Linux Advocate Dietrich Schmitz shows how the general public can take action to truly protect their privacy using GnuPG with Evolution email. Read the details.
Linux Advocate Dietrich Schmitz reminds CIOs that XP Desktops destined for MS end of life support can be reprovisioned with FOSS Linux to run like brand new. Read how.
Linux Advocate Dietrich Schmitz reminds readers of a long ago failed petition by Mathematician Prof. Donald Knuth for stopping issuance of Software Patents.
What happens when you use proprietary code? This story from The Register is quite representative.
Yes. Google Chrome is proprietary. Chromium is Open Source.
Open Source Chromium gets looked at by 'many eyes' and that is by Contributors across the Globe Folks.
Bugs get fixed quickly.
With any piece of proprietary code, including Chrome, only the employees who work as developers can make fixes to source code, no one else. Unlike Open Source, Proprietary source code is not made accessible to the general public. Only the binary executables get distributed.
It's a classic problem and has lent to a perpetual tread-mill of security issues for Microsoft Windows Legacy (x86) and the litany continues unabated to such an extent that Microsoft now wants to change the name of Internet Explorer to remove some of the legitimate stigma involved with user market perception. It ain't gonna work. The horse is out the barn door.
No, in fact, I made a policy decision some time ago not to use proprietary software whatsoever and wrote specifically about Google Chrome.
So, I strongly urge the readers to avoid Chrome like the plague and stick with Open Source developed software only, such as Chromium.
As for myself, I have Open Source dwb and Chromium installed, but use dwb 95% of the time. dwb is written in pure C with gtk2/3 bindings and a webkit back-end on steroids. It is understated, spartan, greased-lightning fast, and super lightweight with a 75MB startup RAM footprint. Highly recommended. Chromium is the easier of the two to install and use and will gobble up as much ram as it can find but, then, it has all the bells and whistles going for it. -- Dietrich
Regular readers will know that I have taken issue with Google since last year on how they manage Gmail and Drive. For starters, should any governmental agency manage to break through Google's firewall (oops, the NSA did and pitched camp last year), they will have unfettered access to your meta data and direct access to your Gmail and Drive files. (Image right: Google's End-to-End Logo) Why? Because they are stored in clear text (unencrypted) format. That's odd. Google Cloud does just the opposite. Hmmm. I Wonder why. (Taps fingers.....) That's because Google Cloud is for the 'paying customers' who INSIST that their data meet critical mandated security thresholds (FIPS). So, Google Cloud customers, in the interest of keeping them from leaving altogether, are being assured, by Google, their data is FIPS-compliant and cannot be viewed by third-parties. How nice of them. When it was determined last year that the Fox is in the Hen House, many corporations left en masse U.S. domestic cloud ISPs for Western- and Eastern-Europe ISPs to avoid the NSA. This concern is quite understandable on many levels and still nothing has been done to impede, much less stop the NSA from continuing their global eavesdropping. Gmail and Drive are considered part of Google's consumer-facing services which are, at present, offered for free. Most everyone using Gmail likes the fact that they get it for free, but, were they to make the effort to read their 'Terms of Service' agreement, would discover that Google reserves the right to parse any and all meta and personal clear text data belonging to the respective account holder. Principally, the main thrust of this stipulation is so that Google can use intelligent advertisements positioned in the account holder's Gmail gutter margins that reflect subjects which might be of potential interest to said account holder by virtue of the parsing logic applied to their data stream. Very nice, yes? No!!!!!!!!!!!! This is fundamentally wrong. Users may be stuck with the current terms of service for getting their free Gmail and Drive, but, do they have a recourse? Certainly, one option would be to drop using Gmail and Drive entirely in favor of some other solution. Another solution is being provided by Google who have been under great public pressure to do something to protect account holders' right to privacy. The solution is being named End-to-End in an announcement posted on Google's website. It's not even available yet and coding for the solution is being worked on and tested before it will ever reach production release to the general public. While that may sound good, a cursory inspection of the Google Code website reveals a few issues which I feel make this solution unacceptable from the start. 1) Google is only offering 'the solution' as a Google Chrome browser extension. Many use Chrome. I don't because it is 'proprietary'. That means it is not 100% open source and so violates one of the cornerstones of FOSS: Transparency. We cannot and do not know what is or isn't in proprietary code and because of that, potential rogue code and abuses can be introduced without the general public's knowledge and/or approval. That is what Transparency is all about. So, Google wants you to have 'their' solution on 'their' terms, stipulating the use of 'their' browser which in and of itself has volumes of code nobody can claim to know or understand. 2) As if #1 wasn't bad enough, Google has chosen to 'reinvent the wheel'. Namely, the long-standing, mature, fully-debugged gpg2 open source OpenPGP standard codebase is being rejected out of hand, again because they want to do things 'their' way by creating a duplicate, immature, bug-laden codebase port of gpg2 as an incomplete subset into slow, interpretive Javascript. That's right. Javascript. gpg2 is fully compiled C/C++ code. 3) Google chooses to adopt a new Eliptical Curve cryptographic standard over the proven mature RSA standard. Recall that NIST is now in a public relations dilemma having been exposed as consorting with the NSA in introducing 'weakened' cryptographic string constants into their ECC codebase last year. In discovering the problem with ECC, the NIST insist they had no part or knowledge of the NSA's intentional introduction of weakened code and put the code out for public review and follow up action to correct any seen defects based on public comment. That leaves a 'cloud' in my mind over any software dependent on EC. In terms of severity, in comparison to items 1 and 2, a thorough audit of EC might restore confidence and make item 3 less an issue in the long-term. But fundamentally, Google's developers, it would appear, are taking shortcuts and making fundamental flawed decisions by forcing a solution which requires proprietary Chrome (Transparency violation) and creating their own immature crypto codebase to 'emulate' a subset of gpg2 OpenPGP features. EC will only be compatible with version 2.1 of gpg2. I am giving this project a 'thumbs down'. Unacceptable. Back to the drawing board Google. -- Dietrich
You read that right. I deem Google's proprietary Chrome (Freeware License) browser UNSAFE FOR GENERAL USE .
I can't make it any clearer than that.
Why is Google's Chrome browser unsafe?
It's pretty simple. Google chose to not allow Chrome's code base to be shareable to the general public.
For your purposes, that means it doesn't operate under Open SourceGnu General Public License v2 (GPLv2) license terms which would allow the entire code base to be independently vetted by external audit for hidden vulnerabilities and exploits that may be resident much like HeartBleed in openSSL and NIST's Eliptical Curve Cryptography (ECC) which was discovered to have been weakened by the NSA. The aforementioned rogue bugs lay hidden for quite some time, exploitable to those who knew of their presence.
The only ray of sunshine is that their source code is open source, which allowed discovery and corrective action to be taken.
Sadly, one has to draw the line in today's world. We know the score with the NSA. The Fox is in the hen house and now it's time to take action.
Severe action is needed.
Accordingly, I am putting Google on notice and charging them with knowledge that their code base is 'closed' to the general public and must be 'opened' for independent external audit to assure no vulnerabilities exist of any kind (excluding discovered defects in Chrome's upstream dependencies).
It's no more Google Chrome for me. And I hope you will follow suit.
Take action. Switch to a 100% open source browser, like Mozilla's Firefox or Midori or Gnome's Web or KDE's Konqueror today.
I would remind the readers that despite assurances from Google to consumers that their privacy remains intact, it turns out last year that the NSA were able to drill through Google's SSL firewall and pitch camp on the inside for an unspecified period of time, unbeknownst to Google, as they sampled the clear text unencrypted Gmail and Drive meta data belonging to you. Of course, publicly Google expressed outrage for what the NSA had done.
But actions speak louder than words. You see, Google has had ample time to formally announce and roll out strong encryption for Gmail and Drive for their consumer-facing services. To date, they have done nothing.
Yet, on their commercial service side, they quickly reacted to the Fox in the Hen House last year and put in place FIPS governmental standard strong encryption.
Corporate America is 'big business'. Consumers play second fiddle, and because Google state in a revised language TOS agreement that they parse your clear text meta data to generate advertising revenue, the message to the consumer is that 'profit' takes precedence over their privacy.
That is simply unacceptable and quite worrisome despite the 'lip service' they have given on tightening up their SSL standard.
No, consumer data, yours, is still sitting in clear text drive storage medium in the Gmail / Drive cloud where it can be read at will if/as/when it suits Google and/or any other governmental agency.
And, with Chrome being closed source, there is no way to know for sure what is or isn't happening during your Internet browser sessions is there?
Dear Reader, switching to open source is the only way that Security through Transparency can be achieved. Do it today.
That's a screen shot (below) of the BitBucket repository for commits to ongoing development of dwb (dynamic web browser).
Oh, that's nice. What's my point?
dwb is 100% pure Gnu Public Licensed code. That means, you, anyone, developers, users, the world, can see it, change it, for free. That has always been the basis for GPLv2 and the primary reason for why I opt to use dwb. Want to know what's going on with their code? Help yourself -- look around. Only, don't forget to turn the lights out when you leave. ;)
dwb (dynamic web browser) BitBucket repository commits page
You don't get that with Google's Chrome. Nope. Sorry. They won't let you see their code base. Of course, they are within their legal rights to do so, but, that doesn't mean I have to use their browser if I cannot know what it is doing, do I?
Ask yourself this question: Notice lately how Google Plus will periodically 'freeze' with the cpu utilization at 100%?
What are they doing exactly? (Shrugs)
That's Chrome doing whatever it does. :/ Whatever has a big question mark hanging over it for me. My confidence in Google to 'Do No Evil' has fallen dramatically in the past 9 months since the Edward SnowdenNSA Prism and other revelations.
You see, 'proprietary code' (not open source) often leads to some level of exploitation for commercial or 'other' purposes. Because Chrome is 'closed source', we cannot know for certain 'if' Google cooperates in some capacity with governmental information collection and sharing. That's because there is no public access for review of their code base, unlike dwb.
Taking the overt step to use dwb is my personal choice. Yours may be different, but, if you truly believe in the power we (Humanity) hold over the "n'er-do-wells" of the world by embracing Open Source, then I urge you to make it your policy to not use proprietary software. Take a stand and fight back. Set an example for others to follow and use open source applications only such as dwb, Mozilla Firefox, for the sake of security through transparency.
I've been looking for browser alternatives to Chrome and Firefox.
Both are relatively bulky -- replete with features -- which is to be expected.
Chrome does things I don't like and I simply cannot account for why. At times it will remain quiet and at other times it will do whatever it decides to do and throttle up even pegging the cpu. My netbook strains to cooperate when that happens.
To a lesser extent that happens with Firefox, but really not nearly as often. I know from personal experience that opening a google plus tab will elicit periods of frenetic cpu activity which I watch in my LXDE cpu graph. Seconds can pass even minutes before Chrome settles down. That annoys me.
So, I know Google Chrome is not 100% open source like Chromium. What are they doing exactly with my bandwidth? There is no way to know for sure and there certainly isn't any transparency given one cannot see Google's Chrome source code. That is 'off limits'.
This goes against the grain with me. I hold in reverence open source standards; Gnu Public License v2 in particular ensures public oversight to any single piece of code used.
This is what transparency is all about. It's hard to create 'rogue' code in the open source world, when 'many eyes' can see what is or isn't being coded and if something is 'amiss', corrective action can be taken appropriately.
Still, one wonders, if Linux was not open source, how long would such exploits thrive before being noticed? That is an important question and a major distinction for readers to consider -- especially those who currently depend on proprietary and closed source Microsoft Legacy (x86) Windows. Transparency is not a given in the Windows world.
Alright, you get the point. So, I began looking for something which is more lightweight and open source and, as important, would run reasonably well on my Netbook without pegging the cpu like Chrome does. Luckily, after a few days of searching around with Google and testing various browsers, I came upon one obscure Lightweight browser called dwb (dynamic webkit browser). It struck me at how minimal the developer's web page appeared to be. That minimalist mindset fit with my programming philosophy and was just what I was looking for.
With that, initially, I installed a revision of dwb found in the Fedora 20 repo. It worked, but, for some unknown reason it was not recognizing the presence of Adobe'sFlash plugin. And, even after I reinstalled the newest 11.2.202 update, the error still persisted on youtube's website.
So, I uninstalled dwb with yum and then dispatched directly to the BitBucket dwb project site which supports git, downloaded a copy of the project, manually compiled and installed the newest version of dwb. That fixed the flash problem. That was yesterday and I've been puttering around using dwb exclusively ever since.
This is day two and I am here posting up my experience with dwb after several hours of use under my belt.
What a hoot. That's right. dwb is making me smile and I really think it is funny how straight up I was able to quickly adapt to using a 'keyboard-centric' minimalist browser and it got me to thinking about the general public.
People tend to be lazy and are reluctant to change habits.
But using dwb was not a radical change either.
In fact after a few minutes of googling dwb, I located some documentation at the BitBucket git project where dwb is developed and also some good material on the Arch wiki. (Is there ever anything but 'good' material on the Arch wiki?)
So, I admit being a computer geek does help getting up to speed. But I would bet some of the curious readers might be wondering if they should try dwb.
I say: "Why not?"
You stumble. You fall. You then pick yourself up, dust off and try again. It's like your first experience with a bicycle and training wheels as a child. After a while (hours) you start building up confidence as navigation becomes easier. Reading the Arch Wiki on dwb helped immensely and I don't think I have read for more than a half hour to find the keyboard shortcuts I use most often.
It's not that you can't use your mouse. Quite the opposite. A judicious amount of mouse use in combination with the keyboard will result in gained efficiency as you begin recalling which key does what.
I began to chuckle at how fast I was able to perform the same tasks on dwb verses Google Chrome. And I would add that I have yet to see an open tab to Google Plus peg the cpu -- not once has it happened. So, that makes me wonder even more -- what the heck is Chrome doing with my bandwidth?
As I continued using dwb, the thought occurred to me, it's not just that dwb is small, compact and arguably the fastest browser -- it's that the keyboard still provides major advantages when included in the design of any software. As the dwb home page says:
"dwb is a lightweight web browser based on the webkit web browser engine and the gtk toolkit. dwb is highly customizable and can be easily configured through a web interface. It intends to be mostly keyboard driven, inspired by firefox's vimperator plugin."
And that is the point: Keyboard optimization. The icing on the cake is, if you should happen to know how to use the vi editor, all the better, as many of dwb's shortcuts parallel with vi.
Watch the below video to help you to configure and use Mailvelope.
I am endorsing Mailvelope as the 'easiest' software, 'to date', and can assure you that if you create your PGP with a minimum of 2048-bit key length, the NSA will never be able to read your email. NEVER.
Please take control of your email privacy with Mailvelope.
Questions, concerns, do not hesitate to contact me.
You are reading this wondering what that means. Google Engineers have, in earnest, attempted to bolster Chrome for Windows by placing it in their own crafted (Not Microsoft -- they don't have one) security sandbox. Despite their best efforts, they have posted to their Chromium developer website that they cannot guarantee your security if you use Microsoft Windows. Here is their disclaimer:
Other caveats
The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer. Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.
In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox.
That's quite troublesome when you think about it. Google Engineers post up a 'caveat' -- their legal disclaimer, if you will. Simply put, Windows 8.1 legacy (x86) uses a legacy code base going all the way back to the Windows 2000 WinNT kernel. Microsoft cannot fix the security issues which are under eternal attack unless they completely rewrite the operating system from the ground up. Enterprise is 'married' to the operating system with applications which must run 24x7. Microsoft cannot rewrite the code which is heavily depended upon. They have a dilemma and they really don't want you to know about it. They just keep diverting your attention to 'the attackers' away from themselves as though they have no responsibility. This is the cost of using proprietary software. Unlike Open SourceLinux, no one can see the code of Microsoft Windows, review it, inspect it for defects -- FOR MICROSOFT EMPLOYEE EYES ONLY. This is the disadvantage that one accepts when agreeing to the Microsoft software licensing terms. Microsoft own the code -- the Licensee does not.
So, why not consider making a switch today to Gnu Public Licensed Linux and own the code? It's yours for free and it is so secure, I'll even say Fedora 20 Linux is the safest operating system on the Planet.
A few months ago, we saw the newest Pixel Chromebook arrive on the scene with superior display and other performance characteristics -- arguably as good as Apple's Retina MacBook line.
Now another adjustment to Chrome was announced in May for the official development of Google Chrome Packaged Apps. This page explains packaged apps in further detail and includes a video.
If you watch the video which tries to explain what Packaged Apps are, Google talk euphemistically in terms which won't say we're writing local Apps, but if you read between the lines, that's really what they are doing. Pay close attention Folks, these won't be half-baked Javscript Apps. No, they'll be running with Native Client (NaCl) C/C++ compiled executables which are the fastest compiled code one can have driving any application. Here's a brief text explaining what to expect when running a packaged app:
How they behave
Packaged app pages always load locally. This allows apps to be less dependent on the network. Once a user installs an app, they have full control over the app's lifecycle. Apps open and close quickly, and the system can shut apps down at any time to improve performance. Users can fully uninstall apps.
Without any effort on your part, your apps will launch offline. But you will need to put some effort into making sure user data is stored locally while offline and then synced back up to your data server once online (see Offline First).
You see, the Apps will be free-standing and so will run outside of the browser, but still use their fork of WebKit, called Blink, which is at the heart of Chrome. Blink won't be recognizable after they've finished refactoring and tearing out the parts they don't want--it has been reported they already have removed over 8.8 millions lines of code.
And that's another thing they did which is beginning to make more sense. They now can modify the WebKit code to their heart's content to satisfy both browser and packaged apps as they see fit without upstream hassles.
So, that leaves us where?
It leaves us with the proposition that Google know there is still a need for good local Desktop software, a la the days of Microsoft Windows past, only they aren't saying it. Microsoft still have a market for Windows-based legacy x86 software which have always had the performance characteristics and the gold standard applications which so many still rely upon today and Google know they can't capture this traditional buyer's market without local Apps. Local Apps still rule.
Initially, it seems they released a photography-driven app which comes pre-installed on the Pixel Chromebook.
And rest assured, there will be others to follow. Applications fuel sales. It's that simple.
With the recent disclosure of the NSA PRISM surveillance program, that leaves a major stigma attached to doing anything in the Cloud, which can potentially hinder sales of their Cloud-based Chromebook. How long that stigma stays around remains to be seen, but, Google isn't placing all of their eggs in one basket.
Realistically, Google can go in any direction after whatever market they choose--and they usually do. They have the know-how, cash, and have shown themselves to be quite capable at software development--innovative in fact, much to Microsoft's disliking and worry.
Can Google pull off writing a decent Office clone packaged App? If they did, that might really send sales through the roof. All they have to do is make up their minds to do it and it will happen, which should be one of the major concerns at One Microsoft Way.
So, watch the video above and see if you agree with my thinking.
Ah, Google Chrome packaged applications. I see. What?!
So maybe you are as confused as I am. Apparently, Google is, once again, on the move not sitting still, not complacent, innovating as they are wont to do and on Internet Time.
That means, a frenetic pace, which hasn't let up continues with more announcements that makes one's head spin.
The most recent is packages. Now, you are wondering, for what are packages needed?
After all, the Chromebook's raison d'etre has been that you don't need to install any software right?
Wrong. That appears to be changing. And, looking just this past weekend at a Walmart$199 Acer C710 in-store display, I thought, what is a Chromebook with 1TB of disk space going to be used for?
Acer C710 Chromebook sold in U.S. Walmart stores
[Update: It was pointed out on reddit that if one drills down on the website SKU shown above and behind in 'specifications', it shows 16GB SSD; still there are other SKUs being sold with large local hard drives, so the question stands: why a large HDD?]
It also includes a blue-ray drive which will keep the movie industry happy.
But, I digress. Packages. What are they all about? Well, it seems that Google Chrome is now offering packaged Apps for ChromeOS. At least they're available to those using the developer channel for now. And only show if you use Windows or Chromebook. That explains me not noticing. I usually skim through the Chrome Store once a week with my drag-net looking for trends. The announcement came quietly. I missed it. I suppose because there have been so many from Google, it becomes part of the ambient Internet background noise level.
I really don't know what this portends for the future of Chromebook. I suppose that the proof is in the pudding and those packaged Apps have yet to materialize in any major way.
Let's call it an escape hatch for Google. They won't or can't (or both) encrypt your data on Google Drive, but you sure can keep your data safe on a local drive--far better than in the Cloud (cough NSA). That might allay potential buyer concerns. Local storage good. Cloud bad.
And back to school is only a blink of an eye away in August, so, there is a yet unrealized explosion of sales to be exploited from the newest Walmart and Staples distribution channels.
The potential for sales is huge at Walmart and of course Google knows that. And, the potential for students to adopt Chromebook is also good, but is it good enough for many who still are wanting to install apps locally? That is Google's hedge with packages. Really, if Google made up their mind, they could simply package ChromeOS as a free-standing Linux Distribution. They just have to decide to do it. For now, you get ChromeOS only on Chromebook.
Packages is not going to fly if there aren't Apps--good ones. That will tell the tale in the long run.
Alright, Apple may have a head-start with their iPhoneSirivoice search system, but one of the neat things shown at the Google I/O 2013 conference last week is the new Conversational Search, which is now available in Chrome version 27 which was updated today.
If you've got that version of Google Chrome, you'll notice in the Google.com search field to right-most extent a 'Microphone' symbol. Clicking that symbol will activate voice search. I tried it by saying: "Open the pod bay doors HAL", hoping desperately to hear HAL come back with "I'm sorry Dave, I am afraid I can't do that".
But no....it dutifully complied by performing a Google search using that exact string of text and found the movie 2001 Space Odyssey at imdb.com. I am disappointed. (kidding):
Me, using Google trying to ask HAL to open the frickin' pod bay door.
Clearly, it's not a perfect science, and given HAL recognized voice quite a few years ago, I would suspect that there is some serious intellectual property infringed patents at issue here. Time to get the PAEs (cough trolls) on the horn, perhaps? Put me through to Dewey Cheatum and Howe right now.
Anyhow, if you really want to see how voice recognition works correctly, here's a short Youtube video from the 2001 Space Odyssey showing Dave's mastery of voice activated search:
Alright so I kid. But I couldn't help but think about this movie as I uttered my search in Google wondering if we are getting closer to doing what the fantasy of movie making did in spurring the imagination with wild and fanciful story telling mixed with surreal technology non-existent at the time of making this classic (1968). Pretty wild stuff then and I would add still pretty wild that I sit here, one with something called a Netbook, using something called wireless, magically connecting me to something called a router and cable modem and something even more bizarre called the Internet. Is this a dream? I hope not. It's a movie and it's getting better and better with each technology du jour announcement.
Okay enough of my carrying on, here's a video from the Google I/O conference demonstrating the use of this new Chrome technology for your viewing pleasure:
So, that's it, the hotkey ("Okay Google") didn't work for me. I suspect that will be worked out in due course. As is demonstrated, this technology appears to be on par with Siri. As I mentioned above, Voice Search is available as of today in Chrome 27 for Windows, Linux and Macs and is also available in all Chromebooks. Have fun.
