Notices by Mike Gerwitz (mikegerwitz@social.mikegerwitz.com), page 4
-
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Wednesday, 28-Jun-2017 03:30:53 UTC Mike Gerwitz
A reminder that this latest ransomware attack (#Petya) is made possible by #NSA-developed exploits #ETERNALBLUE and #ETERNALROMANCE (the former used in #WannaCry)---exploits that the government decided to hoard as 0days instead of notifying Microsoft to fix the issues. Instead of helping to protect the United States and its allies, it has made us far less safe. Petya and WannaCry are products of its negligence.
This issue goes back to the #VEP (the Vulnerabilities Equities Process)---the supposed process that is used by the government to determine whether to disclose or weaponize exploits. If WannaCry didn't spur enough discussion, let's hope this does.
https://social.mikegerwitz.com/url/7904 -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 06-Jun-2017 17:44:42 UTC Mike Gerwitz
@moshpirit I'm probably missing part of this thread---I'm not sure where the iPhone came into this.
I could never recommend buying the iPhone---it is proprietary and aggressively works against users' interests; they're notorious for user puppetry and lockin. They do express interest in user privacy, and it looks great and draws a lot of praise on the surface, but it's shallow---it doesn't erase all the other problems with iOS and Apple.
Do I think they do better by user privacy and security than, say, Microsoft? Certainly. But we're still comparing two rotten apples.
Some resources are here:
https://www.gnu.org/proprietary/malware-apple.html
@vinzv -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 06-Jun-2017 03:07:45 UTC Mike Gerwitz
#GnuPG fundraising campaign:
https://gnupg.org/donate
It is disappointing how some of the world's most essential and widely used programs struggle to get funds. GPG was even worse off a couple years ago before the ProPublica article. For those who don't remember:
https://social.mikegerwitz.com/url/23794 -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 03-Jun-2017 05:02:30 UTC Mike Gerwitz
#GNU is more than just a collection of software; it is an operating system:
https://www.gnu.org/gnu/thegnuproject.html
Many hackers and activists within the free software community don't understand this well, and it's a shame to see attacks on GNU's relevance (as measured by programs written by GNU on a given system) going unchallenged. Software for GNU was written by the GNU Project when a suitable free program was not available. It wouldn't have made sense to write everything from scratch if free programs already solved the problem.
When we say GNU/Linux, we really are referring to the GNU operating system that just happens to be using Linux. It could be using the FreeBSD kernel (GNU/FreeBSD). It could be using a Windows kernel with a Linux API (GNU/kWindows). It could be using the Hurd (GNU/Hurd). The disambiguation is important, but the end result is pretty much the same.
There are many systems that use Linux that are not GNU. Android is not GNU, for example. We shouldn't attempt to call those systems "GNU/Linux" blindly. (Also note how it's called "Android", not "Android/Linux", or just "Linux". Somehow GNU is controversial, though.)
So if you see someone challenging GNU's relevance because GNU/Linux contains so much software that isn't part of a GNU package, then please provide the above link, and kindly explain to them that their observation is correct, because GNU is an operating system, not a collection of programs. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 18-May-2017 03:17:33 UTC Mike Gerwitz
@fsf I caution against that argument, as it hinges entirely on a legitimate (bug) security vulnerability---it could have happened with GNU/Linux systems as well. It made use of ETERNALBLUE which exploits a Samba flaw (now known as CVE-2017-0144). It's unfortunate, but the conversation would naturally degrade to Linus's Law, which itself is a faulty open source argument---one could use Heartbleed and Shellshock to counter (where the single points of failure are two of the most widely used free software projects in the world).
Microsoft had even released a fix, but people didn't upgrade. That's a problem regardless of whether software is free.
While it's tempting to poke holes in our enemies, I can't find a good excuse to attack Windows for being exploited by ETERNALBLUE or WannaCry. But I'd be more than happy to attack it for many of the other points your link mentions (https://www.fsf.org/windows). One big difference between exploiting Windows vs. GNU/Linux is that Windows already is a virus---it didn't need WannaCry to hold its users for ransom. ;) -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 04-May-2017 03:16:15 UTC Mike Gerwitz
Want to help #Doxygen implement #LibreJS-compatible license information in documentation output? Or what about helping out the US Copyright Office for part of their online DMCA designated agent registration system?
https://lists.gnu.org/mailman/private/js-devs-task-force/2017-May/thread.html -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 20-Apr-2017 06:47:07 UTC Mike Gerwitz
Hmm...my GNU/Linux system doesn't exfiltrate _any_ of this stuff; I fear that my system must not be "secure" and may not be "operating properly"!
https://technet.microsoft.com/itpro/windows/configure/windows-diagnostic-data
(But in all seriousness, what the FUCK!)
#WindowsWasMyIdea #privacy #security -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Wednesday, 29-Mar-2017 02:14:37 UTC Mike Gerwitz
The @FSF has already posted some of the #LibrePlanet 2017 talks! I have some watching to do. Here's mine:
https://social.mikegerwitz.com/url/17200
Re-reading the description, I regret that I wasn't able to really touch on a topic in the description directly---"policy and the crypto wars"; specifically, the modern government concern of "going dark". I did touch on it indirectly, but I didn't have the time to include much more. I'll be sure to provide resources once I upload everything. Again, I avoided all but mentions of crypto in the talk. (There would have been interesting ones; the Stingray, for example, is able to MitM GSM connections for wiretapping using a downgrade attack to crack in real-time.) -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Sunday, 26-Mar-2017 00:02:46 UTC Mike Gerwitz
Yesterday at the @fsf's office I met a fine gentleman who was helping me prepare name tags / lanyards for the conference. He was modest enough that I feel like I only got information out of him by asking the right questions, and because I inquired about how close he and rms were (Richard had come into the office and asked him to do lunch/dinner some time).
That person was Alexandre Oliva, and tonight rms presented him with the annual award for the Advancement of Free Software. He was brought to tears, and expressed that he was glad to know that he made a difference. I wish I remembered his words directly---he stated that he wasn't sure if he _had_ made a difference. It was hard not to share emotion with him. Richard had to ask the audience to stop their standing ovation so that Alex could continue talking.
Yesterday I mentioned that one of the biggest things missing with online communities is small talk---those random encounters that might only last moments, but yield relationships that are otherwise unlikely. This is an excellent example; I may have otherwise never gotten to know him. I've gotten to know many others here well, and everyone has had interesting stories to tell, big or small, free software hacker or not.
#LibrePlanet -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Tuesday, 28-Feb-2017 05:05:42 UTC Mike Gerwitz
#OrgMode is amazing.
We already knew that, but it's worth repeating. No context needed. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 04-Feb-2017 05:02:01 UTC Mike Gerwitz
Ah, a Replicant 6.0 status update!
http://blog.replicant.us/2017/02/replicant-6-0-development-updates/
Exciting! -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Wednesday, 01-Feb-2017 05:21:22 UTC Mike Gerwitz
@arunisaac It serves a static CAPTCHA in an iframe, which returns a token when submitted (if correct). You manually copy and paste that token into a textarea below the iframe, and submit that.
At least that's how it used to work---it's hard to tell now what CAPTCHAs I'm being served. I'm usually dealing with CloudFlare now, which uses some sort of Google CAPTCHA, and does the same thing. This is usually a grid of images and you check whichever ones it asks for.
[Aside: I used someone else's computer recently and saw what happens when JavaScript is enabled (I had never seen it before). It asked me to click to verify that I'm not a robot or w/e, but then asked me to select from a grid of images. But it was _harder_ to solve than the non-JS, static version: you'd select images and they'd disappear and new ones would show. So rather than 3 or 4 images, I was selecting what must have been close to 10. I guess sometimes it just works without asking the user to select images.] -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Sunday, 01-Jan-2017 05:18:47 UTC Mike Gerwitz
I'm used to !privacy. I'm used to evading tracking online. If there are data I want to provide to someone, I'm used to explicitly choosing to provide it, or choosing not to prevent certain data from being collected.
I clicked on a link in an e-mail today on my mobile device (only very select, unimportant messages are sent to that device) having forgotten to first look at the link to see if it included a tracking identifier. It did. I felt betrayed and upset. I still do half a day later. And all they learned was that I read the e-mail and clicked on that particular link.
This is such a basic tracking mechanism that is so mundane compared to what users unknowingly go through every day. If average users knew what I did, would they even care? I get upset over deanonymization for an e-mail and link. Would they get upset over their entire lives being tracked, analyzed, and sold?
Maybe. And shame on you, Intercept---you should know better. Presumably it's their e-mail service (MailChimp). I'll be letting them know. That makes it worse, actually, since now MailChimp has gathered a statistic on me, and every other Intercept newsletter subscriber. My e-mail address was more than enough for them to know about (I think it's obvious from my linking of articles that I read The Intercept).
If you care about your users, don't use any tracking features provided by your email campaign service, and make sure they don't include any behind your back. If they do, don't use them. -
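The tracking link described in the post above can be checked for before it is followed. The following is an added example (not Mike Gerwitz's code, and not MailChimp's): it parses a link, reports any campaign-tracking parameters, strips them, and flags links whose host is a relay rather than the publisher. The parameter names it knows (`utm_*`, MailChimp's `mc_cid`/`mc_eid`, and a few others) and the sample links are assumptions constructed for the demo.

```python
"""Spot and strip tracking identifiers in links before following them.

Added example for this page, not Mike Gerwitz's code. The parameter names
below are assumed from common campaign-mail conventions (the utm_* family,
MailChimp's mc_cid / mc_eid pair, and a few ad-click ids); extend as needed.
"""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Exact-name tracking parameters (assumed list) and prefix families.
TRACKING_PARAMS = {"mc_cid", "mc_eid", "fbclid", "gclid", "mkt_tok"}
TRACKING_PREFIXES = ("utm_",)

# Constructed sample links; neither points at a real campaign.
SAMPLE_LINK = ("https://example.com/article?id=42"
               "&utm_source=newsletter&mc_cid=abc123&mc_eid=deadbeef")
SAMPLE_RELAY = "https://mail-relay.example.net/track/click?u=abc&id=123"


def is_tracking_param(name: str) -> bool:
    """True when a query-parameter name is a known tracking identifier."""
    lname = name.lower()
    return lname in TRACKING_PARAMS or lname.startswith(TRACKING_PREFIXES)


def find_tracking_params(url: str) -> dict:
    """Return the tracking parameters present in url as a name -> value dict."""
    parts = urlsplit(url)
    return {k: v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if is_tracking_param(k)}


def strip_tracking_params(url: str) -> str:
    """Return url with tracking parameters removed; other parameters are kept."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


def is_redirect_tracker(url: str, publisher_host: str) -> bool:
    """True when the link host is not the publisher's (or a subdomain of it),
    i.e. the click is routed through a relay that records it first."""
    host = (urlsplit(url).hostname or "").lower()
    publisher_host = publisher_host.lower()
    return host != publisher_host and not host.endswith("." + publisher_host)


if __name__ == "__main__":
    for link in (SAMPLE_LINK, SAMPLE_RELAY):
        print("link:     ", link)
        print("tracking: ", find_tracking_params(link))
        print("relay?    ", is_redirect_tracker(link, "example.com"))
        print("cleaned:  ", strip_tracking_params(link))
```

The `mc_eid` value is the one that matters most for the point the post makes: it is per-recipient, so even a link with no other parameters identifies who clicked. Stripping parameters does not help with a relay link, since the relay host itself is the tracker; for those the only quiet option is to find the destination some other way.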
Klaus Jónsson Zimmermann (kzimmermann@quitter.se)'s status on Wednesday, 30-Nov-2016 17:11:29 UTC Klaus Jónsson Zimmermann
!Privacy erosion and the culture of !surveillance have made me go from hating #cash to aggressively using it anywhere I can. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Sunday, 02-Oct-2016 00:18:23 UTC Mike Gerwitz
CloudFlare proposing a browser addon to bypass CAPTCHAs for TOR users:
https://social.mikegerwitz.com/url/8140
(Without studying the spec in too much detail): It uses a blind signature protocol allowing the client to generate bypass tokens without future correlation. That's good.
Unfortunately, because it requires that the user use a plugin, this creates two groups of Tor users: those that are using this protocol and those that aren't. This is more information that can be used---with other information---to aid in de-anonymizing users.
CloudFlare stores cookies today, yes, but they can be ephemeral with good client cookie policies. A browser plugin usually persists sessions---even if the tokens don't, the fact that it is _installed_ does. -
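The unlinkability property the post credits to the blind-signature design can be seen end to end in a toy exchange. What follows is an added example, not Cloudflare's specification and not Mike Gerwitz's code: a generic RSA blind signature in which the issuer (the side that saw the CAPTCHA solved) signs a value it cannot read, and the redeeming side later verifies the unblinded token without anything in the issuer's transcript matching it. The key is built from two Mersenne primes so the script runs offline; that size, the truncated-SHA-256 hash-to-integer step, and the token strings are all demo assumptions.

```python
"""Toy RSA blind-signature exchange for CAPTCHA-bypass tokens.

Added example, not Cloudflare's protocol or Mike Gerwitz's code. It shows the
generic property the post relies on: the signer never sees the token it
signs, so redemption cannot be linked to issuance. The key below is assumed
for the demo and is far too small for real use (real deployments use
2048-bit-plus keys and a proper hash-to-group/padding scheme).
"""
import hashlib
import secrets
from math import gcd

# --- toy issuer key: two Mersenne primes, ~150-bit modulus (demo only) ---
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def hash_to_int(token: bytes) -> int:
    """Map a token to an integer below N: truncated SHA-256 as a toy full-domain hash."""
    return int.from_bytes(hashlib.sha256(token).digest()[:16], "big")


# --- client side ---
def blind(token: bytes, r: int = None):
    """Blind the token hash with a random factor r (coprime to N).
    Returns (blinded_message, r); the caller must keep r to unblind later."""
    m = hash_to_int(token)
    if r is None:
        while True:
            r = secrets.randbelow(N)
            if r > 1 and gcd(r, N) == 1:
                break
    return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Remove the blinding factor: (m^D * r) * r^-1 = m^D mod N."""
    return (blinded_sig * pow(r, -1, N)) % N


# --- issuer side (the service that watched the CAPTCHA get solved) ---
def issuer_sign(blinded_message: int) -> int:
    """Sign whatever is handed over; only the blinded value is visible here."""
    return pow(blinded_message, D, N)


# --- redemption side (e.g. an edge node checking a bypass token later) ---
def verify(token: bytes, sig: int) -> bool:
    """Plain RSA verification against the public exponent."""
    return pow(sig, E, N) == hash_to_int(token)


def issue_and_redeem(token: bytes):
    """Run the whole exchange.
    Returns (issuer_view, (token, sig), valid) where issuer_view is exactly
    what the signing side recorded: the blinded message and its signature."""
    blinded, r = blind(token)
    blinded_sig = issuer_sign(blinded)
    sig = unblind(blinded_sig, r)
    return (blinded, blinded_sig), (token, sig), verify(token, sig)


def issuer_can_link(issuer_view, redeemed) -> bool:
    """Does anything in the issuer's transcript equal what was later redeemed?
    With a fresh random r it does not; this is the unlinkability the post
    refers to (the plugin-installed-or-not signal is a separate, external leak)."""
    blinded, blinded_sig = issuer_view
    token, sig = redeemed
    return blinded == hash_to_int(token) or blinded_sig == sig


if __name__ == "__main__":
    view, redeemed, ok = issue_and_redeem(b"bypass-token-1")   # constructed token
    print("token valid at redemption:", ok)
    print("issuer can link transcript to redemption:", issuer_can_link(view, redeemed))
```

Unlinkability here is cryptographic: the blinded message is `m * r^E`, which for a uniformly random `r` is a uniformly random residue, so the issuer's record carries no information about `m`. That is exactly why the post's remaining concern is outside the protocol: what a plugin reveals is not the token but the fact that the client belongs to the token-using population.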
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Friday, 30-Sep-2016 02:12:27 UTC Mike Gerwitz
@davexunit And don't forget wobbly windows; painting fire; raindrops; inside cube---I spent far too much of my life trying to get that working back in the day.
And now I use a tiling wm and almost exclusively a terminal... -
David Thompson (davexunit@quitter.se)'s status on Thursday, 29-Sep-2016 16:48:50 UTC David Thompson
remember when having your gnome workspaces on a 3D spinning cube was cool? #ThrowbackThursday -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Saturday, 10-Sep-2016 16:15:52 UTC Mike Gerwitz
@strypey @clacke I hadn't given too much thought to search, but it seems like indexing federated systems wouldn't be something too difficult to implement, provided that an indexer deduplicates records and points the user to the authoritative source of the record. If I search for something in, e.g., Google, that's one of the major issues: same text on so many separate instances.
P2P/Mesh is more interesting, but could be reduced to a federated search problem if enough data propagates to nodes persistent enough to be discovered by other indexers (e.g. Google). But then the user might be directed to a node that's not online, so what would the fallback be? A cache? Would that cache be centralized? Federated? What should be trusted with such authority? If it's cryptographically signed by the originating node, maybe it won't matter, provided a proper trust model.
If anyone has experience thinking about these things, I'd be curious to know; I haven't done research myself. -
Mike Gerwitz (mikegerwitz@social.mikegerwitz.com)'s status on Thursday, 04-Aug-2016 04:21:53 UTC Mike Gerwitz
https://social.mikegerwitz.com/url/6600
Just the fact that they're considering such a thing demonstrates that you should treat your #ISP as an adversary. Make #TOR a default, even if you aren't expecting anonymity from the sites you're visiting.