social.gl-como.it


Items tagged with: security

How used cars became a security nightmare



"Application security for connected cars is far less mature than anyone should be comfortable with. This was clear at the RSA information security conference last week in San Francisco, where two presentations demonstrated different ways cars can be remotely controlled or even stolen by non-owners. All because the people designing connected car apps literally didn't think things through and consider the possibility of second owners -- or hackers."

https://www.engadget.com/2017/02/24/how-used-cars-became-a-security-nightmare/

#security, #car

How used cars became a security nightmare

Hack an app, win a free car!
 

#SHA1 and #Mercurial #security: Why you shouldn't panic yet

mpm/SHA1 - Mercurial

 
#dropbox opensources #Securitybot https://blogs.dropbox.com/tech/2017/02/meet-securitybot-open-sourcing-automated-security-at-scale/ #security

Meet Securitybot: Open Sourcing Automated Security at Scale

Security incidents happen. And when they do, they need to be dealt with—quickly. That’s where detection comes into play. The faster incidents are detected, the faster they can be handed off to the security team and resolved.
 

Riseup confirms it received two FBI warrants and gagging order


Riseup users had warned on social media that the group's "warrant canary" - a statement confirming that an organisation has not been issued with a court order to compromise users' details - had not been updated for the Winter 2016 quarter, a sign that the group may have been served with a gagging order preventing it from notifying its users of a warrant.

#riseup #fbi #gagorder #gag #gagging #security #anarchy #canaray #surveilllance

Riseup confirms it received two FBI warrants and gagging order | TheINQUIRER

Users have their suspicions confirmed
 

 



You broke the Internet



Now let's build a GNU one



Details: Yellow is for projects in development while green is for those that are available. Red illustrates brands that lose their monopoly condition once the respective layers are fully operational whereas light red indicates faulty technologies that we must replace.

Strongly recommend checking out the source website: http://youbroketheinternet.org/

Some related tags: #internet #surveillance #freesoftware #gnu #linux #security #netsec #crypto #ipfs #gpg #pgp #encryption #cryptocat #mumble #GNS #guix #nix #bittorrent #faceboogle #tor #I2P #otr #librecmc #libreboot #fsf #eff #ccc #pirateparty #pirates #ricochet #gnunet #freenet #android #replicant #grothoff #signal #libresignal #taler #gnutaler #youbroketheinternet #selfhosting #decentralization #selfhosted #tox #xmpp #jitsi #pond #PSYC #Tahoe-LAFS #retroshare #cjdns #onionshare #cryptocat #briar #maidsafe #coreboot #tribler #axolotl #zeroqm #bitmessage #cloud #skype #twitter #microsoft #rhizome #rina #netsukuku #tails #debian #freedombox #freedombone #ethos #qubes #whonix #guixSD #gentoo #zyre #reproduciblebuilds #openwrt #BMX7 #net2o #ethereum #copperheadOS #federation #dns #smtp #dane #blackadder #globaleaks #redphone #2020 #mesh #pulse #heartbeat

#youbroketheinternet

 
#aslr #security #linux

Hackaday: ASLR^CACHE Attack Defeats Address Space Layout Randomization (Pedro Umbelino)

Researchers from VUSec found a way to break ASLR via an MMU sidechannel attack that even works in JavaScript. Does this matter? Yes, it matters. A lot. The discovery of this security flaw along with...
 

Why we don't publish at the Play Store



We got some requests recently, asking why we do not publish #dandelion at the #GooglePlay. So here are our main reasons why we don't plan to upload the app there currently.

First of all, we do not comply with Google's terms of service. Having to pay ~25€ to Google who did not write the app and does not respect your freedom nor your privacy on its platforms (Youtube, GMail...) just doesn't feel right. We believe, that our userbase is well aware of the privacy concerns that come with using Google's Services, so many diaspora* users actually get their apps through F-Droid (which is great). Second, if a user that does not know about F-Droid yet wants to use dandelion* and searches for it, they'll hopefully find out about the F-Droid project and may get in touch with free software that way. So by not publishing to Google Play, we hope to get more people to understand, use and appreciate free and open source software.

If you find dandelion* on the Play Store, please be aware, that you likely just found a version built by someone else. We can not guarantee that such a version has not been tampered with in terms of #malware, so we highly discourage you to use it. It should be clear, that we'll never charge you any money for using, downloading, sharing or modifying the app. Note also, that we won't support those versions.

If you want to donate to the project to support the developers, and keep them motivated, please feel free to contact us :D As always, you can help us by submitting bug reports, code and/or translations on github and crowdin.
PS: We maintainers (@gsantner and @vanitasvitae) will soon have more time again to actively work on the app. The last weeks we were distracted with educational work, so here is some background information:

@gsantner was working on another FLOSS app called Froody, which lets you share (naturally growing) food and other things with others. He hopes to enable people to live a more sustainable life. The main idea is to share to and help other people by e.g. sharing pears, which would rot anyway if unused. Everything is built with international use in mind. The app is available at https://github.com/froodyapp/froody-android, and is currently available in #English, #German and #Japanese. Also translatable on Crowdin. He also writes his bachelor thesis about Open Source and Android, which will be completed in summer and likely to be released in an appropriate free license.

@vanitasvitae is writing his bachelor thesis about an #OMEMO module for #Smack, a #XMPP library used by many free messengers like #Jitsi or #Kontalk.
He hopes to enable those messengers to #encrypt your communication end-to-end using the OMEMO protocol introduced by #conversations.
He'll also attend #FOSDEM in #brussels by the way, so if you are there you might meet him and chat a little ;)

Sharing welcome!




Tags: #dandelion #dandeliondev #diaspora #diasporaforandroid #diasporaandroid #diasporaapp #app #fdroid #freesoftware #opensource #google #play #store #app #android-dev #foss #freie-software #freesoftware #opensource #translation #translator #release #mobile #froody #froodyapp #omemo #security #sustainability #sustainable #thesis

Diaspora-for-Android/dandelion

dandelion* - unofficial diaspora* android client
 
 

Spyware’s Odd Targets: Backers of #Mexico’s Soda Tax



source: https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html
The discovery of NSO’s #spyware on the phones of Mexican nutrition policy makers, activists and even #government employees, like Dr. Barquera, raises new questions about whether NSO’s tools are being used to advance the soda industry’s commercial interests in Mexico.

#security #surveillance #humanrights #news #fail #crime #politics #ethics #moral #privacy #democracy #freedom

 

Installing Signal on a Google free phone



I tried to install Signal on my Google free Android phone one year ago and I was shocked when I found out that I had to install Google Play services to use Signal and there was not much info out there how to do it without it.
So now I gave it another try and after almost a whole day I finally did it.
Here is what I did:
I have rooted CyanogenMod 13 on my phone, no Google apps.
- Go to https://microg.org/ (A free-as-in-freedom re-implementation of Google’s proprietary Android user space apps and libraries.)
- Download and install GmsCore.apk, GsfProxy.apk, FakeStore.apk in this order
- Open the microG Settings and tick both checkboxes for background services
- Reboot your device
- Disable Battery Optimization for microG Services Core in System Settings > Battery > Menu > Battery optimization.
- Go to https://www.apkmirror.com and get an old version of Signal - e.g. v3.20 (you won't be able to sign up with the newest version)
- Install Signal and sign up.
- Now if everything works just download the newest version of Signal and install it.

I hope this helps others.

#android #signal #messaging #encryption #privacy #security #floss #opensource

Open Whisper Systems >> Home

 

Dear friends of #privacy, here are the best add-ons for your #Firefox to increase #security and #anonymity ...



* Privacy Settings - https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/
* uBlock Origin - ad blocker - https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
* HTTPS Everywhere - security - https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
* Disconnect - anti tracking - https://addons.mozilla.org/en-US/firefox/addon/disconnect/
* Self-Destructing Cookies - anti tracking - https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
* RefControl - anti tracking - https://addons.mozilla.org/en-US/firefox/addon/refcontrol/
* PassSec+ - security - https://addons.mozilla.org/en-US/firefox/addon/passsec/

Thank you for your attention

Do you have more tips on what we can do to increase our privacy?

-------

please see also:

* https://www.joindiaspora.com/posts/2967813
* https://www.joindiaspora.com/posts/2762327

----

#freedom #internet #browser #www #surveillance #nsa

Privacy Settings

Alter Firefox's built-in privacy settings easily with a toolbar panel.
 
#privacy vs #security #insecurity #police #police-state #panopticon

This is a very, very good documentary on what has been going on for over a decade now. If you are interested in the topic of privacy I highly recommend this one. It's a pre-Snowden doc, which makes it even more surprising and to the point.



http://www.imdb.com/title/tt2486744/

Isn't it ironic I give you the link for it and it directs you to youtube? It certainly is but I have not managed to find an alternative. No torrent out there for this one :/
Oh well, use youtube-dl or mpv..

https://www.youtube.com/embed/FUyB0Tsj6jE

http://www.imdb.com/title/tt2486744/
 
 

Diaspora pod server failure



Diasp.eu server returns the following:

diasp.eu/notifications
Security unknown
The certificate has expired
Trust this website
‪diasp.eu/notifications
Error granting trust: Couldn't find a place to store the pinned certificate
pkcs11:library-manufacturer=GNOME%20Keyring , pkcs11:library-description=PKCS%2311%20Kit%20Trust%20Module
Please look at our FAQ, section "Security Features", to understand how you can solve this problem.
Trust this website

#diaspora #diasp.eu #diaspeu #podmin #bug #security #certificate
 
Smart TV Maker Fined $2.2 Million For Spying on Its 11 Million Users
https://thehackernews.com/2017/02/smart-tv-vizio-spying.html
Yes, you should also worry about your "smart" TV, as one of the world's biggest smart TV makers Vizio has been caught secretly collecting its consumers' data through over 11 Million smart TVs and then selling them to third-parties without the user's explicit consent.

According to FTC, the smart TV maker installed data tracking software to collect viewing habits of 11 million of its smart TVs without informing its customers or seeking their consent.
_____
#security #privacy #surveillance #Vizio #tv #smarttv #US #FTC #FederalTradeCommission
Vizio Fined $2.2 Million For Spying on Its 11 Million Smart TV Customers
 
The Fight Over Email Privacy Moves to the Senate
https://www.eff.org/deeplinks/2017/02/fight-over-email-privacy-moves-senate
_____
#security #privacy #surveillance #US #HouseofRepresentatives #HR387 #EmailPrivacyAct #Senate #USvWarshak #internet #users #digitalrights #humanrights #rights #Google #Facebook #Dropbox #ECPA #ElectronicCommunicationsPrivacyAct #CFAA #ComputerFraudandAbuseAct

The Fight Over Email Privacy Moves to the Senate

The House passed the Email Privacy Act (H.R. 387) yesterday, bringing us one step closer to requiring a warrant before law enforcement can access private communications and documents stored online with companies such as Google, Facebook, and Dropbox. But the fight is just beginning. We’ve long called for pro-privacy reforms to the 1986 Electronic Communications Privacy Act (ECPA), the outdated law that provides little protection for “cloud” content stored by third-party service providers. H.R. 387 would codify the Sixth Circuit’s ruling in U.S. v.
 
 
****#Pastilda: Open-source hardware password manager****
Pastilda is an open-source hardware #password #manager, designed to manage your credentials in a handy and secure way.
Pastilda works as a #middleman between your #computer and keyboard. It provides easy and safe auto-login to your #OS, bank accounts, mailboxes, corporate #network or social media. Pastilda stores #encrypted passwords in its memory. You can request a particular password at any time by pressing a special key combination on your keyboard.
Pastilda has two USB ports: one for your keyboard, one to connect to your #PC. Your OS will recognize Pastilda as a USB keyboard and a USB flash drive.
The flash drive component stores the encrypted #KeePass 2.x database (.kdbx file) and the KeePass 2.x portable #app as needed. Your real keyboard is now visible only to Pastilda, your PC won’t see it at all.
In normal working mode, all keystrokes from your keyboard are passed through Pastilda to your PC unchanged.
When you need to sign into an account, you switch to “Pastilda mode”. That’s done by placing your cursor inside the login text box and pressing the “Ctrl + ~” key combination. Pastilda will then ask you to enter the master password for your KeePass database, right in the current text box. If the password is entered correctly, Pastilda will decrypt and display your database. You can navigate through it with left, right, up, and down arrows or you can just start to input the name of the entry in your database and Pastilda will display matching variants. Once you find the entry you’re looking for, press Enter and Pastilda will automatically enter the corresponding login and password. If the password is incorrect, Pastilda gives you the option to try again or go back to regular mode by pressing the Esc key on your keyboard.

-----
Features & Specifications
- #Security:
  - #Open-source #hardware and #software - you can trust Pastilda
  - Never reveals the master key to the host
  - Decrypted data stays on board, unreachable by malware
- Usability:
  - summon Pastilda’s menu to any text field
- Compatibility:
  - simulates a common keyboard, so it works with most systems by default, requiring no drivers or client software.
  - works with command line interfaces, BIOS, etc.
- MCU: STM32F415
- Connectivity: 2 x USB 2.0
- Memory: microSD card slot up to 32 GB
- Dimensions: 20 mm x 60 mm x 12 mm
- Weight: 50 g

https://www.crowdsupply.com/third-pin/pastilda



#FOSS #FLOSS #OpenHardware #HardwareLibre #Crowdsupply #Crowdfunding #Security #Privacy #Libre #Free #Freedom
 
 
2017 is a Cyberpunk Dystopia - by Maki Naro https://thenib.com/cyberpunk-dystopia?t=recent

A #comic by Maki Naro about how we currently live in a #1990s #cyberpunk #dystopia.

#trump #surveillance #IoT #data #drones #socialnetworks #tech #security

2017 is a Cyberpunk Dystopia

2017 is straight out of a 1990's science fiction story
 

New security feature active




[Deutsch] I have just activated a new security feature on this pod. It is a protection mechanism against cross-site scripting attacks.


[English] I just activated a new security feature on this pod. It's a mechanism to prevent cross-site scripting attacks (XSS) named Content-Security-Policy. So jons.gr is now one of the 0.3% of websites which use this feature.

#update #diaspora #jonsgr #xss #security

Content-Security-Policy

The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
 
#HTTPS adoption has reached the tipping point https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/ #web #security #ssl #certificate

HTTPS adoption has reached the tipping point

That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, there's been some
 

Ubuntu Spyware: What to Do?



by Richard Stallman

_(The picture was taken from the collection of official Ubuntu's wallpapers)_

https://www.gnu.org/philosophy/ubuntu-spyware.html
Since Ubuntu version 16.04, the spyware search facility is now disabled by default. It appears that the campaign of pressure launched by this article has been partly successful. Nonetheless, offering the spyware search facility as an option is still a problem, as explained below. Ubuntu should make the network search a command users can execute from time to time, not a semipermanent option for users to enable (and probably forget).

Even though the factual situation described in the rest of this page has partly changed, the page is still important. This example should teach our community not to do such things again, but in order for that to happen, we must continue to talk about it.

One of the major advantages of free software is that the community protects users from malicious software. Now Ubuntu GNU/Linux has become a counterexample. What should we do?

Proprietary software is associated with malicious treatment of the user: surveillance code, digital handcuffs (DRM or Digital Restrictions Management) to restrict users, and back doors that can do nasty things under remote control. Programs that do any of these things are malware and should be treated as such. Widely used examples include Windows, the iThings, and the Amazon “Kindle” product for virtual book burning, which do all three; Macintosh and the Playstation III which impose DRM; most portable phones, which do spying and have back doors; Adobe Flash Player, which does spying and enforces DRM; and plenty of apps for iThings and Android, which are guilty of one or more of these nasty practices.

Free software gives users a chance to protect themselves from malicious software behaviors. Even better, usually the community protects everyone, and most users don't have to move a muscle. Here's how.

Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a “fork” of the program. Soon the community switches to the corrected fork, and the malicious version is rejected. The prospect of ignominious rejection is not very tempting; thus, most of the time, even those who are not stopped by their consciences and social pressure refrain from putting malfeatures in free software.

But not always. Ubuntu, a widely used and influential GNU/Linux distribution, has installed surveillance code. When the user searches her own local files for a string using the Ubuntu desktop, Ubuntu sends that string to one of Canonical's servers. (Canonical is the company that develops Ubuntu.)

This is just like the first surveillance practice I learned about in Windows. My late friend Fravia told me that when he searched for a string in the files of his Windows system, it sent a packet to some server, which was detected by his firewall. Given that first example I paid attention and learned about the propensity of “reputable” proprietary software to be malware. Perhaps it is no coincidence that Ubuntu sends the same information.

Ubuntu uses the information about searches to show the user ads to buy various things from Amazon. Amazon commits many wrongs; by promoting Amazon, Canonical contributes to them. However, the ads are not the core of the problem. The main issue is the spying. Canonical says it does not tell Amazon who searched for what. However, it is just as bad for Canonical to collect your personal information as it would have been for Amazon to collect it. Ubuntu surveillance is not anonymous.

People will certainly make a modified version of Ubuntu without this surveillance. In fact, several GNU/Linux distros are modified versions of Ubuntu. When those update to the latest Ubuntu as a base, I expect they will remove this. Canonical surely expects that too.

Most free software developers would abandon such a plan given the prospect of a mass switch to someone else's corrected version. But Canonical has not abandoned the Ubuntu spyware. Perhaps Canonical figures that the name “Ubuntu” has so much momentum and influence that it can avoid the usual consequences and get away with surveillance.

Canonical says this feature searches the Internet in other ways. Depending on the details, that might or might not make the problem bigger, but not smaller.

Ubuntu allows users to switch the surveillance off. Clearly Canonical thinks that many Ubuntu users will leave this setting in the default state (on). And many may do so, because it doesn't occur to them to try to do anything about it. Thus, the existence of that switch does not make the surveillance feature ok.

Even if it were disabled by default, the feature would still be dangerous: “opt in, once and for all” for a risky practice, where the risk varies depending on details, invites carelessness. To protect users' privacy, systems should make prudence easy: when a local search program has a network search feature, it should be up to the user to choose network search explicitly each time. This is easy: all it takes is to have separate buttons for network searches and local searches, as earlier versions of Ubuntu did. A network search feature should also inform the user clearly and concretely about who will get what personal information of hers, if and when she uses the feature.

If a sufficient part of our community's opinion leaders view this issue in personal terms only, if they switch the surveillance off for themselves and continue to promote Ubuntu, Canonical might get away with it. That would be a great loss to the free software community.

We who present free software as a defense against malware do not say it is a perfect defense. No perfect defense is known. We don't say the community will deter malware without fail. Thus, strictly speaking, the Ubuntu spyware example doesn't mean we have to eat our words.

But there's more at stake here than whether some of us have to eat some words. What's at stake is whether our community can effectively use the argument based on proprietary spyware. If we can only say, “free software won't spy on you, unless it's Ubuntu,” that's much less powerful than saying, “free software won't spy on you.”

It behooves us to give Canonical whatever rebuff is needed to make it stop this. Any excuse Canonical offers is inadequate; even if it used all the money it gets from Amazon to develop free software, that can hardly overcome what free software will lose if it ceases to offer an effective way to avoid abuse of the users.

If you ever recommend or redistribute GNU/Linux, please remove Ubuntu from the distros you recommend or redistribute. If its practice of installing and recommending nonfree software didn't convince you to stop, let this convince you. In your install fests, in your Software Freedom Day events, in your FLISOL events, don't install or recommend Ubuntu. Instead, tell people that Ubuntu is shunned for spying.

While you're at it, you can also tell them that Ubuntu contains nonfree programs and suggests other nonfree programs. (See http://www.gnu.org/distros/common-distros.html.) That will counteract the other form of negative influence that Ubuntu exerts in the free software community: legitimizing nonfree software.

The presence of nonfree software in Ubuntu is a separate ethical issue. For Ubuntu to be ethical, that too must be fixed.

MORE:
Richard Stallman Talks About Ubuntu: https://dia.so/2bf
Richard Stallman Spyware on Ubuntu using Amazon: https://dia.so/2bg
Richard Stallman on Ubuntu Phones: https://dia.so/2bh

#rms #fsf #gnu #canonical #ubuntu #spyware #privacy #security
 