Posts tagged: Privacy

Expanding police and surveillance powers across Europe


In January, two interesting and thorough reports on expanding police and surveillance powers across Europe were published. Amnesty International published a 70-page report which summarizes its research into expanding police laws across the EU and the troubling consequences for innocent citizens. It was followed up by an opinion piece in The Guardian by one of its authors, John Dalhuisen.

The second report was by Privacy International (original), and analysed the expanded surveillance and data retention powers in the UK, Germany and France.

Each report paints a grim picture of the state of human rights and privacy across the EU. Overall a somber picture emerges: The liberty and freedom we have enjoyed over the last quarter of a century is eroding. Add to that the sweeping wind of right-wing nationalist politics across the continent, and the alarm bells should be ringing.

Too often, the counter-argument in this debate is “if you’ve got nothing to hide, you’ve got nothing to fear”, or the corollary “I’m too boring for the state to be interested in”. Glenn Greenwald does a good job of dispelling that argument in his book “No Place to Hide”. He points out that surveillance stifles self-expression, creativity and experimentation. On a state level, its very purpose is to hinder deviant and radical thought and action. As such, surveillance and lack of privacy is an obstacle to political and cultural progress.

Given that mass state surveillance harms us all, our individual relation with the state authority, and whether we personally feel we have anything to hide or not, is nonessential to the debate. It is irrelevant whether you yourself are involved in politics, opposition groups, or protests. Surveillance harms everybody, depriving us of freedom, and hindering political, cultural, and human progress. It makes us complacent, unable or unwilling to question authority.

Dangerously disproportionate

In their report, titled “Dangerously disproportionate”, Amnesty International analyses events and laws passed in 2015 and 2016 in multiple EU member countries, including the UK, Germany, France, Holland, Spain, Poland, Hungary and Austria. They look at new emergency powers; legality of laws and powers; the right to privacy; freedom of expression; the right to liberty; freedom of movement; and stripping of nationality. In each section, Amnesty International specifically calls on EU member states to respect established human rights and the rule of law. They provide multiple examples from the various states where it is questionable whether the police and the executive branches have acted legally, against their countries’ laws or against basic human rights.

The report is well written, and comes with several insightful and well-placed warnings. Amnesty International is ringing the alarm bells, and points out that the governments of Europe are now the biggest threats to their own nations and the freedom of their people:

“Ultimately, however, the threat to the life of a nation – to social cohesion, to the functioning of democratic institutions, to respect for human rights and the rule of law – does not come from the isolated acts of a violent criminal fringe (…), but from governments and societies that are prepared to abandon their own values in confronting them.”

Terms like “the enemy” and “terrorism” have always been deliberately vague. This is now causing real problems when such vague and undefined terms are used as part of laws:

Because there is no universally agreed definition of “terrorism” under international law, states and international bodies have created their own. In that process, over the years, definitions of terrorism have become ever more vague and overly broad. This lack of clarity in many counter-terrorism laws has led, in turn, to a lack of certainty regarding what precisely constitutes an act of terrorism. If people can’t tell whether their conduct would amount to a crime, they cannot adjust their behaviour to avoid criminality. The consequences can be significant, ranging from the profiling of members of certain groups thought to be more inclined toward “radicalization”, “extremism”, or criminality based on stereotypes – i.e. guilt by association – to the outright misuse by states of laws that define terrorism loosely to deliberately target political opponents, human rights defenders, journalists, environmental activists, artists, and labour leaders.

Mass surveillance is still illegal and against Human Rights:

Any communications surveillance measure used must be strictly necessary and, to the extent that it interferes with people’s rights, must be proportionate in the particular circumstances of each case. The cornerstone of lawful communications surveillance is that it is individualized and based on reasonable suspicion of wrongdoing.

Indiscriminate mass surveillance, in effect a fishing expedition and “just-in-case” retention of people’s communications and data, is the antithesis of this. States may refer to indiscriminate mass surveillance practices by other names – “bulk” rather than “mass”, “collection” or “interception” rather than “surveillance” – but linguistic gymnastics do not make the practices conform to human rights standards.

When laws are vaguely defined and the state can monitor everybody all the time, the result is a chilling effect on freedom of speech, thought and expression. Simply clicking on the wrong link can be enough to land somebody in trouble. The report points out how musicians and other artists have already been the target of discrimination and “terrorist” laws.

The right to freedom of expression has been under direct and sustained assault across Europe in recent years. Measures that seek to curb speech and other forms of expression, taken cumulatively, reflect a landscape where freedom to access information, offer opinions, exchange ideas, and engage in robust and challenging debate – publicly or online – is in rapid decline. The risk that a person could be labelled a security threat or “extremist” has had very real consequences for some people as the examples below illustrate, while the “chilling effect” that such measures creates has left the public space for free expression smaller and more impoverished than it has been in decades.

Finally, the report discusses freedom of movement, and the dangerous trend towards “preventive measures” and “pre-crime” initiatives without the rule of law:

Indeed the extent of the remove can be seen from the fact that states are criminalizing not just the preparatory act of travelling abroad with the purpose of committing a terrorist offence, but also acts preparatory to the preparatory act of travelling abroad with this purpose. The problem here is that acts such as browsing “extremist” websites and looking up the price of flights to Istanbul can all render people liable to prosecution, long before individuals may have made up their minds to commit a terrorist offence, or without their ever even having contemplated it in the first place.

Mass Surveillance in Europe

The Privacy International report is shorter, but just as interesting and worrying. It covers the British “Snoopers Charter” or Investigatory Powers Act (IPA); the German Communications Intelligence Gathering Act (“Ausland-Fernmeldeaufklärung des Bundes-nachrichtendienstes”); and the French International Electronic Communications Law (“mesures de surveillance des communications électroniques internationales”). For each law, the authorized powers, oversight, and power over privileged communication is examined.

Although the terrorist attacks in these countries over the last years are driving forces, many of the laws being passed now seem to have at least some relation to the EU Data Retention Directive, issued a decade ago, in 2006. That directive was annulled by the EU Court of Justice in 2014 for “violating fundamental rights”, yet similar and broader laws are now in place in many EU member states.

The report concludes:

The leaders of Germany, France and the UK are setting a dangerous precedent which echoes within the European Community and far beyond it: Mass surveillance by governments has become the new normal.

No sanctuary in Switzerland

Until recently, Switzerland was a sanctuary of privacy and secrecy for both private and financial information. The latter was shattered a few years back, when the US threatened to throw out the Swiss banks if they did not disclose account details on what US citizens held. The former came under attack in 2015 and 2016, when two separate data retention and surveillance laws were enacted and passed: the BÜPF – “Überwachung des Post und Fernmeldeverkehrs” (“Monitoring of post and telecommunications”) and the NDG – “Nachrichtendienstgesetz”, an extension to the existing national intelligence law. There’s a discussion of both here, and more details by ProtonMail.

The laws call for all communication channels and services to retain certain metadata about the communication for a year, which includes any open wifi hotspots; IRC chat rooms; email and chat services; message boards and so on. Again, laws similar to those declared illegal for violating fundamental rights by the EU Court of Justice in 2014 have become national law. Furthermore, the laws make state hacking and wiretapping legal.

Even though Switzerland is neutral, they maintain close ties to the US, including data sharing agreements through the Privacy Shield Framework, like the other EU countries. (The double-speak has really gone far when “privacy shield” is a name for business and government information sharing). Furthermore, regarding financial details, Switzerland is taking part in the Automatic exchange of information (AEOI) program, under the guise of detecting tax evasion.

An interesting note about the “Nachrichtendienstgesetz” extension is that it met strong resistance, and ProtonMail was amongst the activists who gathered enough signatures for the 2015 proposal to go through a national referendum, as is required in Switzerland. The only problem: they lost. On 25 September 2016, the vast majority at 65.5% voted in favour of the law. Although only about 43% of eligible voters cast their vote, the outcome was similar across all cantons, and therefore we must assume it is representative of the opinion of the population as a whole. It goes to show that even in Switzerland, when the choice stands between privacy and security, people will give up their privacy.


Privacy attacks and government surveillance continue


At the Symantec Government Symposium on Tuesday, FBI director James Comey said he “can’t resist talking about encryption and going dark”, and will continue an “adult” discussion into 2017. What’s stopping him now seems to be the media attention on the presidential election. He continued: “The challenge we face is that the advent of default, ubiquitous strong encryption is making more and more of the room we are charged to investigate dark”, referring to device encryption on iPhones and Android phones, as well as WhatsApp, etc.

Meanwhile in Europe, French and German politicians have seized on the recent fear of violence to push similar rhetoric. Last week French Interior Minister Bernard Cazeneuve and German Interior Minister Thomas de Maizière said that “they will push for a Europe-wide law requiring tech companies to provide law enforcement agencies with access to encrypted messages when necessary”. Cazeneuve said, “We propose that the EU Commission studies the possibility of a legislative act introducing rights and obligations for operators to force them to remove illicit content or decrypt messages as part of investigations, whether or not they are based in Europe”. The “our law should be universal” line of thinking, in other words.

The “crypto wars” are as hot as ever, and even though the latest communication technology offerings have made it easier for everybody to stay private, it is clear that the Western surveillance states will not give up without a fight.


Let’s Encrypt TLS certificate setup for Apache on Debian 7


Through Let’s Encrypt, anybody can now easily obtain and install a free TLS (or SSL) certificate on their web site. The basic use case for a single host is very simple and straightforward to set up, as seen here. For multiple virtual hosts, it is simply a case of rinse and repeat.

On older distributions, a bit more effort is required. E.g. on Debian 7 (Wheezy), the required version of the Augeas library (libaugeas0, augeas-lenses) is not available, so the edits to the Apache config files have to be made by hand. Furthermore, when transitioning from an old HTTP-based server, you need to configure redirects for any old links which might still hard-code “http” in the URL. Finally, there are some security decisions to consider when selecting which encryption protocols and ciphers to support.

Installation and setup

Because the installer has only been packaged for newer distributions so far, a manual download is required. The initial execution of the letsencrypt-auto binary will install further dependencies.

sudo apt-get install git
git clone https://github.com/letsencrypt/letsencrypt /usr/local/letsencrypt
 
cd /usr/local/letsencrypt
./letsencrypt-auto --help

To acquire the certificates independently of the running Apache web server, first shut it down, and use the stand-alone option for letsencrypt-auto. Replace the email and domain name options with the correct values.

apache2ctl stop
 
./letsencrypt-auto certonly --standalone --email johndoe@example.com -d example.com -d www.example.com

Unless specified on the command line as above, there will be a prompt to enter a contact email, and to agree to the terms of service. Afterwards, four new files will be created:

/etc/letsencrypt/live/example.com/cert.pem
/etc/letsencrypt/live/example.com/chain.pem
/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem

If you don’t have automated regular backup of /etc, now is a good time to at least backup /etc/letsencrypt and /etc/apache2.

In the Apache config for the virtual host, add a new section (or a new file) for the TLS/SSL port 443. The important new lines in the HTTPS section use the files created above. Please note, this example is for an older Apache version, typically available on Debian 7 Wheezy. See these notes for newer versions.

# This will change when Apache is upgraded to >2.4.8
# See https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates
 
SSLEngine on
 
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

To automatically redirect links which have hard-coded http, add something like this to the old *:80 section.

# Redirect from http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

While editing the virtual site configuration, it is worth checking the log format string. Typically the log format “combined” is used. However, this does not indicate which protocol was used to serve the page. To show the port number used (which implies the protocol), change to “vhost_combined” instead. For example:

CustomLog ${APACHE_LOG_DIR}/example_com-access.log vhost_combined

To finish, optionally edit /etc/apache2/ports.conf, and add the following line to the SSL section. It enables multiple named virtual hosts over SSL, but will not work on old Windows XP systems. Tough luck.

<IfModule mod_ssl.c>
  NameVirtualHost *:443
  Listen 443
</IfModule>

Finally, restart Apache to activate all the changes.

apache2ctl restart

Verification and encryption ciphers

SSL Labs has an excellent and comprehensive online tool to verify your certificate setup. Fill in the domain name field there, or substitute your site name in the following URL, and wait a couple of minutes for the report to generate. It will give you a detailed overview of your setup, what works, and what is recommended to change.

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Ideally, you’ll get a grade A as shown in the image below. However, a few more adjustments might be required to get there. It typically has to do with the protocols and ciphers the web server is configured to accept and use. This is of course a moving target as security and cryptography research and attacks evolve. Right now, there are two main considerations: all the old SSL protocol versions are broken and obsolete, so they should be disabled. Secondly, there is an attack on the RC4 cipher; keeping it enabled was an old compromise between its weakness and the “BEAST” attack, but disabling RC4 now seems to be the preferred choice.

Taking all this into account, the recommended configuration for Apache and OpenSSL as it stands excludes all SSL versions, as well as the RC4 ciphers. This should result in a forward-secrecy configuration. Again, this is a moving target, so it will have to be updated in the future.

To make these changes, edit the Apache SSL mod file /etc/apache2/mods-available/ssl.conf directly, or update the relevant virtual host site config file with the following lines.


SSLHonorCipherOrder on
 
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !ECDHE-RSA-RC4-SHA"
 
SSLProtocol all -SSLv2 -SSLv3

Restart Apache, and regenerate the SSL Labs report. Hopefully, it will give you a grade A.
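Before regenerating the SSL Labs report, it is worth checking the edited vhost file locally for the points made above (SSLEngine on, server-side cipher order, SSLv2/SSLv3 disabled, weak cipher families excluded, certificate paths present). The POSIX shell script below is an added example, not part of the original post or the Let’s Encrypt project; it assumes one directive per line, as in the snippets above, and the two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit an Apache TLS config
# fragment for the settings discussed above. Assumes one directive per line.

# Print the value of the last occurrence of directive $2 in file $1
# (Apache also honours the last one seen); directive names are case-insensitive.
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

# Return 0 if an SSLProtocol value leaves neither SSLv2 nor SSLv3 enabled.
# "all" enables them on the Apache 2.2 line unless each is negated with "-".
protocol_is_safe() {
    need_neg=0
    for tok in $1; do
        case "$tok" in
            all|+all)                  need_neg=1 ;;
            SSLv2|+SSLv2|SSLv3|+SSLv3) return 1 ;;
        esac
    done
    if [ "$need_neg" -eq 1 ]; then
        case " $1 " in *" -SSLv2 "*) ;; *) return 1 ;; esac
        case " $1 " in *" -SSLv3 "*) ;; *) return 1 ;; esac
    fi
    return 0
}

# Cipher families the recommended suite above explicitly excludes ("!" = never use).
WEAK_FAMILIES="aNULL eNULL LOW EXP MD5 RC4"

# Return 0 if an SSLCipherSuite value contains "!family" for every weak family.
# OpenSSL accepts ':', ',' or space as separators, so normalise to spaces first.
ciphers_exclude_weak() {
    normalized=" $(printf '%s' "$1" | tr ':,' '  ') "
    for fam in $WEAK_FAMILIES; do
        case "$normalized" in
            *" !$fam "*) ;;
            *) echo "  cipher suite does not exclude $fam"; return 1 ;;
        esac
    done
    return 0
}

# Audit one config file: print a line per finding, return 1 if anything failed.
audit_ssl_config() {
    file=$1
    bad=0
    engine=$(directive_value "$file" SSLEngine | tr 'A-Z' 'a-z')
    [ "$engine" = on ] || { echo "FAIL: SSLEngine is not on"; bad=1; }
    order=$(directive_value "$file" SSLHonorCipherOrder | tr 'A-Z' 'a-z')
    [ "$order" = on ] || { echo "FAIL: SSLHonorCipherOrder is not on (client picks the cipher)"; bad=1; }
    proto=$(directive_value "$file" SSLProtocol)
    proto=${proto:-all}   # a missing directive means the Apache default, "all"
    protocol_is_safe "$proto" || { echo "FAIL: SSLProtocol '$proto' leaves SSLv2/SSLv3 enabled"; bad=1; }
    suite=$(directive_value "$file" SSLCipherSuite | tr -d '"')
    ciphers_exclude_weak "$suite" || { echo "FAIL: SSLCipherSuite is too permissive"; bad=1; }
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        [ -n "$(directive_value "$file" "$d")" ] || { echo "FAIL: $d is missing"; bad=1; }
    done
    [ "$bad" -eq 0 ] && echo "OK: $file passes all checks"
    return "$bad"
}

# Constructed sample: a vhost fragment with the permissive defaults warned about above.
write_weak_config() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM:RC4:!aNULL
EOF
}

# Constructed sample: the settings recommended above.
write_hardened_config() {
    cat > "$1" <<'EOF'
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLProtocol all -SSLv2 -SSLv3
EOF
}

# Demo: audit both samples. To check a real file, run: audit_ssl_config /path/to/site.conf
tmpdir=$(mktemp -d)
write_weak_config "$tmpdir/weak.conf"
write_hardened_config "$tmpdir/hardened.conf"
audit_ssl_config "$tmpdir/weak.conf"
audit_ssl_config "$tmpdir/hardened.conf"
rm -rf "$tmpdir"
```

The checks deliberately require each weak family to be excluded explicitly with “!”, as the suite above does, rather than trusting that a positive list happens to omit them; a missing SSLProtocol line is treated as “all”, which is what Apache falls back to.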

Final considerations

Even with all the configuration above in place, the all-green TLS/SSL security lock icon in the browser URL bar, as seen below right, might be elusive. Instead a yellow warning like the one in the image to the left might show. This could stem from legacy URLs which have hard-coded the http protocol, both to the internal site and to external resources like images and scripts. The fix is to use either relative links (leaving out the protocol and host altogether), absolute site links, protocol-relative links (inferring the protocol by not specifying it), or links that hard-code https. Examples:

<img src="blog_pics/ssl_secure.png">
 
<img src="/blog_pics/ssl_secure.png">
 
<img src="//i.creativecommons.org/l/by-sa/3.0/88x31.png">
 
<img src="https://i.creativecommons.org/l/by-sa/3.0/88x31.png">

On a blog like this, it certainly makes sense to put in some effort to update static pages, and make sure that new articles are formatted correctly. However, going through all the hundreds of old articles might not be worth it. When they roll off the main page, the green icon will also show here.
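For the old articles that are worth fixing, the hard-coded http references can be found mechanically rather than by reading each page. The POSIX shell script below is an added example, not code from the original post: it lists every plain-http src or href attribute in the given HTML files (the four link forms shown above are left alone) and can write a copy with those references upgraded to https. The sample page it scans is constructed for the demonstration; the rewrite is only appropriate when every referenced host actually serves https.

```shell
#!/bin/sh
# Added example (not from the original post): find and optionally upgrade
# hard-coded http:// src/href references that trigger mixed-content warnings.

# Case-insensitive pieces of the pattern, built from bracket classes so that
# plain grep/sed work the same on GNU and BSD systems.
ATTR='([sS][rR][cC]|[hH][rR][eE][fF])'
QUOTE="[\"']"
HTTP_REF="${ATTR}=${QUOTE}[hH][tT][tT][pP]://[^\"']*"

# Print file:line:match for every plain-http src/href in the files given.
# Returns grep's status: 0 if something was found, 1 if the files are clean.
find_http_refs() {
    grep -HnoE "$HTTP_REF" "$@"
}

# Print the number of plain-http references in one file (0 when clean).
count_http_refs() {
    grep -oE "$HTTP_REF" "$1" | wc -l | tr -d ' '
}

# Write a copy of $1 to $2 with every plain-http src/href changed to https.
# Relative, absolute-path and protocol-relative links are untouched.
rewrite_http_refs() {
    sed -E "s#(${ATTR}=${QUOTE})[hH][tT][tT][pP]://#\1https://#g" "$1" > "$2"
}

# Constructed sample page: the four safe link forms from above, plus
# four plain-http references (two on one line, one in upper case).
write_sample_page() {
    cat > "$1" <<'EOF'
<html><body>
<img src="blog_pics/ssl_secure.png">
<img src="/blog_pics/ssl_secure.png">
<img src="//i.creativecommons.org/l/by-sa/3.0/88x31.png">
<img src="https://i.creativecommons.org/l/by-sa/3.0/88x31.png">
<a href="http://example.com/old-post.html">old link</a>
<script src='http://example.com/js/legacy.js'></script>
<a href="http://example.com/page">another</a> <img SRC="HTTP://example.com/a.png">
</body></html>
EOF
}

# Demo. For a real site: find_http_refs /var/www/html/*.html
tmpdir=$(mktemp -d)
write_sample_page "$tmpdir/old-post.html"
echo "plain-http references found:"
find_http_refs "$tmpdir/old-post.html"
rewrite_http_refs "$tmpdir/old-post.html" "$tmpdir/old-post.fixed.html"
echo "remaining after rewrite: $(count_http_refs "$tmpdir/old-post.fixed.html")"
rm -rf "$tmpdir"
```

Running find_http_refs over the whole document root gives a per-file list, which is a practical way to decide which old articles are worth the effort and which can be left to roll off the main page.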


Review: No Place to Hide, Glenn Greenwald


In his latest book, No Place to Hide, Glenn Greenwald gives a brief summary of the events since Edward Snowden first contacted him on 1 December 2012, up until the UK government’s harassment of David Miranda at London Heathrow airport on 18 August 2014. He gives an overview of some of the released NSA documents, showing the scope and detail of the illegal surveillance.

It is however the last two chapters of the book which make this a must-read. Here, Greenwald examines why ubiquitous surveillance is so dangerous and damaging to all of society, and why the “nothing to hide – nothing to fear” argument is misguided and naive.

In the final chapter, Greenwald describes the toxic climate of modern journalism, and how challenging state power is the exception rather than the norm in many newspapers.

Besieged by state surveillance

Glenn Greenwald’s examination of the harms of mass state surveillance is an indispensable read for anybody debating the topic. He explains why privacy is essential to all humans, on an individual level, as well as for society as a whole. Without privacy, we automatically conform to written and unwritten rules and expectations of behaviour and thought.

Surveillance stifles self-expression, creativity and experimentation. On a state level, its very purpose is to hinder deviant and radical thought and action. As such, surveillance and lack of privacy is an obstacle to political and cultural progress. The goal is to freeze the status quo with its current power structure and current authority.

Herein lies the rebuttal of the “nothing to hide – nothing to fear” argument. Rather than grasping for fringe groups and special circumstances, Greenwald shows that this argument is narrow-minded, egotistical and hypocritical. Given that mass state surveillance harms us all, our individual relation with the state authority is nonessential to the debate. It is irrelevant whether you yourself are involved in politics, opposition groups, or protests. In many ways, surveillance harms everybody, depriving us of freedom, and hindering political, cultural, and human progress. It makes us complacent, unable or unwilling to question authority.

Furthermore, Greenwald points out that state surveillance is masked in secrecy, often with little oversight. It makes the surveillance a one-way mirror: They can see you, but you cannot see them. This is by design, and Greenwald examines multiple examples of why this works so well in controlling the population. He shows why it is important to break this one-way mirror; to shine light on government activities so its power cannot be used for harassment and control.

News as state propaganda

In the last chapter, Greenwald gives an introspective look into the failures of US media. Journalists and newspapers are nicknamed the Fourth Estate, because they were supposed to challenge the other three branches of government. However, many have become mere propaganda outlets for those in power.

What’s worse, Greenwald was attacked by fellow journalists across the political spectrum for publishing his stories based on the NSA documents. The UK in particular has gone very far in attacking anybody working with these documents. There is no Fourth Amendment or similar law protecting free speech in the UK. As a result, the Guardian was threatened with lawsuits and shutdown by GCHQ (Government Communications Headquarters) agents. Through an ultimatum, they destroyed the computers belonging to the newspaper which they believed contained copies of the NSA documents.

Later, Greenwald’s partner, David Miranda, was detained using an anti-terrorist law while in transit through London Heathrow airport. As Greenwald put it, UK agents grabbed him out of non-British neutral territory. Lacking anything to charge him with, the UK police later acknowledged that this was a harassment tactic, to send a message to anybody working with Snowden or Greenwald.

Read it now!

If you haven’t kept an eye on the Snowden and NSA story, Glenn Greenwald’s latest book is an excellent and brief overview of the important events and facts. Still, even if you have followed the details of the NSA documents, the last half of the book is refreshing and worth the read.

State propaganda with its excuses to justify surveillance is as prevalent as ever. It is essential that we all know how to refute those arguments. Also, putting an end to the “nothing to hide & fear” argument will be important if we want to repel mass state surveillance.


anonabox : a Tor hardware router


Update: This project turned out to be too good to be true, at least for now. Wired has a brief article on the problems of the project, and why it was canceled by Kickstarter.

However, as the developer Germar says: “This would have been a success even if we’d raised $10,000. – This is a place to start.” (The project went above $600,000 before it was canceled).

I just backed the KickStarter project “anonabox”. It’s a drop-in Tor hardware router, which makes all outgoing traffic anonymous without any user configuration. As seen in the picture, it connects between your incoming ISP point and your laptop. Or, the other way around, where the box itself picks up a foreign Wifi signal and gives you a wired hotspot. Or where the laptop in the picture is connected over wifi instead of wired.

At the price of $50, I ordered two, to be delivered beginning of next year. The Kickstarter has already gone almost 100x above their set goal of $7500, so they might have some extra work to backfill orders. The project looks promising though, with the device to be shipped already in its fourth generation of development.

Order yours now! There’s still 26 days to go.


Another assault on privacy by GCHQ


Recently, it was revealed by IT Security Guru that the British intelligence agency GCHQ had demanded a backdoor into the secure email service PrivateSky by CertiVox. At the end of 2012, GCHQ made the request, but CertiVox chose to close the service instead of betraying their customers. This preceded the similar heavy-handed threats by the NSA which caused US-based Lavabit and Canadian-based Silent Circle to shut down their secure email services.

It is clear then, that it is not possible to operate secure email or communication services within these countries. In that light, it’s interesting to see Swiss hosting companies picking up business. “Business for Switzerland’s 55 data centres is booming”, claims the article. It will be interesting to see how it plays out. Will they be pressured by the US as was the case with the banks? Or will they also sell out, as was the case with the Swiss-based Crypto AG and their machines?

As many have pointed out, the physical security of a data centre is often less of an issue than its network and system security. Furthermore, it’s a question of how it is used and what is offered. PrivateSky is for example still operational, but only for its owners. If somebody offered a secure communication service from within the Tor network, it would be both hard to detect, so it might fly under the radar for a while, and hard to take down if hosted in Switzerland. That’s a business idea right there, up for grabs for anybody with a bit of spare time and money.


Trends: Snowden didn’t change public’s behaviour


For all the NSA documents revealed by Snowden, and for all the news headlines stressing the gravity of the situation, it seems the general public has not changed its behaviour much. At least that would be the conclusion if looking at the worldwide trends of a few Google search terms: As can be seen in the first chart, the terms Snowden and NSA quickly rose to prominence when the story broke in the second half of 2013. However, interest quickly declined. If we look at the next two charts, comparing the terms privacy, surveillance and encryption, there seems to be no correlation with the former terms at all. Maybe there is an ever so faint increase in the term encryption, but nothing of significance.

The last two charts compare the terms encryption and surveillance in Germany. Here there is a small blip for the former term, while interest in the latter, surveillance, seems to have increased significantly. This is possibly driven by the news stories there about the NSA spying on Chancellor Angela Merkel.

These trends are rather disappointing to see. One would have hoped for at least a blip on the radar when it comes to public awareness of these issues. Instead, the distraction campaigns by most of the mainstream media seem to have been successful: The headlines have been focusing on Snowden, his girlfriend, his father, and whether he is a hero or traitor. Masking and excusing the abuse of power by the NSA, GCHQ and the politicians who support these organizations has been successful. In fact, in Britain the story has taken the bizarre turn where the government is investigating The Guardian and editor Alan Rusbridger for publishing the leaked documents. What other clue do you need to see that the so-called democracies and free countries of the West are nothing but a mirage for a powerful and abusive elite?

Swedish politician Rickard Falkvinge put it nicely in his post about the coming of the Swedish police-state:

A key difference between a functioning democracy and a police state is, that in a functioning democracy, the Police don’t get everything they point at.


30 years of GNU


It’s been 30 years since Richard Stallman announced his project to create a free alternative to Unix. The world has changed a lot since then, the Internet has changed and grown enormously, and Free Software has become a success that not even Stallman might have dared to dream of. Of course, some things didn’t work out quite the way Stallman had intended: The GNU Hurd kernel is still just a curiosity, and most likely will never see widespread adoption. Instead, Linus Torvalds came along with his kernel, and licensed it under Stallman’s GPL, thus making it free for everybody to use, distribute and contribute to. Today the GNU tools and core utilities, and the Linux kernel, are used by millions of people every day. Whole businesses, like Google and Amazon, are built around these Free systems. It’d be hard to imagine the world today without Linux and GNU.

Below is the message which started it all. And today Stallman is looking forward, explaining why free software is more important than ever. His main theme and message has not changed much over the years: The freedom to run, study, distribute and modify computer programs is vital to a democracy which relies on technology and computers to function. Without these freedoms, we get exactly the kind of crippled products Stallman warns about: Sony removing features from its products over-night; Amazon deleting books you have bought; mobile phones and computers which only accept software from certain authorities (e.g. iPhone, gaming consoles).

However, the dangers of proprietary software and lock-in are even more severe: the NSA has been shown to require back-doors and security holes to be implemented in proprietary software like Microsoft Windows so that they can more easily spy on their targets. Furthermore, centralization and lock-in to services like Facebook and others has made them prime targets for dragnet surveillance. This is part of why Free software is more important than before.

Free Unix!

Starting this Thanksgiving I am going to write a complete
Unix-compatible software system called GNU (for Gnu’s Not Unix), and
give it away free to everyone who can use it. Contributions of time,
money, programs and equipment are greatly needed.

To begin with, GNU will be a kernel plus all the utilities needed to
write and run C programs: editor, shell, C compiler, linker,
assembler, and a few other things. After this we will add a text
formatter, a YACC, an Empire game, a spreadsheet, and hundreds of
other things. We hope to supply, eventually, everything useful that
normally comes with a Unix system, and anything else useful, including
on-line and hardcopy documentation.

GNU will be able to run Unix programs, but will not be identical
to Unix. We will make all improvements that are convenient, based
on our experience with other operating systems. In particular,
we plan to have longer filenames, file version numbers, a crashproof
file system, filename completion perhaps, terminal-independent
display support, and eventually a Lisp-based window system through
which several Lisp programs and ordinary Unix programs can share a screen.
Both C and Lisp will be available as system programming languages.
We will have network software based on MIT’s chaosnet protocol,
far superior to UUCP. We may also have something compatible
with UUCP.

Who Am I?

I am Richard Stallman, inventor of the original much-imitated EMACS
editor, now at the Artificial Intelligence Lab at MIT. I have worked
extensively on compilers, editors, debuggers, command interpreters, the
Incompatible Timesharing System and the Lisp Machine operating system.
I pioneered terminal-independent display support in ITS. In addition I
have implemented one crashproof file system and two window systems for
Lisp machines.

Why I Must Write GNU

I consider that the golden rule requires that if I like a program I
must share it with other people who like it. I cannot in good
conscience sign a nondisclosure agreement or a software license
agreement.

So that I can continue to use computers without violating my principles,
I have decided to put together a sufficient body of free software so that
I will be able to get along without any software that is not free.

How You Can Contribute

I am asking computer manufacturers for donations of machines and money.
I’m asking individuals for donations of programs and work.

One computer manufacturer has already offered to provide a machine. But
we could use more. One consequence you can expect if you donate
machines is that GNU will run on them at an early date. The machine had
better be able to operate in a residential area, and not require
sophisticated cooling or power.

Individual programmers can contribute by writing a compatible duplicate
of some Unix utility and giving it to me. For most projects, such
part-time distributed work would be very hard to coordinate; the
independently-written parts would not work together. But for the
particular task of replacing Unix, this problem is absent. Most
interface specifications are fixed by Unix compatibility. If each
contribution works with the rest of Unix, it will probably work
with the rest of GNU.

If I get donations of money, I may be able to hire a few people full or
part time. The salary won’t be high, but I’m looking for people for
whom knowing they are helping humanity is as important as money. I view
this as a way of enabling dedicated people to devote their full energies to
working on GNU by sparing them the need to make a living in another way.

For more information, contact me.
Arpanet mail:
RMS@MIT-MC.ARPA

Usenet:
…!mit-eddie!RMS@OZ
…!mit-vax!RMS@OZ

US Snail:
Richard Stallman
166 Prospect St
Cambridge, MA 02139

PRISM – the effect

Another week with NSA and PRISM news has gone by, and now the reactions and comments start to take on more substance and show that people have had the time to reflect on the various issues, rather than just posting knee-jerk headlines.

John Naughton had an interesting comment in the Guardian, where he points out that you can check out, but never leave: we are simply too used to, too entangled with, maybe even addicted to the services provided by the big Internet actors. Between the companies mentioned in the NSA slide, pretty much everybody is somehow covered. (Maybe Richard Stallman has managed to escape; however, he is probably encrypting his e-mails, and is thus up for extra scrutiny.)

Another interesting article, by James Risen and Nick Wingfield of the New York Times, points out the revolving door between Silicon Valley tech companies and the surveillance industry. They give the example of Max Kelly, the chief security officer for Facebook, who was recruited by the NSA, and also several Silicon Valley startups which are either funded by or selling to the NSA/CIA.

Finally, and most welcome, is the Anti-PRISM campaign, a joint effort by several European Pirate Parties. They clearly and concisely point out the dangers posed to privacy and democracy by government surveillance. The language and demands contain a certain irony towards the US, noting that Europe should become “a worldwide beacon for digital rights and privacy protection, government transparency and whistleblower protection” (referencing America’s 19th century goal of becoming “a beacon to the world”).

Their demands are clear political and regulatory goals. It’s a great opportunity for these parties to grow beyond the copyright infringement fight, show that they have a broader political agenda, and gain more mainstream support. I’m guessing the two main points to watch are: first, the “uncovering of the facts”, which gives a concrete proposal to form a European Parliament committee to investigate the details of the PRISM program and how it relates to EU states; second, the point about repealing the Data Retention Directive. It mentions that three countries have already rejected this 2006 directive in national courts. It will be interesting to see if the latest news and politics will have an effect on other EU countries as well.

Privacy – A great opportunity for Free software, and funny news

It has been an entertaining week in the privacy and security headlines. Since the NSA stories broke last week, protecting ourselves from state surveillance suddenly became mainstream. We’ll see if that lasts, but at the very least the topic is on the table now. Security and privacy are no longer the domain of conspiracy theorists, but one of many points in a cost/benefit analysis of which service or software to use.

Perhaps the best thing to come out of this story is the raised awareness of alternative software and services which put users’ freedoms first. A critical part of that is Free software, which allows users to inspect the software which runs on their devices and control who is given access to what. Taking that to the Internet, there are many solutions which give users greater control, security and privacy than central providers do.

The site prism-break.org has been set up to list some of these alternatives. However, it seems it has become so popular that it often fails to load. Other privacy-centric services have also seen a significant increase in users, like the search engine DuckDuckGo, which promises not to track users’ search queries.

Other headlines have been more on the funny or cute side: As expected, somebody called for the impeachment of Obama (at least he didn’t smoke cigars). Then there was the Mozilla letter which asks Congress to “stop watching us”. It is of course a valid request, but it might have been taken a bit more seriously if it wasn’t for the teenage troll-board 4chan being listed as its first signer (due to the organizations being listed alphabetically, with numbers sorting before letters). Finally, there’s the hero at the centre, a 29-year-old with the cool name Snowden. He was the NSA contractor who revealed the awfully designed PowerPoint presentations, and has now fled to Hong Kong. As somebody pointed out: Never had I believed I would live to see the day when an American citizen would seek political asylum in China.

NSA surveillance – business as usual

This week saw two interesting, and supposedly shocking, stories about the scale of the US government’s Internet surveillance. It started on Thursday with the news that the phone operator Verizon had been ordered to hand over all meta-data on its customers’ communications to the NSA. The following day, a different program was revealed, leaked by means of a terribly amateurish-looking PowerPoint slide deck, which showed that the NSA had direct access to all customer data and content from all the major Internet service providers, including Google, Facebook, Microsoft, and more.

The reaction to the first story is interesting in that it involves only meta-data. The same type of data collection was enacted in law by the EU in the 2006 Data Retention Directive. This directive was no secret at the time, and the scrimmage in individual member countries which started to implement it a few years back was mostly about who would pay for it: the Internet and phone providers, or the government. At any rate, by now any EU citizen should expect this kind of system to be in place. It is therefore somewhat ironic when the US press pretends that there are stronger privacy protections in place on their side. The last decade has for the most part shown the opposite to be true.

The second story, about the full content access, should be no big surprise either. A similar story broke seven years ago, although it was and still is considered “warrantless”. Another example from the post-9/11 era is the Information Awareness Office, which despite heavy criticism in 2002 still lives on. And even before that, it has always been speculated that the US government, through the CIA, NSA, FBI or other TLAs, was listening in on phone and Internet communication. Take for example the ECHELON project, which has probably been around since the Cold War era. It was investigated by a committee of the European Parliament, which amongst other things concluded: “the existence of a global system for intercepting communications, operating by means of cooperation proportionate to their capabilities among the USA, the UK, Canada, Australia and New Zealand under the UKUSA Agreement, is no longer in doubt”.

So why the outrage just now? We don’t have to look further than The Guardian’s summary: “Obama defends secret NSA surveillance programs – Insists surveillance is essential for national security.” In that light, it no longer seems like a coincidence that two completely separate NSA programs were leaked on two consecutive days. As a political cheap shot, it seems to have worked very well. What’s more, Obama took the bait, and swallowed it hook, line and sinker.

So even though these stories are akin to declaring water wet, from a privacy and security point of view it is useful that more people are made aware of, and start to ponder, the risks of the information systems we surround ourselves with. We just have to make sure that the outrage is directed towards the right institutions, and that any change is implemented where users need it. Voting, joining a political party, and working for change within that system is definitely a noble goal; however, it will unfortunately not protect your data any time soon. Asking the various ISPs and service providers to improve their security, encrypt our data, and not hand it over to the government is also appropriate. It’s just that they are required by law to hand over data, so we cannot trust that not to happen.

The only way to make sure your own data is secure from government hands, and be aware of any requests that might be made against it, is to store it yourself. If you are storing something they are after, that will of course not stop them from knocking on your door, but at the very least you will know.

The right response to these stories is not blind rage, resignation, or declaring defeat. Rather it should be to decentralize: avoid large-scale services that are single points of failure. Build and maintain your own systems, based on free and open source software, so you can be confident that no warrantless access is granted. Make sure data is encrypted, communication is encrypted and signed, and nothing flies in plaintext over the Internet. If you are dealing with sensitive information, maybe as a lawyer, as a doctor, or in a secret business deal, anything else is simply incompetent, or possibly gross negligence.

Police “decrypts” your phone

CNET has an interesting article about how warrants to access suspects’ mobile phones are handled by two of the big mobile OS providers: Apple and Google. Focusing on Apple, the article mentions cases where the police have to wait for Apple to perform the unlocking, while Google “resets the password and further provides the reset password to law enforcement”.

From a technical perspective, it is not clear what kind of unlocking is performed: whether it is the SIM code, the screen lock, or the account password. It is interesting that the article mentions decryption, but it is probably a misunderstanding, or wrong wording: Android phones do not use encrypted storage by default, and in fact, if you have a model with a removable memory card, you can read that in any SD card reader. Accessing the embedded phone storage is also easy if the phone is already unlocked (using fastboot / adb). iPhones do not use encrypted storage by default either, to the best of my knowledge. The article does indeed state that “It’s not clear whether that means Apple has created a backdoor for police [...], or whether it simply is more skilled at using the same procedures available to the government.”

From a privacy and security point of view, it is clear that it is irrelevant what the default security setting is: it simply cannot be trusted to perform the task a user would expect. Rather, one should take matters into one’s own hands, and use software that has been proven not to contain backdoors for the police or others. The only option is free and open source software, which has been vetted by security experts and the community.

Cell phone privacy guide for Android

The Pirate Party of Canada has a nice list of applications and add-ons for Android phones which enhance security and privacy. It boils down to