Fellowship Interview with Hugo Roy


Hugo Roy is a Free Software hacktivist and FSFE’s French Team coordinator. He currently lives between Berlin and Paris, and is a law student at Sciences Po University. He began life with FSFE in 2009, assisting FSFE president Karsten Gerloff on policy issues, and is also co-founder of the Digital Freedoms association. He is a member of April and of French Data Network.

Chris Woolfrey: Tell me what you’ve been working on recently.

Hugo Roy: Since 2010 I’ve been representing FSFE in France. This involves getting involved in events and conferences, and occasionally acting as an interface between various organisations and FSFE — some very local, and some national. There is a very strong and organised Free Software community in France — for instance with the yearly conference RMLL (Rencontres Mondiales du Logiciel Libre) — so one of my ongoing jobs is to show a face for FSFE, make a personal connection and explain what we do and why we exist. Then on further levels, it sometimes gets into collaboration on campaigns or issues. For instance, one of my main areas of activity in Free Software is legal and public affairs.

At the moment I’m mainly working on setting up our Free Your Android campaign in France, with phone liberation workshops. I really believe in this project: I think mobile devices are becoming more and more important, and having control over them, and more importantly over the services that we run them with, is becoming more important too.

CW: You’re studying copyright law at the moment. Did you become interested in the study of copyright law as a result of an involvement with Free Software?

HR: Yes. I discovered Free Software as a movement around 2004, when I was in Collège. I was already using almost exclusively Free Software at the time, I just didn’t know it! Then a couple of years later I decided to install GNU/Linux, and have stuck with it since then.

But the writings of Richard Stallman, and also his involvement with the creation of one of the most interesting legal tools ever, the GNU GPL, have definitely influenced my interest in copyright and law in general. And I have to say it’s been very interesting to discuss this topic in class, with professors who have shown interest in Stallman’s work. The whole concept of “property” is turned upside down!

“The GPL turns the whole concept of property upside down”

CW: Can you explain what you mean by that?

HR: Well, if you look at copyright, it’s an exclusive right, it’s a power given to someone to exclude others. Now, if you look at the GNU GPL, it’s essentially a copyright license. But what the GNU GPL does, what we call copyleft, is make sure that all contributions by others will be included for the community to benefit. So the GNU GPL uses exclusive rights to create inclusivity.

What’s also interesting is that exclusive rights such as those relating to private property are often put forward as necessary to increase the common good. Whether you take the utilitarian point of view or the natural rights point of view, property as an exclusive right is seen as a necessity to create value. Now if we apply this to software, let’s just compare proprietary software and Free Software. Which one do you think creates more value? With Free Software, everyone benefits from the value that’s created, so everyone’s empowered to create more value, and with copyleft, we’re even encouraged to do so by publishing our modifications under an inclusive license.

CW: Can this model apply to other products as well? More tangible things?

HR: If it works, why not? When I read all these articles about 3D printers, it’s mind-blowing. We could all share designs for physical things under copyleft-type licenses, and then all manufacture the objects ourselves in a completely different way.

“Free Software movement has always had wider implications”

Of course, we’re a long way from that happening and from seeing the full consequences, but sharing in this way could help solve a huge problem. Our economies currently create a lot of waste. Think about all the objects we throw away, all the refuse. This might count for economic “growth”, but is it really created value, or is it created waste? Currently there’s a big incentive for companies to produce waste in tangible goods, especially regarding planned obsolescence. But I think this could change if the production of objects were changed, for instance if design plans were shared and production distributed.

CW: Are you expected in your role as French Team Coordinator to draw attention to the wider implications of Free Software to society?

HR: I think the role of the coordinator really depends on the mission the coordinator has. For instance in France, what matters is team building, raising awareness about FSFE and coordination with teams. That’s obviously a very different task in Germany where FSFE is very well known.

But I’d like to say something about the wider implications and drawing those connections. There’s a French website about Free Software called Framablog, where they talk about a lot of related issues, and their motto is “It would be unfortunate if Free Software did nothing else than liberating code”. Free software is about liberating people.

The movement always has wider implications. For instance since June I’ve put a lot of my energy into Terms of Service; Didn’t Read, for which we recently ran a successful crowd-funding campaign. This project is not strictly about Free Software, but it’s about software as a service, and about user freedoms and rights.

“We should have more rights online; we shouldn’t accept a regression of our rights”

It’s important that people understand, in the same way that some of us have understood what’s proprietary software and why it’s not good for our autonomy, that using services on the web has a direct effect on our freedom. For instance if you use a service that restricts your freedom of expression, or might suspend your account at any time, or a service that even forbids you to use a pseudonym to express yourself, then you ought to know about it, so that you can fight against it. We should have more rights online; we shouldn’t accept a regression of our rights. That’s the paradox of our time: as technology increases our possibilities, big companies are restricting our rights with that very technology: DRM, proprietary software etc., and also through legal schemes like restrictive terms of service, and pushing through laws that restrict our freedom, like ACTA, the HADOPI law, and so on.

Services that use Free Software (e.g. AGPL licensed software) have an incentive not to screw their users. Ultimately let’s hope that there will be more AGPL software-based services, and software applications offered as services become more distributed. In all these things, Free Software is a common denominator, it’s as simple as that: without Free Software, freedom is at risk.

CW: How aware are French people of their rights online, and issues concerning software freedom?

HR: That’s a really difficult question to answer. We’ve sure had some debate in the last few years – what with the HADOPI law being passed, but also to a lesser extent with ACTA. But the debate around HADOPI and the copyright on internet-based creative works is mostly a diversion of the real issues, in my opinion.

CW: What are the real problems?

HR: The public domain is dying. Let’s take one example: Georges Méliès’ movie, Trip to the Moon. It’s in the public domain, and it is a beautiful 20-minute movie. In the last few years they rediscovered some parts that were lost, and so were able to restore the movie to almost the exact work done by Méliès on the original, in which every clip had been hand painted; this was in the days before colour film. It’s beautiful.

“The public domain is dying”

This restored version, which was funded by a French foundation, has been published recently with a new soundtrack added to it, so they’ve now been able to re-enclose a work which was once in the public domain. Because of the new soundtrack they can make the argument that it’s a new work, which can be copyrighted; even though under copyright law restoration doesn’t count as a new creation, meaning it shouldn’t be entitled to a new copyright. So if I shared this film, which should really be in the public domain, with you, I’d be infringing on copyright.

Another example: libraries, obviously, have a lot of old books which are in the public domain. Now that they’re scanning and digitizing them, they’re adding restrictions to them, or they’re licensing out to private companies the task of scanning the documents, and then giving those companies exclusive rights to exploit the scans, sometimes not even with public access.

CW: How does that tie back into the Free Software movement for you? Through the GPL?

HR: It’s about what rights and freedom we have. The GPL is a fair contract. Copyright as it is today, is not fair at all.

Fellowship interview with Simon Josefsson

Simon Josefsson is a Fellow and GNU hacker with a special interest in security. His contributions to the Free Software world include such ubiquitous projects as GnuTLS and Libssh2, and he was recently presented with the Nordic Free Software Award[1]. I sat down for a jabber session with Simon, asking him about his projects and other security matters.

Stian Rødven Eide: While proprietary software vendors often tout security by obscurity as an advantage, you are involved in several Free Software projects that are regarded as among the most secure software there is. Can you explain how Free Software can provide better security?


Simon Josefsson: To answer that, one should study the history of security incidents in software. Once you do, it becomes evident that no matter how much effort is put into an implementation or specification, or even how much effort you put into analyzing it, sooner or later someone will figure out a way around it. This means that security really is a process rather than anything absolute. And here Free Software has many advantages, some technical, but even more important ones are the social aspects. For example, Free Software is open for people to scrutinize, and people help each other by scrutinizing software they use, and the result is that widely used software is better analyzed. In comparison, security by obscurity does not invite people to review the system, so there are much fewer improvements to the system, and only those inclined to attack the system will analyze it. And, as we’ve seen, no software security is absolute.

SRE: One point that you have stressed in several talks is that security should be treated as a process. This affects both how the community should be involved and how businesses should treat potential security issues. Can you tell us a bit about the background for this notion and how it would work in practice?

SJ: The background is witnessing really complicated designs by smart people be cracked relatively quickly. This reflects older software design principles, where you spend a lot of time on design stages, whereas Free Software is typically engineered in an iterative process — you add one small feature, release it quickly, people start to use it, start thinking about it, and some may realize that there is something wrong with the feature, and it gets reported back. The small feature can then be re-designed, or even removed because it was a bad idea. The point is that if every addition is done in this somewhat modular and piecemeal way, you are less likely to make major design issues. Free Software is good at making frequent releases that correct minor things, and users have adapted to that habit. If you only do one major release every 5 years, you are more likely to break some things heavily that require a lot of work for people. So I tend to recommend that businesses work in an iterative way and involve the users early on to avoid embarrassment.

SRE: You are maintaining quite a few security libraries such as GnuTLS, GNU SASL, GSS and more. Which ones do you find yourself spending the most time on improving, and which ones receive the most attention and/or help from other people?

SJ: I have spent quite a lot of time during the development cycle on my own projects, but after that it becomes more of a maintainer’s work. The most development time I’ve spent is probably on Shishi, which is my Kerberos V5 implementation. But as a maintainer, my time is more directed on what people use, and right now that tends to be GnuTLS. There is also a factor of maturity; the Libidn project is used in critical places (including glibc) but I rarely spend any time on it these days because it is mostly feature-complete. On some projects, like Libssh2, I also get paid for doing certain things, which naturally makes me spend more time on that project. Lately I have found myself working a lot on Gnulib because it contains re-usable components used by all my other projects.

SRE: You have provided security services for a range of various clients, including hospitals, wireless providers and web applications. Are the concerns of these very different or should the same security standards more or less be applied in all cases?

SJ: There are some places where my contributions haven’t been as successful as in others, which could be due to many reasons, but I think generally that where I’ve failed to get my point across are the places where people don’t understand (or agree) that security is a process — they want something that is Absolutely Secure, and then never touch that piece of component again. It then becomes difficult for me to have any effective discussion. Also, some organizations have established traditions about how to deal with security incidents — obscurity rather than openness, including the bank world, some parts of governments, and so on. I think having a process-like view of security would help many places, but I also understand that some companies have business reasons why they cannot use an open community process. The Free Software world has been learning from this, and we now follow something called responsible disclosure, which I think is one example of where Free Software has been improved by learning from the “old” way of handling security.

SRE: Your Master’s Thesis dealt with the concept of storing personal encryption certificates in DNS. While still not a common practice, you wrote in a recent blogpost that some work has begun to happen in the area. How do you currently regard the promise of this way of distributing keys? Have keyservers in general improved since your thesis was written?

SJ: The problem is not so much about technology here, but social matters. The person responsible for managing DNS for an organization is typically not the same person responsible for managing user certificates for an organization, and people have been reluctant to change their habits here. After all, DNS is a pretty critical piece of any company’s infrastructure. So I haven’t seen much uptake in this, even if it continues to be an interesting possibility, especially for the OpenPGP world. One part of my thesis was about the privacy issues around the then-current DNSSEC standard, the so-called NXT record. I identified and explained that it will lead to problems when people can enumerate entire DNS zones, and even wrote an IETF draft on how to solve the problem using hashing of the names instead of storing the names directly. People in the IETF felt that the threat didn’t exist, and thought they were ready to roll out DNSSEC quite soon anyway (this was in 2001/2002!) so they didn’t want to change DNSSEC. I gave up on the draft, but years later people who were actually deploying this identified the same problem, and ended up re-inventing my solution, which is now standardized (the NSEC3 record). So at least some of it ended up being used, although not in the form or way I anticipated.

SRE: Another project you have worked on is the YubiKey, a physical USB device that aims to make secure communication simpler. Has the YubiKey been successful so far? Do you think that this approach could end up being adopted by computer manufacturers as well?

SJ: The YubiKey popularity is growing, and given the amazing number of community contributions we’ve received I’d say it has been a success. Technically we are now changing to support new standards like OATH HOTP which will make it even more relevant. The difference between the YubiKey and other authentication devices like smart cards is that it is based on a process-oriented and cost-efficient way of working with security. Rather than purchasing smart cards, readers, and spending a fortune on device driver installation and user education, we focused on getting something that was good enough security (one-time passwords based on AES) but pushed strongly on ease of use (no device drivers or software!), and to support the kind of compromises people do. For example it also supports a mode where it outputs a static password, which is not a good idea in general but many people were asking for it and are now using it. We are open for it to be used by anyone, including manufacturers, but as there is no integration required on the computer manufacturer side (in contrast to smart card readers or fingerprint readers), the solution doesn’t depend on support from computer manufacturers.

SRE: During the GNU Hackers Meeting in Göteborg, you had a presentation on Code Quality Assurance. What is, in your opinion, the best way of acquiring quality assurance and how will this be implemented in the GNU project?

SJ: I believe it is important that quality assurance isn’t something done by a separate set of people, and after the product is otherwise finished, but rather that it is integrated into how hackers work daily. So my goal is to set up a GNU QA site where people can help a project by setting up a build server, either from version controlled sources (to build daily snapshots) or from a daily snapshot to see if it works on their favorite architecture. It has to be an opt-in system, so that people don’t feel it is a burden. The goal is to be able to present Code Coverage reports (based on GCOV/LCOV), provide Cyclomatic Code Complexity charts, GIT/CVS statistics, and so on. All of it should be done in a distributed way, so people feel involved in the effort, but also to reduce the work-load on me and other people who run the servers.

A big thanks to Simon for sharing his valuable insight into these matters. You can learn more about him and his projects at josefsson.org.

[1] The award was split between Simon Josefsson and Daniel Stenberg.
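The zone-enumeration problem Simon describes in the DNSSEC answer above (an NXT/NSEC record naming the next owner in the zone, and the hashed-name fix that was later standardized as NSEC3) is easier to see on a small zone. The following is an added worked example, not code from the interview or from any of Simon’s projects. It assumes a constructed four-name zone (`example.test.`), a constructed salt (`aabbccdd`) and 10 hash iterations; it builds an NSEC-style next-owner chain, then an NSEC3-style chain using the RFC 5155 hash construction (iterated SHA-1 over the canonical wire-format name plus salt, base32hex-encoded), and walks both from the apex.

```python
import base64
import hashlib

# Constructed toy zone for illustration only; not a real domain or real data.
ZONE_NAMES = [
    "example.test.",
    "www.example.test.",
    "mail.example.test.",
    "secret-dev.example.test.",
]

# RFC 4648 base32 uses A-Z2-7; DNSSEC (RFC 5155) uses the base32hex alphabet,
# which preserves the binary sort order of the hashes.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def canonical_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label (a zero byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_order_key(name):
    """Sort key for canonical DNS name order (RFC 4034 section 6.1):
    labels are compared starting from the one nearest the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return [l.encode("ascii") for l in reversed(labels)]


def build_nsec_chain(names):
    """NSEC-style chain: each owner name points to the next owner name in
    canonical order; the last name wraps round to the first (the apex)."""
    ordered = sorted(names, key=canonical_order_key)
    return {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}


def walk_chain(chain, start):
    """Follow the 'next owner' pointers from start until the chain wraps.
    With NSEC this yields every owner name in the zone (the enumeration
    problem); with NSEC3 it yields only hashed names."""
    visited = [start]
    cur = chain[start]
    while cur != start:
        visited.append(cur)
        cur = chain[cur]
    return visited


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash: IH(0) = SHA-1(owner || salt),
    IH(k) = SHA-1(IH(k-1) || salt), applied `iterations` extra times,
    then base32hex-encoded (20 bytes -> 32 characters, no padding)."""
    digest = hashlib.sha1(canonical_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_STD_TO_HEX).lower()


def build_nsec3_chain(names, salt=b"", iterations=0):
    """NSEC3-style chain over hashed owner names, ordered by hash value."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def demo():
    """Walk both chains from the apex; returns (names leaked by NSEC,
    hashes returned by NSEC3)."""
    nsec = build_nsec_chain(ZONE_NAMES)
    leaked = walk_chain(nsec, "example.test.")
    salt = bytes.fromhex("aabbccdd")  # constructed salt value
    nsec3 = build_nsec3_chain(ZONE_NAMES, salt, iterations=10)
    hidden = walk_chain(nsec3, nsec3_hash("example.test.", salt, 10))
    return leaked, hidden


if __name__ == "__main__":
    leaked, hidden = demo()
    print("NSEC walk reveals every owner name:", leaked)
    print("NSEC3 walk reveals only hashes:", hidden)
```

The NSEC walk returns the full list of owner names, including `secret-dev.example.test.`, from nothing more than the chain itself; the NSEC3 walk returns four 32-character hashes and no names. The caveat a defender should keep in mind is that hashing only protects names that cannot be guessed: a hash of a name you already know can still be matched against the chain, which is why the salt and iteration count exist and why unpredictable hostnames matter. RFC 5155 Appendix A provides a known-answer vector (salt `aabbccdd`, 12 iterations) against which `nsec3_hash` can be checked.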