I think we need private and governmental bodies where people can submit complaints about security vulnerabilities.
Governmental body: Something like the CFPB but for security and privacy related concerns.
Private watchdog groups: We also need an org that exists that can be notified whenever a security or privacy vulnerability is reported to a company. Such a group could keep track of info, be designated as a proxy to be provided with updates/responses on when and if a security or privacy vulnerability is being responded to, etc. And also have the ability to disclose to the public information about the vulnerability if the company fails to respond in certain ways and according to some guidelines. It would probably be good to have laws that allow some federal agency to set guidelines, similar to how the USPTO does with DMCA take down notices.
So cool -- I want to know more. Is anybody is selling these preflashed? Please send them our way! I would love to find out if they are good candidate for Free Software Foundation's Respect Your Freedom (RYF) computer hardware certification. Full disclosure I work with the FSF's licensing team.
Josh
This story and the hackaday story are confusing two different things.
The U-NII rules have already been passed and adopted this summer.
'
Seperately, there is a new proposal (a Notice of Proposd Rule Making) that the FCC published and is accepting comments on until October 9th. These proposed rules will effect all virtually all computers (laptops, phones, routers, etc) that have software that controls or sets certain parameters on wireless devices like wifi, bluetooth, etc. So for example, if your device could possibly modified so that it spoofs the region code information in the linux kernel so that it will cause the wifi chip to operate as though you were in Japan (and thus in ways not allowed in the US), the propsed rules by the FCC would require that the linux kernel be locked down such that the user can not install their own modifed versions of the kernel.
Please join the mailing list and collaborate with us on preparing comments, doing research, and related work on the Save WiFi wiki. You can also email me (jgay AT fsf DOT org) if you don't feel like engaging publicly or if you have any questions.
Whatever it is, I think it will be inside a mountain. Maybe there should be an digital computer version of the 10,000 year clock (mechanical not electrical) or something like the Svalbard Global Seed Vault.
Simple rules like not touching dead people or sick people? Simple rules, like not touching dead or sick people, and washing your hands regularly would have helped a lot more than "databases" and "global warning and response systems.
It is not reasonable to expect people to not touch dead or sick people and it is absurd to think that proper hand washing would prevent the transmission of Ebola. Ebola is primarily a caregivers disease because the people most likely to get it are those caring for someone near the end of their life. A person walking around with Ebola is unlikely to spread it to another person. And a person who is near the end of life and severely sick with Ebola is unlikely to be walking around. In most places on Earth, a person with Ebola would go to a hospital when their symptoms were very strong. When there aren't hospitals, though, then it will be family members that will help care for a person who starts to spike a fever and is becoming dehydrated due to the explosive diarrhea or projectile vomiting (or both) that they are having. And, people should care for one another, because most of the time, the symptoms of Ebola are indistinguishable from other common ailments a person might have. For some patients, at the very end of life, there might be other signs that are peculiar to Ebola, such as lesions, but this isn't always the case. But in any case, even in a hospital setting, if a person is projectile vomiting or having explosive diarrhea, then often it is not just simply a matter of properly washing ones hands to prevent infection. Lastly, if when a person dies of such conditions, they are likely covered in their own vomit and excrement and may on occassion even have open lesions on their skin. Properly cleaning the area of a sick person and preparing their body for burial is something that trained professionals with proper equipment should do. But, again, such professional services do not exist throughout much of rural West Africa, and so the job of cleaning, preparing a body, and burying a body falls on shoulders of the members of the family and household.
As Paul Farmer said: "The only formula we’ve come up with is the following: you can’t stop Ebola without staff, stuff, space and systems. And these need to reach not only cities but also the rural areas in which most people in West Africa still live."
One way to be more agile is to have more hospitals, equipment, and trained acute care physicans and nurses available to respond. It is much easier to have digital record systems if you have properly equiped hospitals and clinics that are connected to each other. Every nation should have properly equiped hospitals and on-site training programs—facilities that can emergency and critical care type situations, as well as mortuaries. Here are a couple of quotes from a recent article by Paul Farmer, one of the founders of Partners in Health that explains a little about the health systems of countries in West Africa:
Both nurses and doctors are scarce in the regions most heavily affected by Ebola. Even before the current crisis killed many of Liberia’s health professionals, there were fewer than fifty doctors working in the public health system in a country of more than four million people, most of whom live far from the capital. That’s one physician per 100,000 population, compared to 240 per 100,000 in the United States or 670 in Cuba. Properly equipped hospitals are even scarcer than staff, and this is true across the regions most affected by Ebola. Also scarce is personal protective equipment (PPE): gowns, gloves, masks, face shields etc. In Liberia there isn’t the staff, the stuff or the space to stop infections transmitted through bodily fluids, including blood, urine, breast milk, sweat, semen, vomit and diarrhoea. Ebola virus is shed during clinical illness and after death: it remains viable and infectious long after its hosts have breathed their last. Preparing the dead for burial has turned hundreds of mourners into Ebola victims.
He concludes the article stating:
Fifth, formal training programmes should be set up for Liberians, Guineans and Sierra Leoneans. Vaccines and diagnostics and treatments will not be discovered or developed without linking research to clinical care; new developments won’t be delivered across West Africa without training the next generation of researchers, clinicians and managers. West Africa needs well-designed and well-resourced medical and nursing schools as well as laboratories able to conduct surveillance and to respond earlier and more effectively. Less palaver, more action.
I think those kinds of whimsical discussions of a post-scarcity society are the kind of thing you might expect to hear in the MIT AI lab in the 1980s, which is where RMS was working at the time he wrote the GNU Manifesto. I've been volunteering for or working with the FSF for over a decade now and I have never been part of serious convesations in which we discussed preparing for a post-scarcity society or repairing robots. I kind of wish we did. We are always focused on the short term and practical goals that matter today or this year. It is kind of grinding. So, it is refreshing to lighten up a bit and think in terms of how the work we are doing today might be helpful to the **very** long term goals of humanity, even if it is just whimiscal conjecture and for fun.
Except that the Intel Microcode on the CPU has been wiped no Intel Microcode patches or updates are applied to the CPU on the Libreboot X200. So "it is free software and it continues to be free software?"
Benjamin Mako Hill has discussed invisible technology and ubiquitous computing. Hill observes that "The reason most people don't understand the power of technology is that they don't realize technology exists." Put another way, it is easy to not notice (or even forget about) matters of power, control, and autonomy that come along with any technology that is, "quite explicitly, mitigating and mediating our lives", when we aren't even noticing the technology we are interacting with and relying upon in the first place. In this talk he quotes, Marc Wiesner, who was a director of Computer Science at Xerox PARC and wrote a paper seen as the birth of "Ubiquitous Computing" that made a call for invisible computing, stating:
"A good tool is an invisible tool. By invisible, I mean that the tool does not intrude on your consciousness; you focus on the task, not the tool. Eyeglasses are a good tool -- you look at the world, not the eyeglasses. The blind man tapping the cane feels the street, not the cane. Of course, tools are not invisible in themselves, but as part of a context of use. With enough practice we can make many apparently difficult things disappear: my fingers know vi editing commands that my conscious mind has long forgotten. But good tools enhance invisibility."
Hill points out that one of the times we actually do notice technology is when it breaks. He also has a rather clever blog, Revealing Errors, in which he and other contributors "reveal errors that reveal technologies" so as to learn how they affect our lives.
Google has cached all of the magnet links from the pirate bay that I have searched for so far. Google seems do a really good job of providing a working archive of the pirate bay. Not sure how long that will last though.
If the FSF really want to do something useful, they should start with something smaller.
Our first products to recieve Repsects Your Freedom (RYF) certification (i.e., use of the RYF certification mark on their product) was the LulzBot 3D printer made by Aleph Objects, Inc. (the latest model is the TAZ). The next products we certified were wireless chipsets sold by ThinkPenguin. The latest company we worked with, Gluglug, came forward and submitted these laptops to us for certification, so we reviewed the work they did and then awarded them use of the RYF certification mark.
The kind of approach you discuss makes sense. But, should the FSF really be building and selling hardware? From what you are saying it sounds like, perhaps, you understand hardware a lot better than I do. As such, I hope you will launch a business to do the kinds of things you discuss. If you do, and you aim to sell hardware that meets our certification criteria, I'd be happy to talk with you about what we can do to help in terms of promotion or endorsement.
Thanks for the feedback.
Joshua Gay
Licensing & Compliance Manager
Free Software Foundation
The version of Coreboot is used has been substantially modified so as to remove all optional firmware and microcode updates from the source code. The certified version of the source and binary can be found here, http://ryf.fsf.org/
In the words of Bishop Desmond Tutu: "If you are neutral in situations of injustice, you have chosen the side of the oppressor. If an elephant has its foot on the tail of a mouse and you say that you are neutral, the mouse will not appreciate your neutrality."
In the words of Elie Wiesel: "I swore never to be silent whenever human beings endure suffering and humiliation. We must always take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented. "
In the words of Dante Alighieri: "The darkest places in hell are reserved for those who maintain their neutrality in times of moral crisis."
Buy the way, any change you make would have to be certified by the FCC as being compliant and that can be expensive.
I'm pretty sure this is not true. I recently read a tech topic blog on the FCC site that states,
WLAN was originally designed and developed as a home networking technology for nomadic users to wirelessly extend an Ethernet equivalent local area network (LAN) using shared communications media among a group of users through a wireless connection that operates at relatively short distances. WLAN uses license-exempt spectrum bands regulated by FCC rules, 47 C.F.R. Part 15.2 The FCC originally conceived the license-exempt bands to provide a no-cost slice of public access spectrum with only two provisions. First, the transmitter could cause no harmful interference to any nearby licensed services, and secondly, any receiver in this band must be able to accept any interference that may be present. Subsequently, the first wireless LAN was developed by the IEEE 802.11 standards committee (widely known as Wireless Fidelity or 'Wi-Fi' and 'Radio LAN') in 1997. Interestingly, the Wi-Fi standards were a response on the part of industry to the relatively restriction free use of the license-exempt spectrum allocation and rules.
But, even if you were right, it's important to know that you don't have to hack alone. You can work with others. Let's say you are worried some change you want to make could lead to some malfunction which would boost the signal. You could file a feature request to the project and see if someone else will make the change and test it. Or, if you make the change in code and are worried about installing it yourself, submit the patch upstream and see if others can review the code and test it for you. Just because things could potentially go wrong doesn't mean we should live in fear and abstain from using, fixing, or customizing our software.
Control your hardware, don't let it control you. =]
The FSF decided to investigate this AR9271 part. I'm not sure why.
The reason is because RYF certification is not simply done on software for a given chipset. RYF certification works by us entering into a formal agreement with a company that sells hardware. The agreement states that the company can display the RYF certification mark on all products that pass our testing and certification process so long as that company agrees to meet various requirements; we agree to do a limited amount of promotion on the product (press release, listing the product on our site, etc). In this case, the agreement is with ThinkPenguin and the product we tested and certified is the TPE-N150USB.
Over time we will certify more products and enter into agreements with more companies. I hope that people will come to trust the RYF certification mark and seek it out when looking to purchase computers and other hardware products — thus making it valuable to both the buyer and seller.
If you know a company selling devices with these other chipsets that support free firmware, or really any company selling hardware that supports 100% free software, please email us to let us know, and maybe send that company a link to FSF.org/RYF and encourage them to consider applying for certification.
In other words, hand them a literal truckload of paper. And not only have you complied with what they were asking of you, you've done your absolute best to give them all information you have or could procure pertaining to the case.
Problem solved.
I did give them a fair number of documents as a result of this subpoena. When I arrived at the court for testimony they issued me a second subpoena for evidence that narrowed the scope to just a few requests. Although I handed over no new additional information, it was certainly a clever way for them to quickly "sort" through the material.
I too was subpoenaed (note I redacted two names) for evidence and to testify before the grand jury that indicted Aaron. They were certainly fishing for a lot of information relating to Guerrilla Open Access. I'm not sure there was much that either Quinn or I could do to prevent the indictment. Although, I can say that on an emotional level rationalizing about the situation doesn't make it suck any less knowing that the evidence and testimony I provided was probably bastardized and used against him. Maybe I'll write up more about the whole thing some time.
This post is a little misleading. We think Secure Boot is OK so long as computer makers implement it in a way that it still allows a user to control his or her own computer. What we don't want computer makers to do is implement UEFI in such a way that a user is unable to sign their own software (e.g. bootloader) AND they are unable to turn Secure Boot off -- we call such an implementation Restricted Boot (because we want to emphasize that it instead of providing security, it exists to restrict a user from controlling his or her own device). We hope that computer makers will choose to implement UEFI in a way that truly does provide security and control, and many are implementing Secure Boot in this way.
Joshua Gay
Licensing & Compliance Manager
Free Software Foundation
I am flattered. However, the reality is that it took me months of work to put together this certification program, get a contract in place, and to make the announcement. I began talking with Aleph Objects, Inc. in April and had hoped get it completed by early summer. When we were wrapping things up at the end of the summer we did aim for getting it out by Maker Faire and the 3D printer summit because that would be good timing... but, I even missed that deadline.
Well, it can't be dismissed so easily, because they got the indictment through a federal grand jury. So, there was a whole other layer of bullshit tactics by the prosecution. I was subpoened for evidence and to testify before the USA vs Swartz grand jury. It was absolute bullshit.
If we want more female hackers in the future, then we shouldn't present our ideas in a way that makes it seem like we assume all hackers in the future will be male. Also, I know a lot of openly gay hackers, so I find the title of the article dumb for that reason as well.
Slashdot Mirror
The greater the return!
I think we need private and governmental bodies where people can submit complaints about security vulnerabilities.
Governmental body: Something like the CFPB but for security and privacy related concerns.
Private watchdog groups: We also need an org that exists that can be notified whenever a security or privacy vulnerability is reported to a company. Such a group could keep track of info, be designated as a proxy to be provided with updates/responses on when and if a security or privacy vulnerability is being responded to, etc. And also have the ability to disclose to the public information about the vulnerability if the company fails to respond in certain ways and according to some guidelines. It would probably be good to have laws that allow some federal agency to set guidelines, similar to how the USPTO does with DMCA take down notices.
So cool -- I want to know more. Is anybody is selling these preflashed? Please send them our way! I would love to find out if they are good candidate for Free Software Foundation's Respect Your Freedom (RYF) computer hardware certification. Full disclosure I work with the FSF's licensing team. Josh
This story and the hackaday story are confusing two different things. The U-NII rules have already been passed and adopted this summer. ' Seperately, there is a new proposal (a Notice of Proposd Rule Making) that the FCC published and is accepting comments on until October 9th. These proposed rules will effect all virtually all computers (laptops, phones, routers, etc) that have software that controls or sets certain parameters on wireless devices like wifi, bluetooth, etc. So for example, if your device could possibly modified so that it spoofs the region code information in the linux kernel so that it will cause the wifi chip to operate as though you were in Japan (and thus in ways not allowed in the US), the propsed rules by the FCC would require that the linux kernel be locked down such that the user can not install their own modifed versions of the kernel. Please join the mailing list and collaborate with us on preparing comments, doing research, and related work on the Save WiFi wiki. You can also email me (jgay AT fsf DOT org) if you don't feel like engaging publicly or if you have any questions.
Whatever it is, I think it will be inside a mountain. Maybe there should be an digital computer version of the 10,000 year clock (mechanical not electrical) or something like the Svalbard Global Seed Vault.
It is not reasonable to expect people to not touch dead or sick people and it is absurd to think that proper hand washing would prevent the transmission of Ebola. Ebola is primarily a caregivers disease because the people most likely to get it are those caring for someone near the end of their life. A person walking around with Ebola is unlikely to spread it to another person. And a person who is near the end of life and severely sick with Ebola is unlikely to be walking around. In most places on Earth, a person with Ebola would go to a hospital when their symptoms were very strong. When there aren't hospitals, though, then it will be family members that will help care for a person who starts to spike a fever and is becoming dehydrated due to the explosive diarrhea or projectile vomiting (or both) that they are having. And, people should care for one another, because most of the time, the symptoms of Ebola are indistinguishable from other common ailments a person might have. For some patients, at the very end of life, there might be other signs that are peculiar to Ebola, such as lesions, but this isn't always the case. But in any case, even in a hospital setting, if a person is projectile vomiting or having explosive diarrhea, then often it is not just simply a matter of properly washing ones hands to prevent infection. Lastly, if when a person dies of such conditions, they are likely covered in their own vomit and excrement and may on occassion even have open lesions on their skin. Properly cleaning the area of a sick person and preparing their body for burial is something that trained professionals with proper equipment should do. But, again, such professional services do not exist throughout much of rural West Africa, and so the job of cleaning, preparing a body, and burying a body falls on shoulders of the members of the family and household.
As Paul Farmer said: "The only formula we’ve come up with is the following: you can’t stop Ebola without staff, stuff, space and systems. And these need to reach not only cities but also the rural areas in which most people in West Africa still live."
He concludes the article stating:
I think those kinds of whimsical discussions of a post-scarcity society are the kind of thing you might expect to hear in the MIT AI lab in the 1980s, which is where RMS was working at the time he wrote the GNU Manifesto. I've been volunteering for or working with the FSF for over a decade now and I have never been part of serious convesations in which we discussed preparing for a post-scarcity society or repairing robots. I kind of wish we did. We are always focused on the short term and practical goals that matter today or this year. It is kind of grinding. So, it is refreshing to lighten up a bit and think in terms of how the work we are doing today might be helpful to the **very** long term goals of humanity, even if it is just whimiscal conjecture and for fun.
Except that the Intel Microcode on the CPU has been wiped no Intel Microcode patches or updates are applied to the CPU on the Libreboot X200. So "it is free software and it continues to be free software?"
Hill points out that one of the times we actually do notice technology is when it breaks. He also has a rather clever blog, Revealing Errors , in which he and other contributors "reveal errors that reveal technologies" so as to learn how they affect our lives.
Google has cached all of the magnet links from the pirate bay that I have searched for so far. Google seems do a really good job of providing a working archive of the pirate bay. Not sure how long that will last though.
If the FSF really want to do something useful, they should start with something smaller.
Our first products to recieve Repsects Your Freedom (RYF) certification (i.e., use of the RYF certification mark on their product) was the LulzBot 3D printer made by Aleph Objects, Inc. (the latest model is the TAZ). The next products we certified were wireless chipsets sold by ThinkPenguin. The latest company we worked with, Gluglug, came forward and submitted these laptops to us for certification, so we reviewed the work they did and then awarded them use of the RYF certification mark.
The kind of approach you discuss makes sense. But, should the FSF really be building and selling hardware? From what you are saying it sounds like, perhaps, you understand hardware a lot better than I do. As such, I hope you will launch a business to do the kinds of things you discuss. If you do, and you aim to sell hardware that meets our certification criteria, I'd be happy to talk with you about what we can do to help in terms of promotion or endorsement.
Thanks for the feedback.
Joshua Gay
Licensing & Compliance Manager
Free Software Foundation
The version of Coreboot is used has been substantially modified so as to remove all optional firmware and microcode updates from the source code. The certified version of the source and binary can be found here, http://ryf.fsf.org/
In the words of Bishop Desmond Tutu: "If you are neutral in situations of injustice, you have chosen the side of the oppressor. If an elephant has its foot on the tail of a mouse and you say that you are neutral, the mouse will not appreciate your neutrality."
In the words of Elie Wiesel: "I swore never to be silent whenever human beings endure suffering and humiliation. We must always take sides. Neutrality helps the oppressor, never the victim. Silence encourages the tormentor, never the tormented. "
In the words of Dante Alighieri: "The darkest places in hell are reserved for those who maintain their neutrality in times of moral crisis."
Buy the way, any change you make would have to be certified by the FCC as being compliant and that can be expensive.
I'm pretty sure this is not true. I recently read a tech topic blog on the FCC site that states,
WLAN was originally designed and developed as a home networking technology for nomadic users to wirelessly extend an Ethernet equivalent local area network (LAN) using shared communications media among a group of users through a wireless connection that operates at relatively short distances. WLAN uses license-exempt spectrum bands regulated by FCC rules, 47 C.F.R. Part 15.2 The FCC originally conceived the license-exempt bands to provide a no-cost slice of public access spectrum with only two provisions. First, the transmitter could cause no harmful interference to any nearby licensed services, and secondly, any receiver in this band must be able to accept any interference that may be present. Subsequently, the first wireless LAN was developed by the IEEE 802.11 standards committee (widely known as Wireless Fidelity or 'Wi-Fi' and 'Radio LAN') in 1997. Interestingly, the Wi-Fi standards were a response on the part of industry to the relatively restriction free use of the license-exempt spectrum allocation and rules.
2: See http://www.access.gpo.gov/nara/cfr/waisidx_07/47cfr15_07.html for the Part 15 rules. Note that the letter versions of the standards are not chronologically consistent since version (b) actually came before (a)!
But, even if you were right, it's important to know that you don't have to hack alone. You can work with others. Let's say you are worried some change you want to make could lead to some malfunction which would boost the signal. You could file a feature request to the project and see if someone else will make the change and test it. Or, if you make the change in code and are worried about installing it yourself, submit the patch upstream and see if others can review the code and test it for you. Just because things could potentially go wrong doesn't mean we should live in fear and abstain from using, fixing, or customizing our software.
Control your hardware, don't let it control you. =]
The FSF decided to investigate this AR9271 part. I'm not sure why.
The reason is because RYF certification is not simply done on software for a given chipset. RYF certification works by us entering into a formal agreement with a company that sells hardware. The agreement states that the company can display the RYF certification mark on all products that pass our testing and certification process so long as that company agrees to meet various requirements; we agree to do a limited amount of promotion on the product (press release, listing the product on our site, etc). In this case, the agreement is with ThinkPenguin and the product we tested and certified is the TPE-N150USB.
Over time we will certify more products and enter into agreements with more companies. I hope that people will come to trust the RYF certification mark and seek it out when looking to purchase computers and other hardware products — thus making it valuable to both the buyer and seller.
If you know a company selling devices with these other chipsets that support free firmware, or really any company selling hardware that supports 100% free software, please email us to let us know, and maybe send that company a link to FSF.org/RYF and encourage them to consider applying for certification.
In other words, hand them a literal truckload of paper. And not only have you complied with what they were asking of you, you've done your absolute best to give them all information you have or could procure pertaining to the case.
Problem solved.
I did give them a fair number of documents as a result of this subpoena. When I arrived at the court for testimony they issued me a second subpoena for evidence that narrowed the scope to just a few requests. Although I handed over no new additional information, it was certainly a clever way for them to quickly "sort" through the material.
I too was subpoenaed (note I redacted two names) for evidence and to testify before the grand jury that indicted Aaron. They were certainly fishing for a lot of information relating to Guerrilla Open Access. I'm not sure there was much that either Quinn or I could do to prevent the indictment. Although, I can say that on an emotional level rationalizing about the situation doesn't make it suck any less knowing that the evidence and testimony I provided was probably bastardized and used against him. Maybe I'll write up more about the whole thing some time.
This post is a little misleading. We think Secure Boot is OK so long as computer makers implement it in a way that it still allows a user to control his or her own computer. What we don't want computer makers to do is implement UEFI in such a way that a user is unable to sign their own software (e.g. bootloader) AND they are unable to turn Secure Boot off -- we call such an implementation Restricted Boot (because we want to emphasize that it instead of providing security, it exists to restrict a user from controlling his or her own device). We hope that computer makers will choose to implement UEFI in a way that truly does provide security and control, and many are implementing Secure Boot in this way.
Joshua Gay
Licensing & Compliance Manager
Free Software Foundation
Your point is well taken, but please note that the FSFE is not the FSF, so the example does not apply.
The whole point is that lock picking is fun!
I am flattered. However, the reality is that it took me months of work to put together this certification program, get a contract in place, and to make the announcement. I began talking with Aleph Objects, Inc. in April and had hoped get it completed by early summer. When we were wrapping things up at the end of the summer we did aim for getting it out by Maker Faire and the 3D printer summit because that would be good timing ... but, I even missed that deadline.
Well, it can't be dismissed so easily, because they got the indictment through a federal grand jury. So, there was a whole other layer of bullshit tactics by the prosecution. I was subpoened for evidence and to testify before the USA vs Swartz grand jury. It was absolute bullshit.
If we want more female hackers in the future, then we shouldn't present our ideas in a way that makes it seem like we assume all hackers in the future will be male. Also, I know a lot of openly gay hackers, so I find the title of the article dumb for that reason as well.