PROJET AUTOBLOG


Free Software Foundation Europe

source: Free Software Foundation Europe


FSFE Newsletter - May 2014

Monday 5 May 2014 at 01:00

Heartbleed and economic incentives

You have probably heard about the bug in the Free Software OpenSSL nicknamed "heartbleed". The FSFE already welcomed the industry initiative to fund critical Free Software projects, and the topic was discussed in several blog articles on the planet: Sam Tuke wrote about his impression, Hugo Roy shared an XKCD comic explaining how heartbleed works, and Martin Gollowitzer wrote about what the Heartbleed bug revealed to him about the StartSSL certificate authority.

But your editor is convinced that the main problem is not OpenSSL. It is not Free Software. It is about companies not taking responsibility and about missing economic incentives to ensure security. Security expert Bruce Schneier wrote in 2006:

"We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure."

In a nutshell, if your private data is exposed because your health insurance, where it is stored, did not take care to secure it, you suffer to a much higher degree than the health insurance does! You are in no position to pressure the health insurance to change its level of security, and they have no economic incentive to do so. In the article Schneier further explains that the liability for attacks is diffuse and that "the economic considerations of security are more important than the technical considerations".

Following the argument, the important question we face is how we can give the right economic incentives to ensure that:

- security-relevant software has the proper funding;
- third parties are auditing code;
- more people are trained in computer security;
- programmers have time for maintenance and are not forced to just develop new features;
- we have a diversity of software for different special purposes and therefore prevent software monocultures;
- companies run secure software instead of just giving people a good feeling by performing a security theatre or by delegating responsibility to others (for example the government), so they can be blamed if there is a problem; and
- the security interest of private users is also fulfilled, and not just that of big corporations.

In the FSFE we thought about how to give good economic incentives for Free Software development from the beginning, and now we have to think more about economic incentives to increase security. It is a difficult area, so we are looking forward to your comments on this topic and invite you to discuss it on our public mailing lists.

Internet Censorship and Open Standards

Local elections scheduled across the country for the following day, the government blocking both YouTube and Twitter, and the usage numbers of the Free Software anonymity software Tor doubling during the week. Is there a better time for the FSFE's President to go to this country? At the annual conference of the Turkish GNU/Linux Users Association in Istanbul, Karsten Gerloff talked about the relationship between technology and power, and made it to the front page of a national newspaper by mentioning who sold the software to block the internet. Karsten wrote a summary of his talk and his journey in his blog.

The talk would not have happened without our Turkish volunteer Nermin Canik, who encouraged us to attend the conference. Nermin has been working steadily and reliably as a volunteer for a couple of years now. Together with other volunteers she organised Document Freedom Day (DFD) events in Turkey. This year, although as mentioned above it was a hard time for people in Turkey who care about freedom, they accomplished 7 events in Istanbul, Ankara, Çayırova, Denizli, and Adana.

Have a look at the Document Freedom Day 2014 Report to find out what happened in Turkey and around the world during that day. The report includes lots of pictures, ranging from children celebrating DFD at school to the new leaflets, comic, and t-shirts, as well as the very delicious looking cakes. Thanks to our Turkish translator Tahir Emre and our departing intern Matti Lammi, the report and the whole DFD website are also available in Turkish and Finnish.

Something completely different

- The German association Teckids e.V. offers workshops for 10 to 16 year olds to build robots with different sensors (light, sound, or ultrasonic) and program them to do cool things by using Free Software. Your editor was delighted to see that in those workshops teenagers teach other teenagers how to tinker with Free Software. More news about education is covered by Guido Arnold in the Free Software education news.
- News from the public administration: The government of Galicia recommends use of Open Document Format, and a school in Villmergen/Switzerland is satisfied with Free Software as they can now invest more money in education.
- 143 of the politicians newly elected in France's municipal elections have pledged their support for Free Software. They all signed the Free Software Pact by the French Free Software organisation April. The FSFE congratulates them for the good job. Please notice that this month's "Get Active" item, always at the end of the newsletter, is also about the Free Software Pact and how you can help us.
- From the planet aggregation:
  - Ghostery is a browser extension supposed to help users against tracking and surveillance on the web. But as Hugo Roy reports, the problem is that Ghostery is not released as Free Software.
  - Guido Günther reports from the 7th Debian groupware meeting at the Linuxhotel, including why the participants, of whom all but one are FSFE Fellows, took the decision to remove iceowl (calendar) or what they did with icedove (e-mail).
  - Our Fellow Number 1 wrote about KDE e.V., families at Free Software meetings, especially at the meetings in Randa, Switzerland, and he made some proposals for future KDE releases.
  - Karl Beecher explains why Programmers Start Counting at Zero.
  - Carsten Agger gave a talk about Open Data and Hacktivism at the hackerspace in Aarhus. He also participated in the first International Festival for Technoshamanism. He explains what Technoshamanism is, what it has to do with Free Software, and reports from the first day.
  - Hugo Roy takes a look at the GNU GPL in a JavaScript outliner: "GNU GPL, JS and BS", and he wrote about Innovation policy and Internet liability in courts–beyond advertising, with the conclusion that "we need to take back control of innovation and technology policy to foster privacy and freedom; more than ever."
  - Konstantinos Boukouvalas wrote about the OSCAL conference in Albania (3-4 May), which is supported by Albania's Ministry of Youth and Social Welfare. The keynote there was given by FSFE's Erik Albers.
  - On a technical side:
    - Guido Arnold explains the advantages of using caff for keysigning, which is part of the keysigning-party package on Debian based systems.
    - Kevin Keijzer's new bedroom is now equipped with a new Free Software computer, and he documented how to install Debian GNU/Linux on the Acer C720 Chromebook.
    - Jens Lechtenbörger explains how to do Certificate Pinning for GNU/Linux and Android.
    - When Daniel Pocock upgraded an Android device he "found out that Android betrays the tethering data". After receiving a lot of feedback on that first blog entry, in which people justified the way mobile networks try to discriminate against tethering, he wrote a follow-up article. Also read Paul Boddie's comment about the second article. Furthermore, Daniel wrote about problems with SMS logins, how his AirBNB hosts wanted to scan his identity documents and passports, and the best real-time communication (RTC / VoIP) softphone on the GNU/Linux desktop.

Get active: Make the Free Software Pact a success!

As we wrote in March, candidates pledging for Free Software is a good way to take them at their word after an election. In future we can contact them whenever EU legislation is about to be passed that might endanger the existence or growth of Free Software.

After FSFE's volunteers did a lot of translations for the pact, April has now published all necessary information on the Free Software pact website so you can get active.

In Italy our new intern Michele Marrali already contacted 51 candidates. He searched for the candidates, used Erik's template (also available in German) to contact them, and afterwards noted on our pad whom he already contacted. His goal is to contact every Italian candidate and get them to sign the pact. So how many can you contact?

In case you do not have time to participate in this "hobby lobby competition", consider making a donation so we can offer the most active volunteers some rewards from our shop.

Thanks to all the volunteers, Fellows and corporate donors who enable our work, Matthias Kirschner - FSFE

Support FSFE, join the Fellowship
Make a one time donation

FSFE welcomes industry initiative to fund critical Free Software projects

Thursday 24 April 2014 at 01:00

Today the Linux Foundation announced the "Core Infrastructure Initiative" to fund and support Free Software projects that are critical to the security of Internet users. The first project to receive funding will be OpenSSL, which is used for secure data transportation by millions of websites. FSFE welcomes this initiative.

"Free Software is the foundation on which today's technology companies are built," says Karsten Gerloff, President of the Free Software Foundation Europe. "It is good to see these companies step up and contribute to improving the software on which they, and their users, depend for their security."

The crisis related to the recent "Heartbleed" bug in the OpenSSL program has made it clear that some widely used Free Software projects are not receiving support that is commensurate with their importance. The Core Infrastructure Initiative is a welcome step towards changing this.

"Technology companies are wise to treat these Free Software projects as important suppliers," says Gerloff. "This initiative highlights one of the great things about Free Software: It helps to align the particular interests of a limited number of actors with the public interest."

Besides OpenSSL, a number of other Free Software projects that are critical to the everyday security of Internet users and businesses would benefit from greater support. FSFE hopes that the Core Infrastructure Initiative will make a long-term contribution to improving the software that projects such as GnuPG provide to the public.


FSFE Newsletter - April 2014

Friday 4 April 2014 at 01:00

Document Freedom Day: Open Standards explained to grandpa

Although more and more business people and politicians understand the importance of Open Standards, people do not see the connection with their daily lives. That is why on 26 March we organised Document Freedom Day (DFD). This year we had new materials: new leaflets in different languages explaining Open Standards, and a new comic that explains why you should use Open Standards if you do not want to have problems with your files as you grow older.

At least 51 events took place in 22 countries, organised by a great many independent groups. FSFE volunteers in the United Kingdom presented an award to the OpenStreetMap Foundation in Birmingham, while Werner Koch took part in an event on Open Standards in cryptography at the European Parliament. Our local group in Linz organised an information booth in the city centre and, in the evening, a talk on Open Standards at the university. At the Vienna booth our volunteers had some problems with the artist of a monument, but they still managed to hand out a great many leaflets and were able to inform four friendly police officers about Free Software and Open Standards. Our DFD team is still collecting feedback from the various events of Document Freedom Day week and will publish a full report during April.

European institutions admit to being captive to Microsoft

In a recent letter to MEP Amelia Andersdotter (PDF), the European Commission acknowledges that it is in a state of "effective captivity" to Microsoft. As the FSFE has pointed out on many occasions, this is a persistent problem for the Commission, the Council and the Parliament. For Document Freedom Day, the FSFE and Open Forum Europe sent an open letter to the European Parliament and the European Commission which highlights this lock-in to Microsoft.

Use of Free Software in the education sector in the Netherlands

The Free Software in education news for February is out, with an update on the NLEdu campaign: Kevin reports that the sales director of SchoolMaster, the largest Dutch supplier of student administration software, has confirmed that an independent HTML5 version will be launched in April. It will replace the Silverlight version. This could be the success of the NLEdu campaign, as it would allow Free Software users to access course materials with any standard browser. Kevin Keijzer has published detailed information on this issue.

Something completely different

- For the European Parliament elections from 22 to 25 May, the FSFE supports April's Free Software Pact and EDRi's WePromise.Eu campaign. Our volunteers are working on translations and on promoting these campaigns.
- Karsten Gerloff took part in the first meetings of the Asian Legal Network in Hong Kong. Most of those present were representatives of technology companies from Taiwan, China, Hong Kong and Korea. A series of round tables was organised jointly by the FSFE, the Open Invention Network and the Linux Foundation. Inspired by the legal network that the FSFE has been facilitating since 2006, this new network has the same goal: to enable legal experts to share their knowledge about Free Software.
- The FSFE welcomes its new Fellowship representative Stefan "Penny" Harmuth to the General Assembly.
- PDFreaders: Heiki explains why we had to remove SumatraPDF from pdfreaders.org: it includes non-free code.
- Local FSFE Fellowship meetings: Guido Arnold reports on the meeting in Frankfurt and gives the dates of upcoming events in Wiesbaden, Bad Homburg and, of course, Frankfurt. Thanks to Simon Wächter from our Zürich group for summarising the monthly Fellowship meetings after a period of inactivity.
- After several years, our education team coordinator Guido Arnold finally visited the Chemnitzer Linuxtage. As in previous years, the FSFE had a booth and handed out our new Free Software leaflets for beginners, which were written by our Vienna Fellowship group for a vegetarian festival and are now available printed in English, German and French, and for printing in Finnish. In addition, your editor gave a talk on the threats to the general-purpose computer.
- We welcome the OSB Alliance's publication of a guide explaining how to procure Free Software in the German public administration.
- During LibrePlanet 2014 the Free Software Awards were presented to the GNOME Foundation's "Outreach Program" for women and to Matthew Garrett for his work on making Secure Boot compatible with Free Software. Dan Fritzmartin documents how to make a video for LibrePlanet using only Free Software.
- Free Your Android: Paul Kocialkowski of Replicant found a backdoor in the Samsung Galaxy. Put simply, these devices have a proprietary user-space program that accepts requests from the proprietary baseband firmware to modify the file system. By replacing the user-space program with a free one, Replicant can close this backdoor; of course, the proprietary modem firmware may still have enough control over the device to do a lot of harm.
- South Tyrol will increase its use of Free Software, its governor Arno Kompatscher has announced.
- The European Parliament wants its IT department to revive its GNU/Linux pilot. On Tuesday, the European Parliament's Budgetary Control Committee accepted the request by MEPs Bart Staes and Amelia Andersdotter to relaunch the GNU/Linux pilot that had been shelved in 2012.
- From the planet:
  - Launch a call for papers, pick a few talks, publish a programme, book a venue, sell some tickets, have fun: basically that is all it takes to organise a conference, isn't it? In theory maybe; in practice, not really. Fellow Isabel Drost-Fromm shares her experience of organising events so that others can enjoy them, for example how raising the ticket price correlates with your hours of sleep.
  - Hugo Roy considers himself a Turing complete user. He refers to an essay by Olia Lialina, which we recommend. In the same vein, if you do not yet know revealing errors by Benjamin Mako Hill, it is worth a look.
  - Henrik Sandklef writes about what education is and looks for a strategy to teach programming to beginners.
  - Nikos Roussos writes that doing things in a distributed way is hard and explains why centralisation happens. Although it takes effort and determination, he argues that it is possible to build a distributed internet together. He also documented how to build and maintain Popcorn Time from source.
  - Jens Lechtenbörger explains how he pins his certificates in GNU Emacs.
  - Timo Jyrinki, from our Finnish team, describes the problems of migrating to Qt 5.2.1 in Ubuntu, which involve around 130 source packages.
  - Franz Grazer published an article asking: Do we need DRM? It argues that Free Software should not get involved with DRM because it exists to lock things down.
  - Matija documented how to write your Pelican-powered blog using OwnCloud and WebDAV and reports his first results from testing shaving with oil and a DE razor blade.

Get active: The right not to pay for non-free software

Edward Snowden's revelations about mass surveillance of communications demonstrate the need for everyone to be able to control their computer and their phone. Yet computer and phone manufacturers, as well as retailers, impose on users programs that endanger their privacy.

Everyone must therefore have the possibility to refuse to pay for non-free software and be able to choose the programs that run on their phone or computer, in our case to be able to choose a free operating system and Free Software.

We have joined organisations from all over the world in their demand for a free, unhindered choice of operating system on phones, computers and any other computing device.

This month we ask you to sign the international petition and help us promote it!

Thanks to the volunteers, Fellows and donors who make our work possible, Matthias Kirschner - FSFE


CCC and FSFE: German Federal Network Agency must improve

Friday 28 March 2014 at 00:00

After multiple public hearings and political debates, the German Federal Network Agency (BNetzA) presented a set of proposed regulations (German) that would eliminate compulsory use of particular routers and improve the transparency of telecommunication firms for customers. Compulsory routers tie customers to a device provided by the ISP. The Free Software Foundation Europe (FSFE), Chaos Computer Club (CCC), and the project leadership of IPFire and OpenWrt, as well as other experts, reviewed these regulations and gave comments to the BNetzA (German).

The ideas of the BNetzA, responsible for maintaining and promoting competition in the network marketplace, are welcome in principle. The ISP will need to collect fundamental information such as technical functions on a product datasheet, and end users can request the login credentials for the device. This should eliminate the compulsory use of particular routers.

It is not clear, however, why the BNetzA wants to leave the burden of requesting the access data on the user, instead of recording this on the proposed data sheet. Even the grand coalition (a coalition between the political parties CDU/CSU and SPD) has clearly demanded otherwise in its coalition agreement. Then, the end users would be in possession of the login credentials necessary to use an alternative router without explicitly asking.

"If the burden to request this information is on the user, the BNetzA hardly has the ability to check the ISP's responsiveness in providing it. Then delays could continue, supported by unrepresentative individual cases. The users would have even more complications than before", says Matthias Kirschner, vice-president of the FSFE. "To that end, the login credentials for all available services must be known to the customer, unrequested, from the beginning of the contract, as even the government coalition demanded."

Thus, unambiguous phrases must be added so that ISPs cannot find any loopholes. For example, the protocols used by the device must also be known for full interchangeability.

"Without requiring the ISP to provide the login credentials and to be transparent about services and protocols, ISP routers would still be de facto compulsory. Murky phrases and the requirement of requesting the information would reduce the customers to suppliants," says Frank Rieger, spokesperson for the CCC.

Even the definition of a network termination point is not well-defined, in spite of a hearing called for that purpose, at which the FSFE made a statement.

Additionally, the testing process that ISPs will have to offer in the future needs improvement. According to the BNetzA's plans, the mechanism and details of the testing only need to be shared with the authorities, and not with individual customers. This artificially limits the intended transparency and prevents the process from being evaluated by users and independent specialists.

The regulations can only fulfill their purpose if the BNetzA improves the evaluation method for compulsory routers and transparency. Only then will the demands of the coalition agreement be met. Anything else would only open more loopholes, through which customers could be further coerced and discriminated against.


Open Letter to EU institutions: Time to support Open Standards

Wednesday 26 March 2014 at 00:00

In an open letter to the European Parliament and the European Commission, Free Software Foundation Europe and Open Forum Europe are asking the European institutions to improve their support for Open Standards. The letter is directed to Giancarlo Vilella, the president of the European Parliament's DG ITEC and chair of the Inter-Institutional Committee for Informatics.

In a recent letter to MEP Amelia Andersdotter, the EC acknowledges that it is in a state of "effective captivity" to Microsoft. As FSFE has pointed out repeatedly, this is a persistent problem for the Commission, the Council and the Parliament.

"Recognising a problem is always the first step towards solving it. We appreciate the Commission's newfound frankness on the subject," says FSFE's president Karsten Gerloff. "Along with Europe's citizens and the continent's software industry, we now expect the Commission to take action and free itself from this captivity."

The letter also raises the issue of video formats. Currently, it is difficult or impossible for Free Software users to follow the proceedings of the Parliament and the Council in real time, because the live video streams of these organisations rely on proprietary technology. This is a problem which OFE and FSFE have highlighted for many years.

"This would be a comparatively simple measure for the European institutions to improve the transparency of their work for ordinary citizens," says Gerloff. "We fail to understand why there has not been more progress on this issue over the past six years."
