Freemors Blog

Musings of an East Coast Techie
Posts tagged as privacy

He who controls the server and software 'owns' the device

2016-04-05 by Freemor

With recent articles like this and this, I felt it was important to point out the golden thread running through them, which boils down to one thing: "He who controls the software and/or server controls the device", at least in devices like these.

When buying a product that is Internet ready or Internet connected it is very important for people to ask the question "What happens if the Internet part goes away?"

For some products it's no biggie, like say a media player that downloads from a specific site, but also lets you put your own music on. In this case the Internet part is more of a "Value added" piece than a mandatory one.

Then there are things like the Google Chromecast. If the Internet back end goes away because Google decides to move to ChromeCast V3.0 and not support earlier ones, then the device will become a brick. Useless. And due to the lack of software freedom in these devices there is nothing the owner can do.

This same thing is true of an ever increasing number of products, especially as we move into the whole "Internet of Things" (IoT) world. One of the reasons that businesses are so hot on the IoT idea is the reach it gives them over the product. This was seen with Kindle when Amazon reached into thousands of devices and erased the book 1984.

There are two separate issues at play here:

The "ownership" of the device hinges on these two things. Let's look at each of them.

Who controls the software

If you do not control the software on the device, then it controls you. You do not own that device. The person that controls the software owns it.

When I talk about control I am not talking about how "Usable" the software is. I'm talking about the user's ability to change, modify, study, etc. the software on the device.

If you can't change the software at all then you have absolutely no control.

If you can swap one opaque mass of software for another opaque mass of software you have the limited illusion of control.

Only when you can Study the software to see how it works, Change it to work the way you want it to, Share the changes you've made and have the freedom to use the software in any way you choose do you truly control the device.

Sadly an ever decreasing number of devices fall into this category. Even many devices that appear free, like the Raspberry Pi, are actually not truly so due to the fact that they can not work without some opaque bit of software. In the case of the Raspberry Pi it is impossible to boot the device without software that is not in your control.

Who controls the server

This question is of either slightly less or equal importance to the "ownership" of the device, depending on what the server bit does.

If the server bit is strictly "Value added", as in the device will continue to function completely without the server, then the question is a minor one.

However increasingly, and by design, devices will not function if the server is gone.

Now if you have freedom in the software as mentioned above, it wouldn't be an issue. You or someone else could study the software, change it to use a different server or to not need the server and then share that change to the world. Problem solved.

Sadly as mentioned above it is a rare device where that can be done. Partly because most software licenses prevent you from doing any of those and thus from using the software any way you want.

So lacking freedom in the software and being tied to a server that you don't control means that not only can you not fix or modify the device, you are now entirely at the whim of the person that controls the server. What if the server says to delete all your stuff? Nothing you can do. The device won't work without the server so you can't prevent it from connecting, and once it does, bang, your stuff is gone.

It goes well beyond just deleting your stuff. The server could push out an update that kills the device. Now it won't even turn on. Or they could just shut down the server. Again you're stuck with a useless device. It is also important to remember that the connection to the server is a two way street and can be used to spy on anything you do with or near the device, as Windows 10 does and it looks like Oculus Rift will.

As the whole IoT thing takes off this is going to become a huge issue and one that customers need to pay attention to. An IoT fridge that you do not control could be remotely told to not keep food cold anymore when the manufacturer decides it is time for you to buy a new one.

Think that is far fetched? There have been printers out there for years now that decide to stop working based on a software counter in the printer. There is absolutely nothing mechanically wrong with them, the software just decides "Sorry I'm done.. go buy a new printer". If manufacturers are willing to screw with you like this how much more so when they can reach over the network and do whatever they like to your device?

So the next time you buy an electronic device ask, Who controls the software? Is the server part "Value added" or mandatory? Can I change the software? Can I run my own server? And ultimately, Do I want to buy a device I will not "own or control"?

A Phone is not a House

2016-04-01 by Freemor

With the ongoing debate about strong encryption on mobile devices, I'd like to take a moment to clear up a misconception that I've seen tossed around and sadly accepted by too many people.

To be clear, anyone that reads my stuff will know that I fall well inside the "must have strong crypto" camp. So the views expressed here will clearly be coloured by that.

The point I want to clear up is this new comparison of cell phones to physical spaces. The argument tends to go like this: "People's homes are private but the government can get a warrant to search them. So the government should be able to do the same for Phones."

On the surface that may seem to make sense and I suspect that is why people are buying into it, but the truth is much closer to saying: "People's homes are private but the government can get a warrant to search them. So the government should be able to do the same for private conversations."

What the government is seeking is not access to a physical space but rather retroactive access to private conversations. The government has never had the ability in the past to compel you to divulge what you said to your friend last Tuesday. Especially if such might be incriminating.

By wanting all encryption breakable the government is trying to do an end run around your right to remain silent, or plead the 5th, or whatever the equivalent is in your country.

Cell phones are by definition communication devices, not dwellings, not safes, not a place of business. Cell phones store and transmit conversations, which is speech, which has special safeguards when talking privately with another individual.

Yes there are wiretaps and police can get a warrant to get a wiretap. But wiretaps have never been retroactive. Remember it's "You have the right to remain silent, anything you say may be used against you in a court..."

How safe do you feel knowing that by breaking into your phone and having retroactive access to your speech, "anything you say" now includes much of what you said for the last 2, 3, 5 years? Did you have an indiscretion that they can blackmail you with? Did you joke with a friend about robbing a bank? Did you talk with someone about the possibility of fudging your taxes a bit? Did you get really drunk after a break-up and text something that could be considered a threat? And on, and on.

One of the reasons that speech is protected is because it is so easy to twist and use against someone. As the famous quote goes "If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

We can not, we must not allow governments and police to have easy unfettered retroactive access to our speech going back years. It removes too many safeguards and tips the balance of power dangerously to the side of the already powerful.

Keep private conversations private. Say No to big brother.

The Ad-Blocking Lie

2015-03-31 by Freemor

I have heard it stated over and over that people shouldn't use ad-blocking software because if they do websites won't be able to make money, and the entire Internet will implode into a cash vacuum. OK, I added the imploding part, but it is always the implied outcome: use ad-blockers and the Internet will go away.

As someone that has been "on-line" since before there was a public Internet I can tell you this is patently untrue and the people that are telling you this are lying to you, or misinformed.

First I'd like to point out that a huge number of sites and services on the Internet do not rely on advertising for their income. Do you really think amazon.com is going to disappear if everyone started using ad-blocking? I think not. Wikipedia.org does not and will not have ads. IRC servers have been around since the early days of the Internet and do not rely on ads. Same for most XMPP servers. Services that use a "Freemium" model like DropBox will still be around. Usenet providers switched years ago to being a paid service. Some torrent trackers may disappear but others won't, and besides there are other P2P file sharing options that do not rely on "tracker" sites. So the whole P2P thing won't go away.

E-mail might have a transition period but this is only because too many people have been conned into using big centralized E-mail servers who are in the business of selling all the information that they can harvest from people's E-mail instead of just providing an E-mail service. Luckily there are many (currently less popular) E-mail providers that are solely in the business of providing E-mail and nothing else. If the ad-blocking apocalypse came to pass ISPs could easily go back to running their own E-mail servers like they did in the old days. Also I am sure many, many non-advertising based mail servers would spring up to fill the void and make some cash while doing it.

The fact is that the things most at risk of disappearing if we hit peak ad-block would be exactly the services that are most hurtful to your privacy. To me this seems like a win.

The current layout of the Internet is far from what its creators envisioned. They saw an Internet where every computer was a potential server, and many were. They envisioned an Internet that empowered people, not one that made people slaves to huge central servers, especially not to huge central servers that were in the business of robbing people of their privacy.

The Internet is still based and run on the open architecture that the original creators put in place. Thus the Internet is what WE make it. I for one run my own mail, XMPP and other servers. You can too. It's not hard, it can even be fun. It is most definitely liberating.

So if Internet stores will still be around, and many, many other Internet services will be around, what are we really talking about losing in this supposed ad-blocking apocalypse? What would we lose? Twitter? (I doubt it. They have proven to be very agile and I'm sure they would adjust.) Google, Facebook, and their lot? To that I say good riddance. To me and others these companies are a cancer on the Internet that we'll be glad to see the back of. Instant messaging? Nope. There are many, many open, free and privacy respecting options that aren't based on advertising revenue. Plus it is trivial to set up an XMPP server these days and all XMPP servers can talk to other XMPP servers (if not messed up like Facebook and Google did with theirs). So that'll still be around.

As far as I can see the only thing we would lose is services that are in the business of plundering your data to make money off of you. Would this really be a loss? I say no. I personally think everyone should run ad-blocking software, for two reasons. First, the current onslaught of advertising on the Internet makes many web pages close to unusable. And second, since the advertisers have all decided to ignore the "Do Not Track" header standard, why the hell shouldn't I ignore them? Blocking ads protects my privacy and yours. If you decide to use ad-blocking, it will make websites load faster and browsers crash less often. It will save you bandwidth and other computer resources (which actually makes it a greener option). Why shouldn't you reclaim your privacy, your screen, your speed, your sanity? Because of some non-existent threat that the Internet will go away? I think not.

To help you get started here is a list of ad-blocking options. Find the ones that are right for you and start enjoying your privacy and browsing again.

UBlock - A faster more advanced blocker. Released under the GPLv3 License. It can use blocklists from Adblock Plus/Adblock Edge.
AdBlock Plus - A GPL'd (freedom respecting, Copyleft) plug-in for Firefox, Chrome and an Android app. It allows "acceptable" ads by default but you can easily turn that off.
Privoxy - A GPL'd, highly configurable HTTP proxy that you can use to protect all devices in your home. A little more technical to set up than the plug-in but once up and running all you have to do is set all your devices to use it as their proxy and they are protected.
AdAway for Android - GPL'd, requires a rooted device. I prefer it to Adblock Plus on my Android devices.
How To Block Ads via your HOSTS file - Technique works for Linux, Windows, Mac, Android, etc. The page is geared towards Windows users but the principle is the same on almost all platforms. There are links towards the bottom of the page for Linux, Mac, etc. Also there are many tools available that use this method (AdAway above is one), so you can just DuckDuckGo around to find one you like.