Brian Krebs proposes that software vendors should be forced to pay a bounty on all newly discovered vulnerabilities in their products at rates that exceed those paid by spy agencies and criminal gangs. He says that the bill for this would be substantially less than one percent of gross revenues, and that it would represent a massive overall savings when you factor in the cost to all the businesses and individuals who are harmed by security vulnerabilities. He doesn't explain what to do with popular free/open software, though, which has no vendor revenue to draw the bounty from.
Joly sez, "After Glenn Greenwald first received his stash of secret documents from Edward Snowden, one of the first people he consulted was security expert, cryptographer, and writer Bruce Schneier, who helped him review and digest the documents. A few weeks back we saw Bruce give a briefing on Capitol Hill in Washington DC, where he advised lawmakers to rein in the NSA, and the Internet community to pro-actively design countermeasures. On December 12 2013, as a follow up to his Snowden and the Future talk series Eben Moglen hosted A conversation with Bruce Schneier at Columbia Law School. They talked about what we can learn from the Snowden documents, the NSA's efforts to weaken global cryptography, and how we can keep free software tools from being subverted."
Help transcribe on Amara
Android privacy just got a lot better. The 4.3 version of Google's mobile operating system now ships with a hidden permission-manager activity, App Ops, that lets you override the permissions requested by the apps you install. So if you download a flashlight app that wants to harvest your location and phone ID, you can install it, and then use a small launcher app like AppOps Launcher to open that hidden screen and tell Android to withhold the information. App Ops is not an advertised or documented feature, so don't count on it behaving the same way across versions.
Peter Eckersley, a staff technologist at the Electronic Frontier Foundation, has written up a good explanation of how this works, and he attributes the decision to competitive pressure from iOS, which allows users to deny location data to apps, even if they "require" it during the installation process.
I think that's right, but not the whole story: Android has also always labored under competitive pressure from its free/open forks, like Cyanogenmod.
The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer use the random number generators in Intel and VIA's chips (Intel's RDRAND instruction and VIA's Padlock engine) as a direct source for the kernel's random device; their output is instead mixed into FreeBSD's Yarrow-based pool alongside other entropy sources. The reasoning is that the NSA may well have weakened these opaque hardware generators to ease surveillance, and an on-die RNG cannot be audited from the outside: a backdoored one produces output that looks exactly as random as an honest one. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, wherein the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks.
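The design principle behind the FreeBSD decision is that a hardware RNG should be one input to an entropy pool, never the sole source of output. The following Python sketch, added here as an illustration and not FreeBSD's own code (FreeBSD uses Yarrow; this is a deliberately minimal hash-based pool with made-up source names), shows why: a backdoored source that the attacker can predict determines the derived key on its own, but once an independent source is hashed into the same pool the attacker's control is lost. The "hardware RNG" here is a constructed stand-in that returns a fixed pattern; real RDRAND output would look random, which is exactly the point.

```python
import hashlib
import hmac
import os


class EntropyPool:
    """Minimal entropy pool in the spirit of Yarrow/Fortuna (simplified, not
    FreeBSD's implementation): every source is hashed into a running state,
    and output is derived from that state with a keyed hash, so an attacker
    who controls one source learns nothing unless they control every source."""

    def __init__(self, label: bytes = b"demo-pool"):
        self._state = hashlib.sha256(label).digest()
        self._counter = 0

    def mix(self, source_name: str, data: bytes) -> None:
        # Domain-separate each source with its name and length so identical
        # bytes from two different sources cannot cancel out (raw XOR mixing
        # would let an adversarial source do exactly that).
        self._state = hashlib.sha256(
            self._state
            + source_name.encode()
            + len(data).to_bytes(4, "big")
            + data
        ).digest()

    def extract(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            out += hmac.new(
                self._state, self._counter.to_bytes(8, "big"), hashlib.sha256
            ).digest()
        # Ratchet the state forward so a later compromise of the pool cannot
        # be rolled back to recover output that was already handed out.
        self._state = hashlib.sha256(b"ratchet" + self._state).digest()
        return out[:n]


def backdoored_hw_rng(n: int) -> bytes:
    """Constructed stand-in for a hardware RNG whose designer can predict its
    output. A real backdoor would not be this obvious; the pattern is fixed
    here only so the effect on the derived key is visible."""
    return bytes([0x42] * n)


def derive_key(hw_rng, extra_sources, n: int = 32) -> bytes:
    """Derive n key bytes from the hardware RNG plus any extra (name, bytes)
    sources, all mixed through one pool."""
    pool = EntropyPool()
    pool.mix("hwrng", hw_rng(32))
    for name, data in extra_sources:
        pool.mix(name, data)
    return pool.extract(n)


def demo():
    # Trusting the hardware RNG alone: two machines derive the same key,
    # and so would anyone who knows the backdoor.
    alone_a = derive_key(backdoored_hw_rng, [])
    alone_b = derive_key(backdoored_hw_rng, [])
    # Mix in an independent source (os.urandom stands in for interrupt timing,
    # disk latency and the like): the backdoored source no longer decides the key.
    mixed_a = derive_key(backdoored_hw_rng, [("interrupts", os.urandom(32))])
    mixed_b = derive_key(backdoored_hw_rng, [("interrupts", os.urandom(32))])
    return alone_a == alone_b, mixed_a != mixed_b


if __name__ == "__main__":
    same_when_alone, differs_when_mixed = demo()
    print("hw RNG alone -> identical keys:", same_when_alone)
    print("hw RNG + independent source -> distinct keys:", differs_when_mixed)
```

The converse holds too: if the independent sources are weak and the hardware RNG is honest, the pool is still as strong as the hardware RNG. Mixing only ever adds; that is why feeding RDRAND through the pool costs nothing in the honest case and saves you in the dishonest one.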
James writes, "Following on Eben Moglen's mind-warping series of talks about life after Snowden, the Software Freedom Law Center has invited Bruce Schneier to join Eben for a conversation informed by Bruce's own analysis of the leaked documents. Bruce is one of the smartest thinkers around when it comes to understanding how security and surveillance operate in the real world. And he is unsurpassed at presenting complicated security concepts even to people who lack his expertise. Between Moglen's sophisticated thoughts and Bruce's grounded approach, we're sure to learn a lot about where we stand and what we can do next!"
The latest (unstable) build of CyanogenMod (a free/open version of Android) incorporates a secure, encrypted SMS program called TextSecure, which was created by Open WhisperSystems. Open WhisperSystems' chief engineer is the respected cryptographer and privacy advocate Moxie Marlinspike, and the source for the CyanogenMod integration is open and available for inspection and scrutiny. The new encrypted SMS is designed to work underneath whatever SMS app you use on your phone, and allows for extremely private, interception- and surveillance-resistant messaging over the normally insecure SMS channel. It requires that both parties be using TextSecure, of course: if you send a TextSecure message to someone without secure messaging, the message will fall back to unencrypted text, so the sender has to check that the conversation is actually encrypted rather than assume it.
K sez, "Many holiday gifts are trojan horses that will spy on their recipients, prevent them from doing what they want with their device, or maybe even block access to their favorite books or music. Thankfully, the Free Software Foundation is proud to introduce a map through this minefield: the 2013 Giving Guide. The Giving Guide features gifts that will not only make your recipients jump for joy; these gifts will also protect their freedom."
Elizabeth Stark writes, "We're pleased to announce the Device Freedom Prize: a crowdfunded reward for the first developer(s) who release an open source iOS 7 jailbreak. Providing users the ability to control their devices is crucial in an age where we're increasingly dependent on our mobile phones. An open source jailbreak provides users the capability to install what they want on their own devices, the ability to audit the code they're using to do so, and enables disabled users to more easily use their devices."
"We've assembled a judging panel of awesome folks that care a lot about these issues, including Boing Boing's own Cory Doctorow; Kyle Wiens, CEO of iFixit; Biella Coleman, Professor and Author of Coding Freedom, and Chris Maury, Accessibility Advocate. Contribute to the prize to help make an open source iOS jailbreak a reality."
Is iOS7 jailbroken yet?
MetaBrainz is the charity that oversees MusicBrainz, a free/open music metadata service that has gained in popularity since Gracenote took all the audio metadata its users keyed in by hand and enclosed it, denying all but the top bidders access to it. MusicBrainz is free to use, but has a premium, higher-availability service for commercial operators, like Amazon.
For three years now, MetaBrainz has been chasing an unpaid invoice at Amazon. MetaBrainz is a tiny, charitable nonprofit that relies on grants and donations for the majority of its operating capital, but commercial operators are also key to its survival. And MusicBrainz is an integral part of the plumbing of the Internet at this point, a powerful check against one player achieving dominance through a chokehold on a key resource.
So Metabrainz sent Amazon Headquarters a birthday cake, celebrating the third birthday of good ol' invoice #144. As a volunteer board member for the charity, I'd mightily appreciate it if someone at Amazon would take the time to nudge this invoice through the system.
We just delivered this to @amazon HQ in honor of a 3 year overdue invoice. Can we please get this mess fixed? --ruaok
Nicole writes, "The Tides Foundation is pleased to announce the 2014 Antonio Pizzigati Prize for Software in the Public Interest. The prize annually awards a $10,000 cash grant to an individual who has created or led an effort to create an open-source software product of significant value to the nonprofit sector and movements for social change."
Those nominated for the prize should have developed a software product that is open-source, as defined by the Open Source Initiative, and easily and widely available, and has already demonstrated its value to at least one nonprofit organization. Better still, it should be a product that can be a value to multiple nonprofit organizations.
The Pizzigati Prize honors the brief life of Tony Pizzigati, an early advocate of open source computing and seeks software developers who create, for free public distribution, open source applications and tools that nonprofit and advocacy groups can put to good use. We welcome both applications from and nominations for single individuals. Applicants will be evaluated on a range of criteria by an advisory panel that includes past winners of the Prize. Please visit our website for more information: http://www.tides.org/impact/awards-prizes/pizzigati-prize/. The deadline for applications or nominations is Friday, December 6, 2013.
Antonio Pizzigati Prize for Software in the Public Interest
Bryan Cantrill from Joyent explains why the company expects engineers not to use gendered pronouns in documentation: "empathy is a core engineering value—and that an engineer that has so little empathy as to not understand why the use of gendered pronouns is a concern almost certainly makes poor technical decisions as well."
A Symantec researcher has discovered a worm that runs on embedded Linux systems, like those found in set-top boxes and routers. It's common for owners of these devices to forget about them, letting them run in the background for as long as they don't misbehave, and as a result they are often out of date. The worm, called Linux.Darlloz, gets in through an old, long-patched PHP bug in the web interface that unpatched devices still expose; the variant found in the wild targets Intel x86 hardware (a small minority in the embedded world), but it would not be hard to rebuild it for the ARM, MIPS and PowerPC chips that most of these devices actually use.
In addition to being out-of-date, many of these systems have "forever day" bugs that will never be patched by their vendors, making them especially hard to secure. The anonymously authored "Internet Census 2012: Port scanning /0 using insecure embedded devices" showed that a dedicated attacker could compromise well over a million devices without much work, recruiting them to run unprecedented denial of service attacks (I wonder if anyone's thought of using this method for mining Bitcoins?).
As the researcher Ang Cui has demonstrated, embedded systems attacks are especially pernicious because it's difficult to boot them from known-good sources. Once an attacker compromises your router, printer, or set-top box, she can reprogram it to give the appearance of accepting updates without actually installing them, meaning that the system can never be provably restored to your control.
The details of Linux.Darlloz show a much more primitive and unambitious attack, but it hints at a pretty frightening future for the compromised Internet-of-Things (I wrote a short story about this, called "The Brave Little Toaster").
Two weeks ago, the one-click Cyanogenmod installer hit the Google Play store, making it possible to switch from the stock Android operating system to a more free, more open version without any special expertise. Yesterday, Google asked Cyanogenmod to remove the installer, because using it voids your device's warranty. I've downloaded other apps from the Play Store that root your device and void the warranty, so this seems like a very selective enforcement to me.
In any event, Cyanogenmod's installer can be "sideloaded" into your device without having to go through the Play Store (one of the advantages of Android is that it doesn't attempt to prevent you from installing unapproved software). Hundreds of thousands of people used the Play Store version, and we can hope that it remains in use, even without Google's official support.
In the New Yorker, James Surowiecki looks to Erik Brynjolfsson and Andrew McAfee's forthcoming book The Second Machine Age: Work, Progress, and Prosperity in a Time of Brilliant Technologies for a discussion of one of the major problems with using GDP as a means of assessing the economic health of a nation. Because GDP uses the dollar-value of all transactions as a proxy for economic vibrancy, it discounts to zero any productivity improvements that result in expensive things becoming free. For example, if every technology company has to license a Microsoft operating system for every one of its servers and products, that's great for GDP: it adds billions to the national bottom line. But when GNU/Linux comes along and zeros out the cost of operating systems for your data-center and embedded systems, GDP drops.
But the impact on the nation is a net positive: first, because existing products get cheaper as they no longer include a Microsoft tax; second, because new products and services emerge that would not have been profitable/possible with the Microsoft tax included. It's not great for Microsoft, its employees, suppliers, and shareholders, but their pain -- which is real and terrible -- is dwarfed by the wider benefit.
Rogue archivist Carl Malamud writes, "Something pretty rare happened last week. City officials of Chicago got together with hackers from around the country to unveil a vastly better new online version of the Chicago City Code. Public.Resource.Org worked with the City to make bulk data available, the folks at the OpenGov Foundation turned that into the popular States Decoded format that folks are using in DC, Virginia, San Francisco, and other locations around the country. The code, the data, and the formats are all open source and we were there to celebrate the unveiling and encourage volunteers in Chicago to take it even further."