The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer rely on the random number generators in Intel's and VIA's chips, on the grounds that the NSA has likely weakened these opaque hardware systems in order to ease surveillance. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, under which the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks.
James writes, "Following on Eben Moglen's mind-warping series of talks about life after Snowden, the Software Freedom Law Center has invited Bruce Schneier to join Eben for a conversation informed by Bruce's own analysis of the leaked documents. Bruce is one of the smartest thinkers around when it comes to understanding how security and surveillance operate in the real world. And he is unsurpassed at presenting complicated security concepts even to people who lack his expertise. Between Moglen's sophisticated thoughts and Bruce's grounded approach, we're sure to learn a lot about where we stand and what we can do next!"
The latest (unstable) build of Cyanogenmod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, created by Open WhisperSystems. Open WhisperSystems' chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the Cyanogenmod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to integrate with whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over normally insecure SMS. It requires that both parties be using TextSecure, of course -- if you send a TextSecure message to someone without secure messaging, the message falls back to unencrypted text.
K sez, "Many holiday gifts are trojan horses that will spy on their recipients, prevent them from doing what they want with their device, or maybe even block access to their favorite books or music. Thankfully, the Free Software Foundation is proud to introduce a map through this minefield: the 2013 Giving Guide. The Giving Guide features gifts that will not only make your recipients jump for joy; these gifts will also protect their freedom."
Elizabeth Stark writes, "We're pleased to announce the Device Freedom Prize: a crowdfunded reward for the first developer(s) who release an open source iOS 7 jailbreak. Providing users the ability to control their devices is crucial in an age where we're increasingly dependent on our mobile phones. An open source jailbreak provides users the capability to install what they want on their own devices, the ability to audit the code they're using to do so, and enables disabled users to more easily use their devices."
"We've assembled a judging panel of awesome folks that care a lot about these issues, including Boing Boing's own Cory Doctorow; Kyle Wiens, CEO of iFixit; Biella Coleman, Professor and Author of Coding Freedom, and Chris Maury, Accessibility Advocate. Contribute to the prize to help make an open source iOS jailbreak a reality."
MetaBrainz is the charity that oversees MusicBrainz, a free/open music metadata service that has gained in popularity since Gracenote took all the audio metadata its users keyed in by hand and enclosed it, denying access to all but the top bidders. MusicBrainz is free to use, but offers a premium, higher-availability service for commercial operators, like Amazon.
For three years now, MetaBrainz has been chasing an unpaid invoice at Amazon. MetaBrainz is a tiny, charitable nonprofit that relies on grants and donations for the majority of its operating capital, but commercial operators are also key to its survival. And MusicBrainz is an integral part of the plumbing of the Internet at this point, a powerful check against any one player achieving dominance through a chokehold on a key resource.
So MetaBrainz sent Amazon headquarters a birthday cake, celebrating the third birthday of good ol' invoice #144. As a volunteer board member for the charity, I'd mightily appreciate it if someone at Amazon would take the time to nudge this invoice through the system.
We just delivered this to @amazon HQ in honor of a 3 year overdue invoice. Can we please get this mess fixed? --ruaok
Nicole writes, "The Tides Foundation is pleased to announce the 2014 Antonio Pizzigati Prize for Software in the Public Interest. The prize annually awards a $10,000 cash grant to an individual who has created or led an effort to create an open-source software product of significant value to the nonprofit sector and movements for social change."
Those nominated for the prize should have developed a software product that is open source, as defined by the Open Source Initiative, is easily and widely available, and has already demonstrated its value to at least one nonprofit organization. Better still, it should be a product that can be of value to multiple nonprofit organizations.
The Pizzigati Prize honors the brief life of Tony Pizzigati, an early advocate of open source computing, and seeks software developers who create, for free public distribution, open source applications and tools that nonprofit and advocacy groups can put to good use. We welcome both applications from and nominations for single individuals. Applicants will be evaluated on a range of criteria by an advisory panel that includes past winners of the Prize. Please visit our website for more information: http://www.tides.org/impact/awards-prizes/pizzigati-prize/. The deadline for applications or nominations is Friday, December 6, 2013.
Bryan Cantrill from Joyent explains why the company expects engineers not to use gendered pronouns in documentation: "empathy is a core engineering value—and that an engineer that has so little empathy as to not understand why the use of gendered pronouns is a concern almost certainly makes poor technical decisions as well."
A Symantec researcher has discovered a worm that runs on embedded Linux systems, like those found in set-top boxes and routers. It's common for owners of these devices to forget about them, letting them run in the background for as long as they don't misbehave -- and as a result, they are often out of date. The worm, called Linux.Darlloz, attacks out-of-date Linux installations running on Intel hardware (a small minority in the embedded systems world), but it would not be hard to modify it to attack embedded Linuxes on other chips.
In addition to being out of date, many of these systems have "forever day" bugs that will never be patched by their vendors, making them especially hard to secure. The anonymously authored "Internet Census 2012: Port scanning /0 using insecure embedded devices" showed that a dedicated attacker could compromise well over a million devices without much work, recruiting them to run unprecedented denial of service attacks (I wonder if anyone's thought of using this method for mining Bitcoins?).
As the researcher Ang Cui has demonstrated, embedded systems attacks are especially pernicious because it's difficult to boot them from known-good sources. Once an attacker compromises your router, printer, or set-top box, she can reprogram it to give the appearance of accepting updates without actually installing them, meaning that the system can never be provably restored to your control.
The details of Linux.Darlloz show a much more primitive and unambitious attack, but it hints at a pretty frightening future for the compromised Internet of Things (I wrote a short story about this, called "The Brave Little Toaster").
Two weeks ago, the one-click Cyanogenmod installer hit the Google Play store, making it possible to switch from the stock Android operating system to a more free, more open version without any special expertise. Yesterday, Google asked Cyanogenmod to remove the installer, because using it voids your device's warranty. I've downloaded other apps from the Play Store that root your device and void the warranty, so this seems like very selective enforcement to me.
In any event, Cyanogenmod's installer can be "sideloaded" onto your device without going through the Play Store (one of the advantages of Android is that it doesn't attempt to prevent you from installing unapproved software). Hundreds of thousands of people used the Play Store version, and we can hope that it remains in use, even without Google's official support.
In the New Yorker, James Surowiecki looks to Erik Brynjolfsson and Andrew McAfee's forthcoming book The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies for a discussion of one of the major problems with using GDP as a means of assessing the economic health of a nation. Because GDP uses the dollar value of all transactions as a proxy for economic vibrancy, it discounts to zero any productivity improvements that result in expensive things becoming free. For example, if every technology company has to license a Microsoft operating system for every one of its servers and products, that's great for GDP: it adds billions to the national bottom line. But when GNU/Linux comes along and zeros out the cost of operating systems for your data center and embedded systems, GDP drops.
But the impact on the nation is a net positive: first, because existing products get cheaper as they no longer include a Microsoft tax; second, because new products and services emerge that would not have been profitable/possible with the Microsoft tax included. It's not great for Microsoft, its employees, suppliers, and shareholders, but their pain -- which is real and terrible -- is dwarfed by the wider benefit.
Rogue archivist Carl Malamud writes, "Something pretty rare happened last week. City officials of Chicago got together with hackers from around the country to unveil a vastly better new online version of the Chicago City Code. Public.Resource.Org worked with the City to make bulk data available, the folks at the OpenGov Foundation turned that into the popular States Decoded format that folks are using in DC, Virginia, San Francisco, and other locations around the country. The code, the data, and the formats are all open source and we were there to celebrate the unveiling and encourage volunteers in Chicago to take it even further."
Jonathan Worth sez, "Four years ago when I first opened my photography classes online the big issue was 'free' - if you 'give your classes away for free then no one will pay for them'. My answer to those people was that the classes weren't what people paid for - they paid for the learning experience, of being in the room - this online version - this open and connected version just meant that the room they paid to be in now sat at the middle of a network. And that network is now significant. Yesterday it trended on Twitter - I don't know many classes that do that."
Cyanogenmod Installer is a one-click Android app that unlocks your bootloader, roots your device, and flashes Cyanogenmod's OS onto it. Cyanogenmod is a free/open fork of Android in which much of the proprietary Google elements have been replaced by open equivalents, giving you lots more customizability and privacy on your device. For example, the Cyanogenmod device-locating feature lets you find your phone, but makes it much harder for third parties to track you using the same feature. The company raised $7M in venture capital in September, and this is the first serious change to the OS since then, and it's a huge improvement. Previously, installing Cyanogenmod was pretty tricky and arcane, which was a huge barrier to adoption. Now you can download an app from the Play Store and install with one click.
Tristan from OpenPixel sez, "You might have heard that bees are dropping like flies. When we realised the implications of this (which everyone should look into, because it's serious) we borrowed some ideas from the WikiHouse project and applied them to bees - i.e. low cost, distributed, open source manufacturing."