by Mike Masnick
Tue, Nov 18th 2014 12:40pm
by Glyn Moody
Fri, Nov 7th 2014 12:22pm
from the and-what-can-they-do-about-it? dept
Microsoft, Apple and Mozilla among others, trust CNNIC (China Internet Network Information Center) to protect your communications on their platforms by default, regardless of whether or not you are in China. CNNIC has implemented (and tried to mask) internet censorship, produced malware and has very bad security practices. Tech-savvy users in China have been protesting the inclusion of CNNIC as a trusted certificate authority for years. In January 2013, after Github was attacked in China, we publicly called for the the revocation of the trust certificate for CNNIC. In light of the recent spate of man-in-the-middle (MITM) attacks in China, and in an effort to protect user privacy not just in China but everywhere, we again call for revocation of CNNIC Certificate Authority.Although the logic of revoking CNNIC as a trusted certificate authority might seem inarguable, the consequences of doing so are likely to be serious. For example, the Chinese government might decide to ban the use of any browser that did not include CNNIC. That's hard to police, but the threat alone would be enough to dissuade any software company from removing CNNIC's certificate from its browser.
Perhaps the best solution is simply making users aware of the issue, and explaining how they can remove any certificate authority they have doubts about. And not just for China: these problems can arise in any country where a local trusted certificate authority is under the direct -- or indirect -- control of the government.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
by Mike Masnick
Wed, May 14th 2014 1:20pm
from the a-broken-system dept
Today there's a lot of discussion because Mozilla, makers of the popular (and open source) Firefox browser, have posted two separate blog posts about how they feel forced to adopt this DRM even though they hate basically everything about it. Mozilla's argument is not crazy. They're worried that by not adopting these standards, while all other browsers do, people will just shift to those other browsers. And beyond just losing market share, Mozilla has a point in noting that the way other browsers implement EME will be less secure than the way that Mozilla is doing it.
We have designed an implementation of the W3C EME specification that satisfies the requirements of the content industry while attempting to give users as much control and transparency as possible. Due to the architecture of the W3C EME specification we are forced to utilize a proprietary closed-source CDM as well. Mozilla selected Adobe to supply this CDM for Firefox because Adobe has contracts with major content providers that will allow Firefox to play restricted content via the Adobe CDM.Mozilla is also making it opt-in -- so that everyone will have the choice to choose whether or not to activate the DRM implementation. Also, kudos to Mozilla for not taking the W3C path of pretending that EME isn't DRM. Mozilla is quite upfront that this is DRM and that they're uncomfortable with this. As Andreas Gal says:
Firefox does not load this module directly. Instead, we wrap it into an open-source sandbox. In our implementation, the CDM will have no access to the user's hard drive or the network. Instead, the sandbox will provide the CDM only with communication mechanism with Firefox for receiving encrypted data and for displaying the results.
Traditionally, to implement node-locking DRM systems collect identifiable information about the user's device and will refuse to play back the content if the content or the CDM are moved to a different device.
By contrast, in Firefox the sandbox prohibits the CDM from fingerprinting the user's device. Instead, the CDM asks the sandbox to supply a per-device unique identifier. This sandbox-generated unique identifier allows the CDM to bind content to a single device as the content industry insists on, but it does so without revealing additional information about the user or the user's device. In addition, we vary this unique identifier per site (each site is presented a different device identifier) to make it more difficult to track users across sites with this identifier.
we would much prefer a world and a Web without DRM...But, Mozilla feels that users "need it to access content they want." Mitchell Baker similarly notes:
The new version of DRM uses the acronyms “EME” and “CDM.” At Mozilla we think this new implementation contains the same deep flaws as the old system. It doesn’t strike the correct balance between protecting individual people and protecting digital content. The content providers require that a key part of the system be closed source, something that goes against Mozilla’s fundamental approach.Unfortunately, it appears that even though this is the case, Mozilla still believes that the internet needs Hollywood's locked up content more than Hollywood needs to adapt to the internet. That's too bad. Cory Doctorow has a very detailed discussion of why he thinks Mozilla made a mistake, while acknowledging all of the reasons why they did what they did. More importantly, he lists a number of additional things that Mozilla should do to improve the situation. I'll summarize those four things, because I agree wholeheartedly:
- Protect security researchers: Thanks to the anti-circumvention provision of the DMCA, any security research into Adobe's DRM may be a form of infringement. As Cory notes, Mozilla should demand that Adobe issue a covenant not to sue security researchers or developers who find vulnerabilities.
- Educate users: Teach everyone (including Hollywood, but mainly the public) why DRM is dangerous and harms security and privacy online. Personally, I'd add that Mozilla could also teach people why DRM is simply not necessary.
- Research and publish the case for DRM: This goes back to the question of who really needs it. Hollywood thinks they do, but I don't think that's really true. As Cory says, Mozilla should look at the actual data to see if there truly is a use case for DRM.
- Formulate and articulate a DRM policy: Basically don't make these kinds of decisions ad hoc -- but have a clear policy on how and when decisions like this get made.
by Mike Masnick
Tue, May 6th 2014 11:06am
from the have-you-thought-of-this? dept
Mozilla's plan is a somewhat crafty attempt to avoid the worst of the political mess that reclassification would cause, by arguing that there are two separate markets: the markets for broadband providers to end users (i.e., our own broadband bills) and then a separate market for the relationship between internet companies (what Mozilla is calling "edge providers") and the broadband providers. Mozilla is saying that since these are separate markets, the FCC could reclassify just the connection between internet companies and broadband providers as telco services, and leave the last mile setup unchanged as an information service. Thus, it's arguing that the transit market more accurately reflects a telco service, and thus would be much easier to reclassify. In a sense, this would also be a way to attack the interconnection problem, which is where the net neutrality debate has effectively shifted.
As Stacey Higginbotham notes, this is a way that Mozilla is more or less calling FCC boss Tom Wheeler's bluff concerning his willingness to use Title II reclassification -- opening up a way to do so with (just slightly) less political fallout (and probably a more legally defensible argument in court for why it's reclassifying). Karl Bode is reasonably skeptical that Wheeler or the FCC would ever actually go this route, given the general "lack of spine" the FCC has shown for years on these issues. On top of all that, Wheeler himself still doesn't seem willing to admit (publicly, at least) that the fights over interconnection and access are related to the net neutrality problem, so he'd have to make that leap before necessarily agreeing to try this path.
Still, that doesn't mean it's a bad idea. In fact, by making it just slightly more feasible both politically and (importantly) legally, there's a chance that maybe, just maybe, the FCC will seriously look at this option. I'll agree that the probability is still quite low, but it's not zero. There do appear to be folks in the FCC who have been desperately seeking alternatives to the current, unpalatable options on net neutrality, and Mozilla's suggestion offers a path that is less politically and legally fraught than full reclassification. It would still be a massive leap, and would require an FCC with a spine (which makes it unlikely), but it's just that much more likely than full reclassification to make things interesting.
by Karl Bode
Wed, Feb 19th 2014 9:09pm
from the you'll-take-this-improved-user-experience-and-like-it dept
A Mozilla blog post explains the new effort as such:
"Directory Tiles will...suggest pre-packaged content for first-time users. Some of these tile placements will be from the Mozilla ecosystem, some will be popular websites in a given geographic location, and some will be sponsored content from hand-picked partners to help support Mozilla’s pursuit of our mission. The sponsored tiles will be clearly labeled as such, while still leading to content we think users will enjoy."
The change isn't very exciting, it's not very major, and can be easily disabled. So why are a lot of Firefox users annoyed? It appears that a lot of the problems start with Mozilla being intent on refusing to call the ads what they are, while insisting the changes are somehow a great innovation in browsing. Mozilla's general counsel Denelle Dixon-Thayer, for example, tells CNET that the company is tired of being a "window into the web" -- insisting that these ads (without calling them ads) will bring more value to the end user:
"We wanted to get away from being this window into the web that doesn't bring value," to users, she said. "We looked at it from the perspective of how much value are we bringing to the user? We're not focused on bringing the most revenue into Mozilla," she said."Mozilla VP Darren Herman takes things a step further by insisting that previously Firefox was a "dumb window," and the practice of throwing a few ads on a page will somehow make for a completely improved and smarter browsing experience:
"Late last year it made a big hire in former kbs+ Ventures chief Darren Herman, who joined as VP, content services, who will lead Mozilla's ad and content efforts. "Mozilla is moving from a dumb window to the internet to a smart agent on behalf of the user, putting the user first," Mr. Herman said."Except you threw a few paid ads on a launch window, you didn't revolutionize recombinant gene technology. The kind of rhetoric Mozilla's using is the sort you'd expect from a cable company, which love to insist that the new $5 monthly fee on your bill isn't to make money, it's to "improve the customer experience." Mozilla is a nonprofit organization, and for more than seven years around 85% of their funding has come from Google for being the browser's default search engine. While most people wouldn't fault them for wanting to have a broader revenue stream, refusing to call a spade a spade clearly isn't helping the sales pitch.
by Mike Masnick
Thu, Jul 18th 2013 12:02pm
If 'Just Metadata' Isn't An Issue, Why Can't Tech Companies Reveal 'Just Metadata' About NSA Surveillance?
from the simple-questions dept
We the undersigned are writing to urge greater transparency around national security-related requests by the US government to Internet, telephone, and web-based service providers for information about their users and subscribers.This follows on a somewhat somewhat similar letter from Reps. Jim Sensenbrenner and Zoe Lofgren to Attorney General Holder and Director of National Intelligence Clapper, urging them "to authorize U.S. companies to release information regarding national security requests for user data."
First, the US government should ensure that those companies who are entrusted with the privacy and security of their users’ data are allowed to regularly report statistics reflecting:
Second, the government should also augment the annual reporting that is already required by statute by issuing its own regular “transparency report” providing the same information: the total number of requests under specific authorities for specific types of data, and the number of individuals affected by each.
- The number of government requests for information about their users made under specific legal authorities such as Section 215 of the USA PATRIOT Act, Section 702 of the FISA Amendments Act, the various National Security Letter (NSL) statutes, and others;
- The number of individuals, accounts, or devices for which information was requested under each authority; and
- The number of requests under each authority that sought communications content, basic subscriber information, and/or other information.
As an initial step, we request that the Department of Justice, on behalf of the relevant executive branch agencies, agree that Internet, telephone, and web-based service providers may publish specific numbers regarding government requests authorized under specific national security authorities, including the Foreign Intelligence Surveillance Act (FISA) and the NSL statutes. We further urge Congress to pass legislation requiring comprehensive transparency reporting by the federal government and clearly allowing for transparency reporting by companies without requiring companies to first seek permission from the government or the FISA Court.
Both letters point out that they're just looking for the ability to reveal specific numbers about orders received and user accounts impacted, but obviously not further information that might reveal the details of any investigations. Basically, they're asking for "just the metadata."
You may have spotted the irony, pointed out by Ashkan Soltani: Defenders of many of the government's surveillance programs have repeatedly trotted out the "just metadata" argument for why all of this surveillance is no problem, claiming that mere metadata doesn't reveal anything important. Yet, when it comes to their own metadata about their own surveillance programs, suddenly it will reveal all their secrets? (And I won't even get into the fact that only some of the surveillance programs are "just metadata").
So, which is it, feds? Is "just metadata" nothing too important, or does it reveal everything?
by Mike Masnick
Tue, Jun 11th 2013 12:00pm
from the enough-is-enough dept
- Enact reform this Congress to Section 215 of the USA PATRIOT Act, the state secrets privilege, and the FISA Amendments Act to make clear that blanket surveillance of the Internet activity and phone records of any person residing in the U.S. is prohibited by law and that violations can be reviewed in adversarial proceedings before a public court;
- Create a special committee to investigate, report, and reveal to the public the extent of this domestic spying. This committee should create specific recommendations for legal and regulatory reform to end unconstitutional surveillance;
- Hold accountable those public officials who are found to be responsible for this unconstitutional surveillance.
by Glyn Moody
Fri, May 3rd 2013 6:38pm
Mozilla Sends Cease And Desist Letter To Commercial Spyware Company For Using Firefox Trademark And Code To Trick Users
from the betraying-trust dept
Techdirt has written several times about the increasing tendency for governments around the world to turn to malware as a way of spying on people, without really thinking through the risks. One company that is starting to crop up more and more in this context is Gamma International, thanks to its FinFisher suite of spyware products, which includes FinSpy. A recent report by Citizenlab, entitled "For Their Eyes Only: The Commercialization of Digital Spying", has explored this field in some depth. Among its findings is the following:
We identify instances where FinSpy makes use of Mozilla's Trademark and Code. The latest Malay-language sample masquerades as Mozilla Firefox in both file properties and in manifest. This behavior is similar to samples discussed in some of our previous reports, including a demo copy of the product, and samples targeting Bahraini activists.
That's pretty serious: Mozilla's trademark is not only being abused, it's being used to trick people into installing malware that might well have serious consequences for them if their government disapproves of their activities. Quite rightly, then, Mozilla is taking legal action, as the organization's privacy and public policy lead, Alex Fowler, announced in a blog post:
A recent report by Citizen Lab uncovered that commercial spyware produced by Gamma International is designed to trick people into thinking it's Mozilla Firefox. We've sent Gamma a cease and desist letter today demanding that these illegal practices stop immediately.
Choosing Mozilla as the cover for this malware is cynical in the extreme, for reasons Fowler explains:
As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission. Mozilla has a longstanding history of protecting users online and was named the Most Trusted Internet Company for Privacy in 2012 by the Ponemon Institute. We cannot abide a software company using our name to disguise online surveillance tools that can be -- and in several cases actually have been -- used by Gamma's customers to violate citizens' human rights and online privacy.
The only consolation regarding this move to create commercial spyware for sale to governments around the world is that it is possible to use conventional legal instruments like cease and desist letters against the companies behind them when they overstep the mark. Nonetheless, it's a deeply disturbing development that even countries like Germany now seem happy to use FinFisher in order to spy on their citizens by means of malware (original in German.)
by Glyn Moody
Tue, Dec 11th 2012 3:05am
from the must-be-important dept
The Web lets us speak out, share, and connect around the things that matter. It creates new opportunities, holds governments to account, breaks through barriers, and makes cats famous. This isn't a coincidence. It's because the Web belongs to all of us: We all get a say in how it's built.As you can see, the Mozilla Foundation isn't just moaning about WCIT, it's giving people tools to help them engage with it -- despite the best efforts of the ITU to shut out the public. As a blog post about Mozilla's position on WCIT explains:
Mozilla has made it our mission to keep the power of the web in people's hands. But all this could change on December 3.
Our governments are going to meet in Dubai to decide whether an old treaty, the International Telecommunication Union, can be expanded to regulate -- to control -- the Internet.
The issue isn't whether our governments, the UN, or even the ITU should play a role in shaping the Web. The problem is that they are trying to do it behind closed doors, in secret, without us.
We believe everyone should have a voice. And this site is to help you be heard in Dubai.
The resources we are making available today will give you everything you need to learn about the upcoming meeting and why it matters, craft an effective message to get your government to listen, and engage in the global conversation about how decisions about the future of the Web should be made.Aside from this very practical help, Mozilla's move is important for another reason. In the past, Mozilla has tended to avoid getting involved with issues that are as much political as technical. The big exception was SOPA, when it took part in the January 18 Blackout, with impressive results:
Approximately 30 million people in the US who use the default start page in Firefox received the blacked out page with our call to actionThe action that it is taking over WCIT isn't quite so drastic, and so is unlikely to have such a big impact. But the fact that Mozilla has once again cast aside it usual apolitical position to voice its concerns shows how great they are.
We sent messages out to almost 9 million people via Facebook, Twitter and our Firefox + You newsletter
Our messages were retweeted, shared and liked by over 20,000 people (not counting MC Hammer’s tweet to his 2.4 million followers!)
1.8 million people came to mozilla.org/sopa to learn more and take action on the issue
600,000 went on to visit the Strike Against Censorship page, hosted by the EFF
Ultimately, 360,000 emails were sent by Mozillians to members of Congress, contributing a third of all the emails generated by EFF’s campaign site.
by Mike Masnick
Thu, Jul 19th 2012 7:15am
from the defend-the-internet dept
Taking a page from Kickstarter, the IDL has set up various tiers to which you can donate to get your own personal mini-cat signal or a t-shirt or some other fun offerings.
Earlier this year, I wrote about the Hacking Society gathering, put on by Union Square Ventures. During that discussion, Clay Shirky brought up the idea of an "Internet Volunteer Fire Department" and Tiffiniy Cheng, from Fight for the Future, explained the IDL and how they were already working on it. You can watch that discussion to get a sense of the thinking behind this effort: