First signs of how Mozilla implements DRM, continued signs of how Free Software benefits all its users

Today I came across a report in Trisquel GNU/Linux’s issue tracker describing a new bug in Mozilla Firefox which, Trisquel developer Rubén Rodríguez Pérez says “allows Mozilla to install any binary into the browser, through a dedicated system of updates”.

This situation is a clear indication of how Free Software underscores one’s security and how nonfree (or proprietary) software undermines one’s security.

Background

Trisquel is a fully-free GNU/Linux operating system. The software in this system is entirely free for users to run, share, and modify at any time for any reason. Mozilla Firefox is a web browser developed by the Mozilla organization, a proponent of the Open Source development methodology which distributes Firefox as Free Software. The Free Software Foundation is a non-profit organization dedicated to informing computer users about software freedom (the freedom to use, study, copy, modify, and redistribute computer programs).

One week after the International Day Against DRM, Mozilla announced a partnership with proprietary software company Adobe to implement support for Web-based Digital Restrictions Management (DRM) in its Firefox browser. Mozilla changed Firefox so Firefox would prompt the user to install a proprietary program to decode a certain kind of video, the kind of video some video distributors such as Netflix, wish to use. Firefox will do this by looking at a list of repositories from which Firefox can download the program, download a program to do this job, and then run the program from the user’s system.

Firefox’s current implementation

We now know that this alleged “feature” is implemented in such a way that it could allow Mozilla to get the user to run any program Mozilla wants to publish (as Pérez describes). This is troubling because if the repository ever comes under the control of someone untrustworthy, the repository could be used as a distribution point for malware.

Mozilla could have chosen not to implement this at all; they could have chosen to point out the unethical underpinnings of nonfree software. The Free Software Foundation condemned Mozilla’s decision partly on this basis. But because of Mozilla’s allegiance to the Open Source development methodology which aims to not bring a user’s software freedoms or the ethics of software freedom to anyone’s attention and because of a fear of losing popularity with users for which there is no evidence, Mozilla instead praised their relationship with Adobe, a known enemy of software freedom.

But couldn’t any browser do the same? Why is Firefox uniquely worthy of mention here?

Any browser could implement the same mechanism in the same way (and for all we know other nonfree browsers already do this). But since Firefox is Free Software users have the freedom to:

  • modify the browser to not load the externally-provided binaries in the first place thus avoiding the entire issue,
  • distribute the improved freedom-respecting variant to others to help one’s community avoid the nonfree software,
  • run the improved browser whenever they want and make it a part of a wholly Free Software operating system as Trisquel is doing. The power of a better example is compelling.

These freedoms allow programmers to deliver derivatives of Firefox such as “Abrowser” which respect a user’s software freedom by effectively disabling the malware-loading code and changing the browser so it won’t introduce users to nonfree add-ons by default.

Fortunately Firefox is not the only Free Software browser out there and users of other Free Software browsers have the same freedoms. Users of nonfree browsers don’t have these freedoms and are thus at the mercy of whatever the browser developers want to allow (and whatever the programs those browsers install allow).

So the big deal is freedom of choice, right?

No. Software freedom is not freedom of choice because freedom of choice is easily turned against the user. Imagine if all the browsers a user had to choose from were nonfree. That user would have to choose amongst a variety of browsers where none of the choices were safe from this malware distribution mechanism. If a user didn’t want malware they’d have no freedom to prevent malware from being distributed to them, posing as a program purporting to offer some benefit, and running that malware without having any opportunity to vet the software or reject it.

But I’m not a programmer! I can’t vet any software. Whether the browser is Free Software or not doesn’t matter to me, right?

Software freedom should matter to all computer users because we all need to make sure our computers are safe for us to use. There’s too much Free Software out there to vet all of it ourselves, we have to rely on someone to do some vetting for us. But if we don’t support software freedom for its own sake we can’t trust anyone to review software with our interests in mind. This leaves us at the mercy of those who will do us harm by getting our computers to run malware.

How bad can this get?

In 2008 Argentinian security researcher Francisco Amato notified Apple of a remotely-exploitable hole in iTunes. Apple iTunes users had no way to know that a bogus update wasn’t coming from Apple but was instead “FinFisher”, a trojan horse program designed “to permit surreptitious PC and mobile phone surveillance” according to Brian Krebs. Apple took over 3 years to distribute a patch fixing the security update mechanism.

We can’t know what other problems await iTunes users because iTunes was and is nonfree software. Users aren’t allowed to inspect, share, or modify the program. So even if users find another problem with iTunes they can’t legally prepare and distribute an improved version of iTunes that doesn’t have the flaw. The same problem applies to all nonfree programs.

Problems like this inevitably arise when one uses nonfree programs.

What can Mozilla do instead?

Mozilla can’t and shouldn’t control which websites one visits. But Mozilla can control what Firefox presents to the user as a reasonable addition to enable some desired functionality. And this situation gives Mozilla an opportunity to educate users about the problems with DRM and the tough choice they face in delivering a browser that respects user’s software freedom even when those freedoms mean doing without Netflix. Mozilla should not make it easier for users to run nonfree software.

Free software still creating more pressure to release more free software

In or around October 26, 2011, Apple released source code to their software (called “ALAC”) for compressing and decompressing audio without any loss of audio quality. Apple chose the Apache License version 2.0 for this code which includes a patent license. This was a good thing to do because it helps users with ALAC files use free software to maintain those files. But FLOSS users already had this functionality because on March 5, 2005 David Hammerton published a simple decoder written in C under a very permissive FLOSS license based on the reverse engineering Hammerton and Cody Brocious had completed without any documentation of how the codec worked.

Hammerton and Brocious’ decoder has long been incorporated into a widely-used audio/video library (libavcodec). This code has also helped to make an Apple Lossless encoder to make Apple Lossless files. So for years popular audio/video programs based on libavcodec could handle Apple Lossless files; standalone hardware devices one could purchase at electronic shops (like Plex, XBMC, and Boxee) and popular software players like VideoLAN Client and MPlayer all take advantage of libavcodec.

The FLOSS community had achieved a high degree of interoperability without sacrificing software freedom, and done so on its own terms years before Apple contributed anything. I don’t know why Apple chose to release its code as FLOSS but I believe this is another instance where free software created pressure to release proprietary software as free software.
Continue reading

Which VPN Providers Really Take Anonymity Seriously? You’ll never know.

TorrentFreak.com asks “Which VPN Providers Really Take Anonymity Seriously?” for good reasons: people who share files are being tracked down and sued for high sums of money, far in excess of the commercial value of a copy of the work they’re accused of illicitly sharing.

To avoid being found, some users use a VPN or “virtual private network” that can effectively mask a user’s identity by passing the user’s data through another computer before the data is fed to the file sharing network. VPNs are essentially intermediaries that sit between one network and another or different sets of computers.

So TorrentFreak.net posed some questions to some VPN service providers who ostensibly provide some anonymity for their customers, and TorrentFreak.net reported the answers. But there are a few things you should know when you interpret these answers (or any other claim of online anonymity):

  • All of their claims are unverifiable. No service provider verifiably gives all comers access to all of their logs. Some providers claims to log nothing. But how would you determine whether they’re telling you the truth? How much trust can you put in a service provider with no real information about them? We face this challenge all the time: how would you know if that restaurant’s dishes are clean enough to eat from? Will your therapist really keep the details of your session a secret? It’s another gamble you’ll have to decide on your own using whatever information you choose to trust.
  • One-time verification attempts are useless without complete source code under a free license. If a service provider attempts to prove their trustworthiness by releasing some of their alleged source code, there’s no way to know if they use that code at all. Even a one-time dump of complete corresponding source code under a non-free license (such as one that allows inspection but not making derivative works) is insufficient to prove anything because code rewrites are easy enough that one could put in new code not listed before.
  • Even if you get great service today, will the service provider deliver that level of service in the future? Terms of service change. Seemingly small obscure technical decisions made by system administrators have a dramatic effect on your service. People steal equipment: is sensitive information stored anywhere such that stealing the server hardware would reveal what’s really going on? Service providers can sound promising until there’s real pressure on them from bullying nations like the United States.

Also consider the problems you’ll face with intermediaries you don’t directly do business with: the Internet is a network of networks and your VPN is only one host in the chain of computers that route your data between your computer and your intended destination. What about all of those computers that aren’t run by your trusted VPN provider? Do they log information? If so, what is logged? Who would report data in those logs to others?

It’s not easy to securely anonymize data and determine whom to trust.

Civil liberties require software freedom

FreePress.net, a media reform organization, occasionally sends out emails and hosts feedback campaigns where they ask people to contact someone in an organization which is doing something wrong. In many situations their publicity efforts are right-minded and centered on drawing attention to policy changes that can be corrected by publicizing the wrongdoing—in 2003 the FCC said they’d listen to Americans give their views on media concentration but then FCC Chairman Michael Powell said he’d attend only one hearing in Richmond, Virginia (in order to save money on hotel rooms and airline tickets), the American public was outraged. The public understood that this issue had the potential to adversely affect most citizens (regardless of political position). A series of well-attended town hall style hearings followed but Chairman Powell was absent for most of these hearings, clearly displaying his disrespect for the public’s views. FreePress.net (which started in late 2002) had begun and helped formulate a principled message illustrating why media concentration is bad news for everyone but the media conglomerates consolidating their power.

FreePress.net’s most recent campaign targets Apple Computers’ Steve Jobs, calling him out for Apple’s control over iPhone cameras and a related process Apple seeks to patent. FreePress.net’s campaign letter begins “Apple wants to control the camera on your phone.” and goes on:

The maker of the iPhone wants to patent a sensor that would detect when people are using their phone cameras to do things like film concerts — and give corporations the power to shut them down.

This is a compound statement and therefore less than clear; there are two issues bundled together here, both of which a tech-savvy organization should oppose.
Continue reading

Don’t fight your own chosen license

Occasionally you come across an informative source for information and you want to republish what you find, but you look into the licensing terms and find that the copyright holder’s opinion of how to properly interpret the license is at odds with the license text.

Consider ProPublica; an investigative journal with interesting articles and research. Their FAQ for “Can I republish one of your stories?” says yes: “Unless otherwise noted, you can republish our articles and graphics (but not our photographs) for free” and that their articles are licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 US license. But their page entitled “Steal our Stories” attempts to add bizarre requirements not found in the CC license. Adding more confusion, this page isn’t in sync with their FAQ.
Continue reading

Want to learn more about audio and video?

Monty Montgomery at xiph.org gives us the first part of A Digital Media Primer for Geeks.

It’s licensed under a Creative Commons Attribution-NonCommercial-ShareAlike (BY-NC-SA) license and there’s a discussion wiki and the entire show was edited completely with free and open source software. You will not only learn a lot about digital media but you’ll get to see it demonstrated for you knowing that everything you see you can do (and more, of course, limited only by your own imagination and will).

Enjoy the freedom.

Download

Internet Archive

Local archive

Where open source philosophy goes wrong software freedom keeps us free to share and modify

Risto H. Kurppa recently posted about a bad experience with a free software hacker when Kurppa tried to get access to the most recent revisions of an unpublished program’s source code. We aren’t told what program this is, except that source code is published with certain versions (called “release” versions, ostensibly versions the developers believe are suitable for widespread use, as opposed to other versions of the code which are primarily intended for developers) and the program’s source code is licensed under the GNU GPL version 2.

Kurppa framed the issue in terms of the open source movement: a splinter movement founded in 1998 which maintains that developmental efficiency (chiefly to benefit business) is most critical because that’s when other programmers are able to help improve software. This movement specifically eschews the philosophy of the older free software movement. The free software movement is a social movement started in 1983 which campaigns for increased social solidarity by granting and protecting specific freedoms for all computer users—running, sharing, and modifying published computer software. The Free Software Foundation has published articles (1, 2) which describe the differences between these two movements including how the open source movement’s philosophy ironically leads to short- and long-term practical disadvantages. I highly recommend reading both essays for a more complete understanding of the ethical argument free software makes and how the open source philosophy falls short.

Kurppa tried to get more recent code from the project’s maintainers and was rejected. Kurppa wrote, “So, I thought.. There’s an author not sharing his code.”. This is where Kurppa first went wrong. Kurppa wrote that this project was sharing their code but they choose to do so only for release versions. They released their code all at once with each release version and never released developer code.

Kurppa revealed the crux of the real issue later on: “To me this sounds like that the the development isn’t as efficient as it could be and this means that the software is not as good as it could be, if only some things were done in a different way.”.

This view is a direct result of the open source philosophy. The ramifications of that philosophy are best understood when considering the differences between that philosophy and the older free software movement’s philosophy. Had Kurppa looked at this situation in terms of a user’s software freedom, developmental efficiency would be prioritized lower as a detail.

It may be inconvenient to not have access to the latest source code straight from the maintainer’s computer but (it’s reasonable to guess that) nobody is being denied their software freedom here. The critical issue, the issue to get upset over, is whether a user’s software freedoms are being respected. We don’t know exactly what program Kurppa is talking about so we can’t be sure that user’s freedoms are being respected. Sadly some programs with proprietary software in them are distributed under the GNU GPL (for example, Linus Torvalds’ variant of the Linux kernel contains proprietary software which allows Linux to communicate with various hardware. Other variants of Linux such as the kernel-libre project distribute a truly free Linux kernel). Such programs are a ruse for users seeking to use their computers in freedom. Fortunately this is not a widespread problem; most GPL’d programs respect user’s software freedoms so it is highly likely that the program Kurppa is talking about does too.

There are no obligations to share a program using a particular methodology, to share source code to programs one doesn’t distribute, or to accept someone’s patches into a program. It’s convenient and nice to distribute developmental versions of programs and to integrate patches from others so many hackers can help improve the program. But these are niceties, not requirements. The ethical obligations to distribute software that respects users freedoms are at the heart of the free software movement. Focusing on software freedom helps keep our priorities straight when considering the consequences of using and sharing computer software.

Free media and free software help keep you free to run your life

Dave Cross encourages the dependence upon proprietary software by complaining that the Free Software Foundation’s recent 25th birthday video should have been distributed in non-free formats so people could see the video.

A surface analysis would reveal that proprietors support their own video formats exclusively. A deeper more significant analysis would reveal what users are left with after installing free and non-free software.

MacOS X and Microsoft Windows don’t come with all the software needed to play Flash video, Java applet-driven video, Microsoft Video codecs, or Apple’s QuickTime codecs. So when Apple distributes movies in some codec wrapped in QuickTime, only MacOS users have the software to play it. Same for Microsoft Windows users with Microsoft Video codecs. One commonly has to get additional software to play movie files. Users who install these programs are installing proprietary patent-encumbered software. Given Cross’ complaints one can only assume that this kind of onesidedness is okay despite how it leaves users in a lurch unable to play anything they come across and, more importantly, how adding the non-free movie players leaves users with non-free software.

Proprietors leave users with non-free software—software users are not free to inspect, share, or modify. If that software does something that any user doesn’t want (various bugs, failing to run in the user’s native language, spy on the user’s activities, to name a few examples), users have no legal means to alter the software to keep the functionality they like and delete the functionality they don’t like. Proprietary software takes away users’ freedom to run their computers as they wish.

But when the FSF distributes their videos in Ogg Vorbis+Theora licensed to share at least verbatim (licensing which is better than Microsoft or Apple’s licensing) they encourage users to get software to play the videos. VideoLAN Client (VLC for short), and Miro are two such programs. VLC & Miro both run on all the major operating systems (GNU/Linux, Microsoft Windows, MacOS X), both are free software, and both play a lot of audio and video files (VLC also plays DVDs). The Java applet the FSF used is also free software (it’s the same applet Wikipedia uses), so if you have Java installed you can play the video directly on the website. You’re left with free software and a movie you have license to share. The PlayOgg.org campaign can help you if you need more help acquiring or playing free media.

Playing Ogg Vorbis+Theora movie files is about to become a lot easier. Testing versions of Mozilla Firefox come with an Ogg Vorbis+Theora player built-in. Websites using the <video> HTML element will show a movie box without the need to install anything beyond Firefox. Users eager to test that software can get the latest builds and test it out. In time, Firefox’s production release (the version most Firefox users use) will feature these improvements and Firefox will ask users to upgrade to this version. This move adds pressure on other web browser developers to support Ogg Vorbis+Theora, the <video> element, and supporting Ogg Vorbis+Theora increases the chances that we’ll all be able to build our culture around free media.

Cross asks “Java was proprietary (and therefore verboten) until very recently. What did they do before that?” Before Java became free software the FSF advocated for change to eliminate dependence on non-free software and to make a free Java. The FSF wrote an essay about what they called “The Java Trap“—free software programs with non-free software dependencies such as a Java program that relied on the formerly non-free Sun Java runtime. The FSF also encouraged the development of free software Java replacements and hackers had been working on just such a thing. I maintain that it is that hard work which resulted in increased competition for Sun, Sun’s shift in policy, and relicensing their Java software to become free software.

In other words, running proprietary software doesn’t result in the creation of more software freedom. When we run more proprietary software we start to think of the proprietor’s interests as an acceptable state of affairs no matter how much the proprietor restricts our work using our computers. We might even defend their onesidedness which leaves us dependent on their software and with no media to share. When we put in the work to fight for our software freedom we’re left with software that respects our freedom to share, modify, and use.

Finally, Cross notes that “The Free Software Foundation never ever use the term “Open Source Software” as it dilutes their brand.”. The FSF’s objection to the term “open source” stems from the difference in philosophy between the free software and open source movements. Richard Stallman has written two essays on this topic (I linked to the latter but the former is linked from there), spoken about these philosophies at virtually every talk or interview he gives, and answers emails about it any time it comes up. The FSF would like to get people to think of software freedom, not the small subset of programmatic efficiency issues the phrase “open source” was coined for.

RFID: Your privacy is up for grabs

Katherine Albrecht, co-author of “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID“, has written an article for Scientific American explaining how we inadvertently consent to lose our privacy and what’s being done about it on a federal level in the US and EU.

If you live in a state bordering Canada or Mexico, you may soon be given an opportunity to carry a very high tech item: a remotely readable driver’s license. Designed to identify U.S. citizens as they approach the nation’s borders, the cards are being promoted by the Department of Homeland Security as a way to save time and simplify border crossings. But if you care about your safety and privacy as much as convenience, you might want to think twice before signing up.

The new licenses come equipped with radio-frequency identification (RFID) tags that can be read right through a wallet, pocket or purse from as far away as 30 feet. Each tag incorporates a tiny microchip encoded with a unique identification number. As the bearer approaches a border station, radio energy broadcast by a reader device is picked up by an antenna connected to the chip, causing it to emit the ID number. By the time the license holder reaches the border agent, the number has already been fed into a Homeland Security database, and the traveler’s photograph and other details are displayed on the agent’s screen.

Although such “enhanced” driver’s licenses remain voluntary in the states that offer them, privacy and security experts are concerned that those who sign up for the cards are unaware of the risk: anyone with a readily available reader device””unscrupulous marketers, government agents, stalkers, thieves and just plain snoops””can also access the data on the licenses to remotely track people without their knowledge or consent. What is more, once the tag’s ID number is associated with an individual’s identity””for example, when the person carrying the license makes a credit-card transaction””the radio tag becomes a proxy for that individual. And the driver’s licenses are just the latest addition to a growing array of “tagged” items that consumers might be wearing or carrying around, such as transit and toll passes, office key cards, school IDs, “contactless” credit cards, clothing, phones and even groceries.

Speaking of “contactless” credit cards, the Discovery cable TV channel recently scuttled an episode of “Mythbusters” (where a team of scientists explore the veracity of stories sent in by viewers) which exposes how insecure RFID tags are. Boing Boing describes the clip thusly, “Mythbusters’ Adam Savage told the folks at the HOPE hackercon about how the Discovery Channel was bullied by big credit-card companies out of airing a program about how crappy the security in RFID tags is.”.

Years ago a university research team exposed the same story showing that by merely sitting in close proximity to someone with a Mobil SpeedPass gas keychain fob you can copy the information encoded on that device through the air (the “R” in “RFID” stands for radio) and replay that information at a Mobil gas station to get gas by posing as the SpeedPass owner. It would appear that credit card companies’ lawyers are more sensitive to bad public perception than Mobil is.

Update (2008 September 8): Adam Savage now says that Discovery Channel didn’t kill the RFID episode of “Mythbusters”, the show’s production company did. CNet news quotes a statement from Savage:

“There’s been a lot of talk about this RFID thing, and I have to admit that I got some of my facts wrong, as I wasn’t on that story, and as I said on the video, I wasn’t actually in on the call,” Savage said in the statement. “Texas Instruments’ account of their call with Grant and our producer is factually correct. If I went into the detail of exactly why this story didn’t get filmed, it’s so bizarre and convoluted that no one would believe me, but suffice to say…the decision not to continue on with the RFID story was made by our production company, Beyond Productions, and had nothing to do with Discovery, or their ad sales department.”

But this doesn’t really change the story in a significant way; no matter what group of people decided to kill the RFID Mythbusters episode, it appears that that episode won’t air. Trying to keep the lid on bad decisions about how to deploy RFID technology is futile and in no way benefits the public. The public is no more secure for the silence from Mythbusters and RFID “contactless” credit cards are out there with more on the way. So ask yourself: who does benefit?

Ogg Theora+Vorbis as default for <video> scuttled in HTML5 spec. Who benefits?

Background

It’s needlessly hard to see a movie on the web because there are no widely-accepted standards for how movies should be encoded as data. Currently popular choices become unpopular later and none of them are well-documented (in a technical sense) or legally in the clear so that all browser programmers can implement them. We end up with a set of incompatible methods to do roughly the same thing.

Ogg Theora+Vorbis can change that but Apple and Nokia are fighting it. They want their preferred patent-encumbered formats to become the standard means for distributing video online. This is a real problem for anyone who can’t pay for the relevant patent licenses, which means all free software hackers.

“Ogg” is a wrapper that ties together “Theora” encoded video and “Vorbis” encoded sound. Together, Ogg Theora+Vorbis give users a way to see movies on your computer. Ogg Vorbis+Theora are not known to be encumbered by any patents (the only applicable patent on Theora’s predecessor, called “VP3″, was licensed for everyone to use in any way they want). Ogg Theora+Vorbis are implementable on nearly all modern computers. There is free software (zero-cost and freely to sharable and modifiable) to make and play Ogg Vorbis+Theora movies. Ogg Vorbis+Theora are a great basis for interoperability and a fine choice to recommend in any standard that uses multimedia files precisely because everyone can use Ogg Theora+Vorbis.

Ogg Theora+Vorbis was in the drafts for the next generation of HTML (the lingua franca of webpages) as a suggestion; nobody would have been required to implement support for Ogg Theora+Vorbis. But that didn’t stop the proprietors from complaining.

What’s the holdup?

Ian Hickson, speaking for the HTML5 working group, recently announced that he removed the suggested Ogg Theora+Vorbis language from the HTML5 specification. The replacement language says that there should be unencumbered common audio and video formats in HTML but it doesn’t suggest any specific means of accomplishing that.

How did this situation come to pass? What happened between the time this spec was drafted and now? Corporate influence, in a nutshell. Apple and Nokia’s complaints have found an ear with those working on HTML specs.

What can you do to stop this? Raise the issue far and wide with everyone, even non-technical computer users. It’s time that these issues no longer live exclusively in the realm where only geeks tread.

Continue reading