Free Software Foundation News

source: Free Software Foundation News

The Free Software Foundation seeks nominations for the 19th annual Free Software Awards

Tuesday, October 11, 2016 at 20:30

Award for the Advancement of Free Software

This award is presented annually by FSF president Richard Stallman to an individual who has made a great contribution to the progress and development of free software, through activities that accord with the spirit of free software.

Individuals who describe their projects as "open" instead of "free" are eligible nonetheless, provided the software is in fact free/libre.

Last year, Werner Koch was recognized with the Award for the Advancement of Free Software for his work on GnuPG, the de facto tool for encrypted communication. Koch joined a prestigious list of previous winners including Sébastien Jodogne, Matthew Garrett, Dr. Fernando Perez, Yukihiro Matsumoto, Rob Savoye, John Gilmore, Wietse Venema, Harald Welte, Ted Ts'o, Andrew Tridgell, Theo de Raadt, Alan Cox, Larry Lessig, Guido van Rossum, Brian Paul, Miguel de Icaza, and Larry Wall.

Award for Projects of Social Benefit

Nominations are also sought for the 2016 Award for Projects of Social Benefit.

This award is presented to the project or team responsible for applying free software, or the ideas of the free software movement, in a project that intentionally and significantly benefits society in other aspects of life.

The award recognizes projects or teams that encourage people to cooperate in freedom to accomplish tasks of great social benefit, and those that apply free software ideas and lessons outside the free software community. A long-term commitment to one's project (or the potential for a long-term commitment) is crucial to this end.

This award stresses the use of free software in the service of humanity. The FSF has deliberately chosen this broad criterion so that many different areas of activity can be considered. However, one area that is not included is that of free software itself. Projects with a primary goal of promoting or advancing free software are not eligible for this award (the FSF honors individuals working on those projects with its annual Award for the Advancement of Free Software).

The award committee will consider any project or team that uses free software or its philosophy to address a goal important to society. To qualify, a project must use free software, produce free documentation, or use the idea of free software as defined in the Free Software Definition. Projects that promote or depend on the use of non-free software are not eligible. Commercial projects are not excluded, but commercial success is not the metric for judging projects.

Last year, the Library Freedom Project received the award. A partnership among librarians, technologists, attorneys, and privacy advocates which aims to make real the promise of intellectual freedom in libraries, the Library Freedom Project teaches librarians about surveillance threats, privacy rights and responsibilities, and offers digital tools to stop surveillance, all with the aim of creating a privacy-centric paradigm shift in libraries and the local communities they serve. Notably, the project helps libraries launch Tor exit nodes.

Other previous winners have included Reglue, the GNOME Outreach Program for Women (now Outreachy), OpenMRS, GNU Health, Tor, the Internet Archive, Creative Commons, Groklaw, the Sahana project, and Wikipedia.

Eligibility

In the case of both awards, previous winners are not eligible for nomination, but renomination of other previous nominees is encouraged. Only individuals are eligible for nomination for the Advancement of Free Software Award (not projects), and only projects can be nominated for the Social Benefit Award (not individuals). For a list of previous winners, please visit https://www.fsf.org/awards.

Current FSF staff and board members, as well as award committee members, are not eligible.

Winners will be decided by a committee to be announced, including several previous winners. Last year's committee was:

Instructions

After reviewing the eligibility rules above, please click on the links below to submit your nominations. All nominations need to be submitted before Sunday, November 6th, 2016 at 23:59 UTC.

Information about the previous awards can be found at https://www.fsf.org/awards. Winners will be announced at an awards ceremony at the LibrePlanet conference, March 25-26 2016, in the Boston area.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software -- particularly the GNU operating system and its GNU/Linux variants -- and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

Media Contacts

Georgia Young
Program Manager
Free Software Foundation
+1 (617) 542 5942
campaigns@fsf.org

LibrePlanet returns March 25-26, 2017, call for proposals for annual free software conference now open

Tuesday, September 27, 2016 at 20:58

LibrePlanet is an annual conference for free software enthusiasts. The conference brings together software developers, policy experts, activists and computer users to learn skills, share accomplishments and face challenges to software freedom. Newcomers are always welcome, and LibrePlanet 2017 will feature programming for all ages and experience levels.

This year, the theme of LibrePlanet is "The Roots of Freedom." This encompasses the historical "roots" of the free software movement -- the Four Freedoms, the GNU General Public License and copyleft, and a focus on strong security and privacy protections -- and the concept of roots as a strong foundation from which the movement grows.

"LibrePlanet is an impactful, exciting free software conference. Attendance has grown each year, yet the community-minded atmosphere has grown even stronger," said John Sullivan, executive director of the FSF.

Call for Sessions

"We are looking forward to session proposals from people around the world, at all levels of speaking and technical experience. LibrePlanet features developers, users, students, activists, policymakers, and others. The free software movement depends on them all, and LibrePlanet 2017 will highlight their contributions," said Georgia Young, program manager at the FSF.

Call for sessions applications are currently being accepted and are due by Wednesday, November 14th, 2016 at 18:59 EST (23:59 UTC).

About LibrePlanet

LibrePlanet is the annual conference of the Free Software Foundation. What was once a small gathering of FSF members has grown into a larger event for anyone with an interest in the values of software freedom. LibrePlanet is always gratis for associate members of the FSF. To sign up for announcements about LibrePlanet 2017, visit https://www.libreplanet.org/2017.

LibrePlanet 2016 was held at MIT from March 19-20, 2016. Over 370 attendees from all over the world came together for conversations, demonstrations, and keynotes centered around the theme of "Fork the System." You can watch videos from last year's conference at https://media.libreplanet.org/u/libreplanet/tag/libreplanet-2016/, including the opening keynote, a conversation with NSA whistleblower Edward Snowden.

Media Contacts

Georgia Young
Program Manager
Free Software Foundation
+1 (617) 542-5942
campaigns@fsf.org

FSF Job Opportunity: Senior GNU/Linux Systems Administrator

Friday, September 23, 2016 at 22:24

This position, reporting to the executive director and working closely with the president, is an opportunity to make key contributions to the organization that started the GNU Project, launched the free software movement, and authored the GNU General Public License. The position is part of a technical team including a counterpart Senior Systems Administrator, a Web Developer, and many volunteers, tasked with maintaining and improving the FSF's technology infrastructure.

The ideal candidate will be a well-rounded GNU/Linux systems administrator who thrives on constant broad-based learning and problem-solving. They will also be familiar with the free software community and how it works; the position includes frequent contact and collaboration with volunteers and many GNU developers. Together, the Senior Systems Administrators have a great deal of influence over technology decisions within the FSF, and do crucial work empowering thousands of others to develop free software.

Examples of job responsibilities include, but are not limited to:

Applicants should have an undergraduate degree in a related field, at least five years of experience as a GNU/Linux systems administrator, and highlight their familiarity with any of the following:

Because the FSF works globally and seeks to have our materials distributed in as many languages as possible, multilingual candidates will have an advantage. With our small staff of thirteen, each person makes a clear contribution. We work hard, but offer a humane and fun work environment at an office located in the heart of downtown Boston. The FSF is a mature but growing organization that provides great potential for advancement; existing staff get the first chance at any new job openings.

Benefits and Salary

This job is a union position that must be worked on-site at the FSF's downtown Boston office. The salary is fixed at $62,587/year and is non-negotiable. An on-site interview will be required with the executive director and other team members. Other benefits include:

Application Instructions

Applications must be submitted via email to hiring@fsf.org. The email must contain the subject line "Senior Systems Administrator." A complete application should include:

All materials must be in a free format. Email submissions that do not follow these instructions will probably be overlooked. No phone calls, please.

Applications will be reviewed on a rolling basis until the position is filled. To guarantee consideration, submit your application by Tuesday, October 11, 2016, 9:00am EDT.

The FSF is an equal opportunity employer and will not discriminate against any employee or application for employment on the basis of race, color, marital status, religion, age, sex, sexual orientation, national origin, handicap, or any other legally protected status recognized by federal, state or local law. We value diversity in our workplace.

Free Software Foundation statement on 2016-09-16

Saturday, September 17, 2016 at 05:05

This morning, an open email circulated in which the author said that the Free Software Foundation ended a relationship with one of our employees for discriminatory reasons.

Although it is our usual policy not to comment publicly on internal personnel matters for privacy reasons, we felt it necessary to state unequivocally that the allegations made in that email are untrue.

It is part of our job to celebrate and improve the diversity of the free software world. We have strong anti-discrimination and anti-harassment policies to help provide a safe and supportive working environment. We uphold a safe space policy at all FSF events, and we provide scholarships to help people of different identities, and from different regions, attend. The FSF's mission is to defend the freedom of all computer users.

While we understand that it is difficult whenever an employment relationship ends, the suggestion that the separation was a result of discriminatory animus is unfounded. In the interest of protecting the privacy of all involved, we expect this to be our last public statement on the matter. We wish our former employee the best in all future endeavors.

Free Software Foundation stresses necessity of full user control over Internet-connected devices

Friday, September 9, 2016 at 21:09

Most IoT systems consist of three components:

1) The "smart" device itself, capable of communicating via a protocol such as Z-Wave, Zigbee, Bluetooth or IEEE 802.11, running either a full operating system (commonly based on the kernel Linux) or an embedded OS designed for this purpose.

2) A remote service provided by the device manufacturer. The smart device communicates with this service in order to provide information about its current state and in order to provide an interface for users to control the device.

3) An application designed for mobile platforms which interacts with the remote service and allows control of the smart device regardless of whether the user is currently located near the device or not.

Devices that use the Zigbee or Z-Wave protocols also typically require a local "hub," a device running interface software that bridges the devices to the remote service.

There are multiple significant security concerns around this design pattern. The first is that either the smart devices themselves or the hub that they communicate with require Internet access. Depending on local network configuration, this may result in the devices being visible to the public Internet. These devices inherently provide a service of some description in order to permit their integration with the remote services, but frequently also provide additional services for directly local communication and often include further unnecessary services used for diagnostics during the design and production stage (such as MicroCell -- the same backdoor was present on a series of baby monitors shipped by a major manufacturer).

These devices are often locked down in such a way that it is impossible for the user to replace the software that they run. These devices are also often abandoned by their manufacturers after a short space of time due to them being either discontinued or replaced by newer devices. Users who continue using these devices are thus at significant risk, without any real chance of security updates being made available and frequently without any notification that any security issues have been identified. If any issues are identified, then without the permission of the manufacturer it is impossible for any third party to provide aid to said users.

This concern is frequently mitigated by typical home network setups that restrict external access to internal devices. But smart devices inherently require external access to be possible, and this functionality is provided by the remote service. The smart device connects to the remote service and awaits commands -- users in turn connect to the remote service and send commands.

These remote services are themselves frequently insecure. Authentication details are often sent in plaintext, allowing anyone who can observe network traffic to obtain credentials. Some systems involve no authentication at all (for instance). This makes it possible for a malicious individual to gain control over home devices, in some cases potentially even being able to execute arbitrary code on said devices and gain access to the internal network.

If vendors are unwilling or unable to fix these security issues, users are left in an unfortunate position. They can either retain the convenience provided by the smart devices they paid for, or they can remove them and attempt to obtain a refund. The worst case scenario is perhaps when the vendor unilaterally decides to shut down the remote service, rendering the devices useless.

Another consideration is the behavior of the manufacturer itself. Manufacturers may not always act in the interests of their customers, doing things ranging from invasive collection of personal data to intrusive advertising or even disabling device functionality remotely. Even if ostensibly permitted by terms of service, users should be able to protect themselves against such scenarios.

There is an alternative. Third-party free software alternatives to the pre-installed software are common in certain market segments, such as home routers (libreCMC, OpenWrt and DD-WRT, for instance). Security vulnerabilities can be mitigated by replacing the original software with a functional equivalent provided by a third party. Unfortunately, many IoT devices are designed such that the software can only be replaced by the manufacturer. The software will only communicate with the manufacturer's remote service -- no third party can provide a functional equivalent.

To ensure that users do not end up in a situation where they are left choosing between security and convenience, or left with no ability whatsoever to use the devices they bought, it is vital that these devices be ultimately under the control of the user. The user should be able to replace the software on the device in order to fix security vulnerabilities. The user should be able to modify the software on the device such that it communicates with a different remote service that provides strong security guarantees. The user should not be left with no option other than to discard the device and replace it with a new version.

In order for this to be possible, it is necessary to know how the devices communicate with the remote server. Unfortunately this is frequently in the form of a proprietary protocol that lacks any public documentation, and as such it is a significant engineering effort for anyone to implement a replacement service. Several well-known protocols exist for controlling remote devices (such as MQTT) and re-using these rather than proprietary protocols makes it easier to both identify whether any security issues exist (being forced to reverse engineer a protocol may result in missing subtle aspects that cause security issues) and provide alternative implementations in the event of significant security flaws being discovered or the vendor choosing to cease support of the remote services.
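Because MQTT is publicly documented, a device owner can check what a device actually sends to its remote service. The following is an added example, not part of the FSF statement: it parses an MQTT 3.1.1 CONNECT packet captured on one's own network and reports the two problems named earlier, credentials sent in cleartext and no authentication at all. The sample packet and the names `parse_connect`, `audit` and `ConnectInfo` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

class MalformedPacket(ValueError):
    """The bytes are not a well-formed MQTT 3.1.1 CONNECT packet."""

@dataclass
class ConnectInfo:
    client_id: str
    username: Optional[str]
    has_password: bool  # the password value itself is never kept

def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the 1-4 byte variable-length 'remaining length' field."""
    value = 0
    for i, byte in enumerate(buf[pos:pos + 4]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise MalformedPacket("truncated or over-long remaining length")

def _field(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one field with a 2-byte big-endian length prefix, bounds-checked."""
    head = buf[pos:pos + 2]
    end = pos + 2 + int.from_bytes(head, "big")
    if len(head) < 2 or end > len(buf):
        raise MalformedPacket("truncated field")
    return buf[pos + 2:end], end

def parse_connect(packet: bytes) -> ConnectInfo:
    if not packet or packet[0] != 0x10:
        raise MalformedPacket("not a CONNECT packet")
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise MalformedPacket("packet shorter than declared length")
    name, pos = _field(body, 0)
    if name != b"MQTT" or pos + 4 > len(body) or body[pos] != 4:
        raise MalformedPacket("not MQTT 3.1.1")
    flags = body[pos + 1]                 # connect flags; keep-alive follows
    client_id, pos = _field(body, pos + 4)
    if flags & 0x04:                      # will flag: skip topic and message
        _, pos = _field(body, pos)
        _, pos = _field(body, pos)
    username = None
    if flags & 0x80:                      # user name flag
        raw, pos = _field(body, pos)
        username = raw.decode("utf-8", "replace")
    if flags & 0x40:                      # password flag: field must be present
        _, pos = _field(body, pos)
    return ConnectInfo(client_id.decode("utf-8", "replace"), username, bool(flags & 0x40))

def audit(packet: bytes, transport_is_tls: bool) -> List[str]:
    """Findings for one CONNECT captured on the owner's own network."""
    info = parse_connect(packet)
    if info.username is None and not info.has_password:
        return ["no credentials: confirm the service authenticates the device another way"]
    if not transport_is_tls:
        return ["credentials sent in cleartext: require TLS to the service"]
    return []

# Constructed sample: client id, user name and password are made up.
SAMPLE = (b"\x10\x29" b"\x00\x04MQTT\x04\xc2\x00\x3c"
          b"\x00\x0dthermostat-01" b"\x00\x05owner" b"\x00\x07hunter2")
```

A proprietary protocol would first have to be reverse engineered before any such check could be written, which is the cost the paragraph above describes.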

To that end, we encourage the adoption of practices that:

a) Ensure that documented and freely-implementable (rather than patent-encumbered) protocols be used for communication between smart devices and remote services, and

b) Ensure that owners of smart devices are able to replace their software with implementations provided by either themselves or third parties in order to prevent the vendor being a single point of failure in either service

c) Strongly encourage the use of free "as in freedom" software throughout the entire stack, making it easier for security researchers to identify issues, third parties to provide alternative implementations and users to retain as much control as possible over devices that will become increasingly integrated into their homes and lives.

Matthew Garrett is a member of the FSF's board of directors.

This was submitted in response to the Commission on Enhancing National Cybersecurity request for information about current and future states of cybersecurity in the digital economy.