Tuesday, December 30, 2014

Fedora Does Real World Work. Debian is for Hobbyists



It's interesting to watch the pace of change with Linux on the Desktop.

Want technology on the leading edge?  Fedora is here today with best-of-breed solutions, much of which later lands in Red Hat Enterprise Linux, the largest commercial Linux distribution in the world.

Fedora was first to implement systemd.

Fedora is first with a robust implementation of state of the art technologies including rpm-ostree and Docker on their Project Atomic platform.  And, Cockpit eases the process of managing servers and containers in the cloud via a unified web management interface.

You see, at release 21 Fedora split into Server, Workstation and Cloud editions.

The transition was amazingly uneventful, due to Red Hat's senior guidance and the incredibly hard work done by the Fedora Team coordinated with upstream GNOME Project.

Fedora takes what they do very seriously and when it comes to meeting target milestones, they galvanize into action and meet them in a timely business-like fashion. 

Debian's delays also ripple outward.  Canonical's Ubuntu is built from a snapshot of Debian unstable taken at the start of each six-month cycle, so what Ubuntu, and the derivatives that hitched their wagons to Ubuntu, inherit is whatever state Debian's packages are in at that moment; anything stalled in Debian stays stalled all the way down the line.  It's a serious problem, particularly for Canonical Ltd., who are trying to run a business.

The real work, in the business world, is done by Red Hat and Fedora.  No messing around.  No divisiveness, stalling, stonewalling.  Tasks move along with rhythm and cadence, all oarsmen stroking to a beat, following directions and executing them as ordered in synchronous precision.


Debian is the proverbial speed bump on the road to innovation, and with no fixed release schedule (a new stable arrives roughly every two years) nothing gets done in a hurry.

Debian devotees won't like to read this, but Debian isn't behaving like a professional distro should.  They allow themselves the luxury of procrastination, all the while pretending some highly technical issue must be considered before embarking on any kind of work.  I call it 'work avoidance', because that is really what it is under a veil of techno-speak designed to obfuscate what is or isn't really happening in their hallowed organization.  If they are to survive, a radical change must be made to their release management policy.

The real world can't afford to behave like 'hobbyists'.  The real world won't wait.  Debian is falling farther behind, but that's okay as far as they are concerned.

The work will get done.  Eventually.  


Fedora does the real-world work.  Debian is for hobbyists.  -- Dietrich

Wednesday, December 24, 2014

Merry Christmas

Currier and Ives Winter (Image credit: familychristmasonline.com)

Merry Christmas Folks.  -- Dietrich


Sunday, December 21, 2014

What Difference Does it Make if I Use Chrome vs. Firefox?

Free Mozilla Firefox Open Source Web Browser


What difference does it make if I use Chrome vs. Firefox?

Transparency:

Transparency, as used in science, engineering, business, the humanities and in a social context more generally, implies openness, communication, and accountability. Transparency is operating in such a way that it is easy for others to see what actions are performed. It has been defined simply as "the perceived quality of intentionally shared information from a sender". For example, a cashier making change after a point of sale transaction by offering a record of the items purchased (e.g., a receipt) as well as counting out the customer's change on the counter demonstrates transparency.

Google ships Chrome as a proprietary build: it is the open source Chromium plus closed components (the licensed media codecs, the bundled Flash plugin, Widevine DRM, and Google's update and crash-reporting services).  The decision to withhold that code from public view was deliberate, and it leaves the end-user at a disadvantage.

Should the public have a right to participate in oversight of software's source code that runs on their personal computers?  The answer is an emphatic yes.

If an end-user chooses proprietary solutions, they leave themselves open to exploitation in some fashion.  The licensing terms forbid inspection, so the software's true functionality cannot be vetted as free of 'rogue code' or of hidden, unmaintained defects which, left unpatched, leave the software in a vulnerable state.



Global crime rings find defects and then sell exploit kits on the black market for as-yet-unpatched 'zero-day' vulnerabilities.  The likelihood that an unpatched software defect will remain unnoticed increases when using proprietary software, because far fewer people are able to look for it.


Open source projects often ship a fix within hours of a vulnerability becoming known, and distributions push it through their update channels shortly after.  If, on the other hand, the end-user is running legacy Microsoft Windows, a fix may never come if the vulnerability stays hidden from Microsoft's own programming staff, and otherwise normally arrives on 'Patch Tuesday', Microsoft's once-a-month update cycle (out-of-band patches for bugs under active attack are the exception).


The point I hope readers get from this post is this:  

With open source code maintenance it is harder for an exploitable software 'bug' to go unnoticed for an extended period of time, and it is difficult to merge 'rogue code' into a developer team's git repository tree that is reviewed by many peers around the globe.  Harder is not impossible: review catches what reviewers look at, and a subtle weakness can sit in plain sight for years, as the NSA's elliptic-curve constants discussed further down this page show.

The World can and will thrive if we all share, each and every one of us.  It is our human nature to do so.  Without sharing, we will continue to see great exploitation by proprietary business and government which results in human inequality and suffering.

Make a statement which is powerful.  Demand openness.

Insist on and be selective by using only open source software.

Open Source and free Firefox can be downloaded here.  -- Dietrich


Friday, December 19, 2014

Using Extensible Blockchain to Sign Digital Documents and Copyrighted Materials



It should be apparent to anyone who has watched the progress of Bitcoin that it behaves as a virtual commodity.  It also is fungible in that one Bitcoin can be exchanged for an equal quantity anywhere in the World.

The success of bitcoin comes from its Blockchain software design.

Bitcoin does not attach a serial number to each coin.  What the ledger tracks is transaction outputs: every payment spends previously recorded outputs and creates new ones, and every node keeps the full history, so any output's provenance can be traced back through the chain.  That history never goes away; it is an indelible and essential property of the design.

An output can be spent only once.  Every node checks a new transaction against the ledger and rejects any attempt to spend an output that an earlier confirmed transaction already consumed.  This double-spend check, enforced by consensus rather than by a serial number, is what makes a bitcoin behave like a dollar bill that can be physically handed over only once per transaction.

So, we see clearly that bitcoin does indeed work, and we see indirectly that the underlying extensible blockchain can be applied to other scenarios.

Digital Legal documents, copyrighted documents, books, images, videos, audio files all can benefit from using the blockchain technology.

Imagine if the MPAA and RIAA dispensed with their legal campaign to protect copyrighted works and turned to blockchain technology.

In a blockchain for music, for example, each discrete copy of an 'album' or 'song' would be represented by a fingerprint (a cryptographic hash of the file) recorded in a public ledger, the music equivalent of the bitcoin ledger, for the entire life of the copyrighted material.

That entry would then be protected by its place in the global ledger, as is the case for bitcoin: a transfer of the entry is checked against the ledger, and a second transfer of the same copy is refused.  Note what such a ledger does and does not give you.  It proves that a given fingerprint was registered at a given time and records who currently holds it, and it is public and tamper-evident rather than 'encrypted'.  It does nothing to stop someone copying the audio bytes themselves, so on its own it is a provenance and licensing record, not copy protection.

Music might be a blockchain whose tokens allow transfer of ownership just once.

Other kinds of documents might lend themselves to ownership that is transferable multiple times, such as works of art.
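What the preceding paragraphs describe, as an added example that is not code from the original post, from Bitcoin, or from any other real project: a toy append-only ledger in which each block carries the hash of the block before it, documents are entered by their SHA-256 fingerprint, and the token for a copy can be handed on once (music) or many times (art).  The class and function names are assumptions for illustration; there is no network, consensus or mining here, and the ledger records who holds a fingerprint but cannot stop anyone copying the file itself.

```python
"""Toy hash-chained ledger for document fingerprints and one-time transfers.

Added example, not code from the original post or from any real blockchain
project.  Names (Ledger, register, transfer, verify) are assumptions.  It
shows the two mechanisms the post leans on: a document's SHA-256 fingerprint
committed to an append-only ledger whose blocks each carry the hash of the
previous block, so altering an old entry breaks every later link; and a
token that can be handed on only once, so a second transfer of the same
token is refused.  No network, consensus or proof-of-work is modelled.
"""
import hashlib
import json
from typing import Dict, List, Set

GENESIS_PREV = "0" * 64


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest: the 'indelible fingerprint' of a document."""
    return hashlib.sha256(data).hexdigest()


def block_hash(index: int, prev: str, entry: dict) -> str:
    """Hash of a block's contents, with the entry serialised canonically."""
    body = json.dumps({"index": index, "prev": prev, "entry": entry}, sort_keys=True)
    return fingerprint(body.encode())


class Ledger:
    def __init__(self) -> None:
        self.blocks: List[dict] = []
        self.owner: Dict[str, str] = {}   # token -> current holder
        self.spent: Set[str] = set()      # tokens that have been transferred once

    def _append(self, entry: dict) -> dict:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        index = len(self.blocks)
        block = {"index": index, "prev": prev, "entry": entry,
                 "hash": block_hash(index, prev, entry)}
        self.blocks.append(block)
        return block

    def register(self, data: bytes, owner: str) -> str:
        """Commit a document's fingerprint and issue its token to the first owner."""
        token = fingerprint(data)
        if token in self.owner:
            raise ValueError("document already registered")
        self.owner[token] = owner
        self._append({"op": "register", "token": token, "owner": owner})
        return token

    def transfer(self, token: str, sender: str, recipient: str,
                 once_only: bool = True) -> bool:
        """Move a token to a new holder.  Returns False for a sender who does
        not hold the token, or for a second transfer of a once-only token
        (the 'double spend')."""
        if self.owner.get(token) != sender:
            return False
        if once_only and token in self.spent:
            return False
        self.owner[token] = recipient
        self.spent.add(token)
        self._append({"op": "transfer", "token": token, "from": sender, "to": recipient})
        return True

    def verify(self) -> bool:
        """Walk the chain and recompute every hash; any edit to an earlier block
        changes its hash and so breaks the 'prev' link of the block after it."""
        prev = GENESIS_PREV
        for i, b in enumerate(self.blocks):
            if b["index"] != i or b["prev"] != prev:
                return False
            if block_hash(b["index"], b["prev"], b["entry"]) != b["hash"]:
                return False
            prev = b["hash"]
        return True


if __name__ == "__main__":
    music = Ledger()  # constructed stand-in data below; no real files involved
    song = music.register(b"constructed stand-in for song.flac", "label")
    print("first sale:", music.transfer(song, "label", "alice"))             # True
    print("resale of a once-only copy:", music.transfer(song, "alice", "bob"))  # False
    art = Ledger()
    piece = art.register(b"constructed stand-in for painting.tiff", "artist")
    art.transfer(piece, "artist", "collector", once_only=False)
    print("second sale of art:", art.transfer(piece, "collector", "museum", once_only=False))  # True
    print("chain intact:", music.verify())                                    # True
    music.blocks[0]["entry"]["owner"] = "mallory"                             # tamper with history
    print("after tampering:", music.verify())                                 # False
```

The verify() walk is the whole point of hash chaining: an attacker who edits the registration block must also recompute every later hash, which in a real system means out-running the rest of the network, not just rewriting a file.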

This is my thought process and I hope that we as a global society move in this direction.  It affords solutions to reduce and eliminate much of the current costs imposed on businesses which need to protect their copyrighted and Legal materials and eliminate theft of said materials entirely.

-- Dietrich

Do Smartwatches Make You Stupid?

Smartwatches (Image credit: theregister.co.uk)

The implied advertisement subliminal message:  "You need this.  You can't live without it."

The newest wave of technology apparatus has reached American soil.  Among the many offerings now comes Smartwatches.

Yes, they not only look smart, but, they are smart in the sense of having none other than a built in computer -- literally.

I don't know about you, but when I come home, at night I take my analog Timex watch off and leave it on the dresser where it stays until the next day.

Yet, I too am the same person who in the 70's was the first to buy an LED watch.  I have always been a 'sucker' for technology.  Was then.  Am now.

So, how important is it to have a smartwatch?  Will it change my life for the better?  Is it a fad?  And if so, what will it be replaced by in the next technology wave?

These are things I think about.  I haven't had a bad case of techno-lust for quite some time.  Not since 2007 CES did I experience a bad case of it.

That was the year of Nokia's N95 smartphone.  It was also the year for the introduction of Apple's first smartphone, the iPhone.

I didn't hesitate to buy the N95.  It was (and still is in many respects) the best technology I'd ever seen or wanted.

The price $800 wasn't an obstacle.  It's all about want vs. need.  I wanted it.

Do I feel anything akin to that today?  Nope.  In fact, I don't like most smartphones.  I'd rather have a phone with buttons personally.  I miss that aspect of the N95.

But time marches on.  Here come the smartwatches.  And now a new young generation swells with lust to have.  Their focus diverts from the smartphone.

Will the smartphone get left behind?  I don't think so.

But I am not convinced smartwatches will ever be as large a market as smartphones are.

So, is using a Smartwatch stupid?  I argue for the point that it is, unless someone can convince me otherwise.

If I need to carry any form of computing on my person, it will remain the smartphone if I can locate a decent one that lives up to my expectations.

A smartwatch isn't a life changer the way the smartphone was.  It's just proof that we can put silicon into smaller and smaller form factors, that's all.  And I don't need to prove that by wearing one.

-- Dietrich


Thursday, December 18, 2014

Your Browser: A General Purpose Remote Code Execution Tool

Google Chrome web browser security warning message


I've been reviewing the current state of Internet Privacy.

It's still a mixed bag and my conclusion is that it will remain so for quite some time.

Efforts to provide Internet Privacy are varied, depending on which ISP is employed.

The primary means for conveyance to a target website to do any kind of task is the web browser.

To put security risk into context, the web browser is a remote code execution tool.

Yep.  Let that sink in for a minute.

Wherever the user goes, the browser is set to 'trust' a remote stream of bytes, which the web engine 'interprets' as program instructions on your PC.

Sounds quite troubling when you think about it, really.

I mean, your browser is one big catcher's mitt: it absorbs everything it sees in an attempt to execute instructions sent from a remote web server.

So this catcher's mitt is by default a 'security risk'.

Different software vendors take different approaches to the responsibility of writing their software in a manner that ensures it should always operate securely.

For example, Internet Explorer on Microsoft Windows employs 'Protected Mode', which runs the browser at low integrity under Windows' Mandatory Integrity Control: something akin to a software sandbox, but technically not one.

Google Chrome for Windows is designed with a sandbox by Google's engineers, built from restricted tokens, job objects and integrity levels.  But Google's own sandbox documentation is explicit that it is a mitigation, not a guarantee: it cannot protect against a kernel vulnerability, nor against code already running on the machine that injects a DLL into the browser.  A kernel exploit is the usual route from a compromised renderer to administrative control of a legacy Windows machine.

But, that isn't really my point.  In each software project some 'defensive' coding has or has not taken place.

I've reported in the past that Fedora Linux ships with SELinux, a Linux Security Module (LSM), enforcing a mandatory access control policy, and that Firefox, the default installed browser, can be run in a 'real' sandbox under it.  One caveat belongs here: Fedora's default 'targeted' policy confines system services, not the desktop session, so a browser launched normally runs in the unconfined_t domain and SELinux does not restrict it.  It is only confined when started through Fedora's sandbox tool (sandbox -X -t sandbox_web_t firefox), which gives it a confined domain of its own plus a throw-away home directory and /tmp.

From a security standpoint, mandatory access control is a prime differentiator between Linux and Windows.

An exploit may propagate on Windows running Chrome.  It will never propagate using Linux with SELinux, provided the browser is actually running in a confined domain.
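A quick way to check on a live Fedora box whether the browser really is confined, as an added example that is not part of the original post: parse the output of ps -eZ and report the SELinux domain each browser process runs in.  The sample output inside the block is constructed for this example (assumed PIDs and process names) in the layout procps prints; on a real system feed the function the actual command output, as the comment in the block notes.

```python
"""Report which SELinux domain browser processes actually run in.

Added example, not from the original post.  On Fedora, `ps -eZ` prefixes
every process with its SELinux context (user:role:type[:level]); the third
colon-separated field is the domain the policy confines.  `unconfined_t`
means SELinux does not restrict the process at all, which is what a browser
started from a normal desktop session gets under the default targeted
policy; a browser started with `sandbox -X -t sandbox_web_t` shows up in
the confined sandbox_web_t domain instead.  SAMPLE_PS_EZ is constructed
(assumed PIDs and processes) to exercise both cases.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of `ps -eZ` output from a Fedora desktop (assumption).
SAMPLE_PS_EZ = """\
LABEL                                                 PID TTY          TIME CMD
system_u:system_r:init_t:s0                             1 ?        00:00:01 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023               812 ?        00:00:00 sshd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2345 ?      00:00:12 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 3011 ?      00:01:40 firefox
unconfined_u:unconfined_r:sandbox_web_t:s0:c12,c57    3320 ?      00:00:05 firefox
system_u:system_r:httpd_t:s0                          4100 ?      00:00:00 httpd
"""

# Domains in which the process is effectively unrestricted by SELinux.
UNCONFINED_DOMAINS = {"unconfined_t"}

# Command names to report on (prefix match against the CMD column).
BROWSERS = ("firefox", "chrome", "chromium")


class Proc(NamedTuple):
    context: str
    domain: str
    pid: int
    cmd: str


# context, PID, TTY, TIME, CMD: the five columns `ps -eZ` prints.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_ps_ez(text: str) -> List[Proc]:
    """Parse `ps -eZ` output into Proc records, skipping the header line."""
    procs: List[Proc] = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line)
        if not m:
            continue
        context, pid, _tty, _time, cmd = m.groups()
        # user:role:type[:level]; the MLS/MCS level may itself contain colons,
        # so index the third field rather than the last.
        domain = context.split(":")[2]
        procs.append(Proc(context, domain, int(pid), cmd))
    return procs


def browser_confinement(procs: List[Proc]) -> Dict[int, Tuple[str, bool]]:
    """Map each browser PID to (domain, confined?)."""
    report: Dict[int, Tuple[str, bool]] = {}
    for p in procs:
        if p.cmd.startswith(BROWSERS):
            report[p.pid] = (p.domain, p.domain not in UNCONFINED_DOMAINS)
    return report


if __name__ == "__main__":
    # On a live system: text = subprocess.check_output(["ps", "-eZ"], text=True)
    for pid, (domain, confined) in browser_confinement(parse_ps_ez(SAMPLE_PS_EZ)).items():
        print(f"pid {pid}: {domain:16} {'confined' if confined else 'NOT confined'}")
```

If every browser line comes back unconfined_t, the 'real sandbox' is not in effect for that session, whatever the policy mode (getenforce) says.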

The word 'never' comes with a catch.  You see, the browser's own memory space is 'fair game': remote code, whether Java applets through the plugin or JavaScript, executes there and can touch whatever the browser process itself can reach.

In theory nothing bad should happen, and it is assumed that code in the browser's process will never escalate to the admin level.

But what it does inside its own memory space is an open question.  Cross-site scripting, where an attacker's script runs in the browser with another site's privileges, remains an unsolved problem.

In this context, if a user chooses a browser-based security tool to protect their local PC, the conditions are set up for a hypothetical exploit to, for example, read the private encryption keys that such a tool keeps in the browser's memory.

So, you see, I am revising my thinking.  I'm not sure any more about using the browser for any kind of security.  It's that risky.

Using compiled, well maintained free standing open source security applications is entirely a different matter.

For example, I have Gmail.  But I don't use the browser client to access it.
I use GNOME Shell's integrated Evolution email client, which also prepares outgoing mail with GnuPG (OpenPGP) encryption.

The encryption and decryption of Gmail messages run in Evolution's own process and memory, not in a browser.  Only once the email is encrypted and signed is it sent, and the copy stored on the Gmail IMAP server is the PGP-encrypted form.  (OpenPGP protects the body and attachments; the Subject line and the sender and recipient headers remain clear text on the server.)

That's a routine process I feel confident in completely.

The notion that other software vendors can reimplement OpenPGP in JavaScript troubles me.  This is precisely what Google is doing in its End-to-End project, currently in alpha: not a fork of GnuPG, but a fresh OpenPGP implementation written in JavaScript.

The whole of End-to-End runs as JavaScript in the browser.
That puts the whole premise of security in the hands of the browser.

It's not acceptable.  Even now, I am rethinking how MEGA works.  Again, here, there is secureboot.js code running in your browser.

I believe there has to be total segregation from the browser for any kind of security tool client application.  It must be compiled.  It must be open source, and it must use the OpenPGP standard (RFC 4880) as implemented upstream by GnuPG.

The browser will always be a target for attack.  Always.  Letting it also run your security is a fundamental mistake.  -- Dietrich

Saturday, December 13, 2014

Kim DotCom Facing Down a Death Sentence Without a Trial

Kim Schmitz aka Kim DotCom


Many of the readers of this story know of Kim Schmitz aka Kim DotCom.  It's a mix of either great respect or contempt depending on what is understood about him.

There is an untold story about him that needs to be recorded as to what happened to his MegaUpload website.

MegaUpload was a popular file sharing website up to a few years ago when it was summarily ordered to be taken down by the U.S. Federal Government.

As Kim recently said the MegaUpload case is "a death sentence without a trial".

He has managed to remain out of jail in New Zealand up to now but his financial resources have dwindled.  In the time spent since MegaUpload's take down, Mr. Schmitz formed Mega, the technological embodiment of change necessary to avoid MegaUpload ever happening again.

Mega is now in full production offering 50 gigabytes of free cloud storage space.

What sets it apart from other cloud ISPs?

MEGA employs end-to-end encryption with keys derived on the client, which it markets as 'zero knowledge' (ZKE), plus the MEGAsync graphical drag-and-drop file client.  That protects the contents of your files from MEGA itself, provided your password is strong and the client code is trustworthy; it does not hide metadata such as file sizes, timestamps and the IP addresses you connect from.

What the technology also affords is the very thing whose absence took down MegaUpload in the first place: plausible deniability.  ZKE ensures Mega knows nothing about your data.  To Mega, it is just an encrypted block of data.

Mr. Schmitz was assumed guilty of being complicit with illicit file sharing activities, alleged to have occurred on MegaUpload.  Today, he still maintains his innocence but a legal case is pending.

Despite his adversities, he has somehow managed to achieve what few others have.  Cloud storage can and should be a safe choice.  Your data and meta data on the Internet are presumed to be yours and only yours.  They belong to no one else.  Mega, the fruit of Mr. Schmitz' labors, is a resounding success.

In reality, few ISPs offer such guarantees.

Mr. Schmitz just put up on his personal website a Whitepaper which is a 'must read'.  It tells the untold story of what happened to MegaUpload.

Kim DotCom tweets a message to let the public know about his just-published whitepaper


Here is part of the whitepaper's opening Executive Summary:

The criminal prosecution of Megaupload and Kim Dotcom is purportedly the “largest copyright case in history,” involving tens of millions of users around the world, and yet it is founded on highly dubious legal principles and apparently propelled by the White House’s desire to mollify the motion picture industry in exchange for campaign contributions and political support.
The U.S. government’s attack on the popular cloud storage service Megaupload and the dramatized arrest of Kim Dotcom, the company’s principal founder – together with the seizure of all their worldwide assets – represents one of the clearest examples of prosecutorial overreach in recent history. One day after the U.S. Congress failed to enact the controversial Stop Online Piracy Act (SOPA), the executive branch of the U.S. government commandeered Megaupload in a coordinated global take-down, and drew battle lines between digital rights advocates, technology innovators and ordinary information consumers on the one side, and Hollywood and the rest of the Copyright Lobby on the other.
Megaupload operated for seven years as a successful cloud storage business that enabled tens of millions of users around the world to upload and download content of the users’ own choosing and initiative. The spectrum of content ran from (to name just a few) family photos, artistic designs, business archives, academic course work, legitimately purchased files, videos and music, and – as with any other cloud storage service – some potentially infringing material. Despite Megaupload’s lawful uses, the U.S. government has charged the company and its executives under the Racketeer Influenced and Corrupt Organizations (RICO) Act, and has branded the company, its personnel and its tens of millions of users a “criminal enterprise” dedicated solely to infringing U.S. copyright laws.
The U.S. government’s case against Megaupload is grounded in a theory of criminal secondary copyright infringement. In other words, the prosecution seeks to hold Megaupload and its executives criminally responsible for alleged infringement by the company’s third-party cloud storage users.  The problem with the theory, however, is that secondary copyright infringement is not – nor has it ever been – a crime in the United States. The federal courts lack any power to criminalize secondary copyright infringement; the U.S. Congress alone has such authority, and it has not done so.
As such, the Megaupload prosecution is not only baseless, it is unprecedented. Although the U.S. government has previously shut down foreign websites engaged in direct infringement, such as the sale or distribution of infringing material, never before has it brought criminal charges against a cloud file storage service because of the conduct of its users. Thus, the Megaupload case is the first time the government has taken down a foreign website – destroying the company and seizing all of the assets of its owners (and the data of its users), without so much as a hearing – based on a crime that does not exist.

Clearly, there was a baseless rush to judgment without any legal due process of law.  In fact, there was total disregard for protective mechanisms in our U.S. Constitution that should have resulted in Mr. Schmitz being presumed "innocent until proven guilty".

Dear Reader, we live in very troubled times and I would dare say at this time we don't have much in the way of Constitutional rights which are negated by special Supreme Court Judicial powers that ignore the Constitution, the continuing presence of the Patriot Act, and the NDAA.

Thus, I feel obligated to share this developing story with you in order to shine the light on a 'wrong' dealt to a Man who has shown himself to be of great integrity and willing to stand up for his and your rights and fight back.

Please help Kim Schmitz by reading and sharing his whitepaper with Friends and Family, your state Senator and Congressman.  -- Dietrich

Tuesday, December 9, 2014

Linux Turla Malware Infection? Not Going to Happen.

cd00r.c - packet coded backdoor (credit: phenolit.de)
C'mon.  Here is yet another sensational report 'wishing' that Linux is infection prone.  It isn't okay?

The SecureList authors imply that there is a Linux version of a known Windows malware, called Turla.  Conveniently, they call it a variant.

Where is the documentation for a Linux 'vector of infection'?  Oops, somehow, they forgot to include it.

Including the source code doesn't count as documentation for a vector of infection.  It merely documents the program's purpose, not how it lands on a Linux PC.  And the purpose is telling: the sample described is a backdoor built on the old cd00r.c code, a process that waits on a raw socket for a specially crafted 'magic' packet and then hands the sender a shell.  That is a post-compromise implant an intruder drops after getting in by some other route, not something that exploits or spreads on its own.

On the other hand, one can visit Kaspersky to see it is well-documented for Windows.

This code simply isn't in any Linux repository.

That means one must intentionally deviate and go outside of the keyring-protected repo of applications 'into the wild' to obtain this rogue software.

By definition a trojan requires someone to install the application and then explicitly run it for its 'payload' to execute; for an implant like this, that someone is an intruder who already has a foothold on the machine.

In the conclusion of the SecureList story, the authors wrote:

"Although Linux variants from the Turla framework were known to exist, we haven't seen any in the wild yet."
Paleeze.  This sensational reporting has got to stop.

Known to exist?  Based on what exactly?  Again, no details.

Folks, Fedora Linux is the safest operating system on the Planet.

I stake my reputation on it.  -- Dietrich


Sunday, December 7, 2014

Linux Distro Survey 2014

Final Results of Linux Distro Survey 2014

[Edit: Linux Distro Survey 2014 is closed.  See summary above.  Details can be obtained by clicking the 'View results' link below.]

So, okay, it's been a while since I did a survey.  You know the drill.  Time to pick your brain.  


What is your favorite Linux Distribution?  [View results]


Friday, December 5, 2014

ALERT: A Software Security Transparency Breach Warning

(Image credit:  Wikipedia.org)

We've witnessed what happens when changes in source code to intentionally insert rogue code go unnoticed.

The example is Dual_EC_DRBG: the NSA supplied the fixed elliptic-curve points for that NIST-standardized random number generator, and anyone who knows the secret relationship between the two points can recover the generator's internal state from its output and predict everything it produces afterwards.  Cryptographers had flagged the constants as suspicious as early as 2007, yet the weakness lay in the standard, and in the libraries that implemented it, for years; what finally surfaced it on the Linux side was a languishing open Red Hat trouble ticket.  What was odd was how, given the potential seriousness of the incident, no action was being taken to look at the source code and change it.  As more comments were appended to the ticket, the level of suspicion grew to the point where NIST was forced to open an investigation.

It was a potential public-relations disaster in the making for them, as they pleaded being unaware of what the NSA had done.  NIST reopened the standard (SP 800-90A) for public comment, advised against using Dual_EC_DRBG, and removed the generator from the revised standard in 2014.  The lesson for code review is an uncomfortable one: no 'rogue' line of code was involved.  The implementations were faithful to the standard, and the backdoor lived in the constants.

But, this was a roadside billboard that should have alerted everyone in the FOSS Community to the realization that every corner of FOSS should be revisited for a thorough security review and vetting.

Code obfuscation should be a red flag to anyone who sees it.  The first question should be: why is this code obfuscated?  If there isn't good documentation giving a reason, then it's time to dig in and find out what the code is or isn't doing, at the very least.

Relative to all FOSS code, however, little obfuscated code is believed to exist.

It would be most difficult to hide rogue code otherwise, as it must pass several levels of code review to reach final merge.
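Two cheap checks a reviewer can run over a suspicious file before reading it line by line, as an added example that is not part of the original post: flag long string literals whose Shannon entropy is high (packed base64 or hex blobs read as near-random, while identifiers and English prose sit near four bits per character or below), and flag a decode or decompress call fed straight into eval or exec.  The thresholds, the regular expressions and the constructed SAMPLE_SOURCE file are assumptions tuned to Python-like source; adapt them for other languages.

```python
"""Flag likely obfuscation in source: high-entropy literals and decode-then-exec.

Added example, not from the original post.  Two checks: (1) string literals
that are long and have high Shannon entropy, which is what base64 or hex
blobs of packed code look like; (2) a decode/decompress call passed straight
into eval/exec.  Thresholds and regexes are assumptions for Python-like
source.  SAMPLE_SOURCE is a constructed file carrying one packed payload; it
is only scanned as text here, never executed.
"""
import base64
import math
import re
import zlib
from collections import Counter
from typing import List, Tuple

# A single- or double-quoted literal, allowing backslash escapes inside it.
STRING_RE = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
# eval/exec whose first argument is produced directly by a decoder.
DECODE_EXEC_RE = re.compile(
    r"\b(?:eval|exec)\s*\(\s*(?:base64\.b64decode|bytes\.fromhex|zlib\.decompress|codecs\.decode)"
)


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for one repeated symbol, up to log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_source(src: str, min_len: int = 40, min_entropy: float = 4.5) -> List[Tuple[int, str, str]]:
    """Return (line number, finding kind, detail) for each suspicious line."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if DECODE_EXEC_RE.search(line):
            findings.append((lineno, "decode-then-execute", line.strip()))
        for m in STRING_RE.finditer(line):
            literal = m.group(2)
            if len(literal) >= min_len and shannon_entropy(literal) >= min_entropy:
                findings.append((lineno, "high-entropy literal",
                                 f"len={len(literal)} entropy={shannon_entropy(literal):.2f}"))
    return findings


# Constructed sample: an innocuous-looking script that carries a zlib+base64
# packed payload (built here so the example runs offline; never executed).
_PACKED = base64.b64encode(zlib.compress(
    b"import os\nos.system('echo this is the hidden payload > /tmp/marker')\n" * 4
)).decode()
SAMPLE_SOURCE = f"""import base64, zlib

GREETING = "hello, world"          # ordinary literal, not flagged

def greet():
    return GREETING

payload = "{_PACKED}"
exec(zlib.decompress(base64.b64decode(payload)))
"""


if __name__ == "__main__":
    for lineno, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}: {detail}")
```

Entropy alone produces false positives (hashes, keys, test vectors), which is why the second check looks for the blob actually being decoded into executable code; a hit on both in the same file is the pattern worth stopping a merge over until someone explains it.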

This is why it is an imperative that the FOSS Community become rigid and not deviate on the issue of Security Transparency.

Security transparency can be assured only if ALL source code is vetted independently by more than one project maintainer.  Oversight must be maintained, and Linux distribution binaries that ship without their accompanying source code under the GNU General Public License (GPL) or another free software license (Firefox, for one, is under the MPL) should be rejected out of hand, as not just a license violation but a breach of security transparency.

That being the case, Linux Advocates is taking a position against the following software vendor sources of 'semi-open' code bases.  They are:

  • Google ChromeOS
  • Google Chrome Browser
  • Opera Browser

Linux Advocates categorically does not support using the above-listed products which include a mix of open source and proprietary code.  There is an attendant heightened risk of exposure to cyber attack and exploitation when using any non-FOSS proprietary stack implementation on your computing device.

Enforce security transparency by insisting on Linux with open source code only.  -- Dietrich

December 9, 2014: The Day Desktop Computing Got Fun Again



Remember when Desktop Computing was fun?

The early days of Ubuntu were a time when GNOME really had things going for it.  Then, one Mark Shuttleworth took the product in another direction.  Unity.

Unity was initially interesting but didn't fit usability and that began the period of when I didn't like what I saw happening to Ubuntu.

During that period, the GNOME Foundation was undergoing its own change.  GNOME 2.x was declared end of life and GNOME Shell, a concept GUI, was established.

As with any GUI paradigm change comes a period of 'growing pains'.  I was really resistant to what GNOME was doing.  And so, I spent a long period in search of a good alternative GUI.  Ultimately, I found myself liking LXDE, and dwelled in Lubuntu.

Then, I tried Fedora 18 LXDE spin.  I concluded it was from a technical standpoint as good as Lubuntu.

Philosophically, I didn't like what Debian and Ubuntu were doing.

When it became apparent that Mark Shuttleworth was running his own railroad and broke ties with The GNOME Project, I thought he was trying to control delays in upstream decision making.  That made good business sense.

But in the process he flip-flopped on putting full support behind Wayland, turning instead to creating his 'own' display server, Mir.

To make it short and to the point, there is no other Distro which uses Unity.  NONE.

Today, Unity is on an island all by itself.

During the period of 'transition' The GNOME Project came out with initial revisions with GNOME Classic 'fall-back' to keep the malcontents happy.  In each iteration, GNOME made feature enhancements in an effort to continually refine the 3.x shell.

Each major revision, I gave it a try and turned away giving it a 'thumbs down' on usability.

Until 3.12, I didn't like Shell.  It was at that level it became truly usable and ready for prime time.  That was a year ago.

Today, GNOME Shell has reached 3.14 and I have been using it for several months on Fedora 21 Alpha/Beta/RC Workstation.

Even with Alpha, I found myself smiling and laughing at just how well the interface meshed.  It is polished, professional and just fun to use.

Yes, it is fun to use.  I really haven't felt that way in a very long time and I look forward to turning on my PC every day because Fedora 21 Workstation with GNOME Shell 3.14 is just that good.  I would add, Red Hat is the largest supporter of The GNOME Foundation and has worked closely in the design of GNOME Shell.  Red Hat also provides web infrastructure for The GNOME Project.  The relationship is close knit.  The end result is what you see and use.

December 9, 2014, has been promised by the Fedora Team as a 'Go' for Fedora 21 Workstation.  The day will be remembered as when Desktop Computing got fun again.  -- Dietrich

Tuesday, December 2, 2014

Lions, Tigers, Bears, and FBI Warnings, Oh My!

Wizard of Oz Movie (Image credit: prairiecloudware.com)


Seriously, do you tire of seeing major news plastered with warnings about cyber attacks, malware and viruses?

It really has grown to a fever pitch lately.

What stuck in my craw today was a Bloomberg report Exclusive: FBI warns of 'destructive' malware attack in the wake of the SONY attack.

Like, I should be mortified maybe?  Do these 'brainiacs' remember StuxNet?

Would it help to revisit the topic?  I'd rather not, thank you very much.  Please feel free to read the Wikipedia link on the subject.

It was the perfect road-side billboard if there ever was for why Microsoft Legacy (x86) Windows should be abandoned on grounds of National Security.

Sadly, the software industry hasn't changed and quite frankly isn't going to as long as 'big business' is married to a security-flawed 'by design' operating system.

What do I mean by 'by design'?  Microsoft provides undocumented APIs through their Trusted Platform to domestic and foreign governmental agencies (the FBI included) to have unfettered access to any Windows PC without the user's express permission.  (Insert sound of crickets here.)

That seems to me to be a major violation of public privacy.  And that's what the public get using proprietary software.  Transparency is non-existent.

Could code that provides 'back doors' onto computers exist in the open source world?  I should think not!

Well, so far, we haven't seen any.

Of course there is the documented case of the NSA's weakened constants in the Dual_EC_DRBG random number generator (a NIST standard that RSA's BSAFE library used by default and that some SSL/TLS stacks could be configured to use), but it is a different kettle of fish to write a bank of code, spanning perhaps thousands of lines, dedicated to the specific purpose of providing 'backdoors', and have it go unnoticed in a project published under the GNU General Public License.  That kind of exploitative code is far harder to sustain in a FOSS project: the Dual_EC_DRBG lesson is that a few malicious constants can hide in a published standard for years, whereas thousands of lines of purpose-built backdoor code in reviewed source stand a far worse chance.  Transparency is in full force, with 'many eyes' providing the much-needed oversight.  As it should be.

Edward Snowden is correct:


“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." 

Unlike open source, the proprietary anti-virus business gets a boost every time one of these 'sensational' stories comes out.  It's a stimulus to obtain a desired result: the masses run out to buy AV tools, which get installed immediately.  End users fire up their AV tools, then passively watch a pretty widget on screen scanning, the foregoing 'backdoor' API notwithstanding.  The aesthetic is dispensed as the user receives a 'false sense of security'.  AV software vendors make billions of dollars in sales annually.  The partnership between Microsoft and AV vendors is entrenched and the myth lives on.

None of this would have been mentioned if I didn't know better -- it insults my intelligence.

I know full well that if every Windows PC were to switch to Fedora Linux, all of the security issues would be gone.  Zero.  None.

So, please.  Spare me the FUD.  -- Dietrich


Monday, December 1, 2014

MegaSync Your Cloud Data for True Internet Privacy

MegaSync Client for Linux with GNOME Nautilus 'Drag Drop' Support shown on my Fedora 21 Workstation Desktop

Strong Encryption is the only choice to secure the Public's Internet Privacy against unwarranted access.

I really don't know how to make that message any more clear.

You see, ISPs are going to 'feather their own nests' as we bear witness to changing Terms of Service with Google and most recently at Facebook.

Personally, I could not care less about their Terms of Service.

Because, as far as I am concerned, anything put on their sites becomes theirs.  Period.  They can claim otherwise.  It doesn't matter.

Google doesn't want to encrypt your Gmail, or Drive.  Why?  Because 'they claim' it's parsed for Advertising revenue purposes.  Does that seem legitimate to you?

Let me lay it bare for you.

The truth of the matter and what Google won't say is, they profit also from intelligence gathering by parsing keyword triggers that get forwarded to domestic and foreign governmental agencies. That is not Transparency. No, it is outright lying by omission.

Your Gmail and Drive get scrutinized every time you use it.

I've written on how to manage your Gmail using OpenPGP Encrypted Evolution Email on Linux Advocates.

The technique I illustrated leaves any third party nothing but ciphertext to parse: message bodies and attachments are encrypted end to end (the Subject line and address headers are not, as OpenPGP does not cover them).

As for Google Drive?  Avoid it 'like the plague'.  MegaSync employs 'zero knowledge' end-to-end encryption and gives 50GB of free space by default.

Mega's strong encryption makes your personal folders and files just streams of block data totally unintelligible, so that Mega doesn't know what is getting stored.

You may recall, the take down of Kim Dot Com's MegaUpload by the U.S. Government.  Kim Dot Com said it was "a death sentence without a trial".

Mega with MegaSync client changes all that.

Now, Mega can reliably claim what is legally termed 'plausible deniability' for what clients store on their site, by virtue of how this method of encryption works.

And, isn't that the way it should have been all along?  Really.  It's nobody's business what a law abiding Netizen stores on the Internet.  It's personal.  It's private.  And Mega fills this gaping unmet need.

In the final analysis, if the government wants to know what is stored in the cloud of an account holder, they need to take out a search warrant issued by a Judge.  Then and only then, should a 'Good Netizen' comply by unlocking their encrypted files.

With MegaSync's encryption, nobody can see the contents of your data without your express consent.

MegaSync your cloud data for true Internet Privacy.

-- Dietrich