Commit Graph

54 Commits (084d4d6e4c8e3a0d352539195095777d339eca52)

Author SHA1 Message Date
Mike Gerwitz 084d4d6e4c
Oxford University Blocks Google Docs
Oxford University decided to [block Google Docs][0] last month due to phishing
attacks against its users. To quote the blog post:

  Almost all the recent attacks have used Google Docs URLs, and in some cases
  the phishing emails have been sent from an already-compromised University
  account to large numbers of other Oxford users. Seeing multiple such incidents
  the other afternoon tipped things over the edge. We considered these to be
  exceptional circumstances and felt that the impact on legitimate University
  business by temporarily suspending access to Google Docs was outweighed by the
  risks to University business by not taking such action.[0]

This incident was brought to my attention by a blog post by Schneier,[1] in
which he referenced his [essay on ``feudal security''][2] (I commented in more
detail on this essay in [my response to a previous blog post of his][3]). In
this case, Oxford is trusting that it knows better than its users and has the
right to exercise this power over them in light of their inexperience with
handling these situations (or even recognizing them).[0]

This may very well be the case---the Oxford IT department probably does have a
better understanding of security than many of their users. However, by blocking
access to Google Docs, they are also blocking access to millions of legitimate
articles hosted there, which is far from acceptable. Oxford is more than just a
workplace---for which many would argue these actions are acceptable; it is a
university that should encourage freedom of expression. They simply must find a
better way of dealing with these problems. If a user falls victim to a phishing
attack within Oxford, they will likely fall victim outside of it.

Would Oxford consider blocking e-mail access too (where phishing attacks are
very cheap and common)?

  We appreciate and apologise for the disruption this caused for our users.
  Nevertheless, we must always think in terms of the overall risk to the
  University as a whole, and we certainly cannot rule out taking such action
  again in future [...][0]

N.B.: Google Docs is proprietary and I cannot recommend its use any more than I
can recommend use of Microsoft Office.

[0] http://blogs.oucs.ox.ac.uk/oxcert/2013/02/18/google-blocks/
[1] https://www.schneier.com/blog/archives/2013/03/oxford_universi.html
[2] https://www.schneier.com/essay-406.html
[3] [cref:3fa69da6531cb2131a7f52d17eb77a75e01794ba] (I posted a link to my
response on his blog, but he did not approve the comment.)
2013-03-09 15:59:35 -05:00
Mike Gerwitz 07e36d7fe4
Adding 1 and 1 in PHP
An amusing demonstration; it is my hope that [readers will not take this PHP
library seriously][0]. This is likely a parody of the over-engineering that
often takes foot in Object-Oriented development (a game of ``how many GoF[4]
design patterns can we use in this project'' anyone?).

That is not to say that ``OOP is bad'' (just as object-oriented developers often
consider procedural code bad, when they may just be terrible at writing
procedural code). Indeed, I wrote [an ECMAScript framework for Classical OOP
(ease.js)][1].  The problem is that, with the excitement and misunderstandings
that surround ``good'' object-oriented design, designers are eager to
over-abstract their implementations (I have been guilty of the same thing).
Object oriented programming is often taught to novice CS students (often with
the reign of Java in schools)---teaching practices that can be good principles
when properly applied and in moderation---which I have also seen contribute to
such madness.[2]

Abstractions are highly important, but only when necessary and when they lead to
more concise representations of the problem than would otherwise occur (note
that some problems are inherently complicated and, as such, a concise
representation may not seem concise). I'm a strong advocate of DSLs when
abstractions begin to get in the way and increase the verbosity of the code
(languages with strong macro systems like lisp help eliminate the need for
DSLs written from scratch)---design patterns exist because of deficiencies in
the language: They are ``patterns'' of code commonly used to achieve a certain
effect.

[Criticisms against OOP are abundant][3], just as every other paradigm.

[0] https://github.com/Herzult/SimplePHPEasyPlus
[1] http://easejs.org
[2] http://c2.com/cgi/wiki?TextbookOo
[3] http://c2.com/cgi/wiki?ArgumentsAgainstOop
[4] Design Patterns: Elements of Reusable Object-Oriented Software. ISBN
0-201-63361-2. Gamma, Helm, Johnson and Vlissides (the "Gang of Four").
2013-03-09 15:10:59 -05:00
Mike Gerwitz a1f8634296
Google Says the FBI Is Secretly Spying on Some of Its Customers
A Wired article mentions [figures released from Google][0] regarding National
Security Letters issued by the NSA under the Patriot Act. It is too early to
comment in much detail on this matter (I would like to wait for commentary from
the EFF), but, as the article mentions:

  Google said the number of accounts connected to National Security letters
  ranged between “1000-1999” for each of the reported years other than 2010. In
  that year, the range was “2000-2999.”

The [EFF provides additional information, including recommendations on what to
do about such requests][1] via their Surveillance Self-Defense website. As
quoted from that website:

    And it's even worse for FISA subpoenas, which can be used to force anyone to
    hand over anything in complete secrecy, and which were greatly strengthened
    by Section 215 of the USA PATRIOT Act. The government doesn't have to show
    probable cause that the target is a foreign power or agent — only that they
    are seeking the requested records "for" an intelligence or terrorism
    investigation. Once the government makes this assertion, the court must
    issue the subpoena.[1]

To add insult to injury:

  FISA orders and National Security Letters will also come with a gag order that
  forbids you from discussing them. Do NOT violate the gag order. Only speak to
  members of your organization whose participation is necessary to comply with
  the order, and your lawyer.[1]

[0] http://www.wired.com/threatlevel/2013/03/google-nsl-range/?cid=co6199824
[1] https://ssd.eff.org/foreign/fisa
2013-03-06 00:44:56 -05:00
Mike Gerwitz 47023ce212
DMR: ``Very early C compilers and language''
An interesting article by Dennis Ritchie discussing [early C compilers][0]
recovered from old DECtapes. The source code and history are fascinating reads.
The quality of the code (the ``kludgery''[1], as he puts it) to me just brings
smiles---I appreciate seeing the code in its original glory.

It is also saddening reading the words of such a great man who is no longer with
us; perhaps it helps to better appreciate his legacy.

[0] http://cm.bell-labs.com/cm/cs/who/dmr/primevalC.html
[1] http://www.catb.org/~esr/jargon/html/K/kludge.html
2013-03-01 23:25:41 -05:00
Mike Gerwitz 7a265a6909
Liberated Pixel Cup Winners Announced
[Congratulations][0] to the [winners of the Liberated Pixel Cup][1].

[0] http://www.fsf.org/news/winners-announced-for-free-software-gamings-highest-honor-the-liberated-pixel-cup
[1] http://lpc.opengameart.org/content/code-judging-is-in
2013-03-01 22:35:29 -05:00
Mike Gerwitz 13081f14a7
What is CISPA and Why is it Dangerous?
The EFF has put together an excellent [FAQ on CISPA][0], the ``cybersecurity''
bill that was reintroduced to congress earlier this month.

[0] https://www.eff.org/deeplinks/2013/02/cispas-back-faq-what-it-and-why-its-still-dangerous
2013-02-26 20:13:12 -05:00
Mike Gerwitz 9ceb433174
Phone ``Unlocking'' Once Again Illegal
[Ridiculous.][0] We should own the hardware that we purchase.

[0] https://www.eff.org/is-it-illegal-to-unlock-a-phone
2013-01-30 23:05:01 -05:00
Mike Gerwitz 3fa69da653
Re: Who Does Skype Let Spy?
Today, [Bruce Schneier brought attention to privacy concerns surrounding
Skype][0], a very popular (over 600 million users[1]) VoIP service that has
since been acquired by Microsoft. In particular, [users are concerned over what
entities may be able to gain access to their ``private'' conversations][1]
through the service---Microsoft has refused to answer those kinds of questions.
While the specific example of Skype is indeed concerning, it raises a more
general issue that I wish to discuss: The role of free software and SaaS
(software as a service).

To quote Schneier:[0]

   We have no choice but to trust Microsoft. Microsoft has reasons to be
   trustworthy, but they also have reasons to betray our trust in favor of other
   interests. And all we can do is ask them nicely to tell us first.

Schneier continues to admit, in similar words, that we are but ``vassals'' to
these entities and that they are our serfs.[2] His essays regarding the power of
corporations and governments over their users[3] echo the words of Lawrence
Lessig in his [predictions of a ``perfectly regulated'' future made possible by
the Internet][4]. While Lessig (despite what his critics have stated in the
past) seems to have been correct in many regards, we need not jump into the
perspective of an Orwellian dystopia where we are but ``vassals'' to the
Party.[5] Indeed, this is only the case---at least at present---if you choose to
participate in the use of services such as Skype, as ubiquitous as they may be.

Skype is a useful demonstration of the unfortunate situation that many users
place themselves in by trusting their private data to Microsoft. Skype itself is
proprietary---we cannot inspect its source code (easily) in order to ensure that
it is respecting our privacy. (Indeed, as a user on [the HackerNews
discussion][6] pointed out, Skype has installed undesirable software in the
past.[7]) If Skype were [free software][8], we would be able to inspect its
source code and modify it to suit our needs, ensuring that the software did only
what we wanted it to do---ensuring that Microsoft was not in control of us.

However, even if Skype were free software, there is another issue at work that
is often overlooked by users: Software as a Service (SaaS). When you make use of
services that are hosted on remote servers (often called ``cloud''
services)---such as with Skype, Facebook, Twitter, Flickr, Instagram, iTunes,
iCloud and many other popular services---you are blindly entrusting your data to
them. Even if the Skype software were free (as in freedom), for example, [we
still cannot know what their servers are doing with the data we provide to
them][9]. Even if Skype's source code were plainly visible, the servers act as a
black box. Do they monitor your calls? Does Facebook abuse your data?[10] How is
that data stored---what happens in the event of a data breach, or in the event
of a warrant/subpoena?[1]

The only way to be safe from these providers is to reject these services
entirely and use your own software on your own PC, or use software that will
connect directly to your intended recipient without going through a 3rd
party.[9] (Never mind your ISP; that is a separate issue entirely.) If you must
use a 3rd party service, ensure that you can adequately encrypt your
communications (e.g. using GPG to encrypt e-mail communications)---something
that may not necessarily be easy/possible to do, especially if the software is
proprietary and works against you.

The EFF has published [useful information on protecting yourself against
surveillance][11], covering topics such as encryption and anonymization.

If we are to resist the worlds that Lessig[4] and Schneier[3] describe, then we
must [stand up for our right to privacy and demand action][12]. [Who will have
your back][13] when we're on the brink of ``perfect regulation''[4]; who will
stand up for your rights and work *with* you---not against you---to preserve
your liberties? Without this push, services like Skype empower governments and
other entities to work toward perfect regulation---to continuously spy on
everything that we do. With everyone putting their every thought and movement on
services like Facebook, Twitter[14] and Skype, the Orwellian Thought Police[5] have
the ability to manifest in a form that not even Orwell could have
imagined---unless it is stopped.

To help preserve your ever-dwindling rights online,[15] consider becoming a
member of or participating in the campaigns of the [Free Software
Foundation][16], [Electronic Frontier Foundation][17], the [American Civil
Liberties Union][18] or any other organizations dedicated toward free society.

(Disclaimer: I am a member of the Free Software Foundation.)

[0] http://www.schneier.com/blog/archives/2013/01/who_does_skype.html
[1] http://www.skypeopenletter.com/
[2] http://www.schneier.com/essay-406.html
[3] http://www.schneier.com/essay-409.html
[4] http://codev2.cc/
[5] Orwell, George. Nineteen Eighty-Four. ISBN 978-0-452-28423-4.
[6] http://news.ycombinator.com/item?id=5139801
[7] http://blogs.skype.com/garage/2011/05/easybits_update_disabled_for_s.html
[8] http://www.gnu.org/philosophy/free-sw.html
[9] http://www.gnu.org/philosophy/who-does-that-server-really-serve.html
[10] https://www.eff.org/deeplinks/2013/01/facebook-graph-search-privacy-control-you-still-dont-have
[11] https://ssd.eff.org
[12] https://www.eff.org/deeplinks/2013/01/its-time-transparency-reports-become-new-normal
[13] https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
[14] https://www.eff.org/deeplinks/2013/01/google-twitters-new-transparency-report-shows-increase-government-demands-sheds
[15] https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8750
[16] http://www.fsf.org/register_form?referrer=5804
[17] https://supporters.eff.org/donate
[18] https://www.aclu.org/donate/join-renew-give
2013-01-30 20:39:31 -05:00
Mike Gerwitz 2ae3e94d21
Re: FSF Wastes Away Another ``High Priority'' Project
A couple days ago, my attention was drawn to an article on Phoronix that
[criticized the FSF for its decision to stick with GPLv3 over GPLv2 on
LibreDWG][0] due to the number of projects that make use of it---licensed under
the GPLv2---under a now incompatible[1] license. This article is very negative
and essentially boils down to this point (the last paragraph):

    Unless the Free Software Foundation becomes more accomodating [sic] of these
    open-source developers -- who should all share a common goal of wanting to
    expand free/open-source software -- LibreDWG is likely another project that
    will ultimately waste away and go without seeing any major adoption due to
    not working with the GPLv2.

It is worth mentioning why this view is misguided (though understandable for
those who adopt the ``open source'' philosophy over that of software
freedom[2]). Let me start with this paragraph from the Phoronix article[0]:

  The Free Software Foundation was contacted about making LibreDWG GPLv2+
  instead (since the FSF is the copyright holder), but the FSF/Richard Stallman
  doesn't the DWG library on the earlier version of their own open-source
  license.

The FSF's founding principle is that of software freedom[3] (beginning with the
GNU project). Now, consider the reason for the creation of the GPLv3---the GPLv2
could not sufficiently protect against software patents and newer threats such
as ``tivoization''.[4] These goals further the FSF's mission of ensuring---in
this case---that free software *remains* free ([a concept that RMS coined
``copyleft''][5]). It would make sense, then, that the FSF (and RMS') position is
that [it is important that we adopt the GPLv3 for our software][6].

From this perspective, it does not make sense to ``downgrade'' LibreDWG's
license to the GPLv2, which contains various bugs that have since been patched
in GPLv3---it is not pursuant to the FSF's goals. (Of course, not all agree with
the GPLv3; one such notable disagreement (as well as issues
stemming from copyright assignment) leaves the kernel Linux perpetually licensed
under the GPLv2[7] since it does not contain the ``or later'' clause[8]).

That is not to say that the author's concern is not legitimate---a number of
projects are licensed under the GPLv2 and therefore cannot use the newer (and
improved) versions of LibreDWG that are licensed under the GPLv3 (unless they
were to upgrade to the GPLv3, of course). Whether or not upgrading is feasible
(e.g., in the case of the kernel Linux, it is not) is irrelevant---let us
instead focus on the issue of adoption under the assumption that the project is
either unwilling or unable to make use of a library licensed under the GPLv3.

As aforementioned, the author focuses on the issue of adoption[0]:

  LibreDWG is likely [...to] go without seeing any major adoption due to not
  working with the GPLv2

A focus on adoption is a focus of ``open source'', not free software,[2] the
latter of which the FSF represents. With a focus on software freedom, the goal
is to create software that respects the [users' four essential freedoms][9]; if
the software is adopted and used, great! However, freedom should never be
sacrificed in order to encourage adoption. One may argue that ``downgrading'' to
the GPLv2 is not sacrificing freedom because the software is still free (it is
even the GPL)---but it is important to again realize that the GPLv3 is ``more
free'' than the GPLv2 in the sense that it *protects* additional freedoms;[6]
so, while the GPLv2 isn't necessarily sacrificing users' freedoms directly, it
does have such an indirect effect through means of enforcement.

A reader familiar with GNU may then point out the LGPL---the Lesser General
Public License---under which popular (and very important) libraries such as
glibc are licensed.[10] In fact, one could extend this argument to any
library---why not have LibreDWG licensed under the LGPL to avoid this problem in
its entirety, while still preserving the users' freedoms for that library in
itself? This understanding requires a brief lesson in history---the rationale
under which the LGPL was born. To quote the GNU project:[11]

  Using the ordinary GPL is not advantageous for every library. There are
  reasons that can make it better to use the Lesser GPL in certain cases. The
  most common case is when a free library's features are readily available for
  proprietary software through other alternative libraries. In that case, the
  library cannot give free software any particular advantage, so it is better to
  use the Lesser GPL for that library.

It was for this reason that glibc was released under the LGPL---because it was
better to have the users adopt some sort of free software than none at all;
there were other alternatives that existed that users may flock to if they were
forced to liberate their own proprietary software (after all, the C API is also
standardized, so such a feat would be trivial). Now that glibc has since matured
greatly, it could be argued today that it has proved its usefulness and the LGPL
may no longer be necessary, but such a discussion is not necessarily relevant
for this conversation.

What is important is that [the FSF does not recommend the LGPL for most
libraries][11] because that would encourage proprietary software developers to
take advantage of both the hard work of the free software community and the
users of the software. Now, I cannot speak toward the alternatives to
LibreDWG---do there exist proprietary alternatives that are reasonable
alternatives to non-commercial projects? I do not have experience with the
library. However, I hope by this point the FSF's position has been rationalized
(even if you---the reader---do not agree with it).

Of course, this rationalization will still leave a sour taste in the mouth of
those ``open source'' developers (or perhaps even some free software developers)
that think in terms of what is ``lost'': these projects---which are themselves
free software and therefore beneficial to our community---cannot take advantage
of *other free software* due to this licensing issue. Since these projects had
already existed when LibreDWG was licensed under the GPLv2, the relicensing to
GPLv3 may seem unfair and, therefore, a ``loss''. It is difficult to counter
such an argument if the above rationale has not been sufficient; nor will I
argue that the situation is not unfortunate, should the projects be unable to
relicense. However, it must be understood that, to ensure the future of free
software, the FSF must adapt to combat today's threats and so too must other
free software projects.

The Phoronix article mentioned two projects in particular that suffer from
LibreDWG's relicensing: LibreCAD and FreeCAD.[0] LibreCAD omits the ``or later''
clause that was mentioned above, preventing them from easily migrating to the
GPLv2 (which is against the FSF's recommendation[12]). Unless the project
requires that contributors assign copyright to the project owner, then they
would have to get permission from each contributor (or rewrite the code) in
order to change the license (which is not unheard of; [VLC had done so recently
to migrate from the GPL to the LGPL][13]); this is a significant barrier for any
project with multiple contributors, especially when your project is a derivative
work (of QCad).

The other project mentioned was FreeCAD, and the author of the article mentions
that the project depends on Coin3D and Open CASCADE, ``both of which are
GPLv2'', so the project cannot migrate to GPLv3.[0] A quick look at Coin3D's
website shows that the software is actually licensed under the modified
(3-clause) BSD license, and so migrating to the GPLv3 is not an issue.[15] Open
CASCADE has its own ``public license'' that I do not have the time to evaluate
(nor am I a lawyer, so I do not wish to give such advice), so I cannot speak to
its compatibility with the GPLv3. That said, I'm unsure if it would be a barrier
toward FreeCAD's adoption of the GPLv3.

Ultimately, the moral of the story is to plan for the *future*---if you use a
project licensed under the GPL, ensure that it has the ``or later'' clause that
allows it to be licensed under later versions of the GPL, since you can be sure
that the FSF and many other free software developers will be quick to adopt the
license. Of course, many may not be comfortable with such a licensing decision:
you effectively are giving the FSF permission to relicense your work by simply
releasing a new version of the GPL. It is your decision whether you are willing
to place this kind of trust in the organization responsible for starting the
free software movement in the first place.

Readers may now assume that I am placing the entire blame and onus on the
implementors of LibreDWG. The onus, perhaps, but not the blame---this truly is
an unfortunate circumstance that takes away from hacking a free software
project. Unfortunately, the projects are stuck in a bad place, but the FSF is
not to blame for standing firm in their ideals. Instead, this can be thought of
as a maintenance issue---rather than a source code refactoring resulting from a
library API change, we instead require a ``legal code'' refactoring resulting
from a ``legal API'' change.

[0] http://www.phoronix.com/scan.php?page=news_item&px=MTI4Mjc
[1] http://www.gnu.org/licenses/gpl-faq.html#WhatDoesCompatMean
[2] http://www.gnu.org/philosophy/open-source-misses-the-point.html
[3] http://www.fsf.org/about/
[4] http://www.gnu.org/licenses/quick-guide-gplv3.html
[5] http://www.gnu.org/copyleft/
[6] http://www.gnu.org/licenses/rms-why-gplv3.html
[7] http://lwn.net/Articles/200422/
[8] http://www.gnu.org/licenses/gpl-faq.html#v2v3Compatibility
[9] http://www.gnu.org/philosophy/free-sw.html
[10] http://www.gnu.org/licenses/lgpl.html
[11] http://www.gnu.org/licenses/why-not-lgpl.html
[12] http://www.gnu.org/licenses/gpl-howto.html
[13] http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html
[14] https://bitbucket.org/Coin3D/coin/wiki/Home
[15] http://www.gnu.org/licenses/license-list.html#ModifiedBSD
[16] http://www.opencascade.org/getocc/license/
2013-01-27 09:34:56 -05:00
Mike Gerwitz 1ac60452f7
LuLu Says Goodbye to DRM
On January 8th, [LuLu announced that they would be dropping DRM][0] for users
who ``[download] eBooks directly from Lulu.com to the device of their choice''.
This is a wise move (for [those of us who oppose DRM][1]), but unfortunately, as
John Sullivan of the Free Software Foundation noted on the fsf-community-team
mailing list, the comments on LuLu's website[0] are not all positive:

    This is a positive development, but unfortunately there has been a lot
    of negative reaction in the comments on their announcement.

    It'd be great if people could chime in and support them their move away
    from DRM.

At first glance, certain authors seem to be concerned that the absence of DRM
will lead to ``more illegal file sharing''[0]:

  [...] I’ve got copies of my non-DRM ebooks all over the torrent sites and
  thousands of downloads registered, for which I haven’t received a cent. As
  soon as you push for them to be taken down, they’re posted up again.

While it is unfortunate that those authors are not receiving compensation for
their hard work, it should be noted that this problem exists even *with*
DRM, so it is not a valid argument toward keeping it.

I applaud this move by LuLu, though I'm disappointed to see this comment in the
original post[0]:

  Companies like Amazon, Apple and Barnes & Noble integrate a reader’s
  experience from purchasing to downloading and finally to reading. These
  companies do a fantastic job in this area, and eBooks published through Lulu
  and distributed through these retail sites will continue to have the same
  rights management applied as they do today.

They do not do it well; no DRM is good DRM.

[0] http://www.lulu.com/blog/2013/01/drm-update/
[1] http://defectivebydesign.org/
2013-01-14 20:34:30 -05:00
Mike Gerwitz d896ef5403
USPTO Wants To Hear From Software Community
The [USPTO wants to hear from the software community][0]. Interesting, but the
problem is that the ``software community'' includes more than just those who
find software patents to be an abomination.

I have [mentioned issues with software patents in a previous post][1], but one
resource that may be worth looking at directly is [``The Case Against
Patents''][2] [pdf].

[0] http://www.groklaw.net/article.php?story=20130104012214868
[1] http://mikegerwitz.com/thoughts/2012/10/Abolishing-Patents.html
[2] http://research.stlouisfed.org/wp/2012/2012-035.pdf
2013-01-07 12:37:04 -05:00
Mike Gerwitz 1ca1153814
DNA Collection
Consider a recent article from the EFF [regarding ``Rapid DNA Analyzers''][0].
The article poses the potential issues involved, but also consider that any DNA
collected (if not destroyed) would violate not just your privacy, but your
entire blood line. What if DNA from immigrants were collected? Much of that
information is inherited, so generations down the line, your privacy is still
violated.

I cannot comment intelligently on the matter since I haven't read deeply enough
into the proposed storage/hashing/etc policies, but those policies can be abused
and such data can be leaked. I highly oppose any sort of DNA collection outside
of personal at-home use (when the technology is available with free software)
and use by medical professionals for personal medical reasons so long as the
institution performing the test can provide stringent evidence of its
destruction. But even then, if law enforcement somehow got a hold of the DNA
before it were destroyed, then the problem still exists, so it would be best if
you had your own personal tools to analyze your own DNA and distribute only the
portions that were required (and encryption tools like [GPG][1] could be used
for distribution).

One day, but not now. Let's make those scanners affordable and run free
software.

[0] https://www.eff.org/deeplinks/2012/12/rapid-dna-analysis
[1] http://www.gnupg.org/
2013-01-07 12:24:08 -05:00
Mike Gerwitz a7a967d93a
Happy New Year
The greatest excitement in moving into a new year is the prospect of quantified
growth.

Of course, it also means another year to look forward to the health of those you
care for.
2013-01-01 00:24:30 -05:00
Mike Gerwitz b604fda5ee
Congress Approves FISA For Another 5 Years
At a [vote of 73-23][0], Congress has voted to [extend FISA warrantless spying
bill by five more years][1], even shooting down [proposed amendments][2] to the
bill.[3]

Thank you to those senators that opposed the bill:[0]

  Akaka (D-HI)
  Baucus (D-MT)
  Begich (D-AK)
  Bingaman (D-NM)
  Brown (D-OH)
  Cantwell (D-WA)
  Coons (D-DE)
  Durbin (D-IL)
  Franken (D-MN)
  Harkin (D-IA)
  Leahy (D-VT)
  Lee (R-UT)
  Menendez (D-NJ)
  Merkley (D-OR)
  Murkowski (R-AK)
  Murray (D-WA)
  Paul (R-KY)
  Sanders (I-VT)
  Schatz (D-HI)
  Tester (D-MT)
  Udall (D-CO)
  Udall (D-NM)
  Wyden (D-OR)

Unfortunately, the two senators from my own state cannot join that list.

The [EFF has summarized the surveillance issues of 2012][4] recently on their
website.

[0] https://www.senate.gov/legislative/LIS/roll_call_lists/roll_call_vote_cfm.cfm?congress=112&session=2&vote=00236
[1] https://www.eff.org/deeplinks/2012/12/congress-disgracefully-approves-fisa-warrantless-eavesdropping-bill-five-more
[2] https://www.eff.org/deeplinks/2012/12/why-we-should-all-care-about-senates-vote-fisa-amendments-act-warrantless-domestic
[3] http://arstechnica.com/tech-policy/2012/12/as-senate-votes-on-warrantless-wiretapping-opponents-offer-fixes/
[4] https://www.eff.org/deeplinks/2012/12/2012-review-effs-fight-against-secret-surveillance-law
2012-12-28 22:09:40 -05:00
Mike Gerwitz 1ec460ddeb
Copyright Assignment Of Free Software Projects
An [e-mail today from Paolo Bonzini][0], a maintainer of GNU sed, has prompted
additional discussion regarding copyright assignment to corporate entities; in
particular, the discussion focuses on copyright assignment to the FSF under the
GNU project.

An [article by Michael Kerrisk on LWN.net][1], posted a couple days earlier,
touches on the [same issue brought up by GnuTLS earlier in the month][2]. The
disagreements from the two aforementioned individuals of the GNU-maintained
projects prompt a thoughtful analysis of whether copyright assignment is
appropriate for your own free software project[1]. In contrast, consider the
[developer certificate of origin][3] policy adopted by the Linux project, under
which contributors maintain copyright for their contributions.

There are benefits and downsides to both models---if a project requires
copyright assignment (such as the GNU projects), then enforcement and license
modifications are simplified. As an example, if the Linux project wanted to move
to the GPLv3, they would have to contact each contributor (a similar move was
done recently [by the VLC project][4], except that they moved from the GPL to
the LGPL). However, the Linux project has a much smaller barrier to entry---they
need not [assign copyright of their contributions to the project (such as is the
case with GNU)][5], meaning that individuals may be more likely to contribute.

One of the major benefits touted by the FSF for copyright assignments from
contributors is [copyright enforcement][6]---another complication that would
arise from enforcing the GPL in a project such as Linux. That said, as the LWN
article mentions[2], what if [the FSF cannot find the time to enforce the
copyright on a project violation][7]? Then again, what of the flipside---do you
have the time or money to enforce violations on your own projects were they not
assigned to a corporation like the FSF?

These are interesting discussions and certainly things that should be considered
when determining how to handle both contributions and the copyright for your
entire project. Ultimately, that decision falls on you, the author/maintainer,
and your needs.

(Disclaimer: I am an associate member of the Free Software Foundation. This
article does not reflect any of my personal opinions; whether or not I would
assign copyright to the FSF for any of my projects would be determined based on
the goals and plan of that particular project.)

[0] http://article.gmane.org/gmane.comp.lang.smalltalk.gnu.general/7873
[1] http://lwn.net/SubscriberLink/529522/854aed3fb6398b79/
[2] http://lwn.net/Articles/529558/
[3] http://elinux.org/Developer_Certificate_Of_Origin
[4] http://mikegerwitz.com/thoughts/2012/11/VLC-s-Move-to-LGPL.html
[5] http://git.savannah.gnu.org/cgit/gnulib.git/tree/doc/Copyright/assign.changes.manual#n64
[6] http://www.gnu.org/licenses/why-assign.html
[7] http://lwn.net/Articles/529777/
2012-12-22 15:49:04 -05:00
Mike Gerwitz 7d734d9a80
Warrants For E-mails in the United States
The [Senate Judiciary Committee passed an amendment][0] that requires that they
receive a warrant before spying on our e-mails.

This is excellent; let us hope that it becomes law.

[0] https://www.eff.org/deeplinks/2012/12/deep-dive-updating-electronic-communications-privacy-act
2012-12-06 21:58:09 -05:00
Mike Gerwitz d5731f4a16
Tor exit node operator raided in Austria
[These things][0] mustn't be allowed to happen; they are an affront to privacy.
Tor exit node operators should not have to fear conviction for activities they
themselves did not perform.

[0] http://www.lowendtalk.com/discussion/6283/raided-for-running-a-tor-exit-accepting-donations-for-legal-expenses
2012-12-01 09:04:05 -05:00
Mike Gerwitz d6f2e02111
Privacy In Light of the Petraeus Scandal
I'm not usually one for scandals (in fact, I couldn't care less who government
employees are sleeping with). However, it did bring up deep privacy
concerns---how exactly did the government get a hold of the e-mails?

The [EFF had released an article answering some questions][0] about the scandal,
which is worth a read. In particular, you should take a look at the [EFF's
Surveillance Self-Defense website][1] for an in-depth summary of the laws
surrounding government surveillance and tips on how to protect against it.

I'd like to touch upon a couple things. In particular, the article mentions:[0]

  Broadwell apparently accessed the emails from hotels and other locations, not
  her home.  So the FBI cross-referenced the IP addresses of these Wi-Fi
  hotspots "against guest lists from other cities and hotels, looking for common
  names."

To stay anonymous in this situation, one should [consider using Tor][2] to mask
his/her IP address. Additionally, remove all cookies (or use your browser's
privacy mode if it will disable storing and sending of cookies for you) and
consider that your User Agent may be used to identify you, especially if
malware has inserted its own unique identifiers.

Also according to the EFF article:[0]

  According to reports, Petraeus and Broadwell adopted a technique of drafting
  emails, and reading them in the draft folder rather than sending them.

That didn't work out so well. Consider [encrypting important communications][3]
using GPG/PGP so that (a) the e-mail cannot be deciphered in transit and (b) the
e-mail can only be read by the intended recipient. Of course, you are then at
risk of being asked to divulge your password, so to avoid the situation
entirely, it would be best to delete the e-mails after reading them.
Additionally, if you host your own services, it may be wise to host your own
e-mail (guides for doing this vary between operating system, but consider
looking at software like [Postfix][4] for mail delivery and maybe [Dovecot][5]
for retrieval).

Privacy isn't only for those individuals who are trying to be sneaky or cheat on
their spouses. Feel free to join the EFF in trying to reform the ECPA to respect
our privacy in this modern era; storing a document digitally shouldn't change
its fundamental properties under the law.

I'd also encourage you to read [Schneier's post on this topic][6], which
summarizes points from many articles that I did not cover here.

[0] https://www.eff.org/deeplinks/2012/11/when-will-our-email-betray-us-email-privacy-primer-light-petraeus-saga
[1] https://ssd.eff.org
[2] https://ssd.eff.org/tech/tor
[3] https://ssd.eff.org/tech/encryption
[4] http://www.postfix.org
[5] http://www.dovecot.org/
[6] http://www.schneier.com/blog/archives/2012/11/e-mail_security.html
2012-11-20 08:38:52 -05:00
Mike Gerwitz 0ef5eb8b88
Copyright Reform? You're silly.
Amazingly, the Republican Study Committee (RSC) had [released a report
suggesting copyright reform][0]. Of course, that's a silly thing to do when
you're in bed with organizations like the MPAA and RIAA; [the report was quickly
retracted][1].

It would have been a surprising step forward; maybe there's hope yet, assuming
the GOP can get a handle on itself.

(Disclaimer: I have no party affiliation.)

[0] http://www.techdirt.com/articles/20121116/16481921080/house-republicans-copyright-law-destroys-markets-its-time-real-reform.shtml
[1] http://www.techdirt.com/articles/20121117/16492521084/hollywood-lobbyists-have-busy-saturday-convince-gop-to-retract-copyright-reform-brief.shtml
2012-11-19 10:30:45 -05:00
Mike Gerwitz ae81509c0e
U.S. ``Copyright Alert System''
[The EFF warns][0] of [the ``Copyright Alert System''][1]---a government
endorsed spy system---that will launch shortly to monitor peer-to-peer
networks for so-called ``infringing'' activity.

[0] https://www.eff.org/deeplinks/2012/11/us-copyright-surveillance-machine-about-be-switched-on
[1] http://www.copyrightinformation.org/alerts
2012-11-17 14:11:45 -05:00
Mike Gerwitz 3c37140146
VLC's Move to LGPL
Jean-Baptiste Kempf of the VLC project explains that ``most of the code of VLC''
has been [relicensed under the LGPL][0], moving *away from* the GPL. Some of the
reasons for the move include ``competition, necessity to have more professional
developers around VLC and AppStores''.[1] (With the ``AppStore'' comment,
Jean-Baptiste is likely referring to issues regarding free software in Apple's
App Store, which [the FSF has discussed on their website][2].)

This is unfortunate; using the LGPL in place of the GPL is [not encouraged for
free software projects][3] because, while it ensures the freedom of the project
itself, it does not encourage the development of free software that *uses* the
project---the LGPL allows linking with proprietary software. Let's explore the
aforementioned reasons in a bit more detail.

Firstly, let us consider the issue of competition. In one of the [discussions on
Hacker News][4], I pointed out the distinction between ``open source'' and Free
Software:

  [...]
  It is important to understand the distinction between "open source" and "free
  software". Open source focuses on the benefits of "open" code and development
  and how it can create superior software. Free Software focuses on the ethical
  issues---while free software developers certainly want contributors, the
  emphasis is on the fact that the software respects your freedom and, for that,
  it's far superior to any other proprietary alternative; free software users
  constantly make sacrifices in functionality and usability, and we're okay with
  that.

  [http://www.gnu.org/philosophy/open-source-misses-the-point.html][5]
  [...]

In this sense, why should competition be considered for software freedom, unless
it is between two free software projects, encouraging innovation in conjunction
*with* freedom? In such a case, one wouldn't change the software license from
the GPL to the LGPL, because the LGPL is less pursuant toward those freedoms.
Therefore, VLC instead adopts the [``open source''][5] development model, as it
cares more for competition.

The next concern was to ``have more professional developers around VLC''.[1] Is
this to imply that free software hackers cannot be professional developers? I
certainly am. Consider projects like the kernel Linux---many companies have
contributed back to that project, which is licensed under the GPLv2. If the goal
is to have more people contributing to your project, then a license like the GPL
is certainly best, as it puts a legal obligation on the distributor to release
the source code, which the parent project may then incorporate. Now, the LGPL
also forces this (except for linked software); since the only [differences
between the GPL and the LGPL][6] deal with the linking exception, this means
that the author is either (a) mistaken in the concern or (b) wishes for more
*proprietary* development around VLC.  Alternatively, the author may be
concerned that the GPL introduces compatibility issues between whatever other
``open source'' license developers wish to use when linking VLC code, but
again---that means that VLC is devaluing freedom. Risky business, but this is
the model that BSD follows (permitting proprietary derivatives of the entire
software---not just linking---and receiving contributions back from proprietary
software makers.)

Finally, let us consider the issue of Apple's App Store. This issue is
certainly of strong concern---Apple's products are very popular and yet they do
not even make an attempt to respect the users' freedoms either with their
software or with any of the software they allow on their ``App Store''.[2]
However, Jean-Baptiste has made a fatal mistake---we should not be changing our
licenses to suit Apple! In effect, that is giving Apple even more power over
free software by allowing them to exert control not only over their users, but
also over the developers of the users' favorite software! We should instead
express our condolences to those users and suggest instead that they adopt a
device or operating system that respects their freedom, or that they jailbreak
their devices (which is [still legal][7]).

I'll end this commentary with an additional response of mine from the
aforementioned Hacker News thread:[4]

    The freedoms represent an ethical issue---that software developers have
    unprecedented control over their users. Why should I, as a hacker, be able
    to tell you what you can and cannot do with your device? Furthermore, it
    raises deep privacy issues---what kind of data am I collecting and why
    should I have that data?

    I entered the free software movement slowly (I began software development on
    Windows as a young boy and was trained to think that bossing the user around
    was a good thing; I thought it was fun to write DRM systems and
    anti-features). I began using GNU/Linux while still rationalizing my use of
    proprietary software through Wine or by dual-booting into Windows. I then
    saw the benefits of the "open source" development model. It wasn't until I
    spent the time researching the reasons behind the free software movement
    that things began to click. I was able to look back on everything I learned
    as a developer for Windows and see that I enjoyed the thought of controlling
    my users. I enjoyed the power I got from programming---programming was
    empowerment, and the only way to squeeze the money out of those unsuspecting
    users was to do it forcefully.

    People have fundamentally different philosophies when it comes to
    programming. Do all proprietary software developers do so out of greed? On
    some level, sure---they're not contributing that code so that others may
    benefit from it. But are they doing it for the purpose of controlling their
    users? Not necessarily, but they still are, even if they have the best of
    intentions. Is someone who creates proprietary educational software for
    children in third world countries "evil"? Certainly not. The problem is that
    they're denying them an additional right---the right to modify that
    software, learn from it and use their devices as they please.

    Of course, we often see proprietary software used unethically, often times
    for vendor lock-in or greed; corporations are worried that if they lighten
    their grip on their users, that the users may run, or worse, do something
    [il]legal. I don't believe that is the place of software developers. I
    remember, back when I used Windows, I was obsessed with magic/illusion. I
    purchased a ton of videos online teaching me various magic tricks, but the
    videos were laced with DRM (which, at the time, as a Windows developer, I
    applauded). The problem was, that I then upgraded my hardware. My videos no
    longer worked. I contacted them for a new key, and could view them again.
    Then I got a new PC. And now I use GNU/Linux. I can no longer watch those
    videos that I purchased because of this unnecessary, artificial restriction.
    Was I going to distribute those videos? No. Did that prevent others from
    stripping the restrictions and distributing it anyway? Certainly not. I was
    being punished for others' actions and the others weren't any worse off from
    the restrictions, because they understood how to defeat them.

    Of course, DRM's only one of the many issues (and DRM cannot exist in free
    software, because the community would simply remove the anti-feature). What
    if I were using some software---let's say Photoshop---and it crashed on me
    in the middle of my work. Crap. Well, if I were using GIMP, I would run gdb
    on the core dump (assuming a segfault) and inspect the problem. I would try
    to repeat it. I could, if I wanted to, get my hands on the source code, fix
    the problem and distribute that fix to others. If I didn't have the time or
    ability, others could fix the problem for me, and we have the right to share
    those changes. We have the right to benefit from those changes. With
    Photoshop, we'd better start waiting. What if I was able to magically come
    up with a fix, perhaps by modifying the machine code? Hold on---I'm not
    allowed to do that! And I'm certainly not allowed to distribute that fix to
    others. And I'm certainly not allowed to give my son a copy for his PC if he
    wanted to do an art project for school.

    The FSF provides a great deal of information on their philosophy:
    <http://www.gnu.org/philosophy/>. You could also gain a great deal of
    insight by reading up on the history:
    <http://shop.fsf.org/product/free-as-in-freedom-2/> or by reading RMS'
    essays: <http://shop.fsf.org/product/signed-fsfs/>.

    And ultimately, you may find that you do not agree with our
    philosophy---many don't. That's certainly your right, and I respect that.
    What I cannot respect, and will not respect, is when that philosophy is used
    to exert control over others.

    (As a final note: many say we control developers through our "viral"
    licenses. But keep in mind that we're trying to protect the users *from*
    developers. This means taking power away from developers. This is
    intentional.)

[0] http://www.jbkempf.com/blog/post/2012/I-did-it
[1] http://www.jbkempf.com/blog/post/2012/How-to-properly-relicense-a-large-open-source-project
[2] http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement
[3] http://www.gnu.org/licenses/why-not-lgpl.html
[4] http://news.ycombinator.com/item?id=4787965
[5] http://www.gnu.org/philosophy/open-source-misses-the-point.html
[6] http://www.gnu.org/licenses/lgpl.html
[7] https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video
2012-11-17 13:27:58 -05:00
Mike Gerwitz 735516048e
OLPC Tablet in Ethiopia
A story mentions how [Ethiopian kids quickly learned to read and use tablet
PCs][0] provided by the [One Laptop Per Child][1] project. This is not only a
noble feat (as we would expect from OLPC), but also an impressive one,
considering that (as the article mentions) the children did not know how to
read, even in their own language.

Now, while the OLPC does have [its own tablet][2], the article mentions that the
[children were given Motorola Zoom tablets][0]; I would hope that they run free
software to encourage freedom in these developing countries and to encourage the
children to hack and explore their devices in even greater detail.

[0] http://dvice.com/archives/2012/10/ethiopian-kids.php
[1] http://one.laptop.org/
[2] http://one.laptop.org/about/xo-3
2012-11-14 20:37:12 -05:00
Mike Gerwitz 2385e43391
Video of 2012 Voting Machine Altering Votes
A Reddit user [posted video of a 2012 voting machine preventing him from
selecting Barack Obama][0]. Malfunction or not, this is the type of thing that
could have possibly been caught if the software were free. Furthermore, from
reading the source code, one would be able to clearly tell whether or not it was
a bug or an intentional ``feature''.

[0] http://thenextweb.com/shareables/2012/11/06/reddit-user-captures-video-of-2012-voting-machines-altering-votes/
2012-11-06 17:48:53 -05:00
Mike Gerwitz 8f097eae0c
MediaGoblin $10k Matching Grant
Congratulations to MediaGoblin for not only [meeting the $10k matching grant
from a generous anonymous donor][0], but also for raising $36k to date.

[MediaGoblin][1] is a ``free software media publishing platform that anyone can
run''; it is a distributed, free (as in freedom) alternative to services such as
YouTube, Flickr and others, and is part of the [GNU project][2].

[0] http://mediagoblin.org/news/we-made-10k-matching.html
[1] http://mediagoblin.org/
[2] http://gnu.org/
2012-11-05 22:15:04 -05:00
Mike Gerwitz 437ab17600
California Proposition 35 Concerns
The EFF [points out problems with California's Proposition 35][0], which would,
among other things, [require registered sex offenders to ``disclose Internet
activities and identities''][1]:

  [...] Proposition 35 would force individuals to provide law enforcement with
  information about online accounts that are wholly unrelated to criminal
  activity – such as political discussion groups, book review sites, or blogs.
  In today’s online world, users may set up accounts on websites to communicate
  with family members, discuss medical conditions, participate in political
  advocacy, or even listen to Internet radio. An individual on the registered
  sex offender list would be forced to report each of these accounts to law
  enforcement within 24 hours of setting it up – or find themselves in jail.
  This will have a powerful chilling effect on free speech rights of tens of
  thousands of Californians.

[0] https://www.eff.org/deeplinks/2012/11/eff-urges-no-vote-california-proposition-35
[1] http://voterguide.sos.ca.gov/propositions/35/
2012-11-05 22:00:31 -05:00
Mike Gerwitz 872ebf05b4
Another Useless, False-Sense-Of-Security NSA Security Tactic
A police officer [recalls a time he went through airport security][0] and
received a patdown from one of the security agents, which he found to be
absolutely useless.

[0] http://www.gizmodo.co.uk/2012/10/search-me/
2012-11-05 21:51:43 -05:00
Mike Gerwitz e96ccc28ad
EFF Elaborates On DMCA Ruling
In addition to my aforementioned links, the EFF has provided [a more detailed
analysis][0] of the decision.

[0] https://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve
2012-11-03 23:44:08 -04:00
Mike Gerwitz 8c67f5177d
Ban On Public Rallying and Demonstrations in Bahrain
The government of Bahrain found that the best solution to preventing violent
protests was to [ban all public rallying and demonstrations][0].

[0] https://www.eff.org/deeplinks/2012/11/bahrain-goes-bad-worse
2012-11-03 23:24:56 -04:00
Mike Gerwitz 5133deccdd
OpenWireless.org
The EFF [announces the launch of openwireless.org][0], which encourages users to
[share their network connections][1] to create a global network of freely
available wireless internet access.

This is a noble movement. This reminds me of a point in history when MIT began
password protecting their accounts, which were previously open to anyone.
Stallman, disagreeing with such a practice, encouraged users to create empty
passwords.[2] Stallman would even give out his account information so that
remote users may log into MIT's systems, all with good intent.

Of course, with malice rampant in today's very different world, Stallman's
actions, although noble, would be both naive and a huge security risk.
Fortunately, [opening your wireless network isn't necessarily one of these
risks][3] and, if done properly, does not equate to opening your private network
to attack.

Consider using [DD-WRT][4] as your router's firmware, if supported by your
device, as it is itself [free software][5].

[0] https://www.eff.org/deeplinks/2012/10/why-we-have-open-wireless-movement
[1] https://www.openwireless.org/
[2] http://shop.fsf.org/product/free-as-in-freedom-2/
[3] https://openwireless.org/myths
[4] http://dd-wrt.com
[5] http://www.gnu.org/philosophy/free-sw.html
2012-10-30 23:40:27 -04:00
Mike Gerwitz 8db5dd66d2
``Trademark'' Bullying
There are two problems with this post from the EFF describing [The Village Voice
suing Yelp for ``Best of'' trademark infringement][0]: firstly, there's the
obvious observation that such a trademark should not have been permitted by the
USPTO to begin with. Secondly---why do entities insist on gaming the system in
such a terribly unethical manner? It takes a special breed of people to do such
a thing.

[0] https://www.eff.org/deeplinks/2012/10/stupid-lawyer-tricks-and-government-officials-who-are-helping-them
2012-10-30 23:25:59 -04:00
Mike Gerwitz e941cb92c5
Ubuntu 12.10 Privacy: Amazon Ads and Data Leaks
The EFF [cautions that Ubuntu 12.10 leaks user information to Amazon by
default][0] rather than requiring the user to opt *into* the system.

Of course, I cannot recommend that you use Ubuntu, as it encourages the
installation of non-free device drivers, readily enables non-free software
repositories and contains non-free components in its kernel.[1] Instead,
consider a [fully free GNU/Linux distribution like Trisquel][2].

[0] https://www.eff.org/deeplinks/2012/10/privacy-ubuntu-1210-amazon-ads-and-data-leaks
[1] http://www.fsfla.org/svnwiki/selibre/linux-libre/
[2] https://trisquel.info
2012-10-30 23:13:13 -04:00
Mike Gerwitz 84b0b19439
Abolishing Patents
My issue with patents exceeds the [obvious case against software patents][0];
indeed, I have long pondered the problems with patents in other fields. When I
hear the phrase ``patent pending'' or ``patented technology'' touted in ads, I
have never thought positive thoughts; instead, I have thought ``you are damning
this otherwise excellent work to stagnation''. What if someone has an excellent
idea to improve upon that particular product? Well, they'd better be prepared to
jump through some hoops or shell out some hefty licensing fees. Or maybe it's
just easier to abandon the idea entirely and forget that it had never happened.

However, I thought, it's not a simple case of ridding the world of patents.
How would that affect the incentive to innovate? How would people recoup
expensive R&D costs, especially in industries like pharmacy (both my parents are
pharmacists)? What about the incentive to describe your invention to the world?
Then again, nobody *has* to get a patent for their invention. It may be worth
keeping it secret if nobody can figure it out.

The answers to all of these questions appeared in one place: [The Case Against
Patents][1], which I found referenced in an article regarding the [Swedish Pirate
Party's opinions on patents, trademarks and copyright][2]. While it is still a
draft at the time of this writing, I encourage you to give it a read, as it is
very enlightening.

[0] http://patentabsurdity.com/
[1] http://research.stlouisfed.org/wp/2012/2012-035.pdf
[2] http://falkvinge.net/2012/10/13/what-the-swedish-pirate-party-wants-with-patents-trademarks-and-copyright/
2012-10-30 19:12:04 -04:00
Mike Gerwitz 1bd526cc3d
Jailbreaking and DMCA---EFF Touts Victory, FSF Warns Of Failure
While the [EFF is pleased to announce][0] that the Copyright Office has [renewed
DMCA exceptions upholding jailbreaking rights for cellphones][1], the FSF
cautions that [this right has not been extended to tablets, game consoles or
even PCs with restricted boot][2].

It should be noted that the EFF also successfully gained protection for the use
of short copyrighted clips in remixing,[0] and while this is a positive step
forward in its own, the implications of the first paragraph should not be
ignored.

[0] https://www.eff.org/press/releases/eff-wins-renewal-smartphone-jailbreaking-rights-plus-new-legal-protections-video
[1] http://www.copyright.gov/fedreg/2012/77fr65260.pdf
[2] http://www.fsf.org/blogs/licensing/copyright-office-fails-to-protect-users-from-dmca
2012-10-30 19:10:45 -04:00
Mike Gerwitz fd15b87857
GNU Trick-Or-Treat---FSF Crashes Windows 8 Launch
The FSF decided to [crash the Windows 8 launch event in New York City][0],
complete with [Trisquel][1] DVDs, FSF stickers and information about their
[pledge to upgrade to GNU/Linux instead of Windows 8][2].

I find this to be a fun, excellent alternative to blatant protesting that is
likely to be better received by those who would otherwise be turned off to
negativity. At the very least, the [walking gnu][3] would surely turn heads and
demand curiosity.

Here is the e-mail that was sent to the info at fsf.org mailing list:

    Happy (almost) Halloween, everybody,

    You've probably been noticing Microsoft's ads for their new operating
    system -- after all, they've spent more money on them than any other
    software launch campaign in history. In fact, everything about the
    campaign has been meticulously planned and optimized, so you can
    imagine journalists' surprise when an unexpected guest showed up at an
    invite-only launch event on Thursday.

    Our volunteer, Tristan Chambers, was there and caught the whole thing
    on camera! Pictures here:
    <http://www.fsf.org/blogs/community/gnus-trick-or-treat-at-windows-8-launch>.

    Reporters and security guards at the event weren't sure how to react
    when they were greeted by a real, live gnu. The gnu -- which, on
    closer inspection, was an activist in a gnu suit -- had come for some
    early trick-or-treating. But instead of candy, she had free software
    for the eager journalists. The gnu and the FSF campaigns team handed
    out dozens of copies of Trisquel, a fully free GNU/Linux distribution,
    along with press releases and stickers. Once they got over their
    confusion, the reporters were happy to see us and hear our message --
    that Windows 8 is a downgrade, not an upgrade, because it steals
    users' freedom, security and privacy.

    Free software operating systems are the real upgrade, and they don't
    need a zillion-dollar launch event to prove it. To show Microsoft that
    their ads won't change our minds, we're starting an upgrade pledge:
    switch to a free OS, or if you're already using one, help a friend
    switch. We can pay Microsoft a chunk of change for their new,
    proprietary OS, or we can stand up for our freedom. The choice isn't
    as hard as Microsoft wants you to think.

    Sign the pledge now! -- <http://www.fsf.org/windows8/pledge>.

    Thanks for making a commitment to free software.

    PS - If you'd like more details about the action, you can check out
    our press release here:
    <http://www.fsf.org/news/activists-trick-or-treat-for-free-software-at-windows-8-launch-event-1>.

    -Zak Rogoff
    Campaigns Manager

[0] http://www.fsf.org/news/activists-trick-or-treat-for-free-software-at-windows-8-launch-event-1
[1] http://trisquel.info/
[2] http://www.defectivebydesign.org/windows8
[3] http://www.fsf.org/blogs/community/gnus-trick-or-treat-at-windows-8-launch
2012-10-27 22:25:33 -04:00
Mike Gerwitz d554c17fd9
Stingrays: Cell Phone Privacy and Warrantless Surveillance
How would you feel if law enforcement showed up in your living room, demanded
your cell phone, and started writing down your call history and text messages?
How would you feel if you didn't even know that they were in your home to begin
with, let alone stealing private data? [This is precisely what is happening when
law enforcement uses ``Stingrays'' to locate individuals][0], collecting data of
every other individual within range of the device in the process. Even *if* you
are the subject of surveillance, this is still an astonishing violation of
privacy. (Of course, law enforcement could always demand such records from your
service provider, but such an act at the very least has a paper trail.)

[0] https://www.eff.org/deeplinks/2012/10/stingrays-biggest-unknown-technological-threat-cell-phone-privacy
2012-10-24 23:57:52 -04:00
Mike Gerwitz 5d50ce2f6a
Obama and Warrantless Wiretapping
The EFF has released an article with a [plethora of links describing warrantless
wiretapping under the Obama administration][0], spurred by Obama's response to
Jon Stewart's questioning on The Daily Show last Thursday. (Readers should also
be aware of the [NSA spy center][1] discussed earlier in the year, as is
mentioned in the EFF article.)

It is clear that the United States government has no intent on protecting the
freedoms of individuals and instead is actively resisting attempts to correct
the problems. While we can hope that this will change, and we can be confident
that organizations like the EFF will continue to fight for our liberties, one
immediate option is to limit as much as possible what the NSA and other agencies
can discover about you. Consider using [Tor][2] for all of your network traffic
(at the very least, use HTTPS connections to prevent agencies and ISPs from viewing
specific web pages on a particular domain; HTTPS is unnecessary if using Tor.)
PGP/GPG can be used to encrypt e-mail messages to the intended recipients. Etc.

It's unfortunate that such precautions are necessary. Privacy is important even
if you have nothing to hide; any suggestion to the contrary is absolutely
absurd.

[0] https://www.eff.org/deeplinks/2012/10/fact-check-obamas-misleading-answer-about-warrantless-wiretapping-daily-show
[1] http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/
[2] http://torproject.org
2012-10-24 23:57:12 -04:00
Mike Gerwitz b5846963d3
Digitizing Books Is Fair Use: Author's Guild v. HathiTrust
A New York court ruled that ``digitizing'' books for research and disabled
individuals is lawful.[0]

[0] https://www.eff.org/deeplinks/2012/10/authors-guild-vhathitrustdecision
2012-10-19 22:41:44 -04:00
Mike Gerwitz 9627e2f539
Federal Appeals Court Declares ``Defense of Marriage Act'' Unconstitutional
A step in the [right direction.][0]

It should also be noted that New York State had also [legalized same sex
marriage back in July of 2011][1]---a move I was particularly proud of as a
resident of NY state.

[0] http://www.aclu.org/lgbt-rights/federal-appeals-court-declares-defense-marriage-act-unconstitutional
[1] http://en.wikipedia.org/wiki/Same-sex_marriage_in_New_York
2012-10-18 20:45:55 -04:00
Mike Gerwitz c875f2d4cd
Another crack at medical device cracking
My previous post mentioned the dangers of running non-free software on implanted
medical devices. While reading over RMS' political notes[0], I came across [an
article mentioning how viruses are rampant on medical equipment][1].

  "It's not unusual for those devices, for reasons we don't fully understand, to
  become compromised to the point where they can't record and track the data,"
  Olson said during the meeting, referring to high-risk pregnancy monitors.

The devices often run old, unpatched versions of Microsoft's Windoze operating
system. The article also mentions how the malware often attempts to include its
host as part of a botnet.

This is deeply concerning and incredibly dangerous. As non-free software is used
more and more in equipment that is responsible for our health and safety, we
are at increased risk for not only obvious software flaws, but also for crackers
with malicious intent; harming someone will become as easy as instructing your
botnet to locate and assassinate an individual while you go enjoy a warm (or
cold) beverage.

These problems are *less likely* (not impossible) to occur in free software
because the users and community are able to inspect the source code and fix
problems that arise (or hire someone that can)[2]. In particular, in the case of
the hospitals mentioned in [the article][1], they would be free to hire someone
to fix the problems themselves rather than falling at the mercy of the
corporations who supplied the proprietary software.

[0] http://stallman.org/archives/2012-jul-oct.html#18_October_2012_%28Computerized_medical_devices_vulnerable_to_viruses%29
[1] http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/
[2] http://www.gnu.org/philosophy/free-sw.html
2012-10-18 19:24:54 -04:00
Mike Gerwitz 643379d80f
Crackers capable of causing pacemaker deaths
[This article][0] demonstrates why medical devices must contain free software:
crackers are able to, with this particular type of pacemaker, exploit the device
to trigger a fatal electric shock to its host from as far as 30 feet away (the
article also mentions rewriting the firmware, which could of course be used to
schedule a deadly shock at a predetermined time). These issues would not exist
with free software, as the user and the community would be able to study the
source code and fix any defects (or hire someone who can) before placing it in
their bodies.

(Note that this article mistakenly uses the term ``hacker'' when they really
mean ``cracker''.)

The aforementioned article is an excellent supplement to [a discussion on free
software in pacemakers][1]. In particular, I had pointed out within this
discussion [a talk by Karen Sandler of the GNOME Foundation regarding this
issue][2] at OSCON 2011, in which she mentions potential issues of proprietary
software in pacemakers and the difficulty she faced in attempting to get the
source code for one that she was considering for herself.

The discussion on HackerNews also yielded [an article by the SFLC][3] detailing
this issue.

(Please do not use YouTube's proprietary video player to view the mentioned
YouTube video.)

[0] http://www.scmagazine.com.au/News/319508,hacked-terminals-capable-of-causing-pacemaker-mass-murder.aspx
[1] http://news.ycombinator.com/item?id=3959547
[2] https://www.youtube.com/watch?v=nFZGpES-St8
[3] https://www.softwarefreedom.org/news/2010/jul/21/software-defects-cardiac-medical-devices-are-life-/
2012-10-18 00:05:56 -04:00
Mike Gerwitz 9be5ce28d5
Verizon router backdoors
A [very disturbing article][0] makes mention of a Verizon TOS update for its
Internet service customers:

  Section 10.4 was updated to clarify that Verizon may in limited instances
  modify administrative passwords for home routers in order to safeguard
  Internet security and our network, the security and privacy of subscriber
  information, to comply with the law, and/or to provide, upgrade and maintain
  service.

...what? This is a deeply disturbing, deeply perverted idea of security. Not only
is this a severe privacy concern (all internet traffic passes through your
router), but it's a deep *security* concern---what if a cracker is able to
figure out Verizon's password scheme, intercept the communication with your
router or otherwise?

I recommend that you (a) use your own router, (b) change its default password if
you have not yet done so and (c) disallow remote access. Furthermore, I
recommend using a free (as in freedom) firmware such as [DD-WRT][1] if supported
by your hardware.

[0] http://www.linuxbsdos.com/2012/10/04/is-that-a-backdoor-or-an-administrative-password-on-your-verizon-internet-router/
[1] http://dd-wrt.com/
2012-10-16 23:18:27 -04:00
Mike Gerwitz 357c4470d8
Free Speech in the Western World
An interesting opinion piece on [free speech in the western world.][0]

[0] http://www.washingtonpost.com/opinions/the-four-arguments-the-western-world-uses-to-limit-free-speech/2012/10/12/e0573bd4-116d-11e2-a16b-2c110031514a_print.html
2012-10-16 22:22:17 -04:00
Mike Gerwitz 1627f7e7e8
Branch Prediction
An enlightening discussion on branch prediction.[0]

[0] http://stackoverflow.com/questions/11227809/why-is-processing-a-sorted-array-faster-than-an-unsorted-array
2012-10-16 22:18:40 -04:00
Mike Gerwitz 91012750bb
NYC Master Keys
[Bruce Schneier summarizes in a blog post][0] a disturbing topic regarding a New
York City locksmith selling ``master keys'' on eBay, providing access to various
services such as elevators and subway entrances.

[A discussion about this blog post on Hacker News][1] yielded some interesting
conversation, including an [even more disturbing article describing how simple
it may be to create master keys][2] for a set of locks given only the lock, its
key and a number of attempts.

I'll let you ponder the implications of both of these topics. Here's something
to get you started: organized crime could use these keys to effectively evade
law enforcement or break into millions of ``locked'' homes. Crackers could gain
intimate access to various city systems whereby they may be able to further
obstruct or infect systems. A security system is only as strong as its weakest
link. Keeping citizens in the dark about these issues gives them a dangerous and
false sense of security.

[0] http://www.schneier.com/blog/archives/2012/10/master_keys.html
[1] http://news.ycombinator.com/item?id=4654777
[2] http://www.crypto.com/masterkey.html
2012-10-16 21:56:24 -04:00
Mike Gerwitz ea244631bc
``Day changed to S''
Whatever ``S'' may be (in this case, ``13 Oct 2012''), there is always a sense
of peace and gratification that comes with witnessing that line appear in any
type of log; it shows a dedication to an art, should your days contain daylight.
2012-10-13 00:38:06 -04:00
Mike Gerwitz 41754ae585
:Updated README with thoughts URL (HTML rendering) 2012-10-11 00:47:14 -04:00
Mike Gerwitz d371c5a1e5
Texas middle and high schools tracking student locations with RFID tags
[An article][0] describes how a school district in Texas is attempting to force
its students to wear RFID tags at all times in order to track their location to
``stem the rampant truancy devastating the school's funding''.

What?

This is deeply concerning. Not only does this raise serious security and privacy
concerns (as mentioned near the end of the article), but it also cost the
schools over half a million dollars to implement. In other words: Texas
taxpayer money has been wasted in an effort to track our children.

Good thing they don't have anything better to spend that money on.[1]

[0] http://rt.com/usa/news/texas-school-id-hernandez-033/
[1] http://fedupwithlunch.com/
2012-10-10 22:37:37 -04:00
Mike Gerwitz a2fb569312
Why no kid (or kid at heart) should write an iPhone game
I saw [this post][0] appear on HackerNews, talking about how building a game for
iOS is ``fun'' and ``cool''. The poster lures the reader in with talk of making
money and talks of a ``unique sense of fulfillment'' that comes with development
of these games, and then goes on to invite kids to learn how to develop games
for the iPhone (and presumably other iOS devices).

This is a terrible idea.

Getting children involved with hacking is an excellent idea, but introducing
them to the evils of Apple and associating that with a feeling of pleasure does
a great disservice; all software developed for iOS must be ``purchased'' (even
if it's of zero cost) through a walled garden called the ``App Store''. The
problem with this is that [the App Store is hostile toward free
software][1]---its overly restrictive terms are incompatible with free software
licenses like the GPL. Teaching children to develop software for this crippled,
DRM-laden system is teaching them that it is good to prevent sharing, stifle
innovation and deny aid to your neighbor.

A better solution would be to suggest developing software for a completely free
mobile operating system instead of iOS, such as Replicant[2] (a fully free
Android distribution). Even if Replicant itself were not used, Android itself,
so long as proprietary implementations and ``stores'' are avoided[3], is much
more [compatible with education][4] than iOS, since the children are then able
to freely write and distribute the software without being controlled by
malicious entities like Apple. Furthermore, they would then be able to use a
fully free operating system such as GNU/Linux to *write* the software.

Do not let fun and wealth disguise this ugly issue. Even more importantly---do
not pass this practice and woeful acceptance down to our children. I receive a
``unique sense of fulfillment'' each and every day hacking free software far
away from Apple's grasp.

[0] http://blog.makegameswith.us/post/33263097029/call-to-arms
[1] http://www.fsf.org/news/blogs/licensing/more-about-the-app-store-gpl-enforcement
[2] http://replicant.us/
[3] http://www.gnu.org/philosophy/android-and-users-freedom.html
[4] http://www.gnu.org/education/edu-schools.html
2012-10-10 07:58:26 -04:00
Mike Gerwitz 756976077f
All these election attack ads are utterly useless
There have been a lot of elections going on lately---local, state and national.
The majority of those ads are attack ads: immature and disrespectful; if you
want my vote, give me something positive to vote for instead of spending all of
your time and money attacking your candidate. If my vote is to go to the "least
horrible" candidate, then there is no point in voting at all.

Even more frustrating is the deceptiveness of the ads---intentional
deceptiveness, nonetheless. And these are the ads that many in the United States
will be basing the majority of, if not all, of their vote on come election time
(how many will realistically research instead of sitting in front of the TV
absorbing all of the useless bullshit that they are spoonfed?).

Frightening.
2012-10-09 19:37:17 -04:00
Mike Gerwitz 0cce516f41
Always use -t with ssh-add (and always set passwords on your ssh keys)
Many people use SSH keys for the sole purpose of avoiding password entry when
logging into remote boxes. That is legitimate, especially if you frequently run
remote commands or wish to take advantage of remote tab completion, but creating
a key with an empty password is certainly the wrong approach---if an attacker
gets a hold of the key, then they have access to all of your boxes before you
have the chance to notice and revoke the key.

ssh-agent exists for this purpose. The problem is---creating an agent only to
place the key in memory indefinitely is also a terrible idea. If your system
does become compromised and the attacker has either root access or access as your
user, then they can simply connect to the ssh-agent (unless it's password
protected) and start using your key. Also consider that, should you leave your
box unattended for even a moment without locking it (for whatever reason---shit
happens), an attacker could gain physical access to your PC (and an attacker may
just be a coworker looking to play a prank).

Every morning at work, I begin the day by typing ssh-add followed by an
appropriate lifetime (be it the duration of the work day, or the duration that I
think I will need the key). This way, your key is in memory when you are likely
to be physically present at the box and it is automatically removed from memory
after a given lifetime. Additionally, I like to add `ssh-add -D` to the script
that locks my PC when I walk away from my desk: that will immediately clear all
keys from memory, just in case.
2012-10-09 18:43:39 -04:00
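The routine described in the commit above, written out as a small POSIX shell script. This is an added example, not code from the original post or its author: it assumes OpenSSH's `ssh-add(1)` with its `-t` (lifetime in seconds) and `-D` (delete all identities) options, and it picks `xscreensaver-command -lock` as a placeholder lock command, which is an assumption you should replace with whatever locks your own display.

```shell
#!/bin/sh
# Added example (not from the original post): load an SSH key into ssh-agent
# only for the remainder of the work day, and purge every loaded key whenever
# the screen is locked.
#
# Assumptions: OpenSSH ssh-add(1) supporting -t and -D; the lock command
# below (xscreensaver-command -lock) is a placeholder, substitute your own.

# seconds_between HH:MM HH:MM
#   Print the number of seconds from the first time of day to the second,
#   both on the same day. Prints 0 when the end time is not after the start,
#   so a caller can refuse to load a key for a "negative" lifetime.
seconds_between() {
    start_h=${1%%:*}; start_m=${1##*:}
    end_h=${2%%:*};   end_m=${2##*:}
    # strip one leading zero so "08" is not read as an (invalid) octal literal
    start=$(( ${start_h#0} * 3600 + ${start_m#0} * 60 ))
    end=$((   ${end_h#0}   * 3600 + ${end_m#0}   * 60 ))
    if [ "$end" -le "$start" ]; then
        echo 0
    else
        echo $(( end - start ))
    fi
}

# lifetime_until HH:MM
#   Seconds from now until the given time today; this becomes ssh-add -t's
#   argument.
lifetime_until() {
    seconds_between "$(date +%H:%M)" "$1"
}

# add_key_for_workday KEYFILE [END_OF_DAY]
#   Prompt for the key's passphrase (the key itself must have one) and hand
#   it to the agent with a lifetime that expires at END_OF_DAY (default 18:00).
add_key_for_workday() {
    key=$1
    end=${2:-18:00}
    life=$(lifetime_until "$end")
    if [ "$life" -le 0 ]; then
        echo "already past $end; refusing to load $key" >&2
        return 1
    fi
    # the agent forgets the identity after $life seconds even if you forget to
    ssh-add -t "$life" "$key"
}

# lock_screen
#   Hook for your lock script: drop every identity first, then lock, so a
#   passer-by (or a prank-minded coworker) cannot use the agent meanwhile.
lock_screen() {
    ssh-add -D
    xscreensaver-command -lock   # placeholder lock command (assumption)
}

# usage (interactive):
#   . ./ssh-workday.sh
#   add_key_for_workday ~/.ssh/id_ed25519 17:30
#   lock_screen
```

`ssh-add -t` takes a plain number of seconds (it also accepts suffixes such as `8h`, but a computed value avoids loading the key past the time you actually leave), and `ssh-add -D` is harmless to run when no identities are loaded, so the lock hook can be called unconditionally.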