Commit Graph

387 Commits (d1c9210491913ef6a984b2d8c301140044f5b33d)

Author SHA1 Message Date
Mike Gerwitz f6fecfa676
:Update FSF member footer graphic
This image displays the date I joined: exactly nine years ago to the
day.  That's just a coincidence, tbh; I happened upon it.

Oh how time flies...

Happy Halloween.
2016-10-31 00:07:37 -04:00
Mike Gerwitz 68ffd6fb4e
:Remove endsoftpatents link in footer
This site is no longer active; the last post was in 2014.
2016-10-31 00:00:44 -04:00
Mike Gerwitz da2b079f9a
: GPG key change and transition statement 2016-10-13 23:10:14 -04:00
Mike Gerwitz 34078c338b
: Add Restore Online Freedom! talk to resume 2016-10-13 23:10:08 -04:00
Mike Gerwitz d7ab852f43
:Prevent heading from overlapping page fold on articles
* style.css (h1.subject): Right margin to prevent overlap of page fold on
  smaller resolutions
2016-08-27 15:06:46 -04:00
Mike Gerwitz ce61b5c057
:Better fit headline images at lower resolutions
* style.css: Float headline images to right on lower resolution, reduce size
  of index headline.
2016-08-27 00:29:51 -04:00
Mike Gerwitz 81b2824128
:Correct self-links overlap of header on small displays
style.css: #self-links will no longer overlap header at any point.
2016-08-27 00:08:45 -04:00
Mike Gerwitz 55cb97ff35
:Wrap menu if needed to accomodate screen resolution
* style.css: Upper menu will now text wrap if needed.
2016-08-27 00:08:25 -04:00
Mike Gerwitz 57121a9c23
NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist
[Citizen Lab released a report][cl] describing the attempted use of iOS
  0-days on human rights activist [Ahmed Mansoor][] by the United Arab
  Emirates.
They named this chain of exploits _Trident_,
  and with the help of [Lookout Security][paper],
  were able to analyze them.

It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
  exploiting a memory corruption vulnerability in WebKit,
  which downloads a payload unknown to the user.
That payload is able to bypass KASLR and [determine the kernel memory
  location (CVE-2016-4656)][4656],
  then allowing it to exploit a [memory corruption vulnerability in the
  kernel itself (CVE-2016-4657)][4657];
    this "jailbreaks" the device and is a complete compromise of the system.

This payload is [Pegasus][paper],
  a complex surveillance tool sold to governments,
  often used for espionage.
In this case,
  Monsoor received a suspicious text message and wisely [tipped off Citizen
  Lab][cl] rather than opening the presented link.
Had he done so,
  he would have unknowingly downloaded this spyware that could very well
  have put his life in extreme danger:
    it has the capability to track his location;
    record his calls and texts;
    record communications through software like WhatsApp and Skype;
    download his contact information;
    grab passwords and encryption keys from his keyring;
    and much more.

This malware was written by [NSO Group][],
  which is so poorly known that their [Wikipedia page didn't even exist
  until today][nso-wikipedia].
The software company is based in Israel,
  founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
They were purchased in 2014 by [Francisco Partners][],
  a private equity firm in the United States,
  for $110 million.
They exist to sell exploits to governments.

Anyone familiar with security research is aware of [responsible
  disclosure][]:
  it is a model whereby researchers who discover a vulnerability
    release their research publicly only _after_ they notify the authors
    of the software,
      and a patch mitigating the vulnerability has been released.
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
  iOS 9.3.5.[^rms-apple]
This is not what NSO Group does:
  Instead, they horde their exploits[^0day] and sell them to governments as
    weapons for surveillance or espionage.
In this case,
  the United Arab Emirates (or so it seems).
This is not only unethical,
  but to sell to a government that is known for this type of abuse is
  inexcusable and negligent---the people behind NSO Group are absolute
  scum.[^scum]
They are empowering a foreign government known for their civil and human
  rights abuses.
I have trouble finding words.

There is much more that can be said on this topic with respect to security,
  civil and human rights,
  and various other topics.
But I don't want to distract from the topic at hand.
Let this sink in.
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
Today I leave my soapbox be.

[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657
[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
[apple]: https://support.apple.com/en-us/HT207107

[^rms-apple]: I [can't recommend that you use Apple
              devices](https://stallman.org/apple.html), but if you do, you
              should upgrade immediately;
                you are vulnerable to exploitation by simply visiting a
                malicious webpage.

[^0day]: Called 0-days,
           because they haven't been disclosed and there has been no time to
           prepare or release a fix.

[^scum]: For other scum, see the organization behind [FinFisher][]; and the
           group [Hacking Team][].

[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team
2016-08-26 00:05:24 -04:00
Mike Gerwitz ce0f049a9f
:Add TAME reference to Projects page
Today liberated the entire project as used in production.
2016-08-24 22:53:23 -04:00
Mike Gerwitz 61b8ae9e91
"Election"
The past few days of the DNC have demanded pause.  I am an Independent.  I
do not like Hillary Clinton. I am a Bernie supporter, and I was upset by his
endorsement of Hillary.  I had vowed not to vote for Hillary; I would
instead vote for Jill Stein.  The DNC, while very well done with a deeply
compelling facade, has not changed my perspective on Clinton.

It is perhaps said best by Bernie himself: "It's easy to boo, but it's
harder to look your kids in the face who would be living under a Donald
Trump presidency".  The conflict here is between my deep ideologies and
reality.  It's often said that a vote for Hillary is a vote against Trump;
such a perspective would shallow and purposeless.  But this isn't an
election for president---this is the most threatening assault on everything
I stand for that I hope I will ever witness in my lifetime.  To stand for
ideological purity would be to stand atop a mountain while the world around
me burns.  This is why Bernie chose to unite.

Should Trump win, my ideals that seem within reach could be blown back
decades.  As a matter of strategy, I cannot justify _not_ swallowing every
ounce of my pride.  Hillary's presidency is an unfortunate but necessary
consequence of the only permissible outcome.  I am not electing a president
of the United States.  I am electing _a United States_.

So I am doing what I never thought I would do: proposing that others too
factor this obscene equation and recognize how the very few remaining
variables affect the result.  My ideals continue to exist in part and in
spirit with Hillary as president.  With Trump, they are all but
vanquished.  Donald Trump must not be elected president of the United
States.  When (and if) you vote, think of it as a shot fired, not as a vote
cast.

"Election".

More information about my opinions on this topic can be found
[here][social-1] and [here][social-2].

[social-1]: https://social.mikegerwitz.com/conversation/21864
[social-2]: https://social.mikegerwitz.com/conversation/22026
2016-08-03 23:03:47 -04:00
Mike Gerwitz aa42e553ce
:Update hoxsl Savannah link to use plain HTTP
No TLS D:

* docs/hoxsl/index.md: http{s=>} src link
2016-07-21 23:26:11 -04:00
Mike Gerwitz 254a71d6ac
:Update hoxsl src link to Savannah
* docs/hoxsl/index.md: Update src link
2016-07-21 22:47:53 -04:00
Mike Gerwitz 9df57f8130
:GNU role update in About 2016-07-19 23:26:21 -04:00
Mike Gerwitz bf3c68728d
:Add hoxsl to project page 2016-07-19 23:20:37 -04:00
Mike Gerwitz 22a9489628
:Project page reorganization 2016-07-19 23:20:20 -04:00
Mike Gerwitz a482d2bfca
:Add hoxsl project page 2016-07-19 23:19:29 -04:00
Mike Gerwitz f141de9cce
:Update GNU Screen involvement on Projects page
* docs/20-projects.md: GNU Screen involvement update
2016-07-19 22:57:40 -04:00
Mike Gerwitz 0b6fa52735
CFAA, "Authorized" Access, and Common Sense
There is little common sense to be had with the [Computer Fraud and Abuse
  Act][cfaa] (CFAA) to begin with.
To add to the confusion,
  the Ninth Circuit Court of Appeals last week held 2-1 in [United States
  v. Nosal][uvn] that accessing a service using someone else's
  password---even if that person gave you permission to do so---[violates
  the CFAA][cfaa-passwd],
    stating that only the _owner_ of a computer can give such authorization.
This is absurd even with complete lack of understanding of what the law is:
  should your spouse be held criminally liable for paying your bills online
  using your account?

Common sense says no.
In another case this week---[Facebook v. Power Ventures][fvp]---the same
  court (though a different panel of judges) stepped back from the original
  decision and stated that computer _users_ can indeed provide
  authorization.
This authorization holds even if the service's Terms of Service say
  otherwise.
Yet: the computer owner (in this case, Facebook) can revoke authorization,
  which takes precedence over any authorization provided by a user of that
  system.
So with a seemingly magical incantation,
  a benign situation can be made into a federal crime,
  just like that.

These situations highlight dangerous confusion over the interpretation of an
  already dangerously vague law.
The CFAA is the law that was used to prosecute Aaron Swartz for federal
  "crimes"---with a punishment of up to thirty-five years in prison---for
  liberating documents hosted on JSTOR.
Because of this [draconian threat][eff-punish],
  [Aaron committed suicide][aaron] on January 11th, 2013.

The CFAA already has blood on its hands;
  it needs to be reined _in_,
    not be given further broad powers.
So don't take news of the decisions in US v. Nosal and Facebook v. Power
  Ventures as canceling one-another out;
    things may appear the same for now,
      but serious problems still need to be resolved.

[cfaa]: https://www.eff.org/issues/cfaa
[cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit
[cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even
[uvn]: https://www.eff.org/cases/u-s-v-nosal
[fvp]: https://www.eff.org/cases/facebook-v-power-ventures
[eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime
[aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz
2016-07-16 22:40:09 -04:00
Mike Gerwitz c6ca369ab8 :About page update to more accurately reflect activities 2016-07-07 23:41:14 -04:00
Mike Gerwitz 1f91f838c7
:Various About page changes
More concise, and some information changes.

Yes, those hacker and cracker links are supposed to be identical.
2016-06-18 13:39:52 -04:00
Mike Gerwitz 3f286d46ef
:Fiance=>wife
...this happened a while back.  I clearly don't read my About page.
2016-06-18 13:27:18 -04:00
Mike Gerwitz ad270eaf3c
:Round Rule 41 banner borders slightly 2016-06-18 13:21:15 -04:00
Mike Gerwitz 1468b968ee
:Add EFF Rule 41 campagin banner
Resized and hosted locally to protect visitors' privacy from 3rd-party
requests.
2016-06-18 13:19:24 -04:00
Mike Gerwitz 22f4af6586
:Add 'activist' to header description
This appears under my name at the top of the page.

* Makefile: Free Software Hacker{=> & Activist}
2016-06-18 12:57:31 -04:00
Mike Gerwitz 2f9701b681
:{Notices=>Social} heading
* tpl/.config: {Notices=>Social} link
2016-05-30 09:04:50 -04:00
Mike Gerwitz 793a8c6333
:Add LibrePlanet collection link
Useful for sharing with others without linking to mikegerwitz.com.

* docs/40-talks.md: Added LP collection for ROF talk.
2016-05-30 09:00:04 -04:00
Mike Gerwitz 4b75b82b4e
:Git Horror Story s/fourth/forth/
Thanks to Thien-Thi Nguyen <ttn@gnu.org> for pointing this out.
2016-05-28 20:36:31 -04:00
Mike Gerwitz 9858f6112c
:Add avatar and attribution to About
Received permission from Kori Feener to use the LibrePlanet 2016 photo of me
as an avatar.
2016-05-27 23:38:38 -04:00
Mike Gerwitz 23940080b9
International Day Against DRM 2016
Today is the [10th annual International Day Against DRM][day-drm]---a day
  where activists from around the world organize events in protest against
  [Digital Restrictions Management][drm].

DRM is a scheme by which tyrants use [antifeatures][] to lock down what
  users are able to do with their systems, often cryptographically.
For example,
  your media player might tell you how many times you can listen to a song,
    or watch a video, or read a book;
  it might [delete books][1984] that you thought you owned;
  it might require that you are [always online][always-on] when playing a
    game, and then stop working when you disconnect, or when they decide to
    stop supporting the game.
If you try to circumvent these locks,
  then you might be [called a pirate][pirate] and be thrown in prision under
  the ["anti-circumvention" privisons of the Digital Millenium Copyright Act
  (DMCA)][dmca].
These are all things [that have been long predicated][right-to-read], and
  are only expected to get worse with time.

That is, unless we take a stand and fight back.

I had the pleasure of participating in
  the [largest ever protest against the W3C][w3c-protest] and their attempts
  to introduce DRM as a _web standard_ via the [Encrypted Media Extensions
  (EME)][eme] proposal.[^photos]
This event was organized beautifully by Zak Rogoff of the [Free Software
  Foundation][fsf] and began just outside the Strata Center doors where the
  W3C was _actively meeting_,
    and then continued to stop outside the Google and Microsoft offices,
    both just blocks away.
We were [joined outside Microsoft][eff-protest] by Danny O'Brien,
  the EFF's International Director,
  who stepped out of the W3C meeting to address the protesters.

Afterward, most of us [traveled to the MIT Media Lab][media-lab] where
  Richard Stallman---who joined us in the protest---sat on a panel along
  with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the
  W3C.
The W3C was invited to participate in a discussion on EME, but they never
  showed.
As a demonstration of the severity of these issues,
  [Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal
  ever became a W3C Recommendation.

I can say without hesitation that the protest and following discussion were
  some of the most powerful and memorable events of my life---there is no
  feeling like being a part of a group that shares such a fundamental
  passion (and distaste!) for something important.

And it _is_ very important.

[DRM is pervasive][dbd]---the Web is just one corner where it rears its ugly
  head.
The [International Day Against DRM][day-drm] gives you and others an
  excellent opportunity to hold your own protests, demonstrations, and events
  to raise these issues to others---and to do so as part of an
  _international group_;
  to send a strong, world-wide message:
  a message that it is _not_ acceptable to act as tyrants and treat users as
    slaves and puppets through use of digital handcuffs and [draconian
    punishments for circumventing them][dmca].

[^photos]: The EFF has some [great photots][eff-protest]; I'm the one in the
           hoodie between the giant GNU head and Zak Rogoff.

[day-drm]: https://www.defectivebydesign.org/dayagainstdrm
[drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management
[antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/
[lp2016]: https://libreplanet.org/2016/
[w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm
[eme]: https://w3c.github.io/encrypted-media/
[eff-protest]: https://w3c.github.io/encrypted-media/
[w3c]: https://www.w3.org/
[fsf]: https://fsf.org/
[media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito
[hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards
[dmca]: https://www.eff.org/issues/dmca
[dbd]: https://www.defectivebydesign.org/
[1984]: https://www.defectivebydesign.org/amazon-kindle-swindle
[always-on]: https://en.wikipedia.org/wiki/Always-on_DRM
[right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html
[pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal
2016-05-03 00:04:09 -04:00
Mike Gerwitz 4e30c20830
:Remove LibrePlanet header on each page
It is now available on the Talk page.

* tpl/.config: Remove LP header
2016-04-19 23:18:05 -04:00
Mike Gerwitz 846bc0cfd6
:Add talks page
* docs/40-talks.md: Added
2016-04-19 23:17:55 -04:00
Mike Gerwitz b7b5212496
:Add GNU/kWindows article to papers list 2016-04-09 14:00:57 -04:00
Mike Gerwitz 36504cbb10
GNU/kWindows
There has been a lot of talk lately about a most unique combination:
  [GNU][gnu]---the [fully free/libre][free-sw] operating system---and
  Microsoft Windows---the [freedom-denying, user-controlling,
  surveillance system][woe].
There has also been a great deal of misinformation.
I'd like to share my thoughts.

Before we can discuss this subject,
  we need to clarify some terminology:
We have a [free/libre][free-sw] operating system called [GNU][gnu].
Usually, it's used with the kernel Linux, and is together called the
  [GNU/Linux (or GNU+Linux) operating system][gnulinux].
But that's not always the case.
For example, GNU can be run with its own kernel, [The GNU Hurd][hurd]
  (GNU/Hurd).
It might be run on a system with a BSD kernel (e.g. GNU/kFreeBSD).
But now, we have a situation where we're taking GNU/Linux, removing Linux,
  and adding in its place a Windows kernel.
This combination is referred to as GNU/kWindows (GNU with the Windows kernel
  added).[^kwindows]

GNU values users' freedoms.
Windows [does exactly the opposite][woe].

When users talk about the operating system "Linux", what they are referring
  to is the [GNU operating system][gnu] with the kernel Linux added.
If you are using the GNU operating system in some form, then many of the
  programs you are familiar with on the command line are GNU programs:
    `bash`, `(g)awk`, `grep`, `ls`, `cat`, `bc`, `tr`, `gcc`, `emacs`, and
    so on.
But GNU is a fully free/libre Unix replacement, [not just a collection of GNU
  programs][gnu].
Linux is the kernel that supports what the operating system is trying to do;
  it provides what are called system calls to direct the kernel to perform
  certain actions, like fork new processes or allocate memory.
This is an important distinction---not only is calling all of this software
  "Linux" incorrect, but it discredits the project that created a fully
  free/libre Unix replacement---[GNU][gnu].

This naming issue is so widespread that
  [most users would not recognize what GNU is][gnu-noheard], even if they
  are _using_ a [GNU/Linux][gnulinux] operating system.
I recently read an article that referred to GNU Bash as "Linux's Bash";
  this is simply a slap in the face to all the hackers that have for the
  past 26 years been writing what is one of today's most widely used
  shells on Unix-like systems (including on [Apple's][apple] proprietary
  Mac OSX), and all the other GNU hackers.

Microsoft and Canonical have apparently been working together to write a
  subsystem that translates Linux system calls into something Windows will
  understand---a compatibility layer.
So, software compiled to run on a system with the kernel Linux will work on
  Windows through system call translation.
Many articles are calling this "Linux on Windows".
This is a fallacy: the kernel Linux is not at all involved!
What we are witnessing is the [_GNU_ operating system][gnu] running with
  a Windows kernel _instead_ of Linux.

This is undoubtedly a technical advantage for Microsoft---Windows users want
  to do their computing in a superior environment that they might be
  familiar with on [GNU/Linux][gnulinux] or other Unix-like operating
  systems, like [Apple's][apple] freedom-denying Mac OSX.
But thinking about it like this is missing an essential concept:

When users talk about "Linux" as the name of the operating system, they
  avoid talking about [GNU][gnu].
And by avoiding mention of GNU,
  they are also avoiding discussion of the core principles upon which GNU is
  founded---the belief that all users deserve
  [software granting _four essential freedoms_][free-sw]:
    the freedom to use the program for any purpose;
    the freedom to study the program and modify it to suit your needs (or
      have someone do it on your behalf);
    the freedom to share the program with others;
    and the freedom to share your changes with others.
We call software that respects these four freedoms
  [_free/libre software_][free-sw].

Free software is absolutely essential:
  it ensures that _users_,
    who are the most vulnerable,
    are in control of their computing---not software developers or
    corporations.
Any program that denies users any one of their [four freedoms][free-sw] is
  _non-free_ (or _proprietary_)---that is, freedom-denying software.
This means that any non-free software, no matter its features or
  performance, will [_always_ be inferior to free software][oss] that
  performs a similar task.

Not everyone likes talking about freedom or the
  [free software philosophy][free-sw].
This disagreement resulted in the
  ["open source" development methodology][oss],
  which exists to sell the benefits of free software to businesses *without*
  discussing the essential ideological considerations.
Under the "open source" philosophy,
  if a non-free program provides better features or performance,
  then surely it must be "better",
  because they have outperformed the "open source" development methodology;
    non-free software isn't always considered to be a bad thing.

So why would users want to use GNU/kWindows?
Well, probably for the same reason that they want GNU tools on Mac OSX:
  they want to use software they want to use, but they also want the
  technical benefits of GNU that they like.
What we have here is the ["open source" philosophy][oss]---because if the
  user truly valued her freedom, she would use a
  [fully free operating system like GNU/Linux][gnulinux-distros].
If a user is _already_ using Windows (that is, before considering
  GNU/kWindows), then she does gain some freedom by installing GNU:
    she has more software on her system that respects her freedoms,
    and she is better off because of that.

But what if you're using GNU/Linux today?
In that case,
  it is a major downgrade to switch to a GNU/kWindows system;
    by doing so, you are [surrendering your freedom to Microsoft][woe].
It does not matter how many shiny features Microsoft might introduce into
  its [freedom-denying surveillance system][woe];
    an [operating system that respects your freedoms][gnulinux-distros] will
    _always_ be a superior choice.
We would do our best to dissuade users from switching to a GNU/kWindows
  system for the technical benefits that GNU provides.

So we have a couple different issues---some factual, some philosophical:

Firstly,
  please don't refer to GNU/kWindows as "Linux on Windows", or any variant
  thereof;
    doing so simply propagates misinformation that not only confounds the
    situation, but discredits the thousands of hackers working on the
    [GNU operating system][gnu].
It would also be best if you avoid calling it "Ubuntu on Windows";
  it isn't a factually incorrect statement---you are running Ubuntu's
  distribution of GNU---but it still avoids mentioning the
  [GNU Project][gnu].  If you want to give Ubuntu credit for working with
  Microsoft, please call it "Ubuntu GNU/kWindows" instead of "Ubuntu".
By mentioning GNU,
  users will ask questions about the project,
  and might look it up on their own.
They will read about [the free software philosophy][free-sw],
  and will hopefully begin to understand these issues---issues that they
  might not have even been aware of to begin with.

Secondly,
  when you see someone using a GNU/kWindows system,
  politely ask them why.
Tell them that there is a _better_ operating system out there---the
  [GNU/Linux operating system][gnu]---that not only provides those technical
  features,
  but also provides the feature of _freedom_!
Tell them what [free software][free-sw] is,
  and try to relate it to them so that they understand why it is important,
  and even practical.

It's good to see more people benefiting from GNU;
  but we can't be happy when it is being sold as a means to draw users into
    an otherwise [proprietary surveillance system][woe],
    without so much as a mention of our name,
    or [what it is that we stand for][gnu].

[^kwindows]: This name comes from [Richard Stallman][rms], founder of the
             [GNU Project][gnu].

[gnu]: https://gnu.org/gnu/gnu.html
[free-sw]: https://gnu.org/philosophy/free-sw.html
[woe]: https://www.gnu.org/proprietary/malware-microsoft.en.html
[hurd]: https://gnu.org/software/hurd/
[oss]: http://www.gnu.org/philosophy/open-source-misses-the-point.html
[gnulinux]: https://www.gnu.org/gnu/linux-and-gnu.html
[gnulinux-distros]: https://www.gnu.org/distros/free-distros.html
[apple]: https://stallman.org/apple.html
[rms]: https://www.fsf.org/about/staff-and-board
[gnu-noheard]: https://gnu.org/gnu/gnu-users-never-heard-of-gnu.html
2016-04-09 13:57:25 -04:00
Mike Gerwitz af6937a0dc
Facebook will use software for the VR headset Occulus Rift to spy on you
Anything coming out of Facebook should be [cause for concern][rms-fb].  So,
naturally, one might be concerned when they decide to get into the virtual
reality (VR) scene by [purchasing the startup Occulus VR][fb-vr], makers of
the Occulus Rift VR headset.  One can only imagine all the fun ways Facebook
will be able to track, manipulate, spy on, and otherwise screw over users
while they are immersed in a virtual reality.

Sure enough, we have our first peak: [the software that Facebook has you
install for the Occulus Rift is spyware][fb-spy], reporting on what
*unrelated* software you use on your system, your location (including GPS
data and nearby Wifi networks), the type of device you're using, unique
device identifiers, your movements while using the VR headset, and more.

This is absurd.  Do not play into Facebook's games through temptation of
cool new technology; reject their terms and see if there's other ways you
can use the headset without their proprietary spyware.  If not, perhaps you
should ask for a refund, and tell them why.

[rms-fb]: https://stallman.org/facebook.html#privacy
[fb-vr]: http://www.theguardian.com/technology/2014/jul/22/facebook-oculus-rift-acquisition-virtual-reality
[fb-spy]: http://uploadvr.com/facebook-oculus-privacy/
2016-04-03 13:22:29 -04:00
Mike Gerwitz 212fd59e20
:About page mention most pages can be modified
* docs/10-about.md: Most pages can now be modified under CC BY-SA
2016-04-02 13:34:32 -04:00
Mike Gerwitz 804527a056
:About page update for maintainers team
* docs/10-about.md: Mention of maintainers team
2016-04-02 13:33:19 -04:00
Mike Gerwitz 6396ead4ca
Reddit suspected to have been served with an NSL
It is suspected that Reddit has been [served with an NSL][schneier].
[National Security Letters (NSLs)][nsl] are subpoena served by the United
States federal government and often come with a gag order that prevents the
recipient from even stating that they received the letter.

[Warrant canaries][canary] are used to circumvent gag orders by stating
that requests have *not* been received, under the [legal theory][court]
that, while courts can compel persons not to speak, they can't compel them
to lie.  [Reddit's canary has died][reddit-report]---the canary is absent
from their most recent 2015 transparency report, where it was [present in
the 2014 report][reddit-report-2014].

Does this mean that you should stop using Reddit?  No; canaries are an
important transparency method.  If you are worried about your privacy, you
shouldn't disclose the information to a third party to begin with.  Note
that this includes metadata that are gathered about you when you, for
example, browse subreddits while logged in.  You can help mitigate that by
[browsing anonymously using Tor][donot], being sure never to log in during
the same session.

The website [Canary Watch][cw] is a website that tracks warrant canaries.

I'm awaiting further analysis after the weekend.

[schneier]: https://www.schneier.com/blog/archives/2016/04/reddits_warrant.html
[nsl]: https://en.wikipedia.org/wiki/National_Security_Letter
[canary]: https://en.wikipedia.org/wiki/Warrant_canary
[cw]: https://www.canarywatch.org/
[court]: https://gigaom.com/2014/10/10/are-warrant-canaries-legal-twitter-wants-to-save-techs-warning-signal-of-government-spying/
[reddit-report]: https://web.archive.org/web/20160331210850/https://www.reddit.com/wiki/transparency/2015
[reddit-report-2014]: https://web.archive.org/web/20160331204815/https://www.reddit.com/wiki/transparency/2014
[donot]: https://www.whonix.org/wiki/DoNot
2016-04-02 13:23:06 -04:00
Mike Gerwitz 88f85a9a54
:Anchor link to LibrePlanet talk 2016-03-08 23:24:20 -05:00
Mike Gerwitz 810fd1a07b
:LibrePlanet header typo correction 2016-03-01 22:28:25 -05:00
Mike Gerwitz e838dc9a99
:About page update e-mail address 2016-02-28 13:46:34 -05:00
Mike Gerwitz 44580f4cea
Join me at LibrePlanet 2016 for my talk "Restore Online Freedom!"
I will be [speaking at LibrePlanet this year][lp2016] (2016) about freedom
on the Web.  Here's the session description:

> Imagine a world where surveillance is the default and users must opt-in to
> privacy. Imagine that your every action is logged and analyzed to learn
> how you behave, what your interests are, and what you might do next.
> Imagine that, even on your fully free operating system, proprietary
> software is automatically downloaded and run not only without your
> consent, but often without your knowledge. In this world, even free
> software cannot be easily modified, shared, or replaced. In many cases,
> you might not even be in control of your own computing -- your actions and
> your data might be in control by a remote entity, and only they decide
> what you are and are not allowed to do.
>
> This may sound dystopian, but this is the world you're living in right
> now. The Web today is an increasingly hostile, freedom-denying place that
> propagates to nearly every aspect of the average users' lives -- from
> their PCs to their phones, to their TVs and beyond. But before we can
> stand up and demand back our freedoms, we must understand what we're being
> robbed of, how it's being done, and what can (or can't) be done to stop
> it.

There are a number of other [great sessions][lp2016] this year from a
[number of speakers][lp2016s], many well-known.  We also have an opening
keynote from Edward Snowden!

All [FSF associate members get free entry][fsfmember].  If you can't join
us, the conference will be streamed live.  You can also see [videos of past
talks][lpvideos] on the FSF's self-hosted [GNU MediaGoblin][goblin]
instance.

Special thanks to the FSF for covering a large portion of my travel
expenses; I otherwise might not have been able to attend.  Thank you to all
who donated to the conference scholarship fund.

[lp2016]: https://www.libreplanet.org/2016/program/
[lp2016s]: https://www.libreplanet.org/2016/program/speakers.html
[fsfmember]: https://crm.fsf.org/join
[lpvideos]: https://media.libreplanet.org/
[goblin]: http://mediagoblin.org/
2016-02-28 13:41:17 -05:00
Mike Gerwitz cb1be6f2d4
:Index headline for talk at LibrePlanet 2016 2016-02-28 13:24:36 -05:00
Mike Gerwitz 452e8061c6 Google Analytics Removed from GitLab.com Instance
*This was originally written as a guest post for GitLab in November of 2015,
but they [decided not to publish it][gitlab-merge].*

Back in May of of 2015, I [announced GitLab's liberation of their Enterprise
Edition JavaScript][ggfs] and made some comments about GitLab's course and
approach to software freedom.  In liberating GitLab EE's JavaScript, all
code served to the browser by GitLab.com's GitLab instance was [Free (as in
freedom)][free-sw], except for one major offender: Google Analytics.

Since Google Analytics was not necessary for the site to function, users
could simply block the script and continue to use GitLab.com
[ethically][free-sw].  However, encouraging users to visit a project on
GitLab.com while knowing that it loads Google Analytics is a problem both
for users' freedoms, and for their privacy.

GitLab is more than service and front-end to host Git repositories; it has a
number of other useful features as well.  Using those features, however,
would mean that GitLab.com is no longer just a mirror for a project---it
would be endorsed by the project's author, requiring that users visit the
project on GitLab.com in order to collaborate.  For example, if an author
were to use the GitLab issue tracker on GitLab.com, then she would be
actively inviting users to the website by telling them to report issues and
feature requests there.

We cannot realistically expect that anything more than a minority of
visitors will know how to block Google Analytics (or even understand that it
is a problem).  Therefore, if concerned authors wanted to use those features
of GitLab, they had to use another hosted instance of GitLab, or host their
own.  But the better option was to encourage GitLab.com to remove Google
Analytics entirely, so that _all_ JavaScript code served to the users is
[Free][free-sw].

GitLab has chosen to actively
[work with the Free Software movement][ggfs]---enough so that they are now
considered an [acceptable host for GNU projects][gitlab-gnu-criteria]
according to [GNU's ethical repository criteria][gnu-repo-criteria].  And
they have chosen to do so again---headed by Sytse Sijbrandij (GitLab
Inc. CEO), Google Analytics has been removed from the GitLab.com instance
and replaced with [Piwik][piwik].

## More Than Just Freedom
This change is more than a commitment to users' freedoms---it's also a
commitment to users' privacy that cannot be understated.  By downloading and
running Google Analytics, users are being infected with some of the most
[sophisticated examples of modern spyware][ga-wikipedia]: vast amounts of
[personal and behavioral data][ga-google] are sent to Google for them to use
and share as they wish.  Google Analytics also tracks users across [many
different websites][ga-popularity], allowing them to discover your interests
and behaviors in ways that users themselves may not even know.

GitLab.com has committed to using [Piwik][piwik] on their GitLab instance,
which [protects users' privacy][piwik-privacy] in a number of very important
ways: it allows users to opt out of tracking, anonymizes IP addresses,
retains logs for limited time periods, respects [DoNotTrack][eff-dnt], and
more.  Further, all logs _will be kept on GitLab.com's own servers_, and is
therefore governed solely by
[GitLab.com's Privacy Policy][gitlab-privacy]; this means that other
services will not be able to use these data to analyze users' behavior on
other websites, and advertisers and others will know less about them.

Users should not have to try to [anonymize themselves][eff-ssd] in
order to maintain their privacy---privacy should be a default, and a
respected one at that.  GitLab has taken a strong step in the right
direction; I hope that others will take notice and do the same.

*Are you interested in helping other websites liberate their JavaScript?
 Consider [joining the FSF's campaign][freejs], and
 [please liberate your own][whyfreejs]!*

[gitlab-merge]: https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/1094
[eff-dnt]: https://www.eff.org/dnt-policy
[eff-ssd]: http://ssd.eff.org/
[freejs]: https://fsf.org/campaigns/freejs
[free-sw]: https://www.gnu.org/philosophy/free-sw.html
[ga-google]: https://www.google.com/analytics/standard/features/
[ga-popularity]: http://w3techs.com/technologies/overview/traffic_analysis/all
[ga-wikipedia]: https://en.wikipedia.org/wiki/Google_Analytics
[ggfs]: https://about.gitlab.com/2015/05/20/gitlab-gitorious-free-software/
[gitlab-featurse]: https://about.gitlab.com/features/
[gitlab-gnu-criteria]: https://lists.gnu.org/archive/html/repo-criteria-discuss/2015-11/msg00012.html
[gitlab-privacy]: https://about.gitlab.com/privacy/
[gnu-repo-criteria]: https://www.gnu.org/software/repo-criteria.html
[mtg]: http://mikegerwitz.com/
[piwik]: https://piwik.org/
[piwik-privacy]: https://piwik.org/privacy/
[whyfreejs]: https://www.gnu.org/software/easejs/whyfreejs.html
2016-01-24 14:38:43 -05:00
Mike Gerwitz c7db70c927 :Git horror story author date notice
This article is a bit aged and out of date.
2016-01-14 19:46:12 -05:00
Mike Gerwitz 045dedc70a
Now Hosting Personal GNU Social Instance
When I started writing this blog, my intent was to post notices more
frequently and treat it more like a microblogging platform; but that's not
how it ended up.  Instead, I use this site to write more detailed posts with
solid references to back up my statements.

[GNU Social](https://gnu.org/software/social/) is a federated social
network---you can host your own instances and they all communicate with
one-another.  You can find mine at the top of this page under "Notices", or
at [https://social.mikegerwitz.com/](https://social.mikegerwitz.com/).  I
will be using this site to post much more frequent miscellaneous notices.
2015-12-09 23:34:43 -05:00
Mike Gerwitz 228cbfd5cd
:Link to GNU Social instance in menu 2015-12-09 23:31:08 -05:00
Mike Gerwitz 3a7bc02263
:Update About page with gnueval 2015-11-20 23:27:13 -05:00
Mike Gerwitz 06dfbdbd10
:CC BY-SA {3.0=>4.0} 2015-11-20 23:22:41 -05:00
Mike Gerwitz 38081104ef
Comcast injects JavaScript into web pages
It seems that Comcast has decided that it is a good idea to [inject
JavaScript into web pages][js] visited by its customers in order to inform
them of Copyright violations.

This is a huge violation of user privacy and trust.  Further, it shows that
an ISP (and probably others) feel that they have the authority to dictate
what is served to the user on a free (as in speech) Internet.  Why should we
believe that they won't start injecting other types of scripts that spy on
the user or introduce advertising?  What if a malicious actor compromises
Comcast's servers and serves exploits to users?

It is no surprise that Comcast is capable of doing this---they know the IP
address of the customer, so they are able to intercept traffic and alter it
in transit.  But the fact that they _can_ do this demonstrates something far
more important: _that they have spent the money on the infrastructure to do
so_!

Comcast isn't the only ISP to have betrayed users by injecting data.  One
year ago, it was discovered that [Verizon was injecting "perma-cookies" into
requests to track users][verizon].  This is only one example of the
insidious abuses that unchecked ISPs can take.

So what can you do to protect yourself?

What Comcast is doing is called a [man-in-the-middle (MITM) attack][mitm]:
Comcast sits in the middle of you and your connection to the website that
you are visiting, proxying your request.  Before relaying the website's
response to you, it modifies it.

In order to do this, Comcast needs to be able to read your communications,
and must be able to modify them: the request must be read in order to
determine how the JavaScript should be injected and what request it should
be injected into; and it must be modified to perform the injection.  It
cannot (given a properly configured web server) do so if your connection is
encrypted.  In the case of web traffic, `https` URLs with the little lock
icon in your web browser generally indicates that your communications are
encrypted, making MITM attacks
unlikely.

(We're assuming that Comcast won't ask you to install a root CA so that they
can decrypt your traffic!  But that would certainly be noticed, if they did
so on a large enough scale.)

Not all websites use SSL.  Another method is to use encrypted proxies, VPNs,
or services like like [Tor][tor].  This way, Comcast will not be able to
read or modify the communications.

See also: [HackerNews discussion][hn]; [original Reddit discussion][reddit].

[js]: https://gist.github.com/Jarred-Sumner/90362639f96807b8315b
[verizon]: https://www.eff.org/deeplinks/2014/11/verizon-x-uidh
[mitm]: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
[hn]: https://news.ycombinator.com/item?id=10592775
[reddit]: https://www.reddit.com/r/HuntsvilleAlabama/comments/35v4sn/comcast_is_injecting_bad_javascript_to_your/
[tor]: https://tor.org/
2015-11-20 23:11:58 -05:00