European Commission still in denial on vendor lock-in

If you’re suspecting that the European Commission isn’t entirely serious about using and supporting the Open Document Format, you might be on to something. Responding to questions from the European Parliament about whether the EC’s Microsoft addiction might have led it into being locked into the Redmond giant’s products, the Commission basically says “move on, nothing to see here.”

Read on for the gory details.


European Parliament: MEPs, staffers have their emails cracked, should demand change

The French website Mediapart reports that at the European Parliament in Strasbourg, a technically skilled person managed to intercept the email of 14 Members of the European Parliament and their staffers using trivial tools. (Original article behind paywall, English version, report by Der Spiegel in German.)

[Update: I’ve changed “hacked” to “crack” in the title. As you’ll be aware, “hack” refers to a clever solution to a problem, while “crack” refers to a malicious attack.]

Based on the information in the article, it appears that the attacker set up a basic man-in-the-middle attack, using a laptop to act as a network connection point for the email client software on the victims’ mobile phones. In this scenario, the victims’ phones probably displayed a certificate warning, which they ignored.
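What a certificate warning actually says is that the certificate the phone received does not pass the checks a careful client applies before trusting a mail server: it chains to no trusted issuer (a self-signed certificate presented by a laptop in the middle is the textbook case), it is not issued for the host the client asked for, or it is outside its validity period. The following is an added example, not code from the article or from any of the parties involved: it runs those checks over certificate dicts in the layout Python’s `ssl.SSLSocket.getpeercert()` returns, using two constructed certificates (a legitimate one for the made-up host `mail.example.test` and a self-signed one for `laptop.local`), and shows how a client context is configured so that such a failure is an error rather than a dismissable dialog.

```python
import ssl

# Constructed sample certificates in the dict layout that
# ssl.SSLSocket.getpeercert() returns. Both are made up for this
# example; no real server, CA or hostname is involved.
LEGIT_CERT = {
    "subject": ((("commonName", "mail.example.test"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
    "subjectAltName": (("DNS", "mail.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}

MITM_CERT = {  # self-signed (issuer == subject) and issued for the wrong name
    "subject": ((("commonName", "laptop.local"),),),
    "issuer": ((("commonName", "laptop.local"),),),
    "subjectAltName": (("DNS", "laptop.local"),),
    "notBefore": "Jun  1 00:00:00 2013 GMT",
    "notAfter": "Jun  1 00:00:00 2014 GMT",
}

# Fixed "current time" so the checks below are reproducible.
NOW = ssl.cert_time_to_seconds("Sep  1 12:00:00 2013 GMT")


def _dns_names(cert):
    """All DNS names the certificate claims: SAN entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Hostname match in the style of RFC 6125: '*' may only stand for the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.test"
    return hostname.endswith(suffix) and hostname.count(".") == pattern.count(".")


def check_peer_cert(cert, hostname, now):
    """Return the problems a careful client refuses on; an empty list means acceptable."""
    problems = []
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed certificate (issuer equals subject)")
    if not any(_name_matches(name, hostname) for name in _dns_names(cert)):
        problems.append(f"certificate is not valid for host {hostname!r}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        problems.append("certificate is outside its validity period")
    return problems


def strict_client_context(cafile=None):
    """Client context that fails the connection instead of asking the user.

    create_default_context() already requires a trusted chain and a matching
    hostname; both are set explicitly so a later 'fix' cannot quietly loosen them.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


if __name__ == "__main__":
    for label, cert in (("legitimate", LEGIT_CERT), ("in-the-middle", MITM_CERT)):
        print(label, check_peer_cert(cert, "mail.example.test", NOW) or "ok")
```

With `strict_client_context()` the peer certificate is never handed to application code unless all of these checks already passed inside the TLS library; `check_peer_cert()` spells the same reasoning out so that the meaning of the warning dialog on the victims’ phones is visible in code.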

This incident highlights just how shoddy the Parliament’s IT infrastructure is. It’s up to the Parliament’s IT administration to fix this, and it’s up to the MEPs to demand change. Der Spiegel says that MEPs who wanted to use encryption were actually kept from doing so by the Parliament’s IT services. If true, that would be rather discouraging, to put it mildly.

Educating people not to ignore certificate warnings might help. But it’s hardly a solution. To actually improve the situation, MEPs should demand that the Parliament’s IT services give them reliable, secure end-to-end encryption on their devices.

It goes without saying that in order to be secure, such encryption technology needs to be fully auditable, and thus needs to be Free Software. The Parliament’s IT services should take a look at GnuPG and the clients that use it, for a start.

Address lookup in Mutt with mu

Mutt is a great little email client. I’ve been using it on a daily basis since ca. 2007, and have never looked back.

Somehow every time I talk about Mutt with someone who doesn’t know the program, we end up discussing the things it doesn’t do. Many things that people expect from an “email program”, Mutt simply leaves to external programs of the user’s choice. Which happens to be how I like it. This leaves Mutt to concentrate on what really counts: Processing large amounts of email quickly, effectively and with a minimum of pain.

One of the many things Mutt doesn’t do is looking up addresses of your contacts. You can have an external program do that via the query_command variable. The default keybinding for the query command in Mutt is “Q”.

I have just started to use the mu mail indexer (as part of a project to better integrate Mutt with org-mode, of which more some other time.) It has a great little command called “mu cfind”, which returns contacts matching a string. Getting Mutt to use this is really easy. Just put this in your .muttrc:

# looking up addresses with mu cfind
set query_command="mu cfind '%s'"

UPDATE: This sometimes causes problems, see comments. This below works:

# looking up addresses with mu cfind, in the output format Mutt expects
set query_command="mu cfind --format=mutt-ab '%s'"

Reload the config (or just restart Mutt), and you’re done. Now you can press Q to search for addresses.
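The reason the --format=mutt-ab variant works is that Mutt’s query_command interface expects a specific output layout: one informational line first, then one line per match with address, name and a free-text field separated by tabs. The script below is an added example, not part of mu or Mutt, showing that contract from the program side: a query_command backend that searches a constructed plain-text address book (the file path and the address entries are made up) and prints matches in the layout Mutt parses. Knowing the layout also makes it easy to check any other tool’s output when the Q key returns nothing.

```python
#!/usr/bin/env python3
"""Minimal Mutt query_command backend (added example, not mu's or Mutt's code).

Mutt substitutes the search string for %s, runs the command and reads stdout:
line 1 is an informational message, every further line is
    address<TAB>name<TAB>other
The script keeps its address book inline so it runs stand-alone.
"""
import sys

# Constructed sample address book, one "address<TAB>name" entry per line.
# A real deployment would read this from a file such as ~/.mutt/addresses.txt
# (hypothetical path).
SAMPLE_BOOK = """\
alice@example.test\tAlice Example
bob.builder@example.test\tBob Builder
carol@fsfe.example\tCarol Tester
"""


def parse_book(text):
    """Turn the address-book text into (address, name) pairs, skipping blank lines."""
    contacts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        address, _, name = line.partition("\t")
        contacts.append((address.strip(), name.strip()))
    return contacts


def search(query, contacts):
    """Case-insensitive substring match over both address and name."""
    needle = query.lower()
    return [(addr, name) for addr, name in contacts
            if needle in addr.lower() or needle in name.lower()]


def format_for_mutt(query, contacts):
    """Render search results in Mutt's query format, including the header line."""
    hits = search(query, contacts)
    header = f"{len(hits)} match{'es' if len(hits) != 1 else ''} for {query!r}"
    lines = [header] + [f"{addr}\t{name}\tsample book" for addr, name in hits]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Mutt passes the query as the argument(s); join them in case it contains spaces.
    query = " ".join(sys.argv[1:])
    sys.stdout.write(format_for_mutt(query, parse_book(SAMPLE_BOOK)))
```

To wire it in, point query_command at the script, e.g. `set query_command="python3 ~/.mutt/query.py '%s'"` (hypothetical location); the single quotes around %s keep a query with spaces as one argument. A backend that prints the matches without the leading informational line will have its first contact swallowed, which is exactly the kind of silent mismatch a custom format switch like mu’s avoids.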

Renault will remotely lock down electric cars

For a long time, cars were a symbol of freedom and independence. No longer. In its Zoe electric car, car maker Renault apparently has the ability to remotely prevent the battery from charging. And that’s more chilling than it sounds.

When you buy a Renault Zoe, the battery isn’t included. Instead, you sign a rental contract for the battery with the car maker. In a Zoe owner’s forum, user Franko30 reports that the contract contains a clause giving Renault the right to prevent your battery from charging at the end of the rental period. According to an article in Der Spiegel, the company may also do this when you fall behind on paying the rent for the battery.

This means that Renault has some way of remotely controlling the battery charging process. According to the Spiegel article, the Zoe (and most or all other electric cars) collect reams of data on how you use them, and send this data off to the manufacturer without your knowledge. This data tells the company where you are going, when, and how fast, where you charge the battery, and many other things besides. We already knew that Tesla was doing this with its cars since the company’s very public spat with a journalist who reviewed one of their cars for the New York Times. Seeing the same thing in a mass market manufacturer like Renault makes clear just how dangerous this trend is.

This sort of thing fits well into the dystopian picture which Cory Doctorow paints in his 2011 talk “The coming war on General Computation” (which you really must watch, if you haven’t already), where he argues that “we don’t have cars anymore, we have computers we ride in”. The question then becomes who is in control of this computer: You, the manufacturer, or someone else?

If there is a mechanism to remotely control what your car does, some will make use of this mechanism at some point. This could be the manufacturer, shutting down your car as you fall behind on the battery rent because you just lost your job, meaning that it becomes harder for you to find work. It could be the government, compelling the manufacturer to do its bidding. In his forum post, Franko30 predicts that at some point, governments may simply ask car manufacturers to block charging near controversial political events (e.g. a G8 summit), in order to prevent you from participating in demonstrations. Or it could be any random criminal out there, gaining access to this mechanism by bribing a Renault employee.

The only way out of this is to stay away from cars and other computers that you can’t fully control; and to build systems that put users in charge. At the Free Software Foundation Europe, we are empowering and supporting people who build systems where you, the user, are in control. Please help us with a donation.


Some things you can do to secure your communications

Now that we know for a fact that we’re constantly under surveillance, more people are wondering what you can do to protect yourself. Today I wrote down some thoughts in response to a post on the OKFN-discuss mailing list. Here it is, lightly edited.

In order to protect your privacy, it’s important to think about what, exactly, you’re trying to defend against. You’ll also need to decide to what length you want to go to protect your privacy, and the privacy of the people you talk to online.

If you want to avoid a scenario where some large corporation shares your data wholesale with others, whether voluntarily or under force, then the solution is not to give your data to such corporations in the first place.

Here, running your own mail, XMPP etc. servers (or paying someone you trust to do it for you) helps, as does replacing “data hoovers” such as Facebook with decentralised / distributed social networking tools (e.g. diaspora*, identi.ca etc). You’ll also want to replace Skype with something like Jitsi, and Dropbox with something self-hosted such as OwnCloud.

This will make it less convenient for an attacker to get hold of your information, as it’s no longer all stored in a few central places.
Note that many of these programs will not be as polished as their non-free alternatives, so you’ll need to decide whether you prefer shiny toys or privacy.

If you’re trying to defend against someone who might intercept specific sensitive conversations, you’ll want encryption. A lot of email clients (e.g. Thunderbird) let you use GnuPG, the Free Software implementation of the OpenPGP standard. For chat, a number of Free Software clients can handle OTR encryption (which stands for “off the record”).

Such measures will probably keep the contents of your messages private, but not the metadata (who you’re talking to, for how long, from where etc.).

If you’re trying to protect yourself, and the people you communicate with, against attackers who might simply steal or confiscate your computers, you’ll want to encrypt your hard drives. Many GNU/Linux distributions offer this as an option during the install process.

Whatever programs you use for communication and, especially, encryption, you’ll want to make sure that they’re Free Software. Given the things we’ve learned in the past few weeks, it’s probably safe(r) to assume that anything where you can’t look at the source code contains a back door for the government.

As an example, here’s what I do myself. My work for FSFE means that I communicate with lots of people, and handle sensitive data occasionally [1]. My setup is by no means perfect. It’s merely the balance I’ve found between privacy, security and convenience. YMMV. [2]

  • I store my mail on a server run by a small company, where I know the owners personally. I’m paying them EUR 8 a month for administration, shell access, 2GB server space and other sundries. I trust them because I know them, and because I know where their company’s revenue comes from (from me, and people like me). And because I can go and yell at them if they do something I disagree with. On that server, I’m also running OwnCloud, for easy file storage and sharing.
  • I use GnuPG to encrypt sensitive emails. My preferred mail client is Mutt, but that’s a detail – others work just as well.
  • For chat, I use FSFE’s XMPP servers, and those of the company mentioned above. For social networking, I use identi.ca (which is currently shifting to a new platform, so I’m not sure how well it’ll work a week from now.)
  • I encrypt the hard drives on my desktop and my laptop. This is easy to do when I install a new operating system, and is probably the simplest thing on this list.
  • I run my searches through DuckDuckGo rather than Google. It’s still a centralised service, but at least that way my search data doesn’t get linked with everything else I do around the Internet. (DuckDuckGo has a Firefox plugin which is pretty convenient.) FSFE’s website search uses YaCy, which is a distributed search engine.

Note that all these measures are purely defensive. They don’t make the problem of surveillance go away. They just slightly reduce your risk of suffering from the problems associated with surveillance. So there’s one more point I’d like to add to the list:

  • I participate in politics. Together with many other people and groups, we’re trying to build a society where surveillance will be the exception rather than the norm. Technology can provide us with useful tools, and can shelter us a bit while we do this work. But it won’t do the job for us.

Footnotes

[1] I’m talking about sensitive as in “if this leaks, it’d be trouble and bad press” rather than “OMG there’s a SWAT team coming through the window”.

[2] Views on what’s an appropriate level of security differ widely. Some people will think I’m paranoid. Some will think I’m horribly sloppy.

Your input needed: Questions for panel w/ Eben Moglen, RMS, 4 MEPs

On July 9 at the Libre Software Meeting / RMLL in Brussels, we’re organising a big panel discussion on “Technology, Power and Freedom”.

After the news about wide-ranging communications surveillance we’ve heard in recent weeks, this topic is arguably even more pressing than it was before. But we want to look at the long term:

What do we need to change in politics and technology today to build a better world tomorrow?

For this discussion we’re bringing some of the Free Software movement’s leading minds together with the people who represent us in the European Parliament. We’re extremely happy to have a list of first-rate participants:

  • Eben Moglen (Columbia University / Software Freedom Law Center)
  • Richard M Stallman (FSF)
  • Judith Sargentini (MEP Greens/EFA)
  • Marc Tarabella (MEP S&D – tbc)
  • Nils Torvalds (MEP ALDE)
  • Ioannis A. Tsoukalas (MEP EPP)

I’d like your input: What should we ask these people? What are your most urgent questions on technology and politics?

Please post your questions in the comments. We’ll gather them and get them to Brussels.

European Parliament calls for action against surveillance

The European Parliament has called upon the Commission and public bodies across Europe to help citizens protect themselves from surveillance. Free Software (referred to here as “open source”) plays a key role in this effort:

The European Parliament:

[…]

29. Urges the Commission and Member States to devise appropriate measures to promote, develop and manufacture European encryption technology and software and above all to support projects aimed at developing user-friendly open-source encryption software;

30. Calls on the Commission and Member States to promote software projects whose source text is made public (open-source software), as this is the only way of guaranteeing that no backdoors are built into programmes;

31. Calls on the Commission to lay down a standard for the level of security of e-mail software packages, placing those packages whose source code has not been made public in the ‘least reliable’ category;

32. Calls on the European institutions and the public administrations of the Member States systematically to encrypt e-mails, so that ultimately encryption becomes the norm;

33. Calls on the Community institutions and the public administrations of the Member States to provide training for their staff and make their staff familiar with new encryption technologies and techniques by means of the necessary practical training and courses;

Good stuff. Too bad it’s twelve years old.

This was how the European Parliament reacted to the revelations that Europeans (and everyone else, for that matter) were being spied upon through the ECHELON system.

The measures which the Parliament proposes are still valid. Unfortunately, I don’t see much public support for user-friendly Free Software encryption systems, or Free Software projects in general. If the Commission has gotten round to laying down a standard for the level of security for e-mail software, I haven’t heard about it (that’s entirely possible). Systematic email encryption in the public sector isn’t happening on any significant scale, and I haven’t had many public servants tell me how they’ve been trained in the use of encryption technologies.

Still, if the EP decides to have a resolution on PRISM and its ilk, they could do worse than look at the Parliament’s own ECHELON text.

Friday folly: EP requires proprietary software to register for workshop [Update]

There’s a great workshop coming up at the European Parliament, on “Legal aspects of Free Software”. The official link is rather understated, but the speakers are first class [Update: here’s the preliminary agenda]. They include Eben Moglen, economist and Free Software researcher Rishab Ghosh, FSFE’s very own Carlo Piana, and the project lead for Munich’s migration to Free Software, Jutta Kreyss. The workshop will take place on July 9 in Brussels, coinciding with RMLL, so a great many Free Software people will be in town.

So far, so good, and I’m very glad this event is taking place. Of course I want to be there, and registration is required. And to register, you need what? Adobe Acrobat.

*facepalm*

Fortunately, you can also register by mail. I’ve done so, and used the opportunity to raise some concerns about what this choice of procedure means for the EP’s relation to Europe’s citizens. In case you want to come for the workshop, and if you share these concerns, feel free to re-use whatever you see fit of the points below.

UPDATE: I’ve been assured by the people who have been working for about a year to make this workshop happen that they’ve actually tested the sign-up form in a number of Free Software PDF readers, and that they’re going above and beyond their obligations in making sure that people can also register by mail. So the blame for this doesn’t fall with the EP staffers running the sign-up process, who have apparently done the best they can, but rather with the people in charge of the EP’s overall software environment (and those setting their priorities). The problem just becomes more apparent because this particular workshop deals with Free Software.


Dear Madam, Sir,

I would like to register for the

JURI Workshop on LEGAL ASPECTS OF FREE AND OPEN SOURCE
SOFTWARE

taking place in the EP on July 9. Please find my registration data
below.

The workshop program is highly promising, with great speakers who
are leading experts in their field.

However, I would like to express my severe disappointment at your
decision to require would-be participants to sign up using Adobe
Acrobat. This choice means that in order to participate, I would
have to purchase and install non-free software on my computer,
which might not even work on my operating system.

The European Parliament must set itself the highest possible
standards for transparency and citizen participation. In this
instance, it has clearly failed to do so.

If I were to recommend a more suitable procedure for handling
registrations in an efficient manner, I would suggest setting up a
simple web form. This is easy, efficient, and is done frequently
at a wide range of institutions, including the European
Commission. I would expect the EP’s IT department to make
such a tool available to all parliament staff; if this
is not already the case, I recommend requesting it from them.

As regards PDF files, you might be interested in the website
PDFreaders.org

http://pdfreaders.org/

which lists Free Software [1] PDF readers for the most widely used
operating systems.

Requiring people to use non-free software in order to
participate in the Parliament’s activities erects unnecessary
barriers between European citizens and their institutions. I urge
you to help reduce those barriers, rather than making them
stronger.

My registration data is as follows:
[…]

Best regards,

Karsten


[1] Free as in freedom, not price.


Quick list: Problems for Free Software in Romania

I’m in Bucharest this weekend for the Coliberator conference, organised by FSFE associate organisation Ceata. In one of my talks, I presented FSFE, and talked about things we can work on together.

In the discussion that followed, we collected problems that Free Software is facing in Romania. It’s a rough-and-ready list of points, collected on a public Etherpad – if you have more, please add them, and give me a ping in the comments. (Just keep it limited to Romania, please.)

  • afraid of Free Software
    • afraid of change
    • afraid of having to learn something new
  • companies pressuring politicians to avoid change
  • user organisations afraid of lack of support
  • corruption
    • can’t make hidden deals with Free Software companies as easily
  • Lack of collaboration between activists and groups
  • Users are unfamiliar with Free Software programs
  • hardware sometimes doesn’t support Free Software
  • Too little Free Software use in education system
  • Education system doesn’t emphasize Free Software well enough
    • Asset: Free Software used for training at Bucharest Politechnical Institute
    • Asset: some courses on GNU/Linux use at University of Bucharest
  • Misconception that Free Software is more buggy than proprietary software
    • caused by the fact that we don’t hide problems
  • Government forces people to use non-free software
    • MS Windows required for end-of-high school exams
    • Flash widely used in education – platform
    • government is contractually obliged to use non-free software through their hardware contracts
  • Office suite: People blame Free Software programs for lack of compatibility
  • Getting unlicensed proprietary software is much easier than using proprietary software
    • and people consider proprietary software to be more professional

Sure, it’s a long list of problems, and most of them are issues that we know well from other countries. The good news is that the list also contains some very specific issues, such as the Flash-based education platform. These things present a clear target, and may well be footholds on the steep climb to solving the other, less well-defined problems.

European Parliament to report on own use of Free Software

For the second time, the European Parliament has asked its internal administration to prepare a full report on how the Parliament uses and develops Free Software. Our friends over at EPFSUG have been pushing hard for this for a long time, and we at FSFE have helped where we could:

48. Requests for the second time, after the first request relating to the discharge procedure was made in 2010, a full report on how Parliament’s Free Software projects have developed with regards to use and users in Parliament, citizen interaction and procurement activities; invites for the second time to investigate, in a full study, Parliament’s obligations under Rule 103 of its Rules of Procedure with regard to Free Software and Open Standards; regrets that Free Software and Open Source solutions are not more widely used in the Parliament’s IT infrastructure;

In the slow-moving world of EU administrative processes, a report on the Parliament’s use of Free Software would provide an important reference point for efforts to make European policy makers more aware of Free Software.

So far, the Parliament is moving in the right direction, but at a snail’s pace. In March, we saw the release as Free Software of an internal tool for drafting and tracking legislation.

Open issues

At the same time, more fundamental problems remain unaddressed. The Parliament still offers staffers non-free software for private use, fully expecting them to breach the terms of use of those programs.

The Parliament has also failed to make any progress on breaking free from its lock-in to proprietary vendors. It acquires most of its desktop and software through contracts made by the European Commission. The Commission, in turn, awards those contracts without a competitive tendering process to proprietary software makers and resellers.

The report which the Parliament has now requested from its own administration would represent an important bit of introspection. While not sufficient, this is a necessary condition for improvement.