Mike Gerwitz

Free Software Hacker+Activist

2019

GCHQ’s “Exceptional Access”, End-To-End Encryption, Decentralization, and Reproducible Builds

Late last November, Ian Levy and Crispin Robinson of GCHQ (the British intelligence agency) published a proposal for intercepting end-to-end encrypted communications, entitled “Principles for a More Informed Exceptional Access Debate”. Since then, there have been a series of notable rebuttals to this proposal arguing why this system would fail in practice and why it should be rejected. Completely absent from these responses, however, is any mention of existing practices that would prohibit this attack outright—the combination of free/libre software, reproducible builds, and decentralized or distributed services.

Posted on 2019-02-18. Read more »

2018

Webmasters: Please, Don’t Block Tor

Tor is a privacy and anonymity tool that helps users to defend themselves against traffic analysis online. Some people, like me, use it as an important tool to help defend against various online threats to privacy. Others use it to avoid censorship, perhaps by the country in which they live. Others use it because their lives depend on it—they may live under an oppressive regime that forbids access to certain information or means of communication.

Unfortunately, some people also hide behind Tor to do bad things, like attack websites or commit fraud. Because of this, many website owners and network administrators see Tor as a security threat, and choose to block Tor users from accessing their website.

Posted on 2018-10-05. Read more »

When Talking About Mobile Tracking, Don’t Veil Bad Actors With Blanket Statements

It’s difficult to have useful conversations about mobile tracking when someone says “your phone / mobile device tracks you”; such statements don’t often lead to constructive conversation because they are too vague and therefore easily dismissed as sensationalism or paranoia. And they are all too often without substance because, while users do have legitimate concerns, they aren’t necessarily aware of the specific problems contributing to those concerns.

Posted on 2018-04-15. Read more »

Meltdown/Spectre and the Web

The recently-released Meltdown and Spectre CPU timing attacks affect virtually every user in some way; the consequences are profound. There are plenty of good write-ups on the topic, so I don’t feel the need to re-iterate the technical details here. (See an easily digestible one from the Raspberry Pi project, and an in-depth analysis from Project Zero.)

What I do want to draw attention to is that these attacks are exploitable via web browsers.

Posted on 2018-01-08. Read more »

The Ethics Void: Join Me at LibrePlanet 2018!

I got word today that I’ll be speaking again at this year’s LibrePlanet! I was going to attend even if I were not speaking, but I’m very excited to be able to continue to build off of last year’s talk and further my activism on these topics.

The title of this year’s talk is The Ethics Void. Here’s a rough abstract:

Posted on 2018-01-05. Read more »

2017

Russia wants to review source code of Western security software

Reuters released an article entitled “Under pressure, Western tech firms bow to Russian demands to share cyber secrets”. Should Russia be permitted to do so? Should companies “bow” to these demands?

I want to draw a parallel to another highly controversial case regarding access to source code: the Apple v. FBI case early last year. For those who don’t recall, one of the concerns was the government trying to compel Apple to make changes to iOS to permit brute forcing the San Bernardino attacker’s PIN; this is a violation of First Amendment rights (compelled speech), and this afforded Apple strong support from even communities that otherwise oppose them on nearly all other issues. The alternative was to have the FBI make changes to the software instead of compelling Apple to do so, which would require access to the source code of iOS.

Posted on 2017-06-24. Read more »

GNU is more than a collection of software

GNU is more than just a collection of software; it is an operating system:

https://www.gnu.org/gnu/thegnuproject.html

Many hackers and activists within the free software community don’t understand this well, and it’s a shame to see attacks on GNU’s relevance (as measured by programs written by GNU on a given system) going unchallenged. Software for GNU was written by the GNU Project when a suitable free program was not available. It wouldn’t have made sense to write everything from scratch if free programs already solved the problem.

Posted on 2017-06-03. Read more »

2016

NSO Group, Pegasus, Trident—iOS Exploits Targeting Human Rights Activist

Citizen Lab released a report describing the attempted use of iOS 0-days on human rights activist Ahmed Mansoor by the United Arab Emirates. They named this chain of exploits Trident, and with the help of Lookout Security, were able to analyze them.

It begins with arbitrary code execution (CVE-2016-4655) by exploiting a memory corruption vulnerability in WebKit, which downloads a payload unknown to the user. That payload is able to bypass KASLR and determine the kernel memory location (CVE-2016-4656), then allowing it to exploit a memory corruption vulnerability in the kernel itself (CVE-2016-4657); this “jailbreaks” the device and is a complete compromise of the system.

Posted on 2016-08-25. Read more »

“Election”

The past few days of the DNC have demanded pause. I am an Independent. I do not like Hillary Clinton. I am a Bernie supporter, and I was upset by his endorsement of Hillary. I had vowed not to vote for Hillary; I would instead vote for Jill Stein. The DNC, while very well done with a deeply compelling facade, has not changed my perspective on Clinton.

It is perhaps said best by Bernie himself: “It’s easy to boo, but it’s harder to look your kids in the face who would be living under a Donald Trump presidency”. The conflict here is between my deep ideologies and reality. It’s often said that a vote for Hillary is a vote against Trump; such a perspective would be shallow and purposeless. But this isn’t an election for president—this is the most threatening assault on everything I stand for that I hope I will ever witness in my lifetime. To stand for ideological purity would be to stand atop a mountain while the world around me burns. This is why Bernie chose to unite.

Should Trump win, my ideals that seem within reach could be blown back decades. As a matter of strategy, I cannot justify not swallowing every ounce of my pride. Hillary’s presidency is an unfortunate but necessary consequence of the only permissible outcome. I am not electing a president of the United States. I am electing a United States.

Posted on 2016-07-29. Read more »

CFAA, “Authorized” Access, and Common Sense

There is little common sense to be had with the Computer Fraud and Abuse Act (CFAA) to begin with. To add to the confusion, the Ninth Circuit Court of Appeals last week held 2-1 in United States v. Nosal that accessing a service using someone else’s password—even if that person gave you permission to do so—violates the CFAA, stating that only the owner of a computer can give such authorization. This is absurd even with complete lack of understanding of what the law is: should your spouse be held criminally liable for paying your bills online using your account?

Common sense says no.

Posted on 2016-07-16. Read more »

Facebook will use software for the VR headset Oculus Rift to spy on you

Anything coming out of Facebook should be cause for concern. So, naturally, one might be concerned when they decide to get into the virtual reality (VR) scene by purchasing the startup Oculus VR, makers of the Oculus Rift VR headset. One can only imagine all the fun ways Facebook will be able to track, manipulate, spy on, and otherwise screw over users while they are immersed in a virtual reality.

Sure enough, we have our first peek: the software that Facebook has you install for the Oculus Rift is spyware, reporting on what unrelated software you use on your system, your location (including GPS data and nearby Wi-Fi networks), the type of device you’re using, unique device identifiers, your movements while using the VR headset, and more.

Posted on 2016-04-03. Read more »

Join me at LibrePlanet 2016 for my talk “Restore Online Freedom!”

I will be speaking at LibrePlanet this year (2016) about freedom on the Web. Here’s the session description:

Imagine a world where surveillance is the default and users must opt-in to privacy. Imagine that your every action is logged and analyzed to learn how you behave, what your interests are, and what you might do next. Imagine that, even on your fully free operating system, proprietary software is automatically downloaded and run not only without your consent, but often without your knowledge. In this world, even free software cannot be easily modified, shared, or replaced. In many cases, you might not even be in control of your own computing – your actions and your data might be under the control of a remote entity, and only they decide what you are and are not allowed to do.

This may sound dystopian, but this is the world you’re living in right now. The Web today is an increasingly hostile, freedom-denying place that propagates to nearly every aspect of the average users’ lives – from their PCs to their phones, to their TVs and beyond. But before we can stand up and demand back our freedoms, we must understand what we’re being robbed of, how it’s being done, and what can (or can’t) be done to stop it.

Posted on 2016-02-28. Read more »

Google Analytics Removed from GitLab.com Instance

This was originally written as a guest post for GitLab in November of 2015, but they decided not to publish it.

Back in May of 2015, I announced GitLab’s liberation of their Enterprise Edition JavaScript and made some comments about GitLab’s course and approach to software freedom. In liberating GitLab EE’s JavaScript, all code served to the browser by GitLab.com’s GitLab instance was Free (as in freedom), except for one major offender: Google Analytics.

Since Google Analytics was not necessary for the site to function, users could simply block the script and continue to use GitLab.com ethically. However, encouraging users to visit a project on GitLab.com while knowing that it loads Google Analytics is a problem both for users’ freedoms, and for their privacy.

Posted on 2016-01-24. Read more »

2015

Now Hosting Personal GNU Social Instance

When I started writing this blog, my intent was to post notices more frequently and treat it more like a microblogging platform; but that’s not how it ended up. Instead, I use this site to write more detailed posts with solid references to back up my statements.

GNU Social is a federated social network—you can host your own instances and they all communicate with one another. You can find mine at the top of this page under “Notices”, or at https://social.mikegerwitz.com/. I will be using this site to post much more frequent miscellaneous notices.

Posted on 2015-12-09. Read more »

Comcast injects JavaScript into web pages

It seems that Comcast has decided that it is a good idea to inject JavaScript into web pages visited by its customers in order to inform them of Copyright violations.

This is a huge violation of user privacy and trust. Further, it shows that an ISP (and probably others) feel that they have the authority to dictate what is served to the user on a free (as in speech) Internet. Why should we believe that they won’t start injecting other types of scripts that spy on the user or introduce advertising? What if a malicious actor compromises Comcast’s servers and serves exploits to users?

It is no surprise that Comcast is capable of doing this—they know the IP address of the customer, so they are able to intercept traffic and alter it in transit. But the fact that they can do this demonstrates something far more important: that they have spent the money on the infrastructure to do so!

Posted on 2015-11-20. Read more »

Gitlab, Gitorious, and Free Software

This article originally appeared as a guest post on the GitLab blog.

In early March of this year, it was announced that GitLab would acquire Gitorious and shut down gitorious.org by 1 June, 2015. Reactions from the community were mixed, and understandably so: while GitLab itself is a formidable alternative to wholly proprietary services, its acquisition of Gitorious strikes a chord with the free software community that gathered around Gitorious in the name of software freedom.

Posted on 2015-05-20. Read more »

2014

Please stop using SlideShare

There are many great presentations out there—many that I enjoy reading, or that I would enjoy reading. Unfortunately, many of them are hosted on SlideShare, which requires me to download proprietary JavaScript.

JavaScript programs require the same freedoms as any other software. While SlideShare does (sometimes/always?) provide a transcript in plain text—which is viewable without JavaScript—this is void of the important and sometimes semantic formatting/images that presenters put much time into; you know: the actual presentation bits. (I’m a fan of plain-text presentations, but they each have their own design elements).

There are ways around this. SlideShare’s interactive UI appears to simply be an image viewer, so it is possible to display all slides using a fairly simple hack:

Posted on 2014-11-30. Read more »

FSF Condemns Partnership Between Mozilla and Adobe to Support DRM

Two days ago, the Free Software Foundation published an announcement strongly condemning Mozilla’s partnership with Adobe to implement the controversial W3C Encrypted Media Extensions (EME) API. EME has been strongly criticized by a number of organizations, including the EFF and the FSF’s DefectiveByDesign campaign team (“Hollyweb”).

Digital Restrictions Management imposes artificial restrictions on users, telling them what they can and cannot do; it is a system that does not make sense and is harmful to society. Now, just about a week after the International Day Against DRM, Mozilla decides to cave in to the pressure in an attempt to stay relevant to modern web users, instead of sticking to their core philosophy about “openness, innovation, and opportunity”.

John Sullivan requested in the FSF’s announcement that the community contact Mozilla CTO Andreas Gal in opposition to the decision. This is my message to him:

Posted on 2014-05-16. Read more »

Re: FreeBSD, Clang and GCC: Copyleft vs. Community

I recently received a comment via e-mail from fellow GNU hacker Antonio Diaz, who is the author and maintainer of GNU Ocrad, a free (as in freedom) optical character recognition (OCR) program. His comment was in response to my article entitled FreeBSD, Clang and GCC: Copyleft vs. Community, which details the fundamental difference in philosophy between free software and “open source”.

I found Antonio’s perspective to be enlightening, so I asked for his permission to share it here.

Posted on 2014-03-20. Read more »

2013

Measuring Air Temperature With Phone Batteries

OpenSignal—a company responsible for mapping wireless signal strength by gathering data using mobile device software—noticed an interesting correlation between battery temperature on devices and air temperature.

Aggregating daily battery temperature readings to city level revealed a strong correlation with historic outdoor air temperature. With a mathematical transformation, the average battery temperature across a group of phones gives the outdoor air temperature.

Posted on 2013-08-13. Read more »

FreeBSD, Clang and GCC: Copyleft vs. Community

A useful perspective explaining why FreeBSD is moving away from GCC in favor of Clang; indeed, they are moving away from GPL-licensed software in general. While this is not a perspective that I personally agree with, it is one that I will respect for the project. It is worth understanding the opinions of those who disagree with you to better understand and formulate your own perspective.

But I am still a free software activist.

Posted on 2013-08-13. Read more »

Windows 8.1 to display targeted advertisements on local system searches

It is very disturbing that Microsoft decided that it would be a good idea to display targeted ads on local searches—that is, if you search for a file on your PC named “finances”, you may get ads for finance software, taxes, etc. If you search for “porn”, well, you get the idea.

Bing Ads will be an integral part of this new Windows 8.1 Smart Search experience. Now, with a single campaign setup, advertisers can connect with consumers across Bing, Yahoo! and the new Windows Search with highly relevant ads for their search queries. In addition, Bing Ads will include Web previews of websites and the latest features like site links, location and call extensions, making it easier for consumers to complete tasks and for advertisers to drive qualified leads.[1]

Posted on 2013-08-12. Read more »

London Trashcan Spies

We’re not talking about kids hiding out in trashcans talking on walkie-talkies and giggling to each other.

Ars has reported on London trashcans rigged to collect the MAC addresses of mobile devices that pass by. Since we do not often see mobile devices carrying themselves around, we may as well rephrase this as “collect the MAC addresses of people that pass by”:

During a one-week period in June, just 12 cans, or about 10 percent of the company’s fleet, tracked more than 4 million devices and allowed company marketers to map the “footfall” of their owners within a 4-minute walking distance to various stores.

Posted on 2013-08-11. Read more »

Snowden Statement at Moscow Airport; Accepts Asylum Offers

See Also: National Uproar: A Comprehensive Overview of the NSA Leaks and Revelations; I have not yet had the time to devote to writing a thorough follow-up of recent events and will likely wait until further information and leaks are presented.

Edward Snowden—the whistleblower responsible for exposing various NSA dragnet spying programs, among other documents—has been stuck in the Moscow airport for quite some time while trying to figure out how he will travel to countries offering him asylum, which may involve traveling through territories that may cooperate with the United States’ extradition requests.

Posted on 2013-07-12. Read more »

All “Thoughts” and Site Text Now Licensed Under CC BY-SA

All “thoughts”—that is, my blog-like entries that are generated by the repository commit messages—and site text are hereby retroactively relicensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. This license shall not supersede any license that is explicitly put forth within a work; see the COPYING file within the thoughts repository—available on the “Projects” page—for more information.

Posted on 2013-06-16. Read more »

National Uproar: A Comprehensive Overview of the NSA Leaks and Revelations

I am finding it difficult to keep up with the flood of reports in my little free time, while still finding the time to brush up on relevant history. My hope is to provide a summary of recent events and additional background—along with a plethora of references—that will allow the reader to perform further research and to formulate educated, personal opinions on the topics. If you do not care for my commentary, simply scroll to the list of references at the bottom of this article.

Many individuals and organizations have long warned of digital privacy issues, but there has been one agency in particular that has been the subject of much scrutiny—the National Security Agency (NSA), which is a United States government agency that has a long history of controversial spying tactics on its country’s own citizens. It is a chilling topic—one that can easily make any person sound like they’ve latched onto an Orwellian conspiracy.

Posted on 2013-06-10. Read more »

Improved Website

The old WordPress website has been replaced entirely by the “thoughts” site (which was previously located at /thoughts). This website is generated from its git repository—available on the Projects page—which is freely licensed. There is some content that existed on the old site that is still useful; should that content be transferred to this site, a redirect will be set up (assuming that it hadn’t already been lost to the search engines).

Since all this content is static, there is no discussion system. I am still debating whether or not I will add this in the future. Until that time, feel free to contact me via e-mail.

Posted on 2013-06-06. Read more »

Defective By Design Campaign Against W3C DRM Standard

As I mentioned late last week, RMS had noted that Defective By Design (DBD) would be campaigning against the introduction of DRM into the W3C HTML5 standards. (Please see my previous mention of this topic for a detailed explanation of the problem and a slew of references for additional information.) Well, this campaign is now live and looking for signatures—50,000 by May 3rd, which is the International Day Against DRM:

Hollywood is at it again. Its latest ploy to take over the Web? Use its influence at the World Wide Web Consortium (W3C) to weave Digital Restrictions Management (DRM) into HTML5 – in other words, into the very fabric of the Web.

[…]

Help us reach 50,000 signers by May 3rd, 2013, the International Day Against DRM. We will deliver the signatures to the W3C (they are right down the street from us!) and make your voice heard.[1]

Posted on 2013-03-23. Read more »

HTML5 DRM

Two acronyms that, until very recently, would seem entirely incompatible—HTML, which is associated with an unencumbered, free (as in freedom) representation of a document, and DRM, which exists for the sole purpose of restricting freedom.1 Unfortunately, Tim Berners-Lee—the man attributed to “inventing” the Internet—mentioned in a keynote talk at SXSW that he is not opposed to introducing DRM into the HTML5 standard:

[Tim Berners-Lee] did not, however, present himself as an opponent of digital locks. During a post-talk Q&A, he defended proposals to add support for “digital rights management” usage restrictions to HTML5 as necessary to get more content on the open Web: “If we don’t put the hooks for the use of DRM in, people will just go back to using Flash,” he claimed.

Posted on 2013-03-15. Read more »

Federal Judge Rules NSLs (National Security Letters) Unconstitutional

This news is huge and an incredible win for both the EFF and all U.S. citizens. Today, United States District Judge Susan Illston found the National Security Letters’ gag provisions unconstitutional and—since the review procedures violate the separation of powers and cannot be separated from the rest of the statute—has consequently ruled the NSLs themselves to be unconstitutional:

In today’s ruling, the court held that the gag order provisions of the statute violate the First Amendment and that the review procedures violate separation of powers. Because those provisions were not separable from the rest of the statute, the court declared the entire statute unconstitutional.

Posted on 2013-03-15. Read more »

White House Supports Cell Phone Unlocking

Earlier this week, the starter of the White House petition to “Make Unlocking Cell Phones Legal” posted a thread on Hacker News reporting that the White House had officially responded, stating:

The White House agrees with the 114,000+ of you who believe that consumers should be able to unlock their cell phones without risking criminal or other penalties. In fact, we believe the same principle should also apply to tablets, which are increasingly similar to smart phones. And if you have paid for your mobile device, and aren’t bound by a service agreement or other obligation, you should be able to use it on another network. It’s common sense, crucial for protecting consumer choice, and important for ensuring we continue to have the vibrant, competitive wireless market that delivers innovative products and solid service to meet consumers’ needs.

Posted on 2013-03-09. Read more »

Oxford University Blocks Google Docs

Oxford University decided to block Google Docs last month due to phishing attacks against its users. To quote the blog post:

Almost all the recent attacks have used Google Docs URLs, and in some cases the phishing emails have been sent from an already-compromised University account to large numbers of other Oxford users. Seeing multiple such incidents the other afternoon tipped things over the edge. We considered these to be exceptional circumstances and felt that the impact on legitimate University business by temporarily suspending access to Google Docs was outweighed by the risks to University business by not taking such action.

Posted on 2013-03-09. Read more »

Google Says the FBI Is Secretly Spying on Some of Its Customers

A Wired article mentions figures released from Google regarding National Security Letters issued by the NSA under the Patriot Act. It is too early to comment in much detail on this matter (I would like to wait for commentary from the EFF), but, as the article mentions:

Google said the number of accounts connected to National Security letters ranged between “1000-1999” for each of the reported years other than 2010. In that year, the range was “2000-2999.”

Posted on 2013-03-06. Read more »

DMR: “Very early C compilers and language”

An interesting article by Dennis Ritchie discussing early C compilers recovered from old DECtapes. The source code and history are fascinating reads. The quality of the code (the “kludgery”1, as he puts it) to me just brings smiles—I appreciate seeing the code in its original glory.

It is also saddening reading the words of such a great man who is no longer with us; perhaps it helps to better appreciate his legacy.

Posted on 2013-03-01. Read more »

Re: Who Does Skype Let Spy?

Today, Bruce Schneier brought attention to privacy concerns surrounding Skype, a very popular (over 600 million users) VoIP service that has since been acquired by Microsoft. In particular, users are concerned over what entities may be able to gain access to their “private” conversations through the service—Microsoft has refused to answer those kinds of questions. While the specific example of Skype is indeed concerning, it raises a more general issue that I wish to discuss: The role of free software and SaaS (software as a service).

Posted on 2013-01-30. Read more »

Re: FSF Wastes Away Another “High Priority” Project

A couple of days ago, my attention was drawn to an article on Phoronix that criticized the FSF for its decision to keep LibreDWG under the GPLv3 rather than the GPLv2, given the number of GPLv2-licensed projects that make use of it and now find its license incompatible. This article is very negative and essentially boils down to this point (the last paragraph):

Unless the Free Software Foundation becomes more accomodating [sic] of these open-source developers – who should all share a common goal of wanting to expand free/open-source software – LibreDWG is likely another project that will ultimately waste away and go without seeing any major adoption due to not working with the GPLv2.

It is worth mentioning why this view is misguided (though understandable for those who adopt the “open source” philosophy over that of software freedom).

Posted on 2013-01-26. Read more »

LuLu Says Goodbye to DRM

On January 8th, LuLu announced that they would be dropping DRM for users who “[download] eBooks directly from Lulu.com to the device of their choice”. This is a wise move (for those of us who oppose DRM), but unfortunately, as John Sullivan of the Free Software Foundation noted on the fsf-community-team mailing list, the comments on LuLu’s website are not all positive:

This is a positive development, but unfortunately there has been a lot of negative reaction in the comments on their announcement.

It’d be great if people could chime in and support them in their move away from DRM.

Posted on 2013-01-14. Read more »

DNA Collection

Consider a recent article from the EFF regarding “Rapid DNA Analyzers”. The article poses the potential issues involved, but also consider that any DNA collected (if not destroyed) would violate not just your privacy, but your entire blood line. What if DNA from immigrants were collected? Much of that information is inherited, so generations down the line, your privacy is still violated.

Posted on 2013-01-07. Read more »

Happy New Year

The greatest excitement in moving into a new year is the prospect of quantified growth.

Of course, it also means another year to look forward to the health of those you care for.

Posted on 2013-01-01. Read more »

2012

Privacy In Light of the Petraeus Scandal

I’m not usually one for scandals (in fact, I couldn’t care less who government employees are sleeping with). However, it did bring up deep privacy concerns—how exactly did the government get a hold of the e-mails?

The EFF released an article answering some questions about the scandal, which is worth a read. In particular, you should take a look at the EFF’s Surveillance Self-Defense website for an in-depth summary of the laws surrounding government surveillance and tips on how to protect against it.

I’d like to touch upon a couple things. In particular, the article mentions:

Posted on 2012-11-19. Read more »

VLC’s Move to LGPL

Jean-Baptiste Kempf of the VLC project explains that “most of the code of VLC” has been relicensed under the LGPL, moving away from the GPL. Some of the reasons for the move include “competition, necessity to have more professional developers around VLC and AppStores”.1 (With the “AppStore” comment, Jean-Baptiste is likely referring to issues regarding free software in Apple’s App Store, which the FSF has discussed on their website.)

This is unfortunate; using the LGPL in place of the GPL is not encouraged for free software projects because, while it ensures the freedom of the project itself, it does not encourage the development of free software that uses the project—the LGPL allows linking with proprietary software. Let’s explore the aforementioned reasons in a bit more detail.

Posted on 2012-11-17. Read more »

OpenWireless.org

The EFF announces the launch of openwireless.org, which encourages users to share their network connections to create a global network of freely available wireless internet access.

This is a noble movement. This reminds me of a point in history when MIT began password protecting their accounts, which were previously open to anyone. Stallman, disagreeing with such a practice, encouraged users to create empty passwords. Stallman would even give out his account information so that remote users may log into MIT’s systems, all with good intent.

Posted on 2012-10-30. Read more »

Abolishing Patents

My issue with patents exceeds the obvious case against software patents; indeed, I have long pondered the problems with patents in other fields. When I hear the phrase “patent pending” or “patented technology” touted in ads, I have never thought positive thoughts; instead, I have thought “you are damning this otherwise excellent work to stagnation”. What if someone has an excellent idea to improve upon that particular product? Well, they’d better be prepared to jump through some hoops or shell out some hefty licensing fees. Or maybe it’s just easier to abandon the idea entirely and forget that it had ever happened.

Posted on 2012-10-30. Read more »

GNU Trick-Or-Treat—FSF Crashes Windows 8 Launch

The FSF decided to crash the Windows 8 launch event in New York City, complete with Trisquel DVDs, FSF stickers and information about their pledge to upgrade to GNU/Linux instead of Windows 8.

I find this to be a fun, excellent alternative to blatant protesting that is likely to be better received by those who would otherwise be turned off to negativity. At the very least, the walking gnu would surely turn heads and demand curiosity.

Posted on 2012-10-27. Read more »

Stingrays: Cell Phone Privacy and Warrantless Surveillance

How would you feel if law enforcement showed up in your living room, demanded your cell phone, and started writing down your call history and text messages? How would you feel if you didn’t even know that they were in your home to begin with, let alone stealing private data? This is precisely what is happening when law enforcement uses “Stingrays” to locate individuals, collecting data of every other individual within range of the device in the process. Even if you are the subject of surveillance, this is still an astonishing violation of privacy. (Of course, law enforcement could always demand such records from your service provider, but such an act at the very least has a paper trail.)

Posted on 2012-10-24. Read more »

Another crack at medical device cracking

My previous post mentioned the dangers of running non-free software on implanted medical devices. While reading over RMS’ political notes, I came across an article mentioning how viruses are rampant on medical equipment.

“It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,” Olson said during the meeting, referring to high-risk pregnancy monitors.

The devices often run old, unpatched versions of Microsoft’s Windoze operating system. The article also mentions how the malware often attempts to include its host as part of a botnet.

Posted on 2012-10-18. Read more »

Crackers capable of causing pacemaker deaths

This article demonstrates why medical devices must contain free software: crackers are able to, with this particular type of pacemaker, exploit the device to trigger a fatal electric shock to its host from as far as 30 feet away (the article also mentions rewriting the firmware, which could of course be used to schedule a deadly shock at a predetermined time). These issues would not exist with free software, as the user and the community would be able to study the source code and fix any defects (or hire someone who can) before placing it in their bodies.

Posted on 2012-10-17. Read more »

Verizon router backdoors

A very disturbing article makes mention of a Verizon TOS update for its Internet service customers:

Section 10.4 was updated to clarify that Verizon may in limited instances modify administrative passwords for home routers in order to safeguard Internet security and our network, the security and privacy of subscriber information, to comply with the law, and/or to provide, upgrade and maintain service.

Posted on 2012-10-16. Read more »

NYC Master Keys

Bruce Schneier summarizes in a blog post a disturbing topic regarding a New York City locksmith selling “master keys” on eBay, providing access to various services such as elevators and subway entrances.

A discussion about this blog post on Hacker News yielded some interesting conversation, including an even more disturbing article describing how simple it may be to create master keys for a set of locks given only the lock, its key and a number of attempts.

Posted on 2012-10-16. Read more »

“Day changed to S”

Whatever “S” may be (in this case, “13 Oct 2012”), there is always a sense of peace and gratification that comes with witnessing that line appear in any type of log; it shows a dedication to an art, should your days contain daylight.

Posted on 2012-10-13. Read more »

Why no kid (or kid at heart) should write an iPhone game

I saw this post appear on HackerNews, talking about how building a game for iOS is “fun” and “cool”. The poster lures the reader in with talk of making money and talks of a “unique sense of fulfillment” that comes with development of these games, and then goes on to invite kids to learn how to develop games for the iPhone (and presumably other iOS devices).

This is a terrible idea.

Posted on 2012-10-09. Read more »

Always use -t with ssh-add (and always set passwords on your ssh keys)

Many people use SSH keys for the sole purpose of avoiding password entry when logging into remote boxes. That is legitimate, especially if you frequently run remote commands or wish to take advantage of remote tab completion, but creating a key with an empty password is certainly the wrong approach—if an attacker gets a hold of the key, then they have access to all of your boxes before you have the chance to notice and revoke the key.

Posted on 2012-10-09. Read more »

All these election attack ads are utterly useless

There have been a lot of elections going on lately—local, state and national. The majority of those ads are attack ads: immature and disrespectful; if you want my vote, give me something positive to vote for instead of spending all of your time and money attacking your candidate. If my vote is to go to the “least horrible” candidate, then there is no point in voting at all.

Posted on 2012-10-09. Read more »

Trademarks in Free Software

The use of trademarks in free software has always been a curious and unclear concept to me, primarily due to my ignorance on the topic.

Trademarks, unless abused, are intended to protect consumers’ interests—are they getting the brand that they think they’re getting? If you download Firefox, are you getting Firefox, or a derivative?

Posted on 2012-10-06. Read more »

Who needs “microblogging”?

I don’t. This is just some place safe to store random thoughts that people probably don’t care about (like most comments on most social networking services), with the added benefit of distributed backup, a simple system and no character limit.

Posted on 2012-10-05. Read more »

Getting too tired to hack? At 23:00?

This has been normal since becoming a father. I can’t complain—I love being a father. Of course, I also love hacking. I also love sleep. Knowing that my son is going to wake me up at 6:00 in the morning has a slight influence in a situation like this.

Posted on 2012-10-05. Read more »

A Git Horror Story: Repository Integrity With Signed Commits

(Note: This article was written at the end of 2012 and is out of date. I will update it at some point, but until then, please keep that in perspective.)

It’s 2:00 AM. The house is quiet, the kid is in bed and your significant other has long since fallen asleep on the couch waiting for you, the light of the TV flashing out of the corner of your eye. Your mind and body are exhausted. Satisfied with your progress for the night, you commit the code you’ve been hacking for hours: "[master 2e4fd96] Fixed security vulnerability CVE-123". You push your changes to your host so that others can view and comment on your progress before tomorrow’s critical release, suspend your PC and struggle to wake your significant other to get him/her in bed. You turn off the lights, trip over a toy on your way to the bedroom and sigh as you realize you’re going to have to make a bottle for the child who just heard his/her favorite toy jingle.

Fast forward four sleep-deprived hours. You are woken to the sound of your phone vibrating incessantly. You smack it a few times, thinking it’s your alarm clock, then fumble half-blind as you try to dig it out from under the bed after you knock it off the nightstand. (Oops, you just woke the kid up again.) You pick up the phone and are greeted by a frantic colleague. “I merged in our changes. We need to tag and get this fix out there.” Ah, damnit. You wake up your significant other, asking him/her to deal with the crying child (yeah, that went well) and stumble off to your PC, failing your first attempt to enter your password. You rub your eyes and pull the changes.

Still squinting, you glance at the flood of changes presented to you. Your child is screaming in the background, not amused by your partner’s feeble attempts to console him/her. git log --pretty=short…everything looks good—just a bunch of commits from you and your colleague that were merged in. You run the test suite—everything passes. Looks like you’re ready to go. git tag -s 1.2.3 -m 'Various bugfixes, including critical CVE-123' && git push --tags. After struggling to enter the password to your private key, slowly standing up from your chair as you type, you run off to help with the baby (damnit, where do they keep the source code for these things). Your CI system will handle the rest.

Fast forward two months.

CVE-123 has long been fixed and successfully deployed. However, you receive an angry call from your colleague. It seems that one of your most prominent users has had a massive security breach. After researching the problem, your colleague found that, according to the history, the breach exploited a back door that you created! What? You would never do such a thing. To make matters worse, 1.2.3 was signed off by you, using your GPG key—you affirmed that this tag was good and ready to go. “3-b-c-4-2-b, asshole”, scorns your colleague. “Thanks a lot.”

No—that doesn’t make sense. You quickly check the history. git log --patch 3bc42b. “Added missing docblocks for X, Y and Z.” You form a puzzled expression, raising your hands from the keyboard slightly before tapping the space bar a few times with few expectations. Sure enough, in with a few minor docblock changes, there was one very inconspicuous line change that added the back door to the authentication system. The commit message is fairly clear and does not raise any red flags—why would you check it? Furthermore, the author of the commit was indeed you!

Thoughts race through your mind. How could this have happened? That commit has your name, but you do not recall ever having made those changes. Furthermore, you would have never made that line change; it simply does not make sense. Did your colleague frame you by committing as you? Was your colleague’s system compromised? Was your host compromised? It couldn’t have been your local repository; that commit was clearly part of the merge and did not exist in your local repository until your pull on that morning two months ago.

Regardless of what happened, one thing is horrifically clear: right now, you are the one being blamed.

Posted on 2012-05-22. Read more »