleblower behind the NSA surveillance revelations." +[51]: http://www.reuters.com/article/2013/06/08/us-usa-security-leaks-idUSBRE95700C20130608 + "Government likely to open criminal probe into NSA leaks: officials." +[52]: http://www.forbes.com/sites/andygreenberg/2013/06/09/icelandic-legislator-im-ready-to-help-nsa-whistleblower-seek-asylum/ + "Icelandic Legislator: I'm Ready To Help NSA Whistleblower Edward Snowden Seek Asylum" +[53]: https://ssd.eff.org/ "EFF Surveillance Self-Defense." +[54]: https://www.torproject.org/ "The Tor project offers anonymity online." +[55]: http://www.guardian.co.uk/technology/2008/sep/29/cloud.computing.richard.stallman + "Cloud computing is a trap, warns GNU founder Richard Stallman" +[56]: http://www.gnu.org/philosophy/who-does-that-server-really-serve.html + "Who does that server really serve?" +[57]: http://www.gnu.org/philosophy/free-sw.html "What is free software?" +[58]: http://www.whistleblowers.org/index.php?option=com_content&task=view&id=984&Itemid=173 + "National Security Employees Know Your Rights" +[59]: http://www.theatlanticwire.com/politics/2011/05/obamas-war-whistle-blowers/38106/ + "Obama's War on Whistle-Blowers" +[60]: http://www.newyorker.com/strongbox/ "The New Yorker Strongbox" +[61]: http://www.newyorker.com/online/blogs/newsdesk/2013/05/strongbox-and-aaron-swartz.html + "Strongbox and Aaron Swartz" +[62]: http://abcnews.go.com/blogs/politics/2013/06/rand-paul-bill-would-curb-nsa-on-phone-records/ + "Rand Paul Bill Would Curb NSA on Phone Records" + +[^32]: Ibid.[[31]] 157 Cong. Rec. S3372--3402, S3386 (May 26, 2011) [Vol. VI, Ex. 111, p. 4286] + (Statement of Sen. 
Ron Wyden, On Patriot Act Reauthorization) +[^33]: Ibid.[[31]] PBS Frontline, Spying on the Homefront, Interview with John C. Yoo at 4 + (Jan. 10, 2007) [Vol. I, Ex. 10, p. 394] +[^34]: Ibid.[[31]] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden, + Principal Dep. Dir. for Nat’l Intelligence (Dec. 19, 2005) +[^35]: Ibid.[[31]] Preserving the Rule of Law in the Fight Against Terror: + Hearing before the S. Comm. on the Judiciary, 110th Cong. 7 (Oct. 2, 2007) + [Vol. III, Ex. 42, p. 1307] (testimony of Jack Goldsmith) +[^36]: Ibid.[[31]] Press Briefing by Att’y Gen. Alberto Gonzalez and Gen. Michael Hayden, Principal Dep. Dir. + for Nat’l Intelligence (Dec. 19, 2005) +[^37]: Ibid.[[31]] Remarks by Gen. Michael Hayden, Address to the National Press Club, Washington, D.C. (Jan. 23, 2006) + [Vol. IV, Ex. 73, p. 1809] diff --git a/post/2013-06-16-thoughts-cc-by-sa.md b/post/2013-06-16-thoughts-cc-by-sa.md new file mode 100644 index 0000000..73bb706 --- /dev/null +++ b/post/2013-06-16-thoughts-cc-by-sa.md 
@@ -0,0 +1,159 @@ +# All "Thoughts" and Site Text Now Licensed Under CC BY-SA + +All "thoughts"---that is, my blog-like entries that are generated by the +repository commit messages---and site text are hereby retroactively relicensed +under the [Creative Commons Attribution-ShareAlike 3.0 Unported License][0]. +This license shall not supersede any license that is explicitly put forth within +a work; see the COPYING file within the thoughts repository---available on the +"Projects" page---for more information. + +[0]: http://creativecommons.org/licenses/by-sa/3.0/ + + + +This is not a decision I take lightly; it has received much thought over the +course of recent years. For some time, I accepted [the view of Richard Stallman +and the Free Software Foundation][1] on opinion pieces in that, since they +express personal opinions, it is not unreasonable to require that they be +distributed verbatim. Indeed, it would seem wise not to allow someone to change +your words, especially on something that you are passionate about. + +However, I have come to adopt another perspective. What is the motivation behind +releasing content under a license that permits modification (that is, the +creation of derivative works)? Often, the primary reason is to allow others to +improve upon the content or to modify it to suit their particular needs. To +prevent others from locking down those changes---preventing others from having +the same rights as they did---many will often release their works under licenses +that require that all derivatives be released under the same terms. In the case +of Creative Commons, this is called ["ShareAlike"][2], which is motivated by +GNU's copyright hack called [copyleft][3] (popularized by the [GNU General +Public License][4]). + +For [free software][5] advocates, the question of whether or not to permit +modification is generally not even raised---it is a necessity. 
Software serves a +functional purpose: Prohibiting modification could prevent users from altering +the software in ways that they may find useful and could be used to exert +control over the users. Software does stuff. Software can control what the user +can and cannot do. + +Creative works are often considered in a different light. Like software, they +are indeed useful---they can be tools to learn, to entertain, etc. However, does +prohibiting modification do any harm? In the case of [documentation for free +software][6], yes---documentation is very important and can make the difference +between highly useful software and impenetrable software. Free documentation +ensures that, as the software grows, the documentation can grow with it. Since +the documentation for many projects is often scarce or poorly written (great +computer hackers are not necessarily great language hackers), the freedom to +modify the documentation is a necessity. + +Then what of texts that have nothing to do with a free software project? Texts +that serve as an educational resource of any kind would benefit from being free +just as a free software project would---experts could contribute, teachers could +alter it to suit their particular teaching style or their classroom setting, +etc. But what of texts that exist purely as opinion pieces? + +I'm not sure there's such a thing as a "pure" opinion piece, unless it is +utter garbage. + +An author would do well to substantiate their opinion with appropriate +references (though often times, this is not the case). With those +references (or lack thereof) comes the need to connect them to the content---the +author must explain his or her opinion. This explanation is educational, even if +the reader does not agree with the opinion. Perhaps the reader wishes to use the +opinion piece as a resource, but notices that it is lacking in some respect. +Should they not be able to improve it, perhaps to even further the author's +point? 
Or, perhaps the opinion piece could be extended to the contrary---to +prove additional references to either make it neutral or even work against the +author's original opinion. Even though this may not be what the author wants, +this is still a useful derivation of the original work. + +As an example, consider this very post. This is clearly an opinion piece---I +have made the choice to release my content under a Creative Commons license and +I am substantiating my opinion in the hope that others may gain insight and +possibly even choose the same path for their own creative works. What if someone +wished to present this article to a group of individuals---maybe in the +workplace---but found my "garbage" comment to be unnecessarily harsh? What +personal harm would I incur if they were to remove that statement? However, what +if they wished to go further by replacing all references to "free software" +with references to "open source"---a term which I [reject][7]? Well, this +could potentially affect my image, depending on the group's philosophy. What +now? + +There are a few important points to note from this. 
Firstly, the license +mandates that: + +> If You Distribute, or Publicly Perform the Work or any Adaptations or +> Collections, You must, unless a request has been made pursuant to Section +> 4(a), keep intact all copyright notices for the Work and provide, reasonable +> to the medium or means You are utilizing: (i) the name of the Original Author +> (or pseudonym, if applicable) if supplied, and/or if the Original Author +> and/or Licensor designate another party or parties (e.g., a sponsor institute, +> publishing entity, journal) for attribution ("Attribution Parties") in +> Licensor's copyright notice, terms of service or by other reasonable means, +> the name of such party or parties; (ii) the title of the Work if supplied; +> (iii) to the extent reasonably practicable, the URI, if any, that Licensor +> specifies to be associated with the Work, unless such URI does not refer to +> the copyright notice or licensing information for the Work; and (iv) , +> consistent with Ssection [sic] 3(b), in the case of an Adaptation, a credit +> identifying the use of the Work in the Adaptation (e.g., "French translation +> of the Work by Original Author," or "Screenplay based on original Work by +> Original Author").[8] + +In plain English---you must provide attribution to the original author and +indicate that the work has been modified from the original. Furthermore: + +> The credit required by this Section 4(c) may be implemented in any reasonable +> manner; provided, however, that in the case of a Adaptation or Collection, at +> a minimum such credit will appear, if a credit for all contributing authors of +> the Adaptation or Collection appears, then as part of these credits and in a +> manner at least as prominent as the credits for the other contributing +> authors.[8] + +It would therefore be appropriate to assume that an author of a derivate work +will, in good faith, make clear attribution. 
Should this not be the case, then +what is to say that the author would not have simply modified a work which is +not licensed to permit modifications? + +The next point is another simple one: Under United States copyright law, the +[fair use doctrine][9] permits limited use of a copyrighted work without prior +consent from the author; it is this doctrine that allows, for example, authors +and journalists to quote portions of other works to report on or back up their +arguments. This means that, even if the license did not permit, an author could +still incorporate *portions* of my work to support their own arguments or agenda, +regardless of whether or not I may agree with it. This segues into the final +point. + +Who am I to [dictate others opinions][10]? It would not be right of me to limit +one's freedom simply because they violate my own personal opinions or beliefs. +Therefore, if this is one condition under which I would decide to restrict my +creative works, then that reason should be immediately dismissed. This means +that---within the context of my previous example---if someone wanted to alter +all the references to "free software" in my work to adapt it to their own +personal style, then they should be permitted to do so. Such a work is no longer +my own: They must clearly state that it has been altered from the original. +Hopefully readers take notice of that. My works are always published on my own +personal website where the originals can be found; with today's search engines, +such a task is trivial. If someone neglects to do so---and I do understand that +many will neglect to do so---then they have not made an informed opinion on the +material. + +Another minor point would be that, for the majority of my works, it is unlikely +that anyone will be making any sort of alteration. + +As such, I find that I have little ground to stand on should I attempt to +rationalize a more restrictive license. 
Any remaining arguments, such as "what +if they sell your content or modify it only slightly and are given more credit +for the work than they deserve?" are already covered by the free software +philosophy can may be easily adopted here. + +[1]: http://www.gnu.org/licenses/license-list.html#OpinionLicenses +[2]: http://creativecommons.org/licenses/ +[3]: https://www.gnu.org/copyleft/copyleft.html +[4]: https://www.gnu.org/copyleft/gpl.html +[5]: https://www.gnu.org/philosophy/free-sw.html +[6]: https://www.gnu.org/philosophy/free-doc.html +[7]: http://www.gnu.org/philosophy/open-source-misses-the-point.html +[8]: http://creativecommons.org/licenses/by-sa/3.0/legalcode +[9]: http://en.wikipedia.org/wiki/Fair_use +[10]: http://www.gnu.org/philosophy/programs-must-not-limit-freedom.html + diff --git a/post/2013-07-12-snowden-asylum.md b/post/2013-07-12-snowden-asylum.md new file mode 100644 index 0000000..3c0b66d --- /dev/null +++ b/post/2013-07-12-snowden-asylum.md 
@@ -0,0 +1,64 @@ +# Snowden Statement at Moscow Airport; Accepts Asylum Offers + +**See Also:** [National Uproar: A Comprehensive Overview of the NSA Leaks and +Revelations][0]; I have not yet had the time to devote to writing a thorough +follow-up of recent events and will likely wait until further information and +leaks are presented. + +[Edward Snowden][1]---the whistleblower responsible for [exposing various NSA +dragnet spying programs][0], among other documents---has been [stuck in the +Moscow airport][2] for quite some time while trying to figure out how he will +travel to countries offering him asylum, which may involve traveling through +territories that may cooperate with the United States' extradition requests. + +[0]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations +[1]: https://en.wikipedia.org/wiki/Edward_Snowden (Now with his own Wikipedia page) +[2]: http://www.guardian.co.uk/world/2013/jul/01/edward-snowden-escape-moscow-airport + + + +Snowden [issued a statement today to Human Rights groups at Moscow's +Sheremetyevo airport][3], within which he mentioned: + +> I announce today my formal acceptance of all offers of support or asylum I +> have been extended and all others that may be offered in the future. With, for +> example, the grant of asylum provided by Venezuela’s President Maduro, my +> asylee status is now formal, and no state has a basis by which to limit or +> interfere with my right to enjoy that asylum. [...] I ask for your assistance +> in requesting guarantees of safe passage from the relevant nations in securing +> my travel to Latin America, as well as requesting asylum in Russia until such +> time as these states accede to law and my legal travel is permitted. 
I will be +> submitting my request to Russia today, and hope it will be accepted +> favorably.[3] + +Snowden had previously [withdrawn his request for political asylum in Russia][4] +after [Vladmir Putin stated that he could stay][5] only if he stopped "bringing +harm to our American partners"---something which [Snowden does not believe that +he is doing][6]. Although Venezuela has offered Snowden asylum, as [explained by +the Guardian][6], "he remains unable to travel there without travel +documents". Even if he does obtain travel documents, there are still +worries---earlier this month, the [Bolivian president's plane was diverted with +suspicion that Snowden was on board][7], showing that certain countries may be +willing to aid the U.S. in his extradition or otherwise prevent him from +traveling. + +My focus on these issues will seldom be on Snowden himself---I would prefer to +focus primarily on what he sacrificed his life to bring to light. But it is +precisely this sacrifice that makes it important to ensure that Snowden does not +fall out of the picture (though it does not appear that he will any time soon). +The Guardian also seems to have adopted the strategy of slowly providing more +information on the leaks over time---such as the recent revelation that +[Microsoft cooperated with the NSA's Prisim program to provide access to +unencrypted contents of Outlook.com, Hotmail, Skype and SkyDrive services][8]; I +will have more on that later. + +I end this with a photograph taken yesterday of [Richard Stallman with Julian +Assange holding up a picture of Snowden][9] that brings a smile to my face. 
+ +[3]: http://wikileaks.org/Statement-by-Edward-Snowden-to.html +[4]: http://www.guardian.co.uk/world/2013/jul/02/edward-snowden-nsa-withdraws-asylum-russia-putin +[5]: http://www.guardian.co.uk/world/2013/jul/01/putin-snowden-remain-russia-offer +[6]: http://m.guardiannews.com/world/2013/jul/12/edward-snowden-accuses-us-illegal-campaign +[7]: http://www.guardian.co.uk/world/2013/jul/05/european-states-snowden-morales-plane-nsa +[8]: http://www.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data +[9]: http://twitpic.com/d279tx diff --git a/post/2013-08-11-london-trash-spies.md b/post/2013-08-11-london-trash-spies.md new file mode 100644 index 0000000..b8c520d --- /dev/null +++ b/post/2013-08-11-london-trash-spies.md 
@@ -0,0 +1,99 @@ +# London Trashcan Spies + +We're not talking about kids hiding out in trashcans talking on +walkie-talkies and giggling to each other. + +[Ars has reported on London trashcans][0] rigged to collect the [MAC +addresses][1] of mobile devices that pass by. Since we do not often see +mobile devices carrying themselves around, we may as well rephrase this as +"collect the MAC addresses of people that pass by": + +> During a one-week period in June, just 12 cans, or about 10 percent of the +> company's fleet, tracked more than 4 million devices and allowed company +> marketers to map the "footfall" of their owners within a 4-minute +> walking distance to various stores. + +[0]: http://arstechnica.com/security/2013/08/no-this-isnt-a-scene-from-minority-report-this-trash-can-is-stalking-you/ +[1]: http://en.wikipedia.org/wiki/MAC_address + + + +Your device's---er, *your*---MAC address is a unique identifier that, in +the case of wireless networks, is used by the networks to state that a +message is intended specifically for you---something that is necessary since +wireless devices communicate through open air and, therefore, your device is +[also able to pick up the communications of other devices][2]: + +> In IEEE 802 networks such as Ethernet, token ring, and IEEE 802.11, and in +> FDDI, each frame includes a destination Media Access Control address (MAC +> address). In non-promiscuous mode, when a NIC receives a frame, it +> normally drops it unless the frame is addressed to that NIC's MAC address +> or is a broadcast or multicast frame. + +Therefore, in such networks, a MAC address is required for communication. So +why does your device freely give away such a unique identifier that can be +used to track you? Consider that, when wireless is enabled (and, as [the Ars +article][0] mentions, sometimes [even when it's not][3]), your device +generally scans your surroundings in order to provide you with a list of +networks to connect to. 
This list is generally populated when various access +points broadcast their own information to advertise themselves so that you +can select them to connect. However, some access points are hidden---they do +not broadcast their information, which helps to deter unwanted or malicious +users. To connect to these access points, you generally provide the name +that the access point administrator has given to it (e.g. "mysecretap"). + +Let's say you disconnect from mysecretap. Since the access point (AP) is not +broadcasting itself, how does your device know when it is available again? +It must attempt to ping it and see if it gets a response. With this ping is +your MAC address. Since many devices conveniently like to connect +automatically to known access points when they become available, it is +likely that your device is pinging rather frequently. + +But what if you do not use hidden access points? Well, it is likely that the +same issue still stands---what if the access point that you connected to was +once listed but then becomes hidden? (Maybe the administrator of the access +point allowed broadcasts for a period of time to allow people to connect +easily, but then hid it at a later time.) Your device would need to account +for that, and therefore, to be helpful, likely broadcasts pings for any +access point you have connected to recently (where "recently" would depend +on your device). + +Now, back to the [NSA][5]-wannabe-trashcans: At this point, all an observer +must do is lay in wait for those broadcasts and record the MAC addresses. By +placing these devices at various locations, you could easily track the +movements of individuals, including their speed, destinations, durations of +their visits, visit frequencies, favorite areas, dwellings, travel patterns, +etc. 
Since devices may broadcast a whole slew of recent access points that +it connected to, you could also see areas that the owner may have been to +(oh, I see that you connected to the free wifi in that strip joint). You +[could be evil][6]. + +Turn off wireless on your device when you are not using it---especially when +you are traveling. Ensure that your device [does not continue pinging access +points when wireless is disabled][3]. + +Better yet, fight back. Consider exploring how to spoof your MAC address, +perhaps randomly generating one every so often. Consider the possibilities +of activist groups that may pollute these spy databases by gathering a list +of unique MAC addresses of passerbys for the purpose of rebroadcasting them +at random intervals---which you could even do using long-range antennas +targeted at these devices.[^7] If done properly to mimic models of common +travel patterns, the data that these spy devices gather would become +unreliable.[^8] + +Surveillance by any entity---be it [governments][5], corporations, +individuals or otherwise---is not acceptable. + +[2]: http://en.wikipedia.org/wiki/Promiscuous_mode +[3]: http://arstechnica.com/gadgets/2013/08/review-android-4-3-future-proofs-the-platform-with-multitude-of-minor-changes/3/#p15 +[4]: http://arstechnica.com/security/2013/08/diy-stalker-boxes-spy-on-wi-fi-users-cheaply-and-with-maximum-creep-value/ +[5]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations +[6]: http://renewlondon.com + +[^7]: Disclaimer: Please research your local laws. + +[^8]: Of course, it is important that such an activity in itself does not +violate a person's privacy, and so such collection must be done in a manner +that cannot in itself identify the person's travel patterns (e.g. by +not storing information on what access point the data was collected from). + 
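Review bot: reference [4] (the Ars "DIY stalker boxes" article) is defined in the link block of post/2013-08-11-london-trash-spies.md but never cited in the body, so it renders nowhere; either cite it, for instance at "all an observer must do is lay in wait for those broadcasts and record the MAC addresses", or drop the definition. The mechanism the post calls a "ping" (the device asking whether a remembered hidden AP is back) is an 802.11 probe request carrying the device's MAC address and the remembered network name; naming it would help readers who want to look up how their own devices behave. Minor wording: "lay in wait" should be "lie in wait", and "passerbys" is "passersby".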
diff --git a/post/2013-08-12-facebook-spying.md b/post/2013-08-12-facebook-spying.md new file mode 100644 index 0000000..d07d2a7 --- /dev/null +++ b/post/2013-08-12-facebook-spying.md @@ -0,0 +1,17 @@ +# Facebook knows about you even if you are not a member + +An article about [the scope of Facebook's data collection][0] speaks for +itself; this really does not come as a surprise, but is nonetheless +unsettling. + +[0]: http://www.groovypost.com/news/facebook-shadow-accounts-non-users/ + + + +Encourage your friends, colleagues and acquaintances to use services like +[Diaspora][1] that are respectful of your data instead. Better yet: explain +to those individuals the problems of social media services and ask that they +respectfully leave you out of it. + +[1]: https://joindiaspora.com/ + diff --git a/post/2013-08-12-win8-ads.md b/post/2013-08-12-win8-ads.md new file mode 100644 index 0000000..82febd1 --- /dev/null +++ b/post/2013-08-12-win8-ads.md 
@@ -0,0 +1,40 @@ +# Windows 8.1 to display targeted advertisements on local system searches + +It is very disturbing that [Microsoft decided that it would be a good idea +to display targeted ads on local searches][0]---that is, if you search for a +file on your PC named "finances", you may get ads for finance software, +taxes, etc. If you search for "porn", well, you get the idea. + +> Bing Ads will be an integral part of this new Windows 8.1 Smart Search +> experience. Now, with a single campaign setup, advertisers can connect +> with consumers across Bing, Yahoo! and the new Windows Search with highly +> relevant ads for their search queries. In addition, Bing Ads will include +> Web previews of websites and the latest features like site links, location +> and call extensions, making it easier for consumers to complete tasks and +> for advertisers to drive qualified leads.[[1]] + +[0]: http://www.computerworld.com/s/article/9241524/Steven_J._Vaughan_Nichols_Microsoft_Bing_bang_bungles_local_search +[1]: http://community.bingads.microsoft.com/ads/en/bingads/b/blog/archive/2013/07/02/new-search-ad-experiences-within-windows-8-1.aspx + + + +While that is certainly obnoxious, consider the larger issue of privacy +(which seems to be in the news a lot lately[[2]][[3]]): Late last year, there +was an uproar in the Free Software community when [Ubuntu decided to query +Amazon---enabled by default---on local searches][4] using their new Unity +interface. The problem is that your personal queries are being sent to a +third party---queries that you generally would expect to be private. If I +run a `find' or `grep' command on my system, I certainly do not expect it to +report to Amazon or Microsoft what I am searching for. + +And to make matters even worse, Microsoft is exploiting this information to +allow advertisers to target you. [Ironic.][5] + +[Do not use Windows 8][6] (or any other proprietary software, for that +matter). 
+ +[2]: /2013/08/facebook-knows-about-you-even-if-you-are-not-a-member +[3]: /2013/06/national-uproar-a-comprehensive-overview-of-the-nsa-leaks-and-revelations +[4]: http://www.fsf.org/blogs/rms/ubuntu-spyware-what-to-do +[5]: http://www.scroogled.com/email/ +[6]: https://www.fsf.org/windows8 diff --git a/post/2013-08-13-air-temp-phone-battery.md b/post/2013-08-13-air-temp-phone-battery.md new file mode 100644 index 0000000..c2f419b --- /dev/null +++ b/post/2013-08-13-air-temp-phone-battery.md 
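Review bot: the TeX-style quoting `find' and `grep' in the privacy paragraph will not render as intended in Markdown, because each lone backtick opens an inline code span that runs on to the next backtick; use matched backticks, `find` and `grep`. Also the title says Windows 8.1 while the closing line says "Do not use Windows 8" and the [6] URL is fsf.org/windows8; consider wording the last line as "Windows 8 (or 8.1)" so the title and the call to action agree.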
@@ -0,0 +1,64 @@ +# Measuring Air Temperature With Phone Batteries + +OpenSignal---a company responsible for mapping wireless signal +strength by gathering data using mobile device software---noticed [an +interest correlation between battery temperature on devices and air +temperature][0]. + +> Aggregating daily battery temperature readings to city level revealed a +> strong correlation with historic outdoor air temperature. With a +> mathematical transformation, the average battery temperature across a +> group of phones gives the outdoor air temperature. + +[0]: http://opensignal.com/reports/battery-temperature-weather/ + + + +**Note:** Graph renderings on their website require proprietary JavaScript, but +the article does describe it in detail, so it is not necessary. In +particular, note that, from [their provided equation][0], their scaling factor +`m' implies that there is a smaller variance in battery temperature in the +graph than there is in the actual air temperature, but that there is still a +correlation. + +This is an interesting find. The article further states that "[...] we have +one data point where the Android data is actually more reliable than the +traditional source." + +Such data can be very useful in providing decentralized data, so long as +[issues of privacy][1] are addressed. Doing so is not terribly difficult, +but would have a number of factors. In particular, the user would need the +means to submit data anonymously, which could be done via software/networks +such as [Tor][2]. GPS location data is certainly a privacy issue when it is +tied to your mobile device, but fortunately, it's unneeded: you can trust +your users to let you know where they reside by either (a) opting into using +location services or (b) allowing them to specify a location or approximate +location of their choosing (approximations would be important since a user +may not wish to change their location manually while they travel, say, to +and from work). 
If enough devices submit data, then legitimate data would +drown out those who are trying to purposefully pollute the database. Such an +example can be seen with Bitcoin, in which networks will [reach a consensus +on correct blockchains][3] so long as "a majority of computing power is +controlled by nodes that are not cooperating to attack the network". Of +course, users would be able to pollute the network by sending false data as +it is, and the [data is already tarnished from various factors such as body +heat][0]. + +Of course, I do assume that mobile devices will contain temperature sensors +in the future; [some already do][4] (but I cannot encourage their use, as +they use [proprietary software][5]). However, this is still a clever hack (I +suppose that term is redundant). In my searching while writing this article, +I did notice [prior examples of ambient temperature readings using Android +software][6] ([proprietary][5]), but the software does not aggregate data +for purposes of determining weather patterns. + +Finally, please do not download OpenSignal's app; it too is +[proprietary][5]; this discussion was purely from a conceptual standpoint +and does not endorse any software. + +[1]: /2013/08/london-trashcan-spies +[2]: https://www.torproject.org/ +[3]: http://en.wikipedia.org/wiki/Protocol_of_Bitcoin +[4]: http://stackoverflow.com/a/11628921 +[5]: http://www.gnu.org/philosophy/free-sw.html +[6]: https://play.google.com/store/apps/details?id=androidesko.android.electronicthermometer&hl=en diff --git a/post/2013-08-13-copyleft-vs-community.md b/post/2013-08-13-copyleft-vs-community.md new file mode 100644 index 0000000..5c7a226 --- /dev/null +++ b/post/2013-08-13-copyleft-vs-community.md 
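Review bot: the claim that legitimate data would drown out polluters rests on a Bitcoin analogy that does not transfer: the quoted consensus guarantee is about a majority of computing power, i.e. each vote costs proof-of-work, whereas the design proposed here (anonymous submission via Tor, no device identity, user-chosen location) makes a submission free, so one party can submit as many false readings as it likes and the honest majority of devices is no defence. The paragraph should say that some per-submission cost or per-device rate limit is needed, and note that this is in tension with the anonymity goal. Minor: "an interest correlation" should be "an interesting correlation", and `m' has the same unmatched-backtick rendering problem as in the Windows post (use `m`).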
@@ -0,0 +1,209 @@ +# FreeBSD, Clang and GCC: Copyleft vs. Community + +A useful perspective explaining why [FreeBSD is moving away from GCC in +favor of Clang][0]; indeed, they are moving away from GPL-licensed software +in general. While this is [not a perspective that I personally agree +with][1], it is one that I will respect for the project. It is worth +understanding the opinions of those who disagree with you to better +understand and formulate your own perspective. + +[0]: http://unix.stackexchange.com/a/49970 +[1]: /2012/11/vlcs-move-to-lgpl + +But I am still a free software activist. + + + +According to the [FreeBSD FAQ][2]: + +> The goal of the FreeBSD Project is to provide a stable and fast general +> purpose operating system that may be used for any purpose without strings +> attached. + +As is mentioned in [the aforementioned article][0], the BSD community does not +hold the same opinions on what constitutes "without strings +attached"---the BSD community [considers the restriction on the user's +right to make proprietary use of the software to be a "string"][2], +whereas the free software community under [RMS][3] believes that [the +ability to make a free program proprietary is unjust][4]: + +> Making a program proprietary is an exercise of power. Copyright law today +> grants software developers that power, so they and only they choose the +> rules to impose on everyone else—a relatively small number of people make +> the basic software decisions for all users, typically by denying their +> freedom. When users lack the freedoms that define free software, they +> can't tell what the software is doing, can't check for back doors, can't +> monitor possible viruses and worms, can't find out what personal +> information is being reported (or stop the reports, even if they do find +> out). If it breaks, they can't fix it; they have to wait for the developer +> to exercise its power to do so. 
If it simply isn't quite what they need, +> they are stuck with it. They can't help each other improve it. + +The [Modified BSD License][5] is a GPL-compatible Free Software +license---that is, software licensed under the Modified BSD license meets +the requirements of the [Free Software Definition][6]. The additional +"string" that the BSD community is referring to is the concept of +[copyleft][7]---Richard Stallman's copyright hack and one of his most +substantial contributions to free software and free society. To put it into +the [words of the FSF][7]: + +> Copyleft is a general method for making a program (or other work) free, +> and requiring all modified and extended versions of the program to be free +> as well. + +Critics often adopt the term ["viral" in place of "copyleft"][8] because +of the requirement that all derivatives must contain the same copyleft +terms---the derivative must itself be Free Software, perpetually (until, of +course, the copyright term expires and it becomes part of the public domain, +[if such a thing will ever happen at this rate][9]). In the case of the +Modified BSD license---being a more permissive license that is non-copyleft +and thus allows proprietary derivatives---derivative works that include both +BSD- and GPL-licensed code essentially consume the [Modified BSD license's +terms][10], which are a subset of the [GPL's][11]. Of course, this is not +pursuant to [FreeBSD's goals][2] and so they consider this to be a bad +thing: There are "strings attached". + +This is more demonstrative of the ["open source" philosophy than that of +"Free Software"][12] (yes, notice the bias in my capitalization of these +terms). + +[Copyleft is important][7] because it ensures that all users will forever +have the [four fundamental freedoms associated with Free Software][6]. The +GPL incorporates copyleft; BSD licenses do not. Consider why this is a +problem: Imagine some software Foo licensed under [the Modified BSD +license][10]. 
Foo is free software; it is licensed under a [free software +license (Modified BSD)][5]. Now consider that someone makes a fork---a +derivative---of Foo, which we will call "Foobar". Since [the Modified BSD +license is not copyleft][10], the author of Foobar decides that he or she +does not wish to release its source code; this is perfectly compliant with +the Modified BSD license, as it does not require that source code be +distributed with a binary (it only requires---via its [second +clause][10]---that the copyright notice, list of conditions and disclaimer be +provided). + +The author has just taken Foo and made it proprietary. + +The FreeBSD community is okay with this; [the free software community is +not][4]. There is a distinction between these two parties: When critics of +copyleft state that they believe the GPL is "less free" than more +permissive licenses such as the BSD licenses, they are taking into +consideration the freedoms of developers and distributors; the GPL, on the +other hand, explicirly *restricts* these parties' rights in order to protect +the *users* because those parties are precisely those that seek to *restrict +the users' freedoms*; we cannot provide such freedoms to developers and +distributors without sacrificing the rights of the vulnerable users who +generally do not have the skills to protect themselves from being taken +advantage of.[^13] Free software advocates have exclusive, unwaivering +loyalty to users. + +As an example of the friction between the two communities, consider a +concept that has been termed ["tivoization"][14]: + +> Tivoization means certain “appliances” (which have computers inside) +> contain GPL-covered software that you can't effectively change, because +> the appliance shuts down if it detects modified software. The usual +> motive for tivoization is that the software has features the manufacturer +> knows people will want to change, and aims to stop people from changing +> them. 
The manufacturers of these computers take advantage of the freedom +> that free software provides, but they don't let you do likewise. + +This [anti-feature][15] is a type of [Digital Restrictions Management +(DRM)][16] that exposes a [loophole in the GPL that was closed in +Section 3 of the GPLv3][14], which [requires that][11]: + +> When you convey a covered work, you waive any legal power to forbid +> circumvention of technological measures to the extent such circumvention +> is effected by exercising rights under this License with respect to the +> covered work, and you disclaim any intention to limit operation or +> modification of the work as a means of enforcing, against the work's +> users, your or third parties' legal rights to forbid circumvention of +> technological measures. + +Unfortunately, not everyone has agreed with this move. A number of +[developers of the kernel Linux expressed their opposition of GPLv3][17]. In +response to the aforementioned GPLv3 provision, they stated: + +> While we find the use of DRM by media companies in their attempts to reach +> into user owned devices to control content deeply disturbing, our belief +> in the essential freedoms of section 3 forbids us from ever accepting any +> licence which contains end use restrictions. The existence of DRM abuse is +> no excuse for curtailing freedoms. + +Linus Torvalds---the original author of the kernel Linux---also [expressed +his distaste toward the GPLv3][18]; the kernel is today still licensed under +the GPLv2. + +[The BSD camp has similar objections][19]: + +> Appliance vendors in particular have the most to lose if the large body of +> software currently licensed under GPLv2 today migrates to the new license. +> They will no longer have the freedom to use GPLv3 software and restrict +> modification of the software installed on their hardware. 
High support +> costs ("I modified the web server on my Widget 2000 and it stopped +> running...") and being unable to guarantee adherence to specifications in +> order to gain licensing (e.g. FCC spectrum use, Cable TV and media DRM +> requirements) are only two of a growing list of issues for these +> users. --Justin Gibbs, VP of The FreeBSD Foundation + +My thoughts while reading the above where echoed by Gibbs further on in his +statement: "[T]he stark difference between the BSD licensing philosophy and +that of the Free Software Foundation are only too clear." For the FreeBSD +community, this is a very serious issue and their argument is certainly a +legitimate concern on the surface. However, it is an argument that the Free +Software community would do well to reject: Why would we wish to sacrifice +users' freedoms for any reason, let alone these fairly absurd ones. In +particular, a support contract could dictate that only unmodified software +will be provided assistance and even mandate that the hardware indicate +changes in software: like breaking the "void" sticker when opening a +hardware component. Moreover, how frequently would such a situation +actually happen relative to their entire customer base? My guess is: fairly +infrequently. The second issue is a more complicated one, as I am not as +familiar on such topics, but a manufacturer can still assert that the +software that it provides with its devices is compliant. If the compliance +process forbids any possibility of brining the software into +non-compliance---that is, allowing the user to modify the software---then +the hardware manufacturer can choose to not use free software (and free +software advocates will subsequently reject it until standards bodies grow +up). + +As I mentioned at the beginning of this article: this is a view that I will +respect for the project. 
I disagree with it, but FreeBSD is still free +software and we would do well not to discriminate against it simply because +someone else may decide to bastardize it and betray their users by making it +proprietary or providing [shackles][16]. However, provided the licensing; +option for your own software, you should choose the GPL. + +**Colophon:** The title of this article is a play on [RMS' "Copyright vs. +Communty"][20], which is a title to a speech he frequently provides +worldwide. His speech covers how copyright works against the interests of +the community; here, BSD advocates aruge that [copyleft][7] works against +the interests of *their* community and their users; I figured that I would +snag this title as a free software advocate before someone else opposing +copyleft did. + +[2]: http://www.freebsd.org/doc/faq/introduction.html#FreeBSD-goals +[3]: http://en.wikipedia.org/wiki/Richard_Stallman +[4]: http://www.gnu.org/philosophy/freedom-or-power.html +[5]: http://www.gnu.org/licenses/license-list.html#ModifiedBSD +[6]: http://www.gnu.org/philosophy/free-sw.html +[7]: http://www.gnu.org/copyleft/ +[8]: http://en.wikipedia.org/wiki/Copyleft#Viral_licensing +[9]: http://www.gnu.org/philosophy/misinterpreting-copyright.html +[10]: http://en.wikipedia.org/wiki/BSD_licenses +[11]: http://www.gnu.org/licenses/gpl.html +[12]: http://www.gnu.org/philosophy/open-source-misses-the-point.html + +[^13]: Technically, the GPL exercises restrictions only on distributors; a + developer can integrate GPL'd code into their proprietary software so + long as they do not distribute it [(as defined in the GPL)][11]. However, + developers often have to cater to distributors, since software will + generally be distributed; if it is not, then it is not relevant to this + discussion. 
+ +[14]: http://www.gnu.org/licenses/rms-why-gplv3.html +[15]: http://www.fsf.org/blogs/community/antifeatures +[16]: http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management +[17]: http://lwn.net/Articles/200422/ +[18]: http://en.wikipedia.org/wiki/Linux_kernel +[19]: http://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml +[20]: http://www.gnu.org/philosophy/copyright-versus-community.html diff --git a/post/2014-03-20-re-copyleft-vs-community.md b/post/2014-03-20-re-copyleft-vs-community.md new file mode 100644 index 0000000..30fd0d8 --- /dev/null +++ b/post/2014-03-20-re-copyleft-vs-community.md 
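Review bot: several typos in the body should be fixed before merge: "explicirly" (explicitly), "unwaivering" (unwavering), "My thoughts ... where echoed" (were echoed), "brining" (bringing), "aruge" (argue), "Communty" (Community), "expressed their opposition of GPLv3" (opposition to), and the stray semicolon in "provided the licensing; option for your own software". Separately, reference [18], cited for Linus Torvalds expressing distaste toward GPLv3, points at the generic Wikipedia "Linux kernel" page rather than at any statement of his; a direct source would make the claim verifiable.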
@@ -0,0 +1,60 @@ +# Re: FreeBSD, Clang and GCC: Copyleft vs. Community + +I recently received a comment via e-mail from a fellow GNU hacker Antonio +Diaz, who is the author and maintainer of [GNU Ocrad][0], a [free (as in +freedom)][1] optical character recognition (OCR) program. His comment was in +response to my article entitled [FreeBSD, Clang and GCC: Copyleft vs. +Community][2], which details the fundamental difference in philosophy +between free software and "open source". + +[0]: https://www.gnu.org/software/ocrad/ocrad.html +[1]: https://www.gnu.org/philosophy/free-sw.html +[2]: /2013/08/freebsd-clang-and-gcc-copyleft-vs.community + +I found Antonio's perspective to be enlightening, so I asked for his +permission to share it here. + + + +> I imagine a world where all the Free Software is GPLed. The amount and +> usefulness of Free Software grows incesantly because free projects can +> reuse the code of previous free projects. Proprietary software is +> expensive because every company has to write most of its "products" from +> scratch. Most people use Free Software, and proprietary software is mainly +> used for specialized tasks for which no free replacement exists yet. +> +> Now I imagine a world where all the Free Software is really "open source" +> (BSD license). Free Software is restricted to the operating system and +> basic aplications because the license does not guarantee reciprocity. +> Proprietary software is cheap to produce because it is built using the +> code of free projects, but it is expensive for the user (in money and +> freedom) because there is no real competition from Free Software. Most +> people use proprietary software, as Free Software is too basic for most +> tasks. 
+> +> I think "open source" organizations (specially BSD) are wilfully +> destroying the long-term benefits for society of the GPL, and they are +> doing it for short-term benefits like popularity and greed: +> +> "As these companies devise strategies for dealing with GPLv3, so must the +> FreeBSD community - strategies that capitalize on this opportunity to +> increase adoption of FreeBSD." "Fundraising Update [...] This has +> increased the number of people actively approaching companies to make +> large contributions." +> +> https://www.freebsdfoundation.org/press/2007Aug-newsletter.shtml +> +> Human beings have an innate sense of justice. In absence of reciprocity +> one wants to be paid, but I think that reciprocity is much better for +> society in the long term.[^3] + +Antonio compels us to think toward the future: while developers releasing +their code under permissive licenses like the [Modified BSD License][4] are +still making a generous contribution to the free software community today, +it may eventually lead to negative consequences by empowering non-free +software tomorrow. + +[^3]: Comment by Antonio Diaz; the only modifications made were for +formatting. + +[4]: https://www.gnu.org/licenses/license-list.html#ModifiedBSD diff --git a/post/2014-05-16-fsf-mozilla-adobe-drm.md b/post/2014-05-16-fsf-mozilla-adobe-drm.md new file mode 100644 index 0000000..3c939f7 --- /dev/null +++ b/post/2014-05-16-fsf-mozilla-adobe-drm.md 
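Review bot: the link [2] to the earlier article uses the slug `/2013/08/freebsd-clang-and-gcc-copyleft-vs.community`, with a dot between "vs" and "community", while the source file added in this same commit is `post/2013-08-13-copyleft-vs-community.md`; please confirm that the slug generated from the title actually resolves rather than 404ing. Also, footnote [^3] states that only formatting was changed in the quoted comment, so its spellings ("incesantly", "aplications", "specially") should either stay as written or be marked [sic], not silently corrected later.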
@@ -0,0 +1,128 @@ +# FSF Condemns Partnership Between Mozilla and Adobe to Support DRM + +Two days ago, the Free Software Foundation published [an announcement +strongly condemning Mozilla's partnership with Adobe][0] to implement the +[controversial W3C Encrypted Media Extensions (EME) API][1]. EME has been +strongly criticized by a number of organizations, including the [EFF][2] and +the [FSF's DefectiveByDesign campaign team][3] ("Hollyweb"). + +[Digital Restrictions Management][4] imposes artificial restrictions on +users, telling them what they can and cannot do; it is a system [that does +not make sense][5] and is harmful to society. Now, just about [a week after +the International Day Against DRM][6], Mozilla decides to [cave into the +pressure in an attempt to stay relevant][7] to modern web users, instead of +sticking to their [core philosophy about "openness, innovation, and +opportunity"][8]. + +[0]: http://www.fsf.org/news/fsf-condemns-partnership-between-mozilla-and-adobe-to-support-digital-restrictions-management +[1]: https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html +[2]: https://www.eff.org/deeplinks/2013/03/defend-open-web-keep-drm-out-w3c-standards +[3]: /2013/03/defective-by-design-campaign-against-w3c-drm-standard +[4]: http://www.defectivebydesign.org/what_is_drm_digital_restrictions_management +[5]: https://plus.google.com/+IanHickson/posts/iPmatxBYuj2 +[6]: http://www.defectivebydesign.org/dayagainstdrm +[7]: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/ +[8]: http://www.mozilla.org/en-US/about/manifesto/ + +John Sullivan requested in the [FSF's announcement] that the community +contact Mozilla CTO Andreas Gal in opposition of the decision. 
This is my +message to him: + + + +``` +Date: Wed, 14 May 2014 22:57:02 -0400 +From: Mike Gerwitz +To: agal@mozilla.com +Subject: Firefox EME + +Andreas, + +I am writing to you as a free software hacker, activist, and user; notably, +I have been using Firefox for over ten years. It has been pivotal, as I do +not need to tell you, in creating a free (as in freedom), standard, and +accessible internet for millions of users. Imagine my bewildered +disappointment, then, to learn that Firefox has chosen to cave into the +pressure to [support Digital Restrictions Management through the +implementation of EME][0]. + +Mitchell Baker made a feeble attempt at [rationalizing this decision][0] as +follows: + + [...] Mozilla alone cannot change the industry on DRM at this point. In + the past Firefox has changed the industry, and we intend to do so again. + Today, however, we cannot cause the change we want regarding DRM. The + other major browser vendors =E2=80=94 Google, Microsoft and Apple have already + implemented the new system. In addition, the old system will be retired + shortly. As a result, the new implementation of DRM will soon become the + only way browsers can provide access to DRM-controlled content. + +She goes on to explain how "video is an important aspect of online life" +and that Firefox would be "deeply flawed as a consumer product" if it did +not implement Digital Restrictions Management. This is precisely the FUD +that the "content owners" she describes, and corporations like Adobe, have +been pushing: Mozilla understands that the solution is not to implement DRM, +but to fight to encourage content to be published *without* being +DRM-encumbered. Unfortunately, they will now have little motivation to do +so, with every major browser endorsing EME. 
+ +She defers to a post by Andreas Gal [for more implementation details][1], in +which he mentions that the proprietary CDM virus (which will be happily +provided by Adobe) will be protected by a sandbox to prevent certain spying +activities like fingerprinting. While this is better than nothing, it's a +clear attempt by Mozilla to help make a terrible situation a little bit +better. + +He goes on to say: + + There is also a silver lining to the W3C EME specification becoming + ubiquitous. With direct support for DRM we are eliminating a major use + case of plugins on the Web, and in the near future this should allow us to + retire plugins altogether.=20 + +Let us not try to veil the problem and make things look more rosy than they +actually are: this is not a silver lining; it is not appropriate to have a +standardized way of manipulating and taking advantage of users. + +It is true that Firefox was in an unfortunate position: many users would +indeed grow frustrated that they cannot watch their favorite TV shows and +movies using Firefox. But Firefox could have served, when the EME API was +used, static content that provided a brief explanation and a link for more +information on the problem. They could have educated users and encourage an +even stronger outcry. + +Instead, we are working with the corrupt W3C to implement a seamlessly +shackled web. Mozilla wants to propose alternative solutions to DRM/EME, but +by implementing it, their position is weakened. + + This is a difficult and uncomfortable step for us given our vision of a + completely open Web, but it also gives us the opportunity to actually + shape the DRM space and be an advocate for our users and their rights in + this debate. [1] + +Such advocacy has been done and can continue to be done by Mozilla without +the implementation of EME; once implemented, the standard will be virtually +solidified---what is the incentive for W3C et. al. 
to find alternatives to a +system that is already "better than" the existing Flash and Silverlight +situation? + +On behalf of the free software community, I strongly encourage your +reconsideration on the matter. Mozilla is valued by the free software +community for its attention to freedoms. Stand with us and fight. You're in +a powerful position to do so. + +[0]: https://blog.mozilla.org/blog/2014/05/14/drm-and-the-challenge-of-serving-users/ +[1]: https://hacks.mozilla.org/2014/05/reconciling-mozillas-mission-and-w3c-eme/ +``` + +The following day, I [submitted the FSF announcement to HackerNews][9] +(surprised that it was not there already) in an attempt to bring further +coverage to the matter and hopefully spur on some discussion. And discuss +they did: it was on the front page for the entire day and, at the time of +writing, boasts 261 comments, many of them confused and angry. I sent the HN +link to Andreas in a follow-up as well. + +Mozilla has a vast userbase and is in the position to fight for a DRM-free +web. Please voice your opinion and hope that they reverse their decision. + +[9]: https://news.ycombinator.com/item?id=7749108 diff --git a/post/2014-11-30-stop-using-slideshare.md b/post/2014-11-30-stop-using-slideshare.md new file mode 100644 index 0000000..144839c --- /dev/null +++ b/post/2014-11-30-stop-using-slideshare.md 
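Review bot: the pasted e-mail in the fenced block still contains quoted-printable residue: "=E2=80=94" in the Baker quote is an undecoded em dash, and the trailing "=20" after "retire plugins altogether." is an encoded soft line break; decode the message before publishing so the quotes read cleanly. Also "[FSF's announcement]" in the paragraph before the block has no matching reference definition and will render as literal brackets; it should be `[FSF's announcement][0]`. Minor: "educated users and encourage an even stronger outcry" should read "encouraged", and "et. al." should be "et al.".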
@@ -0,0 +1,65 @@ +# Please stop using SlideShare + +There are many great presentations out there---many that I enjoy +reading, or that I would enjoy to read. Unfortunately, many of them +are hosted on SlideShare, which requires me to download proprietary +JavaScript. + +[JavaScript programs require the same freedoms as any other +software][0]. While SlideShare does (sometimes/always?) provide a +transcript in plain text---which is viewable without JavaScript---this +is void of the important and sometimes semantic formatting/images that +presenters put much time into; you know: the actual presentation bits. +(I'm a fan of plain-text presentations, but they each have their own +design elements). + +[0]: https://www.gnu.org/software/easejs/whyfreejs.html + +There are ways around this. SlideShare's interactive UI appears to +simply be an image viewer, so it is possible to display all sides +using a fairly simple hack: + + + +```javascript +Array.prototype.slice.call( + document.getElementsByClassName( 'slide' ) ) + .forEach( function( slide ) { + slide.classList.add( 'show' ); + + var img = slide.getElementsByClassName( 'slide_image' )[0]; + img.src = img.dataset.full; + } ); +``` + +This will display all slides inline. But there's a clear problem with +this: how is the non-JS-programmer supposed to know that? Even +JavaScript programmers have to research the issue in order to come up +with a solution. + +But ideally, I'd like to download the presentation PDF. SlideShare +does offer a download link, but not only does it not work with +JavaScript disabled, but it requires that the user create an account. +This is no good, as it can be used to track users or discover +identities by analyzing viewing habits. This would allow +de-anonymizing users, even if they have [taken measures to remain +anonymous][1]. 
+ +(By the way: at the time that I wrote this post, the [EFF's +Surveillance Self-Defense Guide][1] is [LibreJS compatible][2] and the +JavaScript code that it runs is mostly free.) + +I encourage presenters (and authors in general) to release the slides +in an [unencumbered document format][3], like PDF, HTML, OpenDocument, +or plain text. Those formats should be hosted on their own website, +or websites that allow downloading those files without having to +execute proprietary JavaScript, and without having to log in. If +those authors *must* use SlideShare for whatever reason, then they +should clearly provide a link to that free document format somewhere +that users can access without having to execute SlideShare's +proprietary JavaScript, such as on the first slide. (The description +is iffy, since it is truncated and requires JavaScript to expand.) + +[1]: https://ssd.eff.org/ +[2]: https://www.gnu.org/software/librejs/ +[3]: http://www.fsf.org/campaigns/opendocument/reject diff --git a/post/2015-05-20-gitlab-gitorious-freesw.md b/post/2015-05-20-gitlab-gitorious-freesw.md new file mode 100644 index 0000000..916d4d3 --- /dev/null +++ b/post/2015-05-20-gitlab-gitorious-freesw.md 
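Review bot: the snippet has no guard for a slide without an image, so when `slide.getElementsByClassName( 'slide_image' )[0]` is undefined the assignment to `img.src` throws and the `forEach` stops, leaving the remaining slides hidden; checking `if ( img && img.dataset.full )` before the assignment keeps the loop going. Typo: "display all sides" should be "slides". The "(sometimes/always?)" aside is an unresolved question left in the published text; either check it and state the answer or drop the parenthetical.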
@@ -0,0 +1,257 @@ +# Gitlab, Gitorious, and Free Software + +*This article originally appeared as a guest post on the [GitLab +blog][orig-post].* + +In early March of this year, it was announced that +[GitLab would acquire Gitorious][0] and shut down `gitorious.org` by 1 +June, 2015. [Reactions from the community][1] were mixed, and +understandably so: while GitLab itself is a formidable alternative to wholly +proprietary services, its acquisition of Gitorious strikes a chord with the +free software community that gathered around Gitorious in the name of +[software freedom][2]. + +[0]: https://about.gitlab.com/2015/03/03/gitlab-acquires-gitorious/ +[1]: https://news.ycombinator.com/item?id=9138419 +[2]: https://www.gnu.org/philosophy/free-sw.html + + + +After hearing that announcement, +[as a free software hacker and activist myself][11], I was naturally +uneasy. Discussions of alternatives to Gitorious and GitLab ensued on the +[`libreplanet-discuss`][12] mailing list. Sytse Sijbrandij (GitLab +B.V. CEO) happened to be present on that list; +[I approached him very sternly][13] with a number of concerns, just as I +would with anyone that I feel does not understand certain aspects of the +[free software philosophy][2]. To my surprise, this was not the case at +all. + +Sytse has spent a lot of time accepting and considering community input for +both the Gitorious acquisition and GitLab itself. He has also worked with +me to address some of the issues that I had raised. And while these issues +won't address everyone's concerns, they do strengthen GitLab's commitment to +[software freedom][2], and are commendable. + +I wish to share some of these details here; but to do so, I first have to +provide some background to explain what the issues are, and why they are +important. + + +## Free Software Ideology +[Gitorious][3] was (and still is) one of the most popular Git repository +hosts, and largely dominated until the introduction of GitHub. 
But even as +users flocked to [GitHub's proprietary services][28], users who value freedom +continued to support Gitorious, both on `gitorious.org` and by installing +their own instances on their own servers. Since Gitorious is +[free software][2], users are free to study, modify, and share it with +others. But [software freedom does not apply to Services as a +Software Substitute (SaaSS)][4] or remote services---you cannot apply the +[four freedoms][2] to something that you do not yourself possess---so why do +users still insist on using `gitorious.org` despite this? + +The matter boils down to supporting a philosophy: The +[GNU General Public License (GPL)][6] is a license that turns copyright on +its head: rather than using copyright to restrict what users can do with a +program, the GPL instead [ensures users' freedoms][8] to study, modify, and +share it. But that isn't itself enough: to ensure that the software always +remains free (as in freedom), the GPL ensures that all *derivatives* are +*also* licensed under similar terms. This is known as [copyleft][9], and it +is vital to the free software movement. + +Gitorious is licensed under the +[GNU Affero General Public License Version 3 (AGPLv3)][5]---this takes the +[GPL][6] and adds an additional requirement: if a modified version of the +program is run on a sever, users communicating with the program on that +server must have access to the modified program's source code. This ensures +that [modifications to the program are available to all users][7]; they +would otherwise be hidden in private behind the server, with others unable +to incorporate, study, or share them. The AGPLv3 is an ideal license for +Gitorious, since most of its users will only ever interact with it over a +network. + +GitLab is also free software: its [Expat license][10] (commonly referred to +ambiguously as the "MIT license") permits all of the same freedoms that +are granted under the the GNU GPL. 
But it does so in a way that is highly +permissive: it permits relicensing under *any* terms, free or not. In other +words, one can fork GitLab and derive a proprietary version from it, making +changes that deny users [their freedoms][2] and cannot be incorporated back +into the original work. + +This is the issue that the free software community surrounding Gitorious has +a problem with: any changes contributed to GitLab could in turn benefit a +proprietary derivative. This situation isn't unique to GitLab: it applies +to all non-copyleft ("permissive") [free software licenses][26]. And this +issue is realized by GitLab itself in the form of its GitLab Enterprise +Edition (GitLab EE): a proprietary derivative that adds additional +features atop of GitLab's free Community Edition (CE). For this reason, +many free software advocates are uncomfortable contributing to GitLab, and +feel that they should instead support other projects; this, in turn, means +not supporting GitLab by using and drawing attention to their hosting +services. + +The copyleft vs. permissive licensing debate is one of the free software +movement's most heated. I do not wish to get into such a debate here. One +thing is clear: GitLab Community Edition (GitLab CE) is free +software. Richard Stallman (RMS) [responded directly to the thread on +`libreplanet-discuss`][20], stating plainly: + +> We have a simple way of looking at these two versions. The free +> version is free software, so it is ethical. The nonfree version is +> nonfree software, so it is not ethical. + +Does GitLab CE deserve attention from the free software community? I +believe so. Importantly, there is another strong consideration: displacing +proprietary services like GitHub and Bitbucket, which host a large number of +projects and users. GitLab has a strong foothold, which is an excellent +place for a free software project to be in. 
+ +If we are to work together as a community, we need to respect GitLab's +free licensing choices just as we expect GitLab to respect ours. Providing +respect does not mean that you are conceding: I will never personally use a +non-copyleft license for my software; I'm firmly rooted in my dedication to +the [free software philosophy][2], and I'm sure that many other readers are +too. But using a non-copyleft license, although many of us consider it to +be a weaker alternative, [is not wrong][23]. + + +## Free JavaScript +As I mentioned above, +[software freedom and network services are separate issues][4]---the four +freedoms do not apply to interacting with `gitlab.com` purely over a network +connection, for example, because you are not running its software on your +computer. However, there is an overlap: JavaScript code downloaded to be +executed in your web browser. + +[Non-free JavaScript][15] is a particularly nasty concern: it is software +that is downloaded automatically from a server---often without prompting +you---and then immediately executed. Software is now being executed on your +machine, and [your four freedoms][2] are once again at risk. This, then, +[is the primary concern][16] for any users visiting `gitlab.com`: not only +would this affect users that use `gitlab.com` as a host, but it would also +affect *any user that visits* the website. That would be a problem, since +hosting your project there would be inviting users to run proprietary +JavaScript. + +As I was considering migrating my projects to GitLab, this was the +[first concern I brought up to Sytse][14]. This problem arises because +`gitlab.com` uses a GitLab EE instance: if it had used only its Community +Edition (GitLab CE)---which is free software---then all served JavaScript +would have been free. But any scripts served by GitLab EE that are not +identical to those served by GitLab CE are proprietary, and therefore +unethical. 
This same concern applies to GitHub, Bitbucket, and other +proprietary hosts that serve JavaScript. + +Sytse surprised me by stating that he would be willing to +[freely license all JavaScript in GitLab EE][17], and by offering to give +anyone access to the GitLab EE source code who wants to help out. I took +him up on that offer. Initially, I had submitted a patch to merge all +GitLab EE JavaScript into GitLab CE, but Sytse came up with another, +superior suggestion, that ultimately provided even greater reach. + +**I'm pleased to announce that Sytse and I were able to agree on a license +change (with absolutely no friction or hesitation on his part) that +liberates all JavaScript served to the client from GitLab EE instances.** +There are two concerns that I had wanted to address: JavaScript code +directly written for the client, and any code that produced JavaScript as +output. In the former case, this includes JavaScript derived from other +sources: for example, GitLab uses CoffeeScript, which compiles *into* +JavaScript. The latter case is important: if there is any code that +generates fragments of JavaScript---e.g. dynamically at runtime---then that +code must also be free, or users would not be able to modify and share the +resulting JavaScript that is actually being run on the client. Sytse +accepted my change verbatim, while adding his own sentence after mine to +disambiguate. At the time of writing this post, GitLab EE's source code +isn't yet publicly visible, so here is the relevant snippet from its +`LICENSE` file: + +> The above copyright notices applies only to the part of this Software that +> is not distributed as part of GitLab Community Edition (CE), and that is +> not a file that produces client-side JavaScript, in whole or in part. Any +> part of this Software distributed as part of GitLab CE or that is a file +> that produces client-side JavaScript, in whole or in part, is copyrighted +> under the MIT Expat license. 
+ + +## Further Discussion +My discussions with Sytse did not end there: there are other topics that +have not been able to be addressed before my writing of this post that would +do well to demonstrate commitment toward [software freedom][2]. + +The license change liberating client-side JavaScript was an excellent +move. To expand upon it, I wish to submit a patch that would make GitLab +[LibreJS compliant][21]; this provides even greater guarantees, since it +would allow for users to continue to block other non-free JavaScript that +may be served by the GitLab instance, but not produced by it. For example: +a website/host that uses GitLab may embed proprietary JavaScript, or modify +it without releasing the source code. Another common issue is the user of +analytics software; `gitlab.com` uses Google Analytics. + +If you would like to help with LibreJS compliance, please [contact me][11]. + +I was brought into another discussion between Sytse and RMS that is +unrelated to the GitLab software itself, but still a positive demonstration +of a commitment to [software freedom][2]---the replacement of Disqus on the +`gitlab.com` blog with a free alternative. Sytse ended up making a +suggestion, saying he'd be "happy to switch to" [Juvia][22] if I'd help with +the migration. I'm looking forward to this, as it is an important +discussion area (that I honestly didn't know existed until Sytse told me +about it, because I don't permit proprietary JavaScript!). He was even kind +enough to compile a PDF of comments for one of our discussions, since he was +cognizant ahead of time that I would not want to use Disqus. (Indeed, I +will be unable to read and participate in the comments to this guest post +unless I take the time to freely read and reply without running Disqus' +proprietary JavaScript.) 
+ +Considering the genuine interest and concern expressed by Sytse in working +with myself and the free software community, I can only expect that GitLab +will continue to accept and apply community input. + +It is not possible to address the copyleft issue without a change in +license, which GitLab is not interested in doing. So the best way to +re-assure the community is through action. [To quote Sytse][18]: + +> I think the only way to prove we're serious about open source is in our +> actions, licenses or statements don't help. + +There are fundamental disagreements that will not be able to be +resolved between GitLab and the free software community---like their +["open core" business model][19]. But after working with Sytse and seeing +his interactions with myself, RMS, and many others in the free software +community, I find his actions to be very encouraging. + +*Are you interested in helping other websites liberate their JavaScript? + Consider [joining the FSF's campaign][27], and + [please liberate your own][16]!* + +*This post is licensed under the + [Creative Commons Attribution-ShareAlike 3.0 Unported License][25].* + +[3]: https://gitorious.org/ +[4]: https://www.gnu.org/philosophy/who-does-that-server-really-serve.html +[5]: https://www.gnu.org/licenses/agpl.html +[6]: https://www.gnu.org/licenses/gpl.html +[7]: https://www.gnu.org/licenses/why-affero-gpl.html +[8]: https://www.gnu.org/licenses/quick-guide-gplv3.html +[9]: https://www.gnu.org/philosophy/pragmatic.html +[10]: https://www.gnu.org/licenses/license-list.html#Expat +[11]: http://mikegerwitz.com/ +[12]: https://lists.gnu.org/mailman/listinfo/libreplanet-discuss +[13]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00075.html +[14]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00019.html +[15]: https://www.gnu.org/philosophy/javascript-trap.html +[16]: https://www.gnu.org/software/easejs/whyfreejs.html +[17]: 
https://lists.gnu.org/archive/html/libreplanet-discuss/2015-04/msg00020.html +[18]: https://news.ycombinator.com/item?id=9141801 +[19]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00076.html +[20]: https://lists.gnu.org/archive/html/libreplanet-discuss/2015-03/msg00095.html +[21]: https://www.gnu.org/software/librejs/free-your-javascript.html +[22]: https://github.com/phusion/juvia +[23]: https://www.fsf.org/blogs/rms/selling-exceptions +[24]: https://gnu.org/software/easejs +[25]: http://creativecommons.org/licenses/by-sa/3.0/ +[26]: https://www.gnu.org/licenses/license-list.html +[27]: https://fsf.org/campaigns/freejs +[28]: http://mikegerwitz.com/about/githubbub +[orig-post]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/ + diff --git a/post/2015-11-20-comcast-inject-js.md b/post/2015-11-20-comcast-inject-js.md new file mode 100644 index 0000000..2677b13 --- /dev/null +++ b/post/2015-11-20-comcast-inject-js.md 
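Review bot: three wording slips in the GitLab/Gitorious post body and one dangling reference. In the AGPLv3 paragraph, `program is run on a sever` should read `run on a server`; in the Expat paragraph, `under the the GNU GPL` doubles "the"; and in the Further Discussion section, `Another common issue is the user of analytics software` should be `the use of analytics software`. The link list also defines `[24]: https://gnu.org/software/easejs`, which nothing in the body cites; either cite it where ease.js is meant or drop it so the reference list matches the text.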
@@ -0,0 +1,60 @@ +# Comcast injects JavaScript into web pages + +It seems that Comcast has decided that it is a good idea to [inject +JavaScript into web pages][js] visited by its customers in order to inform +them of Copyright violations. + +[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b + +This is a huge violation of user privacy and trust. Further, it shows that +an ISP (and probably others) feel that they have the authority to dictate +what is served to the user on a free (as in speech) Internet. Why should we +believe that they won't start injecting other types of scripts that spy on +the user or introduce advertising? What if a malicious actor compromises +Comcast's servers and serves exploits to users? + +It is no surprise that Comcast is capable of doing this---they know the IP +address of the customer, so they are able to intercept traffic and alter it +in transit. But the fact that they _can_ do this demonstrates something far +more important: _that they have spent the money on the infrastructure to do +so_! + + + +Comcast isn't the only ISP to have betrayed users by injecting data. One +year ago, it was discovered that [Verizon was injecting "perma-cookies" into +requests to track users][verizon]. This is only one example of the +insidious abuses that unchecked ISPs can take. + +So what can you do to protect yourself? + +What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]: +Comcast sits in the middle of you and your connection to the website that +you are visiting, proxying your request. Before relaying the website's +response to you, it modifies it. + +In order to do this, Comcast needs to be able to read your communications, +and must be able to modify them: the request must be read in order to +determine how the JavaScript should be injected and what request it should +be injected into; and it must be modified to perform the injection. 
It +cannot (given a properly configured web server) do so if your connection is +encrypted. In the case of web traffic, `https` URLs with the little lock +icon in your web browser generally indicates that your communications are +encrypted, making MITM attacks +unlikely. + +(We're assuming that Comcast won't ask you to install a root CA so that they +can decrypt your traffic! But that would certainly be noticed, if they did +so on a large enough scale.) + +Not all websites use SSL. Another method is to use encrypted proxies, VPNs, +or services like like [Tor][tor]. This way, Comcast will not be able to +read or modify the communications. + +See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit]. + +[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh +[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack +[hn]: https://news.ycombinator.com/item?id=10592775 +[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/ +[tor]: https://tor.org/ diff --git a/post/2015-12-09-gnu-social-instance.md b/post/2015-12-09-gnu-social-instance.md new file mode 100644 index 0000000..918f95f --- /dev/null +++ b/post/2015-12-09-gnu-social-instance.md @@ -0,0 +1,14 @@ +# Now Hosting Personal GNU Social Instance + +When I started writing this blog, my intent was to post notices more +frequently and treat it more like a microblogging platform; but that's not +how it ended up. Instead, I use this site to write more detailed posts with +solid references to back up my statements. + +[GNU Social](https://gnu.org/software/social/) is a federated social +network---you can host your own instances and they all communicate with +one-another. You can find mine at the top of this page under "Notices", or +at [https://social.mikegerwitz.com/](https://social.mikegerwitz.com/). I +will be using this site to post much more frequent miscellaneous notices. + + 
diff --git a/post/2016-01-24-more-than-freedom.md b/post/2016-01-24-more-than-freedom.md new file mode 100644 index 0000000..ccc3cd6 --- /dev/null +++ b/post/2016-01-24-more-than-freedom.md 
@@ -0,0 +1,92 @@ +# Google Analytics Removed from GitLab.com Instance + +*This was originally written as a guest post for GitLab in November of 2015, +but they [decided not to publish it][gitlab-merge].* + +[gitlab-merge]: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1094 + +Back in May of of 2015, I [announced GitLab's liberation of their Enterprise +Edition JavaScript][ggfs] and made some comments about GitLab's course and +approach to software freedom. In liberating GitLab EE's JavaScript, all +code served to the browser by GitLab.com's GitLab instance was [Free (as in +freedom)][free-sw], except for one major offender: Google Analytics. + +[ggfs]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/ +[free-sw]: https://www.gnu.org/philosophy/free-sw.html + +Since Google Analytics was not necessary for the site to function, users +could simply block the script and continue to use GitLab.com +[ethically][free-sw]. However, encouraging users to visit a project on +GitLab.com while knowing that it loads Google Analytics is a problem both +for users' freedoms, and for their privacy. + + + +GitLab is more than service and front-end to host Git repositories; it has a +number of other useful features as well. Using those features, however, +would mean that GitLab.com is no longer just a mirror for a project---it +would be endorsed by the project's author, requiring that users visit the +project on GitLab.com in order to collaborate. For example, if an author +were to use the GitLab issue tracker on GitLab.com, then she would be +actively inviting users to the website by telling them to report issues and +feature requests there. + +We cannot realistically expect that anything more than a minority of +visitors will know how to block Google Analytics (or even understand that it +is a problem). Therefore, if concerned authors wanted to use those features +of GitLab, they had to use another hosted instance of GitLab, or host their +own. 
But the better option was to encourage GitLab.com to remove Google +Analytics entirely, so that _all_ JavaScript code served to the users is +[Free][free-sw]. + +GitLab has chosen to actively +[work with the Free Software movement][ggfs]---enough so that they are now +considered an [acceptable host for GNU projects][gitlab-gnu-criteria] +according to [GNU's ethical repository criteria][gnu-repo-criteria]. And +they have chosen to do so again---headed by Sytse Sijbrandij (GitLab +Inc. CEO), Google Analytics has been removed from the GitLab.com instance +and replaced with [Piwik][piwik]. + +## More Than Just Freedom +This change is more than a commitment to users' freedoms---it's also a +commitment to users' privacy that cannot be understated. By downloading and +running Google Analytics, users are being infected with some of the most +[sophisticated examples of modern spyware][ga-wikipedia]: vast amounts of +[personal and behavioral data][ga-google] are sent to Google for them to use +and share as they wish. Google Analytics also tracks users across [many +different websites][ga-popularity], allowing them to discover your interests +and behaviors in ways that users themselves may not even know. + +GitLab.com has committed to using [Piwik][piwik] on their GitLab instance, +which [protects users' privacy][piwik-privacy] in a number of very important +ways: it allows users to opt out of tracking, anonymizes IP addresses, +retains logs for limited time periods, respects [DoNotTrack][eff-dnt], and +more. Further, all logs _will be kept on GitLab.com's own servers_, and is +therefore governed solely by +[GitLab.com's Privacy Policy][gitlab-privacy]; this means that other +services will not be able to use these data to analyze users' behavior on +other websites, and advertisers and others will know less about them. 
+ +Users should not have to try to [anonymize themselves][eff-ssd] in +order to maintain their privacy---privacy should be a default, and a +respected one at that. GitLab has taken a strong step in the right +direction; I hope that others will take notice and do the same. + +*Are you interested in helping other websites liberate their JavaScript? + Consider [joining the FSF's campaign][freejs], and + [please liberate your own][whyfreejs]!* + +[eff-dnt]: https://www.eff.org/dnt-policy +[eff-ssd]: http://ssd.eff.org/ +[freejs]: https://fsf.org/campaigns/freejs +[ga-google]: https://www.google.com/analytics/standard/features/ +[ga-popularity]: http://w3techs.com/technologies/overview/traffic_analysis/all +[ga-wikipedia]: https://en.wikipedia.org/wiki/Google_Analytics +[gitlab-featurse]: https://about.gitlab.com/features/ +[gitlab-gnu-criteria]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2015-11/msg00012.html +[gitlab-privacy]: https://about.gitlab.com/privacy/ +[gnu-repo-criteria]: https://www.gnu.org/software/repo-criteria.html +[mtg]: http://mikegerwitz.com/ +[piwik]: https://piwik.org/ +[piwik-privacy]: https://piwik.org/privacy/ +[whyfreejs]: https://www.gnu.org/software/easejs/whyfreejs.html diff --git a/post/2016-02-28-lp2016-rof.md b/post/2016-02-28-lp2016-rof.md new file mode 100644 index 0000000..c39ad6d --- /dev/null +++ b/post/2016-02-28-lp2016-rof.md 
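Review bot: the Piwik paragraph in the Google Analytics post presents administrator settings as built-in guarantees. Opt-out, IP anonymization, limited log retention and DoNotTrack support are options a Piwik operator turns on, so `GitLab.com has committed to using Piwik, which protects users' privacy in a number of very important ways` should say that GitLab.com has enabled these options (ideally naming which), otherwise the reader cannot tell what the instance actually does. Wording fixes in the same hunk: `Back in May of of 2015` doubles "of"; `GitLab is more than service and front-end` needs "a service"; `a commitment to users' privacy that cannot be understated` means "overstated"; and `all logs _will be kept on GitLab.com's own servers_, and is therefore governed` should be "are therefore governed". The link list defines `[gitlab-featurse]` (misspelled and never cited) and `[mtg]` (never cited); cite or drop both.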
@@ -0,0 +1,45 @@ +# Join me at LibrePlanet 2016 for my talk "Restore Online Freedom!" + +I will be [speaking at LibrePlanet this year][lp2016] (2016) about freedom +on the Web. Here's the session description: + +[lp2016]: https://www.libreplanet.org/2016/program/ + +> Imagine a world where surveillance is the default and users must opt-in to +> privacy. Imagine that your every action is logged and analyzed to learn +> how you behave, what your interests are, and what you might do next. +> Imagine that, even on your fully free operating system, proprietary +> software is automatically downloaded and run not only without your +> consent, but often without your knowledge. In this world, even free +> software cannot be easily modified, shared, or replaced. In many cases, +> you might not even be in control of your own computing -- your actions and +> your data might be in control by a remote entity, and only they decide +> what you are and are not allowed to do. +> +> This may sound dystopian, but this is the world you're living in right +> now. The Web today is an increasingly hostile, freedom-denying place that +> propagates to nearly every aspect of the average users' lives -- from +> their PCs to their phones, to their TVs and beyond. But before we can +> stand up and demand back our freedoms, we must understand what we're being +> robbed of, how it's being done, and what can (or can't) be done to stop +> it. + + + +There are a number of other [great sessions][lp2016] this year from a +[number of speakers][lp2016s], many well-known. We also have an opening +keynote from Edward Snowden! + +All [FSF associate members get free entry][fsfmember]. If you can't join +us, the conference will be streamed live. You can also see [videos of past +talks][lpvideos] on the FSF's self-hosted [GNU MediaGoblin][goblin] +instance. + +Special thanks to the FSF for covering a large portion of my travel +expenses; I otherwise might not have been able to attend. 
Thank you to all +who donated to the conference scholarship fund. + +[lp2016s]: https://www.libreplanet.org/2016/program/speakers.html +[fsfmember]: https://crm.fsf.org/join +[lpvideos]: https://media.libreplanet.org/ +[goblin]: http://mediagoblin.org/ diff --git a/post/2016-04-02-reddit-nsl.md b/post/2016-04-02-reddit-nsl.md new file mode 100644 index 0000000..6887312 --- /dev/null +++ b/post/2016-04-02-reddit-nsl.md 
@@ -0,0 +1,37 @@ +# Reddit suspected to have been served with an NSL + +It is suspected that Reddit has been [served with an NSL][schneier]. +[National Security Letters (NSLs)][nsl] are subpoena served by the United +States federal government and often come with a gag order that prevents the +recipient from even stating that they received the letter. + +[schneier]: https://www.schneier.com/blog/archives/2016/04/reddits_warrant.html +[nsl]: https://en.wikipedia.org/wiki/National_Security_Letter + + + +[Warrant canaries][canary] are used to circumvent gag orders by stating +that requests have *not* been received, under the [legal theory][court] +that, while courts can compel persons not to speak, they can't compel them +to lie. [Reddit's canary has died][reddit-report]---the canary is absent +from their most recent 2015 transparency report, where it was [present in +the 2014 report][reddit-report-2014]. + +Does this mean that you should stop using Reddit? No; canaries are an +important transparency method. If you are worried about your privacy, you +shouldn't disclose the information to a third party to begin with. Note +that this includes metadata that are gathered about you when you, for +example, browse subreddits while logged in. You can help mitigate that by +[browsing anonymously using Tor][donot], being sure never to log in during +the same session. + +The website [Canary Watch][cw] is a website that tracks warrant canaries. + +I'm awaiting further analysis after the weekend. + +[canary]: https://en.wikipedia.org/wiki/Warrant_canary +[cw]: https://www.canarywatch.org/ +[court]: https://gigaom.com/2014/10/10/are-warrant-canaries-legal-twitter-wants-to-save-techs-warning-signal-of-government-spying/ +[reddit-report]: https://web.archive.org/web/20160331210850/https://www.reddit.com/wiki/transparency/2015 +[reddit-report-2014]: https://web.archive.org/web/20160331204815/https://www.reddit.com/wiki/transparency/2014 +[donot]: https://www.whonix.org/wiki/DoNot 
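Review bot: the canary paragraph in the Reddit NSL post should say what the signal's resolution is. The evidence offered is that the canary was `present in the 2014 report` and is absent from the 2015 one, so the most a reader can conclude is that a request arrived somewhere inside a roughly one-year window; a canary tied to an annual transparency report is a slow signal, and that qualification belongs next to `canaries are an important transparency method`. Grammar: `NSLs ... are subpoena served` should be "are subpoenas served", and `The website [Canary Watch][cw] is a website that tracks warrant canaries` repeats "website".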
diff --git a/post/2016-04-03-fb-vr-spy.md b/post/2016-04-03-fb-vr-spy.md new file mode 100644 index 0000000..7f8fe4b --- /dev/null +++ b/post/2016-04-03-fb-vr-spy.md @@ -0,0 +1,27 @@ +# Facebook will use software for the VR headset Occulus Rift to spy on you + +Anything coming out of Facebook should be [cause for concern][rms-fb]. So, +naturally, one might be concerned when they decide to get into the virtual +reality (VR) scene by [purchasing the startup Occulus VR][fb-vr], makers of +the Occulus Rift VR headset. One can only imagine all the fun ways Facebook +will be able to track, manipulate, spy on, and otherwise screw over users +while they are immersed in a virtual reality. + +[rms-fb]: https://stallman.org/facebook.html#privacy +[fb-vr]: http://www.theguardian.com/technology/2014/jul/22/facebook-oculus-rift-acquisition-virtual-reality + +Sure enough, we have our first peak: [the software that Facebook has you +install for the Occulus Rift is spyware][fb-spy], reporting on what +*unrelated* software you use on your system, your location (including GPS +data and nearby Wifi networks), the type of device you're using, unique +device identifiers, your movements while using the VR headset, and more. + +[fb-spy]: http://uploadvr.com/facebook-oculus-privacy/ + + + +This is absurd. Do not play into Facebook's games through temptation of +cool new technology; reject their terms and see if there's other ways you +can use the headset without their proprietary spyware. If not, perhaps you +should ask for a refund, and tell them why. + diff --git a/post/2016-04-06-gnu-kwindows.md b/post/2016-04-06-gnu-kwindows.md new file mode 100644 index 0000000..bd613f2 --- /dev/null +++ b/post/2016-04-06-gnu-kwindows.md 
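Review bot: the company and product name is misspelled throughout the Oculus post, including the title: `Occulus Rift` and `Occulus VR` should be "Oculus". Also `we have our first peak` should be "peek", `nearby Wifi networks` is conventionally "Wi-Fi", and `see if there's other ways` should be "there are other ways". Since `[fb-spy]` is the only source for the specific list of collected data (GPS, nearby networks, device identifiers, headset movements), quoting the relevant privacy-policy wording in the post would let the claim stand on its own if that link goes away.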
@@ -0,0 +1,183 @@ +# GNU/kWindows + +There has been a lot of talk lately about a most unique combination: + [GNU][gnu]---the [fully free/libre][free-sw] operating system---and + Microsoft Windows---the [freedom-denying, user-controlling, + surveillance system][woe]. +There has also been a great deal of misinformation. +I'd like to share my thoughts. + +[gnu]: https://gnu.org/gnu/gnu.html +[free-sw]: https://gnu.org/philosophy/free-sw.html +[woe]: https://www.gnu.org/proprietary/malware-microsoft.en.html + + + +Before we can discuss this subject, + we need to clarify some terminology: +We have a [free/libre][free-sw] operating system called [GNU][gnu]. +Usually, it's used with the kernel Linux, and is together called the + [GNU/Linux (or GNU+Linux) operating system][gnulinux]. +But that's not always the case. +For example, GNU can be run with its own kernel, [The GNU Hurd][hurd] + (GNU/Hurd). +It might be run on a system with a BSD kernel (e.g. GNU/kFreeBSD). +But now, we have a situation where we're taking GNU/Linux, removing Linux, + and adding in its place a Windows kernel. +This combination is referred to as GNU/kWindows (GNU with the Windows kernel + added).[^kwindows] + +GNU values users' freedoms. +Windows [does exactly the opposite][woe]. + +When users talk about the operating system "Linux", what they are referring + to is the [GNU operating system][gnu] with the kernel Linux added. +If you are using the GNU operating system in some form, then many of the + programs you are familiar with on the command line are GNU programs: + `bash`, `(g)awk`, `grep`, `ls`, `cat`, `bc`, `tr`, `gcc`, `emacs`, and + so on. +But GNU is a fully free/libre Unix replacement, [not just a collection of GNU + programs][gnu]. +Linux is the kernel that supports what the operating system is trying to do; + it provides what are called system calls to direct the kernel to perform + certain actions, like fork new processes or allocate memory. 
+This is an important distinction---not only is calling all of this software + "Linux" incorrect, but it discredits the project that created a fully + free/libre Unix replacement---[GNU][gnu]. + +This naming issue is so widespread that + [most users would not recognize what GNU is][gnu-noheard], even if they + are _using_ a [GNU/Linux][gnulinux] operating system. +I recently read an article that referred to GNU Bash as "Linux's Bash"; + this is simply a slap in the face to all the hackers that have for the + past 26 years been writing what is one of today's most widely used + shells on Unix-like systems (including on [Apple's][apple] proprietary + Mac OSX), and all the other GNU hackers. + +Microsoft and Canonical have apparently been working together to write a + subsystem that translates Linux system calls into something Windows will + understand---a compatibility layer. +So, software compiled to run on a system with the kernel Linux will work on + Windows through system call translation. +Many articles are calling this "Linux on Windows". +This is a fallacy: the kernel Linux is not at all involved! +What we are witnessing is the [_GNU_ operating system][gnu] running with + a Windows kernel _instead_ of Linux. + +This is undoubtedly a technical advantage for Microsoft---Windows users want + to do their computing in a superior environment that they might be + familiar with on [GNU/Linux][gnulinux] or other Unix-like operating + systems, like [Apple's][apple] freedom-denying Mac OSX. +But thinking about it like this is missing an essential concept: + +When users talk about "Linux" as the name of the operating system, they + avoid talking about [GNU][gnu]. 
+And by avoiding mention of GNU, + they are also avoiding discussion of the core principles upon which GNU is + founded---the belief that all users deserve + [software granting _four essential freedoms_][free-sw]: + the freedom to use the program for any purpose; + the freedom to study the program and modify it to suit your needs (or + have someone do it on your behalf); + the freedom to share the program with others; + and the freedom to share your changes with others. +We call software that respects these four freedoms + [_free/libre software_][free-sw]. + +Free software is absolutely essential: + it ensures that _users_, + who are the most vulnerable, + are in control of their computing---not software developers or + corporations. +Any program that denies users any one of their [four freedoms][free-sw] is + _non-free_ (or _proprietary_)---that is, freedom-denying software. +This means that any non-free software, no matter its features or + performance, will [_always_ be inferior to free software][oss] that + performs a similar task. + +Not everyone likes talking about freedom or the + [free software philosophy][free-sw]. +This disagreement resulted in the + ["open source" development methodology][oss], + which exists to sell the benefits of free software to businesses *without* + discussing the essential ideological considerations. +Under the "open source" philosophy, + if a non-free program provides better features or performance, + then surely it must be "better", + because they have outperformed the "open source" development methodology; + non-free software isn't always considered to be a bad thing. + +So why would users want to use GNU/kWindows? +Well, probably for the same reason that they want GNU tools on Mac OSX: + they want to use software they want to use, but they also want the + technical benefits of GNU that they like. 
+What we have here is the ["open source" philosophy][oss]---because if the + user truly valued her freedom, she would use a + [fully free operating system like GNU/Linux][gnulinux-distros]. +If a user is _already_ using Windows (that is, before considering + GNU/kWindows), then she does gain some freedom by installing GNU: + she has more software on her system that respects her freedoms, + and she is better off because of that. + +But what if you're using GNU/Linux today? +In that case, + it is a major downgrade to switch to a GNU/kWindows system; + by doing so, you are [surrendering your freedom to Microsoft][woe]. +It does not matter how many shiny features Microsoft might introduce into + its [freedom-denying surveillance system][woe]; + an [operating system that respects your freedoms][gnulinux-distros] will + _always_ be a superior choice. +We would do our best to dissuade users from switching to a GNU/kWindows + system for the technical benefits that GNU provides. + +So we have a couple different issues---some factual, some philosophical: + +Firstly, + please don't refer to GNU/kWindows as "Linux on Windows", or any variant + thereof; + doing so simply propagates misinformation that not only confounds the + situation, but discredits the thousands of hackers working on the + [GNU operating system][gnu]. +It would also be best if you avoid calling it "Ubuntu on Windows"; + it isn't a factually incorrect statement---you are running Ubuntu's + distribution of GNU---but it still avoids mentioning the + [GNU Project][gnu]. If you want to give Ubuntu credit for working with + Microsoft, please call it "Ubuntu GNU/kWindows" instead of "Ubuntu". +By mentioning GNU, + users will ask questions about the project, + and might look it up on their own. +They will read about [the free software philosophy][free-sw], + and will hopefully begin to understand these issues---issues that they + might not have even been aware of to begin with. 
+ +Secondly, + when you see someone using a GNU/kWindows system, + politely ask them why. +Tell them that there is a _better_ operating system out there---the + [GNU/Linux operating system][gnu]---that not only provides those technical + features, + but also provides the feature of _freedom_! +Tell them what [free software][free-sw] is, + and try to relate it to them so that they understand why it is important, + and even practical. + +It's good to see more people benefiting from GNU; + but we can't be happy when it is being sold as a means to draw users into + an otherwise [proprietary surveillance system][woe], + without so much as a mention of our name, + or [what it is that we stand for][gnu]. + +[^kwindows]: This name comes from [Richard Stallman][rms], founder of the + [GNU Project][gnu]. + +[hurd]: https://gnu.org/software/hurd/ +[oss]: http://www.gnu.org/philosophy/open-source-misses-the-point.html +[gnulinux]: https://www.gnu.org/gnu/linux-and-gnu.html +[gnulinux-distros]: https://www.gnu.org/distros/free-distros.html +[apple]: https://stallman.org/apple.html +[rms]: https://www.fsf.org/about/staff-and-board +[gnu-noheard]: https://gnu.org/gnu/gnu-users-never-heard-of-gnu.html + +--- +featured: true +--- diff --git a/post/2016-05-03-idad.md b/post/2016-05-03-idad.md new file mode 100644 index 0000000..22f9518 --- /dev/null +++ b/post/2016-05-03-idad.md 
@@ -0,0 +1,88 @@ +# International Day Against DRM 2016 + +Today is the [10th annual International Day Against DRM][day-drm]---a day + where activists from around the world organize events in protest against + [Digital Restrictions Management][drm]. + +[day-drm]: https://www.defectivebydesign.org/dayagainstdrm +[drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management + + + +DRM is a scheme by which tyrants use [antifeatures][] to lock down what + users are able to do with their systems, often cryptographically. +For example, + your media player might tell you how many times you can listen to a song, + or watch a video, or read a book; + it might [delete books][1984] that you thought you owned; + it might require that you are [always online][always-on] when playing a + game, and then stop working when you disconnect, or when they decide to + stop supporting the game. +If you try to circumvent these locks, + then you might be [called a pirate][pirate] and be thrown in prision under + the ["anti-circumvention" privisons of the Digital Millenium Copyright Act + (DMCA)][dmca]. +These are all things [that have been long predicated][right-to-read], and + are only expected to get worse with time. + +That is, unless we take a stand and fight back. + +I had the pleasure of participating in + the [largest ever protest against the W3C][w3c-protest] and their attempts + to introduce DRM as a _web standard_ via the [Encrypted Media Extensions + (EME)][eme] proposal.[^photos] +This event was organized beautifully by Zak Rogoff of the [Free Software + Foundation][fsf] and began just outside the Strata Center doors where the + W3C was _actively meeting_, + and then continued to stop outside the Google and Microsoft offices, + both just blocks away. +We were [joined outside Microsoft][eff-protest] by Danny O'Brien, + the EFF's International Director, + who stepped out of the W3C meeting to address the protesters. 
+ +Afterward, most of us [traveled to the MIT Media Lab][media-lab] where + Richard Stallman---who joined us in the protest---sat on a panel along + with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the + W3C. +The W3C was invited to participate in a discussion on EME, but they never + showed. +As a demonstration of the severity of these issues, + [Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal + ever became a W3C Recommendation. + +I can say without hesitation that the protest and following discussion were + some of the most powerful and memorable events of my life---there is no + feeling like being a part of a group that shares such a fundamental + passion (and distaste!) for something important. + +And it _is_ very important. + +[DRM is pervasive][dbd]---the Web is just one corner where it rears its ugly + head. +The [International Day Against DRM][day-drm] gives you and others an + excellent opportunity to hold your own protests, demonstrations, and events + to raise these issues to others---and to do so as part of an + _international group_; + to send a strong, world-wide message: + a message that it is _not_ acceptable to act as tyrants and treat users as + slaves and puppets through use of digital handcuffs and [draconian + punishments for circumventing them][dmca]. + +[^photos]: The EFF has some [great photots][eff-protest]; I'm the one in the + hoodie between the giant GNU head and Zak Rogoff. 
+ +[antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/ +[lp2016]: https://libreplanet.org/2016/ +[w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm +[eme]: https://w3c.github.io/encrypted-media/ +[eff-protest]: https://w3c.github.io/encrypted-media/ +[w3c]: https://www.w3.org/ +[fsf]: https://fsf.org/ +[media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito +[hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards +[dmca]: https://www.eff.org/issues/dmca +[dbd]: https://www.defectivebydesign.org/ +[1984]: https://www.defectivebydesign.org/amazon-kindle-swindle +[always-on]: https://en.wikipedia.org/wiki/Always-on_DRM +[right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html +[pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal diff --git a/post/2016-07-16-cfaa.md b/post/2016-07-16-cfaa.md new file mode 100644 index 0000000..ccfab06 --- /dev/null +++ b/post/2016-07-16-cfaa.md 
@@ -0,0 +1,55 @@ +# CFAA, "Authorized" Access, and Common Sense + +There is little common sense to be had with the [Computer Fraud and Abuse + Act][cfaa] (CFAA) to begin with. +To add to the confusion, + the Ninth Circuit Court of Appeals last week held 2-1 in [United States + v. Nosal][uvn] that accessing a service using someone else's + password---even if that person gave you permission to do so---[violates + the CFAA][cfaa-passwd], + stating that only the _owner_ of a computer can give such authorization. +This is absurd even with complete lack of understanding of what the law is: + should your spouse be held criminally liable for paying your bills online + using your account? + +[cfaa]: https://www.eff.org/issues/cfaa +[uvn]: https://www.eff.org/cases/u-s-v-nosal +[cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit + +Common sense says no. + + + +In another case this week---[Facebook v. Power Ventures][fvp]---the same + court (though a different panel of judges) stepped back from the original + decision and stated that computer _users_ can indeed provide + authorization. +This authorization holds even if the service's Terms of Service say + otherwise. +Yet: the computer owner (in this case, Facebook) can revoke authorization, + which takes precedence over any authorization provided by a user of that + system. +So with a seemingly magical incantation, + a benign situation can be made into a federal crime, + just like that. + +These situations highlight dangerous confusion over the interpretation of an + already dangerously vague law. +The CFAA is the law that was used to prosecute Aaron Swartz for federal + "crimes"---with a punishment of up to thirty-five years in prison---for + liberating documents hosted on JSTOR. +Because of this [draconian threat][eff-punish], + [Aaron committed suicide][aaron] on January 11th, 2013. 
+ +The CFAA already has blood on its hands; + it needs to be reined _in_, + not be given further broad powers. +So don't take news of the decisions in US v. Nosal and Facebook v. Power + Ventures as canceling one-another out; + things may appear the same for now, + but serious problems still need to be resolved. + +[cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even +[fvp]: https://www.eff.org/cases/facebook-v-power-ventures +[eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime +[aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz diff --git a/post/2016-07-29-election.md b/post/2016-07-29-election.md new file mode 100644 index 0000000..17a0bde --- /dev/null +++ b/post/2016-07-29-election.md 
@@ -0,0 +1,41 @@ +# "Election" + +The past few days of the DNC have demanded pause. I am an Independent. I +do not like Hillary Clinton. I am a Bernie supporter, and I was upset by his +endorsement of Hillary. I had vowed not to vote for Hillary; I would +instead vote for Jill Stein. The DNC, while very well done with a deeply +compelling facade, has not changed my perspective on Clinton. + +It is perhaps said best by Bernie himself: "It's easy to boo, but it's +harder to look your kids in the face who would be living under a Donald +Trump presidency". The conflict here is between my deep ideologies and +reality. It's often said that a vote for Hillary is a vote against Trump; +such a perspective would shallow and purposeless. But this isn't an +election for president---this is the most threatening assault on everything +I stand for that I hope I will ever witness in my lifetime. To stand for +ideological purity would be to stand atop a mountain while the world around +me burns. This is why Bernie chose to unite. + +Should Trump win, my ideals that seem within reach could be blown back +decades. As a matter of strategy, I cannot justify _not_ swallowing every +ounce of my pride. Hillary's presidency is an unfortunate but necessary +consequence of the only permissible outcome. I am not electing a president +of the United States. I am electing _a United States_. + + + +So I am doing what I never thought I would do: proposing that others too +factor this obscene equation and recognize how the very few remaining +variables affect the result. My ideals continue to exist in part and in +spirit with Hillary as president. With Trump, they are all but +vanquished. Donald Trump must not be elected president of the United +States. When (and if) you vote, think of it as a shot fired, not as a vote +cast. + +"Election". + +More information about my opinions on this topic can be found +[here][social-1] and [here][social-2]. 
+ +[social-1]: https://social.mikegerwitz.com/conversation/21864 +[social-2]: https://social.mikegerwitz.com/conversation/22026 diff --git a/post/2016-08-25-nso-group-target-activist.md b/post/2016-08-25-nso-group-target-activist.md new file mode 100644 index 0000000..37125c4 --- /dev/null +++ b/post/2016-08-25-nso-group-target-activist.md 
@@ -0,0 +1,103 @@ +# NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist + +[Citizen Lab released a report][cl] describing the attempted use of iOS + 0-days on human rights activist [Ahmed Mansoor][] by the United Arab + Emirates. +They named this chain of exploits _Trident_, + and with the help of [Lookout Security][paper], + were able to analyze them. + +It begins with [arbitrary code execution (CVE-2016-4655)][4655] by + exploiting a memory corruption vulnerability in WebKit, + which downloads a payload unknown to the user. +That payload is able to bypass KASLR and [determine the kernel memory + location (CVE-2016-4656)][4656], + then allowing it to exploit a [memory corruption vulnerability in the + kernel itself (CVE-2016-4657)][4657]; + this "jailbreaks" the device and is a complete compromise of the system. + +[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ +[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor +[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf +[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655 +[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656 +[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657 + + + +This payload is [Pegasus][paper], + a complex surveillance tool sold to governments, + often used for espionage. +In this case, + Monsoor received a suspicious text message and wisely [tipped off Citizen + Lab][cl] rather than opening the presented link. +Had he done so, + he would have unknowingly downloaded this spyware that could very well + have put his life in extreme danger: + it has the capability to track his location; + record his calls and texts; + record communications through software like WhatsApp and Skype; + download his contact information; + grab passwords and encryption keys from his keyring; + and much more. 
+ +This malware was written by [NSO Group][], + which is so poorly known that their [Wikipedia page didn't even exist + until today][nso-wikipedia]. +The software company is based in Israel, + founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. +They were purchased in 2014 by [Francisco Partners][], + a private equity firm in the United States, + for $110 million. +They exist to sell exploits to governments. + +Anyone familiar with security research is aware of [responsible + disclosure][]: + it is a model whereby researchers who discover a vulnerability + release their research publicly only _after_ they notify the authors + of the software, + and a patch mitigating the vulnerability has been released. +This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in + iOS 9.3.5.[^rms-apple] +This is not what NSO Group does: + Instead, they horde their exploits[^0day] and sell them to governments as + weapons for surveillance or espionage. +In this case, + the United Arab Emirates (or so it seems). +This is not only unethical, + but to sell to a government that is known for this type of abuse is + inexcusable and negligent---the people behind NSO Group are absolute + scum.[^scum] +They are empowering a foreign government known for their civil and human + rights abuses. +I have trouble finding words. + +There is much more that can be said on this topic with respect to security, + civil and human rights, + and various other topics. +But I don't want to distract from the topic at hand. +Let this sink in. +Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper]. +Today I leave my soapbox be. 
+ +[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group +[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history +[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners +[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure +[apple]: https://support.apple.com/en-us/HT207107 + +[^rms-apple]: I [can't recommend that you use Apple + devices](https://stallman.org/apple.html), but if you do, you + should upgrade immediately; + you are vulnerable to exploitation by simply visiting a + malicious webpage. + +[^0day]: Called 0-days, + because they haven't been disclosed and there has been no time to + prepare or release a fix. + +[^scum]: For other scum, see the organization behind [FinFisher][]; and the + group [Hacking Team][]. + +[FinFisher]: https://en.wikipedia.org/wiki/FinFisher +[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team diff --git a/post/2017-05-16-self-discovery-pre-internet.md b/post/2017-05-16-self-discovery-pre-internet.md new file mode 100644 index 0000000..3e66a1f --- /dev/null +++ b/post/2017-05-16-self-discovery-pre-internet.md 
@@ -0,0 +1,79 @@ +# Self-Discovery Before the Internet + +This is an autobiographical opinion piece prompted by [a HackerNews +post][hn] discussing what it was like to learn programming before Stack +Overflow (and other parts of the Internet). + +[hn]: https://news.ycombinator.com/item?id=14339293 + + + +I'm not old. I was born in 1989. I started programming around 1999. The +Internet sure did exist back then, but I was 10, and my parents weren't keen +on having me just go exploring. Besides, it was dial-up---you couldn't go +search real quick; especially if someone was on the phone. Using the +Internet was an _event_, and an exciting one at that, listening to those +dial tones, logging in using that old Prodigy dialog. Back then you had +Dogpile and Ask Jeeves. Most sites I'd visit by name; usually that was +GameFAQs or CNET download.com, because those are the sites my friend told me +about when he introduced me to the Internet. + +I'm entirely self-taught. I didn't know any programmers. I didn't have +contact with any. I told my parents that I wanted to learn how to program +and they skeptically brought me to Barnes and Noble where we picked out +Learn to Program with Visual Basic 6 by John Smiley (*gasp* yes I started as +a Windows programmer). It came with a VB6 CD that for a while I was +convinced could only run the book examples, because I had no idea what I was +doing. I struggled. I tinkered. Hacker culture was on the complete +opposite end of where I was, but by the time I discovered it years later, I +felt like I finally found myself---I finally discovered who I was. The +struggle made me a hacker. + +It's easy to half-ass it today. It's easy to simply say "eh I can Google +it" and forego committing knowledge. But it also makes it easy to gain +knowledge, for those who do care to do so. It makes trivia easy. It makes +discovery easy. 
It also exposes people to subcultures quickly and +demands conformance to stereotypes and norms before one can discover +_themselves_. Who would I be today without having to struggle for myself +rather than someone else _telling_ me who I am, and what I do? + +This is more than just technical knowledge. This is the difference between +dropping a child off in the wild or dropping them off at the local +scouts. And at least scouts will discover themselves together. With the +Internet, you absorb a body of existing knowledge; you _rediscover others_, +not yourself. You often read blogs containing opinions of others, not books +or manuals. + +That's not to say that you can't learn on your own. Many still do. Many +focus on manuals and books and source code rather than social media. It's +sure hard, though, when everything is integrated as such. Social media +can be beneficial---you do want communication and collaboration. I sure as +hell want to communicate with others. Opinions of others are deeply +important too. Some of the best things I've read are on blogs, not in +books. But I've already found my niche. I've found myself. I wasn't +tainted or manipulated---I learned in a world of proprietary software where +developing license systems was fun and emerged a free software +activist. Because I was forced to look inward, not post on Stack Overflow +or HN or Reddit expecting a hand-guided tour or `dd` of thoughts (okay, +you're not getting that on HN). + +Not everyone needs to be a passionate hacker or developer. Really, the +world needs both. And based on what I've seen being pumped out of schools +and universities, the self-taught are generally better off either way. The +vast resources available to modern programmers make many tasks easier and +cheaper, though it also increases maintenance costs if all the programmer is +doing is using code snippets or concepts without actually grokking +them. But this is what most of the world runs off of. + +Let yourself struggle. 
Go offline. Sit down with a print book and get out +a pen and take notes in the margin, write out your ideas. Getting syntax +errors in your editor or REPL? Figure it out! Or maybe consult the manual, +or the book you're reading. Don't search for the solution. When I learned +Algebra in middle school, I had little interest, and forgot all of +it. Years later, I needed it as a foundation for other things. I +discovered the rules for myself on pen and paper. Not only do I remember it +now (or can rediscover on a whim), but I understand _why_ it works the way +it does. I've had those epiphanies. It's easy to miss the forest for the +trees when you don't gain that essential intuition to help yourself +out. And the forest is vast and beautiful. + diff --git a/post/2017-06-03-gnu-more-software.md b/post/2017-06-03-gnu-more-software.md new file mode 100644 index 0000000..89b76e2 --- /dev/null +++ b/post/2017-06-03-gnu-more-software.md 
@@ -0,0 +1,35 @@ +# GNU is more than a collection of software + +GNU is more than just a collection of software; it is an operating system: + + [https://www.gnu.org/gnu/thegnuproject.html]() + +Many hackers and activists within the free software community don't +understand this well, and it's a shame to see attacks on GNU's relevance (as +measured by programs written by GNU on a given system) going +unchallenged. Software for GNU was written by the GNU Project when a +suitable free program was not available. It wouldn't have made sense to +write everything from scratch if free programs already solved the problem. + + + +When we say GNU/Linux, we really are referring to the GNU operating system +that just happens to be using Linux. It could be using the FreeBSD kernel +([GNU/kFreeBSD][]). It could be using a Windows kernel with a Linux API +([GNU/kWindows][]). It could be using the [Hurd][] ([GNU/Hurd][]). The +disambiguation is important, but the end result is pretty much the same. + +There are many systems that use Linux that are not GNU. Android is not GNU, +for example. We shouldn't attempt to call those systems "GNU/Linux" +blindly. (Also note how it's called "Android", not "Android/Linux", or just +"Linux". Somehow GNU is controversial, though.) + +So if you see someone challenging GNU's relevance because GNU/Linux contains +so much software that isn't part of a GNU package, then please provide the +above link, and kindly explain to them that their observation is correct, +because GNU is an operating system, not a collection of programs. + +[GNU/kFreeBSD]: https://en.wikipedia.org/wiki/Debian_GNU/kFreeBSD +[GNU/kWindows]: https://mikegerwitz.com/2016/04/GNU-kWindows +[Hurd]: https://www.gnu.org/software/hurd/ +[GNU/Hurd]: https://www.debian.org/ports/hurd/ diff --git a/post/2017-06-24-russia-review-source.md b/post/2017-06-24-russia-review-source.md new file mode 100644 index 0000000..b54c6e1 --- /dev/null +++ b/post/2017-06-24-russia-review-source.md 
@@ -0,0 +1,79 @@ +# Russia wants to review source code of Western security software + +Reuters [released an article][0] entitled "Under pressure, Western tech + firms bow to Russian demands to share cyber secrets". +Should Russia be permitted to do so? +Should companies "bow" to these demands? + +I want to draw a parallel to another highly controversial case regarding + access to source code: + the [Apple v. FBI][2] case early last year. +For those who don't recall, + one of the concerns was the government trying to compel Apple to make + changes to iOS to permit brute forcing the San Bernardino attacker's + PIN; + this is a [violation of First Amendment rights][3] (compelled speech), + and this afforded Apple strong support from even communities that + otherwise oppose them on nearly all other issues. +The alternative was to have the FBI make changes to the software instead of + compelling Apple to do so, + which would require access to the source code of iOS. + +[0]: http://www.reuters.com/article/us-usa-russia-tech-insight-idUSKBN19E0XB +[2]: https://en.wikipedia.org/wiki/FBI%E2%80%93Apple_encryption_dispute + + + +Becuase of the hostility toward the FBI in this case, + even many in the [free software community][4] took the stance that the FBI + being able to modify the software would set terrible precedent. +But that's missing the point a bit. +Being able to modify software doesn't give you the right to install it on + others' devices; + the FBI would have had to compell Apple to release their signing keys + as well---_that_ is a dangerous precedent. +If the government compelled Apple to made changes themselves, + _that_ is dangerous precedent. + +"Cyber secrets" in the above title refers to source code to software written + by companies like Cisco, IBM, SAP, and others; + secrets that can only exist in proprietary software that + [denies users the right to inspect, modify, and share][1] the software + that they are running. 
+ +For those who agree with the free software philosophy, + it's important to remove consideration of _who_ is trying to exercise their + [four freedoms][1]. +In the case of the FBI, + from a free software perspective, + of course they should be able to modify the software---we + believe that _all_ software should be free! + (But that doesn't mean they should be able to install it on _someone + else's_ device.) +In the context of this article by Reuters: + Russia doesn't have to ask to examine software that is free/libre. + And if they did, it shouldn't be a concern; + restricting who can use and examine software is [a slippery slope][5]. + +Unfortunately, not all software is free/libre. +But if we extend the free software philsophy---there + should be no _ethical_ concerns with a foreign power wanting to inspect + proprietary source code. +But proprietary software might have something of concern to hide: + it might be something malicious like a backdoor, + or it might be something like a lack of security or poor development + practices; + [proprietary software exists only to keep secrets][6], after all. + +If Russia has to ask to inspect source code for security software, + you probably do too. +And if that's the case, + the security being provided to you is merely a facade. +It's not Russia to be suspicious of for asking---it's + the companies that keep secrets to begin with. + +[1]: https://www.gnu.org/philosophy/free-software-even-more-important.html +[3]: https://www.eff.org/deeplinks/2016/03/deep-dive-why-forcing-apple-write-and-sign-code-violates-first-amendment +[4]: https://www.gnu.org/philosophy/free-sw.en.html +[5]: https://www.gnu.org/philosophy/programs-must-not-limit-freedom.html +[6]: https://www.gnu.org/proprietary/proprietary.html diff --git a/post/2017-06-27-no-force-use-tools.md b/post/2017-06-27-no-force-use-tools.md new file mode 100644 index 0000000..5cfdbf7 --- /dev/null +++ b/post/2017-06-27-no-force-use-tools.md 
@@ -0,0 +1,85 @@ +# Don't force me to use your tools [on the Web] + +There was an interesting discussion on [libreplanet-discuss][] recently + regarding web interfaces. +Below is a rather informal off-the-cuff statement regarding the use of Web + interfaces (specificlaly Discourse) over my own tools. + +[libreplanet-discuss]: https://lists.gnu.org/archive/html/libreplanet-discuss/2017-06/msg00032.html + + + +----- + +I live a huge chunk of my life in my mail client + (which happens to be my editor as well). +It's scripted, + heavily customized, + and integrated with other things. +I do task management with Org mode, + which integrates simply but well enough with Gnus. +I can use my editor keybindings and such when composing messages. +The same goes with my IRC client. +I never have to leave home, if you will. + +Contrast that with websites: + if I have to write anything substantial, + I often have to write it in my editor first and paste it in. + +Many of us hackers don't care for flashy interfaces; + we'd rather use the tools we've invested our lives into and know well. + Tools that can compose and work well in pipelines. +Trying to use interfaces that reinvent the wheel poorly is painful. +And let's not be fooled---these are programs. +Especially when they're heavy on JavaScript. +There's no difference between this and someone asking me to download Foo and + put my Emacs toy away, as cute as it is. + +But I know that many people don't feel that way. +I have coworkers that think I'm crazy (respectfully so). +And I think they're crazy too. ;) +Admittedly, using your own tools is a large barrier to entry---my + tools are useful because I've spent a great deal of time learning and + researching and customizing. +And now I can reuse them for everything. +For your average user looking to get into activism, + who may not even be a programmer, + that's a bit different; + it's easier to say "here's your single tool (Web)---go use it". 
+ +There are systems that allow for a level of integration + (e.g. mailing lists and forums). +But they're often treated as fallbacks---as second-class citizens. +They might provide a subset of features; + it leaves certain members of the community out---those + who want to use their own tools. + +I haven't used Discourse. +I do see "mailing list support"; + maybe that's a good sign. +But one of the phrases at the top of the features page is + "[w]e're reimagining what a modern discussion platform should + be". +Many of us don't want to see it reimagined. +That's the opposite of what many want. + +Trying to strike a balance isn't a bad thing if that's the audience + we're looking to attract. +But it's difficult, + and something I struggle with a great deal. + +----- + +tl;dr: + Asking someone to use an interface on the Web is asking them to use + /your/ program instead of their own. + Be respectful by using [Web standards for accessibility][accessibility]; + [progressive enhancement][]; + and make use of well-established standards with rich histories, + especially if your audience makes use of them + (e.g. mailing lists, RSS feeds, federation standards, etc). + +Thank you. + +[accessibility]: https://en.wikipedia.org/wiki/Web_accessibility +[progressive enhancement]: https://en.wikipedia.org/wiki/Progressive_enhancement diff --git a/post/2018-01-05-lp2018-ev.md b/post/2018-01-05-lp2018-ev.md new file mode 100644 index 0000000..96fc0bd --- /dev/null +++ b/post/2018-01-05-lp2018-ev.md 
@@ -0,0 +1,40 @@ +# The Ethics Void: Join Me at LibrePlanet 2018! + +I got word today that I'll be speaking again at this year's [LibrePlanet][]! +I was going to attend even if I were not speaking, + but I'm very excited to be able to continue to build off of last year's + talk and further my activism on these topics. + +[LibrePlanet]: https://libreplanet.org/2018/ + +The title of this year's talk is _The Ethics Void_. +Here's a rough abstract: + + + +> Medicine, legal, finance, journalism, scientific research—each of these +> fields and many others have widely adopted codes of ethics governing the +> lives of their professionals. Some of these codes may even be enshrined in +> law. And this is for good reason: these are fields that have enormous +> consequences. + +> Software and technology pervade not only through these fields, but through +> virtually every aspect of our lives. Yet, when compared to other fields, our +> community leaders and educators have produced an ethics void. Last year, I +> introduced numerous topics concerning #privacy, #security, and #freedom that +> raise serious ethical concerns. Join me this year as we consider some of +> those examples and others in an attempt to derive a code of ethics that +> compares to each of these other fields, and to consider how leaders and +> educators should approach ethics within education and guidance. + +(My previous talks can be found on my ["Talks" page][talks].) + +For this talk, + I want to solicit the community at various points. +I know what _I_ want to talk about, + but what are some of the most important ethical issues to _you_? +Unfortunately there's far too much to fit into a 40-minute talk! +Feel free to send me an e-mail or reply to the [thread on GNU Social][thread]. + +[talks]: /talks +[thread]: https://social.mikegerwitz.com/conversation/99140 diff --git a/post/2018-01-08-meltdown-spectre-web.md b/post/2018-01-08-meltdown-spectre-web.md new file mode 100644 index 0000000..9e4f73f 
--- /dev/null +++ b/post/2018-01-08-meltdown-spectre-web.md 
@@ -0,0 +1,44 @@ +# Meltdown/Spectre and the Web + +The recently-released [Meltdown][] and [Spectre][] CPU timing attacks + affect virtually every user in some way; + the consequences are profound. +There are plenty of good write-ups on the topic, + so I don't feel the need to re-iterate the technical details here. +(See an easily digestible one [from the Raspberry Pi][rpi] project, and an + in-depth analysis [from Project Zero][zero].) + +[Meltdown]: https://meltdownattack.com/ +[Spectre]: https://spectreattack.com/ +[rpi]: https://www.raspberrypi.org/blog/why-raspberry-pi-isnt-vulnerable-to-spectre-or-meltdown/ +[zero]: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html + +What I do want to draw attention to is that these attacks [are exploitable + via web browsers][mozilla]. + +[mozilla]: https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ + + + +The reason for this is that your web browser, + by default, + automatically downloads and executes programs without your knowledge or + consent. +Most commonly, + web pages embed software in the form of JavaScript code. +Because of the features available in modern JavaScript environments, + CPU cache timing attacks are possible. + +[I spoke about the security issues][lp2016] of running these programs in your web + browser back in 2016---it + was a bad idea then, + and it's still a bad idea now. +[I spoke further of privacy issues][lp2017] last year at LibrePlanet 2017. +I encourage you to use extensions like [NoScript][] to block the execution of + JavaScript by default, + and stop random people from treating your computer as a puppet to do + their own bidding. + +[lp2016]: https://media.libreplanet.org/u/libreplanet/collection/restore-online-freedom/ +[lp2017]: https://media.libreplanet.org/u/libreplanet/m/the-surreptitious-assault-on-privacy-security-and-freedom/ +[NoScript]: http://noscript.net/ 
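Review bot: The clause "Because of the features available in modern JavaScript environments, CPU cache timing attacks are possible" is too vague to support the post's main point; say which features, at minimum that the attack depends on the page being able to take precise timing measurements, which is what the "timing attack" mitigations referenced by the linked Mozilla URL (`mitigations-landing-new-class-timing-attack`) are aimed at. Spelling that out also balances the advice at the end of the hunk: blocking JavaScript with NoScript is one mitigation, but the link's own title implies that browser vendors are shipping mitigations too, so "keep your browser updated" belongs next to the NoScript recommendation rather than being left implicit. Minor: "re-iterate" is normally written "reiterate".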
diff --git a/post/2018-04-15-mobile-tracking-veil.md b/post/2018-04-15-mobile-tracking-veil.md new file mode 100644 index 0000000..c926bce --- /dev/null +++ b/post/2018-04-15-mobile-tracking-veil.md 
@@ -0,0 +1,60 @@ +# When Talking About Mobile Tracking, Don't Veil Bad Actors With Blanket Statements + +It's difficult to have useful conversations about mobile tracking when + someone says "your phone / mobile device tracks you"; + such statements don't often lead to constructive conversation because they + are too vague and therefore easily dismissed as sensationalism or + paranoia. + And they are all too often without substance because, + while users do have legitimate concerns, + they aren't necessarily aware of the specific problems contributing to + those concerns. + + + +A mobile device is nothing more than a small computer that you carry around + with you. +The networks that you connect to can spy on you---your + cellular network, bluetooth, wifi, etc. +To help mitigate these threats, + you can disable those communications until you are in a safe place that + you don't mind others knowing about. +We can only have confidence that these connections have been disabled by + physical means, + like a hardware switch or a bag that acts like a Faraday cage. +[iOS deceives users][ios-deceive] when they ask to disable those communications + for example. + +The software running on your device often spies on you: + the operating system itself often spies; + the apps you install often spy. +This is the fault of the individual _authors_---_they_ + are the problem. +Consider using free/libre software that empowers you and serves _you_ rather + than its creators; + it's much harder to hide secrets in free software. +On Android, + consider using only free software available in [F-Droid][]. +We also need fully free mobile operating systems, + like [Replicant][] and hopefully Purism's Librem 5 that is still under + development. +Don't be fooled into thinking the Android on most phones is free + software---only + its core (AOSP) is. + +Call out those that do harm---don't + veil and protect them using statements like "your phone tracks you". +Talk about the specific issues. 
+Demand change and have the courage to reject them entirely. +This involves inconvenience and sacrifice. +But if we're strong now, + then in the near future perhaps we won't have to make any sacrifices, + much like the fully free GNU/Linux system desktops we have today. + +Fore more information on tracking, + see my [LibrePlanet 2017 and 2018 talks](/talks) "The Surreptitious Assault on Privacy, + Security, and Freedom" and "The Ethics Void", respectively. + +[F-Droid]: https://f-droid.org +[ios-deceive]: https://web.archive.org/web/20170922011748/https://support.apple.com/en-us/HT208086 +[Replicant]: https://replicant.us diff --git a/post/2018-09-06-lp2019-announce.md b/post/2018-09-06-lp2019-announce.md new file mode 100644 index 0000000..5775e2a --- /dev/null +++ b/post/2018-09-06-lp2019-announce.md @@ -0,0 +1,28 @@ +# LibrePlanet 2019 will be March 23--24 in Boston, MA + +It's already time to start thinking about LibrePlanet 2019, which will be +March 23--24 in the Greater Boston Area in MA: + +[https://libreplanet.org/2019/]() + +This is the one event that I must make it to each year, and I encourage +everyone to attend and see the faces of many that are at the heart of the +free software community. + + + +Consider [submitting a session][submit]! Or, if you can't make it but plan +on watching online, maybe help someone else attend by [contributing to the +travel fund][travel-fund]. The call for sessions ends October 26th. + +I'll be attending again this year, and I plan on submitting a session +proposal. I won't have the time to do [my 100+hr research talks like the +past couple years][talks], so maybe I'll fall back on something more +technical that I won't have to research. + +It's still a ways off, but if you do plan on attending, do let me know so I +can say hello! + +[submit]: https://my.fsf.org/lp-call-for-sessions +[travel-fund]: https://my.fsf.org/civicrm/contribute/transact?reset=1&id=60 +[talks]: /talks/ 
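Review bot: Typo in the closing paragraph: "Fore more information" should read "For more information". Also, "[iOS deceives users][ios-deceive] when they ask to disable those communications" sends the reader to an archived Apple support page to discover what the deception actually is; one clause stating what that page documents (which toggles are involved and what they leave enabled) would make the paragraph self-contained and the accusation checkable. Minor style: "bluetooth, wifi" are usually capitalised as "Bluetooth, Wi-Fi".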
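Review bot: The inline link `[https://libreplanet.org/2019/]()` has an empty target; in CommonMark that produces a link with an empty href, so the URL is shown as text but is not clickable. Use the autolink form `<https://libreplanet.org/2019/>` or a reference-style link like the other posts in this commit.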
diff --git a/post/2018-10-05-webmaster-no-block-tor.md b/post/2018-10-05-webmaster-no-block-tor.md new file mode 100644 index 0000000..ee78c3a --- /dev/null +++ b/post/2018-10-05-webmaster-no-block-tor.md 
@@ -0,0 +1,66 @@ +# Webmasters: Please, Don't Block Tor + +[Tor][] is a privacy and anonymity tool that [helps users to defend + themselves][tor-about] against traffic analysis online. +Some people, like me, use it as an important tool to help defend against + [various online threats to privacy][sapsf]. +[Others use it][tor-users] to avoid censorship, + perhaps by the country in which they live. +Others use it because their lives depend on it---they + may live under an oppressive regime that forbids access to certain + information or means of communication. + +[Tor]: https://www.torproject.org/ +[tor-about]: https://www.torproject.org/about/overview.html.en#whyweneedtor +[tor-users]: https://www.torproject.org/about/torusers.html.en +[sapsf]: /talks/sapsf + +Unfortunately, some people also hide behind Tor to do bad things, + like attack websites or commit fraud. +Because of this, + many website owners and network administrators see Tor as a security threat, + and choose to block Tor users from accessing their website. + + + +But in doing so, + you aren't just keeping out some of the malicious users: + you're also keeping out those who [use Tor for important, legitimate + reasons][tor-users]. +Malicious users have other means to achieve anonymity and often have the + skill and understanding to do so. +But average Tor users aren't necessarily technology experts, + and certainly don't have the extra (often maliciously-acquired) resources + that bad actors do, + so they are disprortionally affected by blocks. + +A particularly unsettling problem I often encounter is that a website will + outright prohibit access by Tor users _even on read-only resources like + articles or information_. +I've even seen this on informational resources on United States Government + domains! +Blocking access to interactive website features---like + posting comments or making purchases---can + be understandable, + or maybe even necessary sometimes. 
+For example, + Wikipedia prohibits page edits over Tor. +But Wikipedia _does not block reading_ over Tor. + +If you are considering threats that may mask themselves behind Tor and you + are running a blog, news site, or other informational resource, + please, consider how your actions [may affect innocent + users][tor-users]. +Allow users to read over Tor, + even if you decide to prohibit them from interacting. + +For users of Tor who do find themselves stuck from time to time: + I will often prepend `https://web.achive.org/` to the URL of a page that + is blocked, + which allows me to view the page in the Internet Archive's [Wayback + Machine][]. +For example, + to view my website in the Wayback Machine, + you'd visit `https://web.archive.org/https://mikegerwitz.com/`. + +[Wayback Machine]: https://web.archive.org/
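Review bot: The URL in the tip for blocked users is misspelled: `https://web.achive.org/` (missing the "r") is not the Internet Archive's domain, while the worked example two lines later correctly uses `https://web.archive.org/https://mikegerwitz.com/`; fix the first to match the second. Also a typo earlier in the hunk: "disprortionally" should be "disproportionately". One caveat worth a sentence next to the tip: the Wayback Machine serves a cached snapshot that may be stale or missing entirely, so it is a fallback for read-only content, not a reason for a site to keep the block in place.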