
Wednesday, January 7, 2015

Goodbye Linux Advocates. Hello World.



I've decided to close Linux Advocates.  It started out fun but turned into something else.

People matter to me.  There's a Big World out there and Linux is one small facet of my life.

I'll continue to hang out on Google Plus and, if the spirit moves me, write something on my personal website.

Thanks to all the LA Contributors.

So, Goodbye Linux Advocates.  Hello World. -- Dietrich


Monday, January 5, 2015

Comments Pre-Moderation is Now Off. Let the Cage Fight Begin.



It's 2015, last I checked.  I have set comments to post without pre-moderation.  Which is to say, you can write whatever you wish and it will post directly to DISQUS.

If you are well behaved, things will be fine.  Otherwise, I will 'shoot and ask questions later'. ;)

Let the Cage Fight begin! -- Dietrich


P.S.
I am looking for writers.  If you have the chops, send an email to:
dietrich@linuxadvocates.com

Tuesday, December 30, 2014

Fedora Does Real World Work. Debian is for Hobbyists



It's interesting to watch the pace of change with Linux on the Desktop.

Want technology on the leading edge?  Fedora is here today with best of breed solutions, all of which merge to Red Hat Enterprise Linux, the largest commercial Linux Distribution in the World.

Fedora was first to implement systemd.

Fedora is first with a robust implementation of state of the art technologies including rpm-ostree and Docker on their Project Atomic platform.  And, Cockpit eases the process of managing servers and containers in the cloud via a unified web management interface.

You see, at release 21, Fedora split into server, workstation, and cloud divisions.

The transition was amazingly uneventful, due to Red Hat's senior guidance and the incredibly hard work done by the Fedora Team coordinated with upstream GNOME Project.

Fedora takes what they do very seriously and when it comes to meeting target milestones, they galvanize into action and meet them in a timely business-like fashion. 

Every time Debian runs into delays, that pushes back the milestones of Canonical's Ubuntu, which hitched its wagon to Debian, and the delays get passed in turn down the line to the rest of the Ubuntu derivatives, which hitched their wagons to Ubuntu.  It's a serious problem, particularly for Canonical Ltd., who are trying to run a business.

No, the real work is done by Red Hat/Fedora in the business world.  No messing around.  No divisiveness, stalling, stonewalling.  Tasks move along with rhythm and cadence, all oarsmen stroking to a beat, following directions and executing them as ordered in synchronous precision.


Debian is the proverbial speed-bump on the road to innovation and with an 18 month release cycle nothing gets done in a hurry.

Debian devotees won't like to read this but, Debian isn't behaving like a professional Distro should.  They allow themselves the luxury of procrastination and all the while 'make pretend' some highly technical issue must be considered before embarking on any kind of work.  I call it 'work avoidance'.  Because, that is really what it is under a veil of techno-speak designed to obfuscate what is or isn't really happening in their hallowed organization.  If they are to survive, a radical change must be made to their release management policy.

The real world can't afford to behave like 'hobbyists'.  The real world won't wait.  Debian is falling farther behind, but that's okay as far as they are concerned.

The work will get done.  Eventually.  


Fedora does the real-world work.  Debian is for hobbyists.  -- Dietrich

Wednesday, December 24, 2014

Merry Christmas

Currier and Ives Winter (Image credit: familychristmasonline.com)

Merry Christmas Folks.  -- Dietrich


Sunday, December 21, 2014

What Difference Does it Make if I Use Chrome vs. Firefox?

Free Mozilla Firefox Open Source Web Browser


What difference does it make if I use Chrome vs. Firefox?

Transparency:

Transparency, as used in science, engineering, business, the humanities and in a social context more generally, implies openness, communication, and accountability. Transparency is operating in such a way that it is easy for others to see what actions are performed. It has been defined simply as "the perceived quality of intentionally shared information from a sender". For example, a cashier making change after a point of sale transaction by offering a record of the items purchased (e.g., a receipt) as well as counting out the customer's change on the counter demonstrates transparency.

Google chose to make Chrome, as distinguished from its open source counterpart Chromium, proprietary, non-open source.  Their decision to exclude public access to the software's code was intentional and designed to place the end-user at a 'disadvantage'.

Should the public have a right to participate in oversight of software's source code that runs on their personal computers?  The answer is an emphatic yes.

If an end-user chooses proprietary solutions, they leave themselves open to exploitation in some fashion.  The licensing terms restrict inspection, so the true functionality of the software cannot be vetted as being devoid of 'rogue code' or of hidden, unmaintained software defects which, if unpatched, could leave said software in a vulnerable state.



Global Crime Rings find defects and then sell exploit kits on the black market for as yet unpatched 'Zero Day Exploits'.  The likelihood that an unpatched software defect will remain unnoticed increases when using proprietary software.


Most often Linux open source is updated with a downloadable patch within a matter of hours of discovery.  If on the other hand the end-user is running Microsoft Windows Legacy, a patch may never come if the vulnerability remains hidden, unnoticed by Microsoft programming staff, or, at best will be corrected on 'Patch Tuesday', once a month by Microsoft.


The point I hope readers get from this post is this:  

With open source code maintenance, it is difficult at best for an exploitable software 'bug' to go unnoticed for an extended period of time, and it is near-impossible to merge 'rogue code' into a developer team's git repo tree which gets reviewed by many peers around the globe.

The World can and will thrive if we all share, each and every one of us.  It is our human nature to do so.  Without sharing, we will continue to see great exploitation by proprietary business and government which results in human inequality and suffering.

Make a statement which is powerful.  Demand openness.

Insist on and be selective by using only open source software.

Open Source and free Firefox can be downloaded here.  -- Dietrich


Friday, December 19, 2014

Using Extensible Blockchain to Sign Digital Documents and Copyrighted Materials



It should be apparent to anyone who has watched the progress of Bitcoin that it behaves as a virtual commodity.  It also is fungible in that one Bitcoin can be exchanged for an equal quantity anywhere in the World.

The success of bitcoin comes from its Blockchain software design.

Every Bitcoin has a unique signature that follows it through its travels from one Wallet to another.  That 'fingerprint' never goes away and remains an indelible and essential property.

The bitcoin's ownership cannot be transferred from one owner more than once, much as a Dollar with a unique serial number is physically exchanged on a transaction.  The serial number follows the life of that dollar and is always associated with it at any point in time.

So, we see clearly that bitcoin does indeed work, and we see indirectly that the underlying extensible blockchain can be applied to other scenarios.

Digital Legal documents, copyrighted documents, books, images, videos, audio files all can benefit from using the blockchain technology.

Imagine if the MPAA and RIAA dispensed with their legal campaign to protect copyrighted works and turned to blockchain technology.

In a blockchain server for music for example, each discrete copy of an 'album' or 'song' would contain an embedded fingerprint to live with the copyrighted material for its entire life in the music equivalent of a bitcoin 'ledger'.

That discrete quantity would then become protected by its identity in the global ledger as is the case for bitcoin.  And that music could not be dispensed twice or its in-built encrypted ledger cross-check would return an error to stop the work from being used in more than one instance.

Music might be a blockchain with attributes only for transfer of ownership of just once.

Other kinds of documents might lend themselves to having ownership transferable multiple times, such as works of art.

This is my thought process and I hope that we as a global society move in this direction.  It affords solutions to reduce and eliminate much of the current costs imposed on businesses which need to protect their copyrighted and Legal materials and eliminate theft of said materials entirely.

-- Dietrich
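To make the proposal above concrete, here is an added Python model of a hash-chained ledger that records a work's fingerprint (the SHA-256 of its bytes) and applies a per-work transfer policy: a song registered with a limit of one transfer, a work of art with no limit.  This is example code written for this page, not Bitcoin's design nor any existing ledger software; the entry layout, the `max_transfers` policy field and the sample owners and byte strings are all constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict

GENESIS = "0" * 64  # prev_hash of the first entry


def fingerprint(content: bytes) -> str:
    """The 'embedded fingerprint' of a work: SHA-256 of its bytes."""
    return hashlib.sha256(content).hexdigest()


@dataclass
class Entry:
    index: int
    kind: str               # "register" or "transfer"
    work: str               # fingerprint of the work this entry concerns
    owner: str              # owner after this entry is applied
    max_transfers: int      # policy fixed at registration; -1 means unlimited (assumed field)
    prev_hash: str          # hash of the previous entry, which chains the ledger
    hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("hash")
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: list[Entry] = []

    def _append(self, kind: str, work: str, owner: str, max_transfers: int) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        entry = Entry(len(self.entries), kind, work, owner, max_transfers, prev)
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def _history(self, work: str) -> list[Entry]:
        hist = [e for e in self.entries if e.work == work]
        if not hist:
            raise KeyError("unregistered work")
        return hist

    def register(self, content: bytes, owner: str, max_transfers: int) -> str:
        """Record a work once; a second registration of the same bytes is refused."""
        work = fingerprint(content)
        if any(e.work == work for e in self.entries):
            raise ValueError("work already registered")
        self._append("register", work, owner, max_transfers)
        return work

    def current_owner(self, work: str) -> str:
        return self._history(work)[-1].owner

    def transfer(self, work: str, from_owner: str, to_owner: str) -> None:
        """Move ownership; only the current owner may do so, within the policy limit."""
        hist = self._history(work)
        if hist[-1].owner != from_owner:
            raise PermissionError("only the current owner may transfer")
        limit = hist[0].max_transfers
        if limit >= 0 and len(hist) - 1 >= limit:
            raise ValueError("transfer limit reached")
        self._append("transfer", work, to_owner, limit)

    def verify(self) -> bool:
        """Recompute every hash and link; any edited entry breaks the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.index != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True


def attempt(fn, *args) -> str:
    """Run fn(*args); return 'ok' or the name of the exception it raised."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    ledger = Ledger()
    song = ledger.register(b"constructed song bytes", "label", max_transfers=1)
    art = ledger.register(b"constructed artwork bytes", "artist", max_transfers=-1)
    print(attempt(ledger.transfer, song, "label", "alice"))    # ok
    print(attempt(ledger.transfer, song, "alice", "bob"))      # ValueError
    print(attempt(ledger.transfer, art, "artist", "gallery"))  # ok
    print(ledger.verify())                                     # True
```

The design point the model makes visible: the fingerprint only proves which bytes were registered, and the chain only proves the ledger was not edited after the fact.  Neither stops someone from copying the bytes themselves, so the 'cannot be dispensed twice' property only holds for players or services that consult the ledger before use.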

Do Smartwatches Make You Stupid?

Smartwatches (Image credit: theregister.co.uk)

The implied advertisement subliminal message:  "You need this.  You can't live without it."

The newest wave of technology apparatus has reached American soil.  Among the many offerings now come smartwatches.

Yes, they not only look smart, but, they are smart in the sense of having none other than a built in computer -- literally.

I don't know about you, but when I come home at night, I take my analog Timex watch off and leave it on the dresser where it stays until the next day.

Yet, I too am the same person who in the 70's was the first to buy an LED watch.  I have always been a 'sucker' for technology.  Was then.  Am now.

So, how important is it to have a smartwatch?  Will it change my life for the better?  Is it a fad?  And if so, what will it be replaced by in the next technology wave?

These are things I think about.  I haven't had a bad case of techno-lust for quite some time.  Not since 2007 CES did I experience a bad case of it.

That was the year of Nokia's N95 smartphone.  It was also the year for the introduction of Apple's first smartphone, the iPhone.

I didn't hesitate to buy the N95.  It was (and still is in many respects) the best technology I'd ever seen or wanted.

The price $800 wasn't an obstacle.  It's all about want vs. need.  I wanted it.

Do I feel anything akin to that today?  Nope.  In fact, I don't like most smartphones.  I'd rather have a phone with buttons personally.  I miss that aspect of the N95.

But time marches on.  Here come the smartwatches.  And now a new young generation swells with lust to have.  Their focus diverts from the smartphone.

Will the smartphone get left behind?  I don't think so.

But I am not convinced smartwatches will be anything like as large a market as smartphones are.

So, is using a Smartwatch stupid?  I argue for the point that it is, unless someone can convince me otherwise.

If I need to carry any form of computing on my person, it will remain the smartphone if I can locate a decent one that lives up to my expectations.

Smartwatches aren't something that represents a life changer like the smartphone.  They're just proof that we can put silicon wafer chips into smaller and smaller form factors, that's all.  And I don't need to prove that by wearing one.

-- Dietrich


Thursday, December 18, 2014

Your Browser: A General Purpose Remote Code Execution Tool

Google Chrome web browser security warning message


I've been reviewing the current state of Internet Privacy.

It's still a mixed bag and my conclusion is that it will remain so for quite some time.

Efforts to provide Internet Privacy are varied, depending on which ISP is employed.

The primary means for conveyance to a target website to do any kind of task is the web browser.

To put security risk into context, the web browser is a remote code execution tool.

Yep.  Let that sink in for a minute.

Wherever the user goes, the browser is set to 'trust' a remote stream of bytes which get 'interpreted' as program instructions on your PC by the web engine.

Sounds quite troubling when you think about it really.

I mean, your browser is one big catcher's mitt and absorbs everything it sees in an attempt to execute instructions sent from a remote web server.

So, this catcher's mitt is by default a 'security risk'.

Different software vendors take different approaches to the responsibility of writing their software in a manner that ensures it should always operate securely.

For example, Internet Explorer on Microsoft Windows is written by Microsoft and employs 'protected mode', something akin to a software sandbox, but technically isn't one.

Google Chrome for Windows is designed with a quasi-sandbox by Google Engineers.  But they have publicly stated it cannot stop certain kinds of exploits (Javascript DLL injection) from successfully executing and gaining administrative control on Legacy Windows.  This is a fact.

But, that isn't really my point.  In each software project some 'defensive' coding has or has not taken place.

I've reported in the past that, where Fedora Linux is concerned, users running Firefox, the default installed browser, are placed in a 'real' sandbox, called Linux Security Modules (LSM) and the particular module used by Fedora is SELinux.

From a security standpoint, this is a prime differentiator between Linux and Windows.

An exploit may propagate on Windows running Chrome.  It will never propagate using Linux with SELinux.

The word 'never' comes with a catch.  You see, the browser's memory space is 'fair game', and various code, Java, Javascript, can execute remotely, exposing certain parts of your running PC.

In theory, nothing bad should happen and it is assumed that code in the browser PID will never escalate to the Admin level.

But what it is doing in its own memory space is an open question.  The issue of cross site scripting remains an unsolved problem.

In this context, if a user chooses to employ a browser-based security tool designed to protect their local PC, this sets up the conditions for trouble: a 'fictional' exploit may, for example, attempt to steal a local browser's in-memory private keys for encryption.

So, you see, I am revising my thinking.  I'm not sure any more about using the browser for any kind of security.  It's that risky.

Using compiled, well maintained free standing open source security applications is entirely a different matter.

For example, I have Gmail.  But I don't use the browser client to access it.
I use GNOME Shell's integrated Evolution Email client, which is also used to prepare outgoing mail using GnuPG (OpenPGP) encryption.

The PID for decoding/encoding gmail runs in Evolution's local memory space, not in a browser.  Once the email is encrypted and signed, it is then and only then sent, and a copy gets stored (IMAP) on the Gmail web server, in PGP encrypted form.

That's a routine process I feel confident in completely.

The notion that other software vendors can fork GnuPG and refactor it in Javascript troubles me.  This is precisely what Google is doing in their End-to-End encryption project, currently in Alpha.

The whole end to end encryption runs as javascript in the browser.
That puts the whole premise of security in the hands of the browser.

It's not acceptable.  Even now, I am rethinking how MEGA works.  Again, here, there is secureboot.js code running in your browser.

I believe there has to be a total segregation from the browser for any kind of security tool client application.  It must be compiled.  It must be open source and it must employ upstream industry standard GnuPG OpenPGP.

The browser will always be a target for attack.  Always.  Letting it also run your security is a fundamental mistake.  -- Dietrich
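The post's SELinux argument rests on the browser process actually running in a confined domain, and that is something to check rather than assume: on a Fedora host the type field of a process's label (the third colon-separated field in `ps -eZ`) tells you whether SELinux confines it at all.  Below is an added Python checker written for this page, not Fedora's or Mozilla's code; it parses `ps -eZ` output and flags processes in `unconfined_t`.  The sample output embedded in it is constructed, and its two `firefox` rows exist only to show the confined and unconfined cases side by side; the PIDs and labels are not from any real host.

```python
import subprocess
from typing import NamedTuple, Optional

# Constructed sample of `ps -eZ` output (not captured from a real host).
SAMPLE_PS_EZ = """\
LABEL                                                 PID TTY          TIME CMD
system_u:system_r:init_t:s0                             1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023               812 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2045 ?        00:01:13 firefox
unconfined_u:unconfined_r:mozilla_t:s0-s0:c0.c1023    2099 ?        00:00:04 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2200 pts/0    00:00:00 bash
"""

# Domains in which the targeted policy places essentially no restriction on a process.
UNCONFINED_DOMAINS = {"unconfined_t", "unconfined_service_t"}


class Proc(NamedTuple):
    pid: int
    cmd: str
    domain: str
    confined: bool


def parse_ps_ez(text: str) -> list[Proc]:
    """Parse `ps -eZ` output into (pid, cmd, domain, confined) records."""
    procs = []
    for line in text.splitlines()[1:]:            # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        label, pid, cmd = parts[0], parts[1], parts[-1]
        fields = label.split(":")                 # user:role:type[:range]
        if len(fields) < 3 or not pid.isdigit():  # e.g. a bare '-' label on unlabeled procs
            continue
        domain = fields[2]                        # the type is the process domain
        procs.append(Proc(int(pid), cmd, domain, domain not in UNCONFINED_DOMAINS))
    return procs


def unconfined(procs: list[Proc], cmd: Optional[str] = None) -> list[Proc]:
    """Processes running outside any confined domain, optionally for one command name."""
    return [p for p in procs if not p.confined and (cmd is None or p.cmd == cmd)]


def enforcing() -> Optional[bool]:
    """True/False for enforcing/permissive; None when SELinux is not available here."""
    try:
        with open("/sys/fs/selinux/enforce") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return None


def live_ps_ez() -> Optional[str]:
    """Real `ps -eZ` output, or None where ps does not support -Z or is missing."""
    try:
        out = subprocess.run(["ps", "-eZ"], capture_output=True, text=True, check=True)
        return out.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = live_ps_ez() or SAMPLE_PS_EZ       # falls back to the constructed sample
    procs = parse_ps_ez(text)
    print("SELinux enforcing:", enforcing())
    for p in unconfined(procs, "firefox"):
        print(f"pid {p.pid} {p.cmd} runs in {p.domain}: not confined by SELinux")
```

Run on a real host, an empty result for `firefox` together with `enforcing()` returning `True` is what the post's 'real sandbox' claim requires; a `firefox` row in `unconfined_t` means the policy is not restricting that process, whatever the global mode says.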

Saturday, December 13, 2014

Kim DotCom Facing Down a Death Sentence Without a Trial

Kim Schmitz aka Kim DotCom


Many of the readers of this story know of Kim Schmitz aka Kim DotCom.  It's a mix of either great respect or contempt depending on what is understood about him.

There is an untold story about him that needs to be recorded as to what happened to his MegaUpload website.

MegaUpload was a popular file sharing website up to a few years ago when it was summarily ordered to be taken down by the U.S. Federal Government.

As Kim recently said, the MegaUpload case is "a death sentence without a trial".

He has managed to remain out of jail in New Zealand up to now but his financial resources have dwindled.  In the time spent since MegaUpload's take down, Mr. Schmitz formed Mega, the technological embodiment of change necessary to avoid MegaUpload ever happening again.

Mega is now in full production offering 50 gigabytes of free cloud storage space.

What sets it apart from other cloud ISPs?

MEGA employs Zero Knowledge end-to-end encryption (ZKE) and a MEGAsync graphical drag/drop files client to 100% guarantee privacy.

What the technology also affords is the very thing whose absence took down MegaUpload in the first place: plausible deniability.  ZKE ensures Mega knows nothing about your data.  It is just an encrypted block of data.

Mr. Schmitz was assumed guilty of being complicit with illicit file sharing activities, alleged to have occurred on MegaUpload.  Today, he still maintains his innocence but a legal case is pending.

Despite his adversities, he has somehow managed to achieve what few others have.  Cloud storage can and should be a safe choice.  Your data and meta data on the Internet are presumed to be yours and only yours.  They belong to no one else.  Mega, the fruit of Mr. Schmitz' labors, is a resounding success.

In reality, few ISPs offer such guarantees.

Mr. Schmitz just put up on his personal website a Whitepaper which is a 'must read'.  It tells the untold story of what happened to MegaUpload.

Kim DotCom Twitters a message to let the public know about his just published whitepaper


Here is part of the whitepaper's opening Executive Summary:

The criminal prosecution of Megaupload and Kim Dotcom is purportedly the “largest copyright case in history,” involving tens of millions of users around the world, and yet it is founded on highly dubious legal principles and apparently propelled by the White House’s desire to mollify the motion picture industry in exchange for campaign contributions and political support.
The U.S. government’s attack on the popular cloud storage service Megaupload and the dramatized arrest of Kim Dotcom, the company’s principal founder – together with the seizure of all their worldwide assets – represents one of the clearest examples of prosecutorial overreach in recent history. One day after the U.S. Congress failed to enact the controversial Stop Online Piracy Act (SOPA), the executive branch of the U.S. government commandeered Megaupload in a coordinated global take-down, and drew battle lines between digital rights advocates, technology innovators and ordinary information consumers on the one side, and Hollywood and the rest of the Copyright Lobby on the other.
Megaupload operated for seven years as a successful cloud storage business that enabled tens of millions of users around the world to upload and download content of the users’ own choosing and initiative. The spectrum of content ran from (to name just a few) family photos, artistic designs, business archives, academic course work, legitimately purchased files, videos and music, and – as with any other cloud storage service – some potentially infringing material. Despite Megaupload’s lawful uses, the U.S. government has charged the company and its executives under the Racketeer Influenced and Corrupt Organizations (RICO) Act, and has branded the company, its personnel and its tens of millions of users a “criminal enterprise” dedicated solely to infringing U.S. copyright laws.
The U.S. government’s case against Megaupload is grounded in a theory of criminal secondary copyright infringement. In other words, the prosecution seeks to hold Megaupload and its executives criminally responsible for alleged infringement by the company’s third-party cloud storage users.  The problem with the theory, however, is that secondary copyright infringement is not – nor has it ever been – a crime in the United States. The federal courts lack any power to criminalize secondary copyright infringement; the U.S. Congress alone has such authority, and it has not done so.
As such, the Megaupload prosecution is not only baseless, it is unprecedented. Although the U.S. government has previously shut down foreign websites engaged in direct infringement, such as the sale or distribution of infringing material, never before has it brought criminal charges against a cloud file storage service because of the conduct of its users. Thus, the Megaupload case is the first time the government has taken down a foreign website – destroying the company and seizing all of the assets of its owners (and the data of its users), without so much as a hearing – based on a crime that does not exist.

Clearly, there was a baseless rush to judgment without any legal due process of law.  In fact, there was total disregard for protective mechanisms in our U.S. Constitution that should have resulted in Mr. Schmitz being presumed "innocent until proven guilty".

Dear Reader, we live in very troubled times and I would dare say at this time we don't have much in the way of Constitutional rights which are negated by special Supreme Court Judicial powers that ignore the Constitution, the continuing presence of the Patriot Act, and the NDAA.

Thus, I feel obligated to share this developing story with you in order to shine the light on a 'wrong' dealt to a Man who has shown himself to be of great integrity and willing to stand up for his and your rights and fight back.

Please help Kim Schmitz by reading and sharing his whitepaper with Friends and Family, your state Senator and Congressman.  -- Dietrich

Tuesday, December 9, 2014

Linux Turla Malware Infection? Not Going to Happen.

cdoor.c - packet coded backdoor (credit: phenolit.de)
C'mon.  Here is yet another sensational report 'wishing' that Linux is infection prone.  It isn't, okay?

The SecureList authors imply that there is a Linux version of a known Windows malware, called Turla.  Conveniently, they call it a variant.

Where is the documentation for a Linux 'vector of infection'?  Oops, somehow, they forgot to include it.

Including the source code doesn't count as documentation for vector of infection.  It merely documents the program's purpose, not how it lands on a Linux PC.

On the other hand, one can visit Kaspersky to see it is well-documented for Windows.

This code simply isn't in any Linux repository.

That means one must intentionally deviate and go outside of the keyring-protected repo of applications 'into the wild' to obtain this rogue software.

By definition, a trojan requires one to install the application and then explicitly run it to have its 'payload' execute.

In the conclusion of the SecureList story, the authors wrote:

"Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet."

Paleeze.  This sensational reporting has got to stop.

Known to exist?  Based on what exactly?  Again, no details.

Folks, Fedora Linux is the safest operating system on the Planet.

I stake my reputation on it.  -- Dietrich


Sunday, December 7, 2014

Linux Distro Survey 2014

Final Results of Linux Distro Survey 2014

[Edit: Linux Distro Survey 2014 is closed.  See summary above. Details can be obtained by clicking the 'View results' link below.]

So, okay, it's been a while since I did a survey.  You know the drill.  Time to pick your brain.  


What is your favorite Linux Distribution?  [View results]