NSA: Please Turn off the Lights When You Leave. Nothing to See Here.

Linux Advocate Dietrich Schmitz shows how the general public can take action to truly protect their privacy using GnuPG with Evolution email. Read the details.

Mailvelope for Chrome: PGP Encrypted Email Made Easy

Linux Advocate Dietrich Schmitz officially endorses what he deems is a truly secure, easy to use PGP email encryption program. Read the details.

Step off Microsoft's License Treadmill to FOSS Linux

Linux Advocate Dietrich Schmitz reminds CIOs that XP Desktops destined for MS end of life support can be reprovisioned with FOSS Linux to run like brand new. Read how.

Bitcoin is NOT Money -- it's a Commodity

Linux Advocate shares news that the U.S. Treasury will treat Bitcoin as a Commodity 'Investment'. Read the details.

Google Drive Gets a Failing Grade on Privacy Protection

Linux Advocate Dietrich Schmitz puts out a public service privacy warning. Google Drive gets a failing grade on protecting your privacy.

Email: A Fundamentally Broken System

Email needs an overhaul. Privacy must be integrated.

Opinion

Cookie Cutter Distros Don't Cut It

Opinion

The 'Linux Inside' Stigma - It's real and it's a problem.

U.S. Patent and Trademark Office Turn a Deaf Ear

Linux Advocate Dietrich Schmitz reminds readers of a long ago failed petition by Mathematician Prof. Donald Knuth for stopping issuance of Software Patents.

Tuesday, June 24, 2014

Extensible Blockchain for a New Digital Rights Management Standard



When I was younger and had a true passion for music as most kids do, I went out and bought the traditional Long Playing (LP) record, brought it home, tore off the shrink wrap, and mounted the LP on the platter of my hi-fi system, kicked up and enjoyed listening usually with a beer in hand. (Image credit: Wikipedia.org)

Nobody was trying to steal music at the time.  There was really no way to copy an LP without expensive reel-to-reel stereo playback systems and the price of such equipment was a barrier to even trying to dub a copy. (Image right credit: Wikipedia.org)


The music industry enjoyed a long period of profitability through the 70's until the advent of compact cassette tapes. (Image credit: Wikipedia.org)

The music industry naturally began producing music on cassettes, first 8 track, then mini-cassettes which became more common.

When the first integrated chip solid-state stereo system came out, I had to have it.  I even went into debt, maxing out my credit card, the American Way.  Nobody knew what integrated chips were in the late 70's, but I did.  I even got a matching cassette deck from the same manufacturer with magneto actuated drives.  It was convenient to take the LPs I had purchased and dub them onto a blank cassette so I could listen to them on my new cassette stereo car radio.  That was fun and it seemed 'reasonable' to me and I never felt I was stealing anything.


Of course, the music industry caught onto the fact that some were 'abusing' the privilege of dubbing in an effort to steal copyrighted material.  The abuse was there waiting to happen and only needed a 'technology' to happen.  That was cassettes and the beginning of Digital Rights Management (DRM) began to form in the minds of the MPAA RIAA industry giants. (Image Credit: Wikipedia.org)


During the early 80's SONY introduced BetaMAX cassettes for video recording along side a competing VHS cassette format.  The latter won out as the 'de facto' format for video entertainment and became ubiquitous overnight.  In America,  everyone had a VHS player and the video rental industry exploded.  Soon, the MPAA began releasing movies on VHS cassette.  There was money to be made.  But the potential for 'black market' boot leg copies of cassettes was there.  It grew because it was relatively easy to dub one cassette to another in mass production style once the criminals got their hands on the same production equipment used by the MPAA.  Something had to be done.  Enter the CD-ROM. (Image credit: Wikipedia.org)


During the 90's both the MPAA and RIAA dropped LP and cassettes in favor of CD-ROM.
Putting music albums and movies on CDs was exceedingly profitable.  Of course, as the personal computer became cheaper, inclusion of a CD drive became standard equipment.

So, the urge to copy music and videos never really went away with the death of cassettes.  The momentum might have slowed, but a rebound during the 90's was seen in an overnight explosion of a new multimedia music format: mp3.  It was a compact, lossy format, which made audio files relatively small and thus convenient for download before broadband became prevalent.  In these days, 56k modems were as much bandwidth as one could get.  In the absence of broadband, there was no practical way to download very large CD iso image files.  So, that curbed copying CDs over the Internet.  But mp3 websites flourished.

If you wanted to find a copy of any song, it only took a few minutes to locate an mp3 on the Internet.  It was free for the download.  But that didn't last more than a year or so before aggressive Congressional legal action was taken against websites distributing pirated music.

In the end, the RIAA won out.  Then, in subsequent years, came along formats which allowed copying videos from CD.  Windows Media Format (wmv), Audio Video Format (avi) were perhaps the most popular until a superior format MPEG/4 came along.  As computer hardware and software became more sophisticated and the n'er-do-wells found ways around standard CD copyright protection, it became child's play to rip a copy of any CD or newer higher capacity Digital Video Disc (DVD) using decoder software utilities.

Very quickly, the criminals learned that they could set up servers 'off shore' shielded from legal action since there weren't treaties (yet) in place that would allow an MPAA or RIAA to legally pursue individuals internationally.


Websites like The Pirate Bay soon became dominant players (facilitators, accessories to the crime) in the theft of music, video and other copyrighted materials.

Theft of licensed music and movies was rampant.  It became a veritable 'free-for-all' where one could easily find any music, any video in minutes, simply download and consume without legal recourse. (Image credit: Wikipedia.org)


It has only been during the last five years or so that the RIAA/MPAA have been successful in introducing new laws on the books that make such theft illegal with severe fines.  They have enjoined ISPs to act as 'police' on the Internet gateways using deep packet inspection technology to detect when a theft is taking place.  The coordinated actions have been effective, but a costly deterrent.

Yet, as pirate websites relocate to avoid the long hand of the law and new technologies like Tor and BitTorrent decentralized Peer-to-Peer (P2P) with Distributed Hash Tables (DHT) are now coming into play, shielded by Secure Sockets Layer (SSL) tunnel encryption, it has become all the more difficult for the music and video industry to track down copyright violators who are learning and applying these new avoidance mechanisms.

The high cost to protect electronic copyrighted materials, i.e., music, video, ebooks, and the like, is being now being passed onto both distributors (like Pandora, Spotify, iTunes, Google Play) and legitimate consumers who want their music but must pay 'the pirate tax' reflected in higher prices.

An intricate web of Licensing and Cross-Licensing agreements made with distributing ISPs is mind-boggling and exacts a huge burden of operational overhead legal costs.

The MPAA/RIAA are not keeping pace with changes in technology.
DRM doesn't work.  It never will.

Let's go back to the LP.  Why did it work?  Because, by and large, nobody could dub a copy from the media, a vinyl record etched with wavy grooves.  It was effective and discouraged theft for many years.


A New DRM Solution


I read an interesting story a few months back in the Financial Times which really makes a lot of sense.

As many readers may know, Bitcoin is a relatively new technology and is classified as a cryptocurrency.  The technology essentially allows an electronic format (Wallet) to uniquely track, on a global basis, a quantity of value, with its own unique, secure fingerprint, guaranteed to never be duplicated.

I am an advocate of Bitcoin and have written about it here on LA and why it will grow explosively in the next year or so.  Bitcoin essentially behaves as a store of value, or, to be more precise, a commodity.  Oil, Corn, Copper, Wheat, Aluminum, Gold, Silver, Soybeans, all are commodities and 'trade' with a store of value brokered daily in their respective regulated trading markets.  Everyone is happy as the system works.  A quantity of said commodity is traded, bought, sold, in exchange for the respective country denominated
currency that represents its intrinsic fungible value at the point of trade.  It's fungible because a quantity of commodity can be moved and sold anywhere for its current value.


Bitcoin behaves this way because of its wallet properties.  Specifically, the underlying software uses something called a blockchain ledger which when embedded with a quantity of bitcoin guarantees that store of value uniquely and the owner of bitcoin stores a private encryption key to that bitcoin until they are ready to 'spend' it or, to be more technically correct, trade it.


Best of breed companies like Coinbase are positioning themselves as the 'middle-man', if you will, on the Internet, providing the needed 'go-between' from the consumer who holds a quantity of bitcoin in their wallet to facilitate purchases of participating web merchants who offer goods that can be now purchased with bitcoin.

The catch is, Coinbase is the 'middle-man' acting transparently to bridge a trade of your bitcoin, which they convert to your respective country's denominated currency, say  U.S. Dollars, which Coinbase then pushes (a legal IRS designated 'Currency Emitter') to the participating merchant in payment on behalf of the purchaser (you).

Wikipedia's definition for Fungibility:


Fungibility is the property of a good or a commodity whose individual units are capable of mutual substitution. For example, since one ounce of gold is equivalent to any other ounce of gold, gold is fungible. Other fungible commodities include sweet crude oil, company shares, bonds, precious metals, and currencies. Fungibility refers only to the equivalence of each unit of a commodity with other units of the same commodity. Fungibility does not relate to the exchange of one commodity for another different commodity.

That quantity of value moves from your Coinbase bitcoin wallet to the transaction broker (Coinbase) who now own that quantity of bitcoin.  You cannot reuse that bitcoin.  (Being a broker, Coinbase takes a small 'transaction discount' on your trade of bitcoin to them and that's where they profit.)

The key here is, nobody questions the secure electronic transfer of ownership.  It left your wallet and as far as you are concerned, payment for goods was made.


Blockchain Extensibility


Here's a passage from the Financial Times article Bitcoin is far more than a currency for speculators (subscription required) for your consideration:


"...Old-fashioned financial services are thus an obvious target for Bitcoin-like networks. But there could be wider applications in the future, as the technology evolves. Nakamoto’s use of cryptography to assign and transfer ownership of online tokens creates possibilities that reach beyond payments. 

One is the idea of “smart contracts”, suggested by Nick Szabo, a computer scientist and former law professor (Mr Szabo is among those suspected of being Mr Nakamoto, which he denies). They would be completed with cryptography – for example, by giving a person who buys a car digital keys. 
Another is that people could gain ownership rights to digital goods similar to physical ones – lending or trading them as they want. At the moment companies tend to restrict digital rights to online goods because they are so simple to replicate – one item can be copied millions of times from the original source. 
Bitcoin solves this for currencies – it provides a method for the effective transfer of ownership. Once a Bitcoin is handed to someone else, the first holder cannot spend it again. If the same kind of transfer were achieved for other digital items, ownership would be meaningful." (...)

Conclusion

The idea of having music, videos, books, art, writings, etc. embedded with blockchain in such a way that 'Smart Licensing' could be guaranteed as much as Bitcoin ownership is currently guaranteed, is worthy of consideration.

Making a new standard that extends blockchain to incorporate the other attributes needed for tracking copyrighted works would open up new wide-spread markets for different products and services as well as copyrighted and patentable works for the world.

The extensibility of blockchain.info to facilitate such is key.

Once such a presumed technology 'plugin' extension is thoroughly field tested and production ready, certified by the International Standards Organization (ISO), every entity using the technology could rely on the underlying functionality to guarantee uniqueness and ownership of electronic media of all kinds.

It would remove all doubt as to whether or not an item is registered to its proper owner or not.  This is the central issue and blockchain ledger extensibility is the solution.  Music, Video, legal contracts, books, software, could all be treated the same, theft would be eliminated as well, and as important, the current tremendous costs exacted for Digital Rights Management would no longer be necessary.

-- Dietrich


Sunday, June 22, 2014

Is it Okay to Disable SELinux or AppArmor?


I am flabbergasted at what some so-called, self-anointed 'Linux Experts' offer in the way of sound technical advice.

Take Igor Ljubuncic (aka Dedoimedo) for example.  He seems to be a smart guy and many look to him for reviews of Linux Distributions.  But, I tend to disagree with him about as much as I agree.

His latest story, Linux Mint vs. Ubuntu Security, spurred me to write this post and as it is more than a bit problematic and misguided, I take exception here to disagree with his security recommendation.

As we, in the IT business, should know, security is a process, not a thing.  The effectiveness of one Distro's security implementation may or may not be as good as another's.  And, how each Distro's developers choose to configure security isn't necessarily guided by good decision making.  In fact, I have written, many cookie-cutter clones, or spins if you will, inherit the bad design decisions of their parent Distro, which is one of my pet peeves for why cloning is not necessarily good for Linux at large.



It was causing problems so we disabled it

A response to resolving Linux Security Modules (LSM) issues often heard is the advice given to disable the 'offending' module entirely, when such errors arise.

Igor writes:


Aha, I knew it. There you go. Linux Mint does not ship with AppArmor or any profiles. Well, interesting, not. The thing is, security tools like Apparmor or SELinux are much like HIPS software in Windows. In other words, not necessary. Moreover, they usually cause more harm than good by blocking legitimate software from running. What we like to call the false positive, or fail publicly (FP).


Here, Igor takes it upon himself, despite the considerable design efforts put forth by Canonical Ltd. to provide enhanced LSM sandboxing technology, to marginalize the importance of such technology.  I find that rather irresponsible, given today's situation, what with world-wide rampant security exploitation and surveillance on the Internet growing by leaps and bounds.

No, I am afraid Igor is giving bad advice and has no business telling readers to disable a service provided by software vendors, backed by good justification and years of experience.  

Igor goes on to say:

Indeed, if I look at the history of my involuntary use of Apparmor and SELinux in various distros, I have seen the former kick in only once, and the latter about three dozen times, and each example was a case of a legitimate program being mislabeled. In theory, yes, they might prevent exploits, but you're not running a commercial Web server, so relax.
So, on the one hand, he's admitting that LSMs do indeed prevent exploits, yet on the other he's suggesting (paraphrasing) there was a bug in mislabeling a legitimate application.

So, why, then, did Canonical choose to include LSM AppArmor with Ubuntu and Fedora choose to include LSM SELinux for their several Desktop spins?  

Evidence like Stuxnet, Identity Theft, Ransomware, Malware, Bots, Keyloggers ought to be good clues as to the gravity of the situation.  This clearly isn't sensational.  It is real and happening to the unwary every day.  Igor, strangely, minimizes the seriousness of the situation.

What should be done in the case of a reproducible LSM sandbox error?


If you are experiencing a reproducible error (verses a 'one-time' intermittent error)  using a signed application in your Distro's software repository, do open a software support call ticket on their website so that the vendor can take immediate corrective action.

Don't disable your LSM sandbox.  Go directly to your software vendor for support.  Your issues will be resolved expediently with revisions to your security software

-- Dietrich

Monday, June 16, 2014

Linux on the Desktop: It's Not Me. It's You.

by Dietrich Schmitz


Have you grown tired of Linux on the Desktop?

Does 'familiarity breed contempt'?

At times, I feel I have a 'relationship' and when it reaches the point of saturation, or, I don't see anything in the way of innovation going on, I feel the urge to say in parting, "Linux, It's not Me.  It's You."

Yes.  You.  I'm flipping that famous line, "It's not you, it's me intentionally to make a point.

What is my point?

I am a human from planet Earth.  I am really smart and Linux, you are doing a terrible job of keeping up with things.

So much so, I am just about to break up with you if you don't start shaping up.  I know you've been busy with Android and other embedded devices, but you really need to pay attention to me.  Over here, that's me sitting at a conventional keyboard, monitor, desktop unit (or Laptop).

And I keep hoping you'll begin paying attention to me.

But it seems like things are, well, boring, unchanging.  You've made a few attempts to sweeten things up.

Like Gnome Shell, for example.  Okay you worked hard on that, but, it's just that it is easy to use, but too simple.  Why is it so hard to innovate?

Unity?  You've really gone out of your way to be 'different' but again, the gui is not usable and limiting.

I've stuck with you this long only because of LXDE.  Now, after all of the upstream struggles to get Gnome 3.x to a point of 'usability', I have resorted to using lightweight LXDE.  Why?

Because, it doesn't reinvent the wheel.  Don't fix what isn't broken.

Panels, Desktop, Desktop folders, icons, menus, terminal windows, they all work in a classic intuitive way which is why I have always liked you Linux.

I think the problem is, you are trying to be different but no matter how hard you try, the technology just comes up short, deficient.

Maybe you should just be yourself again?  You know like when Ubuntu first came out?  Gnome 2.x worked so darned well.

Why did you change?  I don't like you as much anymore.

Please change.  I mean, innovate, in the truest sense of the word.
Let's not make new widgets that replicate existing functionality.  We already have in my estimation too much of that.

And please.  STOP cloning yourself.  You could go blind doing that.

How many of you do we really need?  I think you should just work on making one Distro better.  No, perfect.  That's right, perfect.

Make yourself sexy with a purpose, but let's stick to just the Linux Standard Base (LSB), one Filesystem Hiearchy Standard (FHS), one graphical API (like Windows GUI).  Yes?  Come to think of it, isn't that what makes Windows so successful?

Please.  Don't put on pretenses for me.  I know you.  I just want what's best for you and think you should really strive to simplify.  And, never mind what the other clones are doing.  They are just copy cats trying to emulate.  You are better than that.

Linux on the Desktop:  Be the best that you can be and I won't leave you.  Promise.

-- Dietrich

Friday, June 6, 2014

Google's End-to-End is Unacceptable

by Dietrich Schmitz



Regular readers will know that I have taken issue with Google since last year on how they manage Gmail and Drive.

For starters, should any governmental agency manage to break through Google's firewall (oops, the NSA did and pitched camp last year), they will have unfettered access to your meta data and direct access to your Gmail and Drive files. (Image right: Google's End-to-End Logo)

Why?  Because they are stored in clear text (unencrypted) format.

That's odd.  Google Cloud does just the opposite.  Hmmm.  I Wonder why.  (Taps fingers.....)  That's because Google Cloud is for the 'paying customers' who INSIST that their data meet critical mandated security thresholds (FIPS).  So, Google Cloud customers, in the interest of keeping them from leaving altogether, are being assured, by Google, their data is FIPS-compliant and cannot be viewed by third-parties.  How nice of them.

When it was determined last year that the Fox is in the Hen House, many corporations left en masse U.S. domestic cloud ISPs for Western- and Eastern-Europe ISPs to avoid the NSA.  This concern is quite understandable on many levels and still nothing has been done to impede, much less stop the NSA from continuing their global eavesdropping.

Gmail and Drive are considered part of Google's consumer-facing services which are, at present, offered for free.  Most everyone using Gmail likes the fact that they get it for free, but, were they to make the effort to read their 'Terms of Service' agreement, would discover that Google reserves the right to parse any and all meta and personal clear text data belonging to the respective account holder.

Principally, the main thrust of this stipulation is so that Google can use intelligent advertisements positioned in the account holder's Gmail gutter margins that reflect subjects which might be of potential interest to said account holder by virtue of the parsing logic applied to their data stream.  Very nice, yes?  No!!!!!!!!!!!!

This is fundamentally wrong.  Users may be stuck with the current terms of service for getting their free Gmail and Drive, but, do they have a recourse?

Certainly, one option would be to drop using Gmail and Drive entirely in favor of some other solution.

Another solution is being provided by Google who have been under great public pressure to do something to protect account holders' right to privacy.

The solution is being named End-to-End in an announcement posted on Google's website.  It's not even available yet and coding for the solution is being worked on and tested before it will ever reach production release to the general public.

While that may sound good, a cursory inspection of the Google Code website reveals a few issues which I feel make this solution unacceptable from the start.

1) Google is only offering 'the solution' as a Google Chrome browser extension.  Many use Chrome.  I don't because it is 'proprietary'.  That means it is not 100% open source and so violates one of the cornerstones of FOSS: Transparency.  We cannot and do not know what is or isn't in proprietary code and because of that, potential rogue code and abuses can be introduced without the general public's knowledge and/or approval.  That is what Transparency is all about.  So, Google wants you to have 'their' solution on 'their' terms, stipulating the use of 'their' browser which in and of itself has volumes of code nobody can claim to know or understand.

2) As if #1 wasn't bad enough, Google has chosen to 'reinvent the wheel'.  Namely, the long-standing, mature, fully-debugged gpg2 open source OpenPGP standard codebase is being rejected out of hand, again because they want to do things 'their' way by creating a duplicate, immature, bug-laden codebase port of gpg2 as an incomplete subset into slow, interpretive Javascript.  That's right.  Javascript.  gpg2 is fully compiled C/C++ code.

3) Google chooses to adopt a new Eliptical Curve cryptographic standard over the proven mature RSA standard.  Recall that NIST is now in a public relations dilemma having been exposed as consorting with the NSA in introducing 'weakened' cryptographic string constants into their ECC codebase last year.  In discovering the problem with ECC, the NIST insist they had no part or knowledge of the NSA's intentional introduction of weakened code and put the code out for public review and follow up action to correct any seen defects based on public comment.  That leaves a 'cloud' in my mind over any software dependent on EC.  In terms of severity, in comparison to items 1 and 2, a thorough audit of EC might restore confidence and make item 3 less an issue in the long-term.

But fundamentally, Google's developers, it would appear, are taking shortcuts and making fundamental flawed decisions by forcing a solution which requires proprietary Chrome (Transparency violation) and creating their own immature crypto codebase to 'emulate' a subset of gpg2 OpenPGP features.  EC will only be compatible with version 2.1 of gpg2.

I am giving this project a 'thumbs down'.  Unacceptable.  Back to the drawing board Google.

-- Dietrich
Enhanced by Zemanta

Tuesday, June 3, 2014

Linux and The Pitfalls of Tribalism

by Dietrich Schmitz



Wow.  What a title for a story eh?  

Well, sad to say, I've been thinking for a long time about this very topic and regret to report that Linux on the Desktop languishes and suffers at the hands of Tribalism to a large extent.

You see, it's really human nature at its best.  Spawned from the nucleus of base Distros (Distrowatch top 20) comes another 'newborn' clone and immediately a tribe forms around it.  The people in these tribes are assumed to conform to community principles,  sharing and working collaboratively.

The reality is often decidedly different.  In fact, I think it's accurate to say tribalism influences most everything we do.  I'm not just talking about Linux.  That may be a hard pill to swallow, but, Tribalism pervades our lives and society.

That's quite profound when you think about it.  And today, I read an excellent piece which zeroes in on this very subject and calls it what it is, How Tribalism Overrules Reason, and Makes Risky Times More Dangerous.

The author, David Ropeik, writes candidly:


Tribalism is pervasive, and it controls a lot of our behavior, readily overriding reason. Think of the inhuman things we do in the name of tribal unity. Wars are essentially, and often quite specifically, tribalism. Genocides are tribalism - wipe out the other group to keep our group safe – taken to madness. Racism that lets us feel that our tribe is better than theirs, parents who end contact with their own children when they dare marry someone of a different faith or color, denial of evolution or climate change or other basic scientific truths when they challenge tribal beliefs. What stunning evidence of the power of tribalism! (By the way, it wasn’t just geocentrist Catholics in the 16 adn 1700s who denied  evidence that the earth travels around the sun. Some Christian biblical literalists still do. So do a handful of ultra orthodox Jews and Muslims.) (...)


Yet another example is the polarized way we argue about so many issues, and the incredible irony that as we make these arguments we claim to be intelligent (smart, therefore right) yet we ignorantly close our minds to views that conflict with ours. Dan Kahan, principal researcher into the phenomenon of Cultural Cognition, has found that our views are powerfully shaped so they agree with beliefs of the groups with which we most strongly identify. His research, along with the work of others, has also found that the more challenged our views are, the more we defend them…the more dogmatic and closed-minded we become...an intellectual form of ‘circle-the-wagons, we’re under attack’ tribal unity. Talk about tribalism overruling reason
Paging the Linux Project/Community managers of the world, I reach out to them in sympathy and know how challenging their jobs can be:

Appeal to people's sensibilities: Exercise reasoned logic in setting forth your project's objectives.  Seek opinions and involvement at all levels and garner input from all participants.  Everyone's opinion is important, whatever it may be.

At times, conceptual differences may be unavoidable.  Major design changes often are a source of friction and outright opposition.  Things like systemd come to mind.  Avoid the 'us vs. them' mindset. 


There is no shortage of contentious debate centered around systemd coming from those 'Tribes' which may or may not offer sound reasons for not following in the path of the majority of Distributions to incorporate systemd.  Is your Team seeing things clearly?  Or is thinking clouded by other factors which may not have anything to do with the subject matter?  Examine what you do in these situations to avoid the pitfalls of Tribalism.

So, the next time you find yourself involved in a forum/relay chat group discussion, step back.  Take stock of the situation and have a good look at the dynamics and what is happening.  Hopefully, by making your own conscious effort in self-appraisal, you will stay within the bounds of courteous discourse and avoid thinking patterns that result in conflict and obstructions to advancing group goals.

Most importantly, be a thinker, an individualist, not a Tribalist.  Yet strive to cooperate and bridge differences.


-- Dietrich


Enhanced by Zemanta