PROJET AUTOBLOG


Free Software Foundation Recent blog posts

Tell Lenovo: respect user freedom and prevent future Superfishes

Friday, February 20, 2015 at 23:37

The basis of the problem is a program by Superfish that is designed to interject advertisements into users' Web browsing. That's irritating, but it gets worse. Superfish also installs a certificate that intercepts Web traffic and cripples the host computer's ability to use HTTPS to validate the authenticity of Web sites. This leaves an open door for attackers to use fake versions of sites that should be secure -- like bank Web sites -- to steal personal information. You can read more about the vulnerability at Ars Technica.

Whenever you use proprietary software like Windows or Superfish, true, trustable, verifiable security is always out of reach. Because proprietary code can't be publicly inspected, there's no way to validate its security. Users have to trust that the code is safe and works as advertised. Since proprietary code can only be modified by the developers who claim to own it, users are powerless to choose the manner in which security bugs are fixed. With proprietary software, user security is secondary to developer control.

Recent high-profile security vulnerabilities in free software, like Heartbleed and POODLE, were created when well-intentioned developers made mistakes that were difficult to detect. But this is different -- Lenovo and Superfish caused a massive security breach for the sake of expedience in generating ad revenue.

These companies have shown such blatant disregard for the public trust that they will have to work hard to restore it. Lenovo should work with a third party committed to the public interest -- like the Free Software Foundation -- to create and sell laptops that are certified to respect user freedom and come with a preinstalled free operating system. Join us in calling for this change on social media (see our recommendations for social media platforms).

Microblog about Lenovo's Superfish vulnerability.

Regardless of what Lenovo does, you can minimize your risk of exposure to Superfish and similar threats by uninstalling proprietary operating systems and using a free GNU/Linux distribution signed by a source you trust. If you are interested in a new computer, the FSF currently certifies two retail laptops that come with no proprietary software through our Respects Your Freedom program, and you can build your own free software-friendly computer with guidance from the community-maintained hardware database h-node.

If you have used a Lenovo computer running Superfish, make sure to reset any passwords you use on the Web, as they may have been intercepted.

Friday Free Software Directory IRC meetup: February 20

Friday, February 20, 2015 at 00:45

Join the FSF and friends on Friday, February 20, from 2pm to 5pm EST (19:00 to 22:00 UTC) to help improve the Free Software Directory by adding new entries and updating existing ones. We will be on IRC in the #fsf channel on freenode.

Tens of thousands of people visit directory.fsf.org each month to discover free software. Each entry in the Directory contains a wealth of useful information, from basic categories and descriptions to detailed info about version control, IRC channels, documentation, and licensing that has been carefully checked by FSF staff and trained volunteers.

While the Free Software Directory has been and continues to be a great resource to the world over the past decade, it has the potential of being a resource of even greater value. But it needs your help!

If you are eager to help and you can't wait or are simply unable to make it onto IRC on Friday, our participation guide will provide you with all the information you need to get started on helping the Directory today!

CC BY 4.0 and CC BY-SA 4.0 added to our list of free licenses

Friday, February 13, 2015 at 16:30

We have updated our list of Various Licenses and Comments about Them to include the Creative Commons Attribution 4.0 International license (CC BY 4.0) and the Creative Commons Attribution-ShareAlike 4.0 International license (CC BY-SA 4.0). Both of these licenses are free licenses for works of practical use besides software and documentation.

CC BY 4.0 is a noncopyleft license that is compatible with the GNU General Public License version 3.0 (GPLv3), meaning you can combine a CC BY 4.0 licensed work with a GPLv3 licensed work in a larger work that is then released under the terms of GPLv3.

Creative Commons has begun a public discussion process for license compatibility evaluation in order to determine whether or not GPLv3 should be added to the list of CC BY-SA 4.0 Compatible Licenses. If GPLv3 is added to this list, then CC BY-SA 4.0 will be deemed one-way compatible with GPLv3, which means that a person can adapt a CC BY-SA 4.0 licensed work and release the adapted version under the terms of GPLv3.

Throughout the drafting process of both of these licenses, the FSF, with the help of the Software Freedom Law Center, provided feedback and suggestions to Creative Commons. We thank Creative Commons for giving us the opportunity to provide feedback and for incorporating many of our suggestions.

The FSF will continue to provide feedback throughout the current compatibility evaluation discussion process. We will also make updates to our list when we have new information regarding compatibility between these CC licenses and other GNU licenses, such as GNU GPLv2 and the GNU Free Documentation License (GFDL).

Will you be my cryptovalentine?

Thursday, February 12, 2015 at 18:55
#ilovefs

Valentine's day is this Saturday and, if you're like us, you're either trying to pick the right gift or wishing you had someone to exchange gifts with. We wish you luck with that. But there's something important that you can do regardless of your relationship status:

Ask someone you like -- romantically or otherwise -- to be your cryptovalentine. If they say yes (yikes, nervous!) use the free program GnuPG to set up private and encrypted communication with them. If one or both of you is new to GnuPG, we recommend our beginner-friendly Email Self-Defense guide. Setting up encrypted communication is a quick activity you can do together whether you are across the room or across the world. And what better way to show love than help them defend their security, privacy and freedom?

Microblog about your cryptovalentine.

Once you're done, share your love with the world by posting about it on microblogging with the hashtag #ilovefs. Just make sure not to use proprietary software to post.

This is a fun activity, but it also can make a difference. Forming personal connections is the best way to teach encryption technology and move us closer to a society where everyone has the tools and knowledge for surveillance-resistant communication.

And as we've discussed at length, free software is necessary for privacy online. Because nonfree software's code can't be audited publicly, we can never trust it to be free of back doors inserted by accident or by design. We're thankful to all the hardworking free software developers who give us a fighting chance at privacy. It goes without saying, but we do love FS.

For more free software Valentine's day fun, like postcards and an #ilovefs photo gallery, visit the Free Software Foundation Europe Web site.

<3

The Licensing and Compliance Lab interviews Rainey Reitman of the Electronic Frontier Foundation

Thursday, February 12, 2015 at 17:55

In this edition, we conducted an email-based interview with Rainey Reitman, Activism Director for the Electronic Frontier Foundation, about their new EFF Alerts mobile app.

What inspired EFF to create EFF Alerts?

Part of our advocacy efforts includes helping people who care passionately about civil liberties to influence decision makers. We might target a company like Apple, or President Obama, or the U.S. Congress when it's considering proposals that would undermine liberty. We promote these campaigns through social media and our blog, as well as through our mailing list.

One problem we're facing is that people are becoming less receptive to email communications. Part of that is simply email overload (the number one reason people give us for choosing to unsubscribe), as well as email providers trying to block or hide "mass" mailings.

But when Congress is about to act on a bad bill, we may have only days -- or in some cases only hours -- to rally a response. So we need a reliable non-email way for people to connect with us.

That's why we came up with EFF Alerts -- a fast, simple way to get notified on your mobile device whenever digital rights need your help. The EFF Alerts community is basically a fast-response emergency service for speaking out against imminent threats to our freedom.

Do you have to be in the United States to use the app?

Not at all; people all over the world should download the app. Many of our actions are international. However, sometimes we'll be organizing an action specifically targeting the United States Congress (because it is taking up a bill, for example). In those cases, it might not be possible for people outside the United States to complete the action, but there will be future actions they can take.

How can people use it?

Currently, people who want to install the app will get notified about breaking issues and actions through a push notification. People can click on the notification to load a mobile version of the EFF action center. Then they can take action -- often emailing Congress, signing a petition, sending a tweet, etc. To make this easy, you can set up a login and password on the EFF action center. That will retain your information and make it easier to speak out in the future.

Where can people get EFF Alerts?

People can download EFF Alerts from the Play Store. We're working on getting EFF Alerts onto F-Droid, but there are a few technical hurdles we have to jump through. We also have a version we put on our blog that you can download if you don't want to use the store, but the Play Store ensures you get automatic updates with new versions, bug fixes, and new features.

Why isn't EFF Alerts in the Apple App Store?

We thought a long time about putting the app in the Apple store. We'd really like everybody to be able to download our app, regardless of what operating system they choose for their mobile device. But after carefully reviewing Apple's Developer Terms (which we've been criticizing for years), we decided we couldn't sign them. The Apple terms prohibit developers from making any "public statements" about the agreement they sign. It also has a ban on reverse engineering, and gives Apple the right to remotely disable your app at any time, or delay important security updates. Not to mention all Apple apps come wrapped in freedom-hampering digital restrictions management.

Given all of this, we decided we couldn't sign the agreement, even if it meant fewer people getting our app.

Why did you choose the GNU Affero General Public License, version 3 (AGPLv3) as EFF Alerts' license?

We used AGPLv3 for both the mobile app and the push server (which pushes notifications to the phones) so that if anyone makes improvements to the software and makes those improvements accessible over the network, the users get to benefit from their improvements and contributions. This helps ensure a robust free software community of developers working together to build the best app, rather than balkanizing their code in ways that lack community input.

How can users (technical or otherwise) help contribute to EFF Alerts?

One easy way to contribute is to download the app and tell your friends about it, either through social media or through other mechanisms.

Coders who want to get involved can check out EFF's GitHub projects. We also have ways to volunteer on our website.

Also, EFF is currently hiring folks to help us out, with both policy positions and technical positions. If you care about these issues, please consider making a career of defending digital rights.

What's the next big thing for EFF Alerts?

We've gotten a bunch of user feedback, so look for a new version in the coming months with a much-improved user interface.

Enjoyed this interview? Check out our previous entry in this series, featuring Aaron Wolf of Snowdrift.coop.