Free Software Foundation News

Free Software Foundation stresses necessity of full user control over Internet-connected devices

Friday, 9 September 2016 at 21:09

Most IoT systems consist of three components:

1) The "smart" device itself, capable of communicating via a protocol such as Z-Wave, Zigbee, Bluetooth or IEEE 802.11, running either a full operating system (commonly based on the kernel Linux) or an embedded OS designed for this purpose.

2) A remote service provided by the device manufacturer. The smart device communicates with this service in order to provide information about its current state and in order to provide an interface for users to control the device.

3) An application designed for mobile platforms which interacts with the remote service and allows control of the smart device regardless of whether the user is currently located near the device or not.

Devices that use the Zigbee or Z-Wave protocols also typically require a local "hub," a device running interface software that bridges the devices to the remote service.

There are multiple significant security concerns around this design pattern. The first is that either the smart devices themselves or the hub that they communicate with require Internet access. Depending on local network configuration, this may result in the devices being visible to the public Internet. These devices inherently provide a service of some description in order to permit their integration with the remote services, but frequently also provide additional services for directly local communication and often include further unnecessary services used for diagnostics during the design and production stage (such as MicroCell -- the same backdoor was present on a series of baby monitors shipped by a major manufacturer).

These devices are often locked down in such a way that it is impossible for the user to replace the software that they run. These devices are also often abandoned by their manufacturers after a short space of time due to them being either discontinued or replaced by newer devices. Users who continue using these devices are thus at significant risk, without any real chance of security updates being made available and frequently without any notification that any security issues have been identified. If any issues are identified, then without the permission of the manufacturer it is impossible for any third party to provide aid to said users.

This concern is frequently mitigated by typical home network setups that restrict external access to internal devices. But smart devices inherently require external access to be possible, and this functionality is provided by the remote service. The smart device connects to the remote service and awaits commands -- users in turn connect to the remote service and send commands.

These remote services are themselves frequently insecure. Authentication details are often sent in plaintext, allowing anyone who can observe network traffic to obtain credentials. Some systems involve no authentication at all. This makes it possible for a malicious individual to gain control over home devices, in some cases potentially even being able to execute arbitrary code on said devices and gain access to the internal network.
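To make two of the concerns above concrete (services on the device reachable from outside the home network, and credentials sent to the remote service in plaintext or not at all), here is an added Python example; it is not part of the FSF submission or any vendor's code. It audits a handful of constructed connection records of the kind a logging proxy or firewall on the home router could produce. The device names, hostnames, addresses, and the record format are assumptions of this example, not any real product's log.

```python
"""Audit constructed IoT traffic records for the weaknesses the text describes:
plaintext credentials, unauthenticated state changes, and device services
reachable from outside the home LAN. All data below is constructed."""
import base64
import ipaddress
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed outbound device-to-cloud requests (hypothetical devices and host).
OUTBOUND = [
    {"device": "thermostat", "method": "POST",
     "url": "http://cloud.example/api/state",
     "headers": {"Authorization": "Basic b3duZXI6aHVudGVyMg=="}},  # owner:hunter2
    {"device": "camera", "method": "GET",
     "url": "http://cloud.example/feed?password=letmein&id=7",
     "headers": {}},
    {"device": "lightbulb", "method": "POST",
     "url": "https://cloud.example/api/on",
     "headers": {"Authorization": "Bearer constructed.token.value"}},
    {"device": "plug", "method": "PUT",
     "url": "https://cloud.example/api/relay",
     "headers": {}},
]
# Constructed inbound TCP connections accepted by devices: (source, device, port).
INBOUND = [
    ("192.168.1.20", "thermostat", 80),
    ("203.0.113.7", "camera", 23),     # telnet-style diagnostic port, outside source
    ("198.51.100.9", "camera", 554),
    ("192.168.1.5", "plug", 8080),
]
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "token", "api_key", "apikey", "key"}
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str
    reason: str


def basic_auth_user(header_value: str):
    """Return the user name from a 'Basic <base64>' header, or None otherwise."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, _ = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user


def audit_request(rec):
    """Findings for one device-to-cloud request record."""
    url = urlsplit(rec["url"])
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    plaintext = url.scheme == "http"
    auth = headers.get("authorization")
    leaked = sorted(CREDENTIAL_PARAMS & {k.lower() for k in parse_qs(url.query)})
    found = []
    if auth and plaintext:
        user = basic_auth_user(auth)
        what = f"Basic credentials for '{user}'" if user else "an authorization token"
        found.append(Finding(rec["device"], "high",
                             f"{what} sent in plaintext to {url.hostname}"))
    if leaked:
        # Query strings land in proxy and server logs even when TLS is used.
        sev = "high" if plaintext else "medium"
        found.append(Finding(rec["device"], sev, f"credential parameter(s) {leaked} in URL"))
    if not auth and not leaked and rec["method"].upper() in STATE_CHANGING:
        found.append(Finding(rec["device"], "high",
                             "state-changing request with no authentication"))
    return found


def exposed_listeners(conns, lan=HOME_LAN):
    """(device, port) pairs that accepted a connection from outside the LAN."""
    return sorted({(dev, port) for src, dev, port in conns
                   if ipaddress.ip_address(src) not in lan})


def audit(outbound=OUTBOUND, inbound=INBOUND):
    """Run both checks and return all findings in a stable order."""
    findings = [f for rec in outbound for f in audit_request(rec)]
    for dev, port in exposed_listeners(inbound):
        findings.append(Finding(dev, "high", f"port {port} reachable from outside the LAN"))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity}] {f.device}: {f.reason}")
```

The lightbulb record produces no finding because it authenticates over TLS; the plug record is flagged even though it uses TLS, since encryption does nothing about a service that accepts commands with no authentication at all. Real deployments would feed the functions from a capture or proxy log rather than the inline lists.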

If vendors are unwilling or unable to fix these security issues, users are left in an unfortunate position. They can either retain the convenience provided by the smart devices they paid for, or they can remove them and attempt to obtain a refund. The worst case scenario is perhaps when the vendor unilaterally decides to shut down the remote service, rendering the devices useless.

Another consideration is the behavior of the manufacturer itself. Manufacturers may not always act in the interests of their customers, doing things ranging from invasive collection of personal data to intrusive advertising or even disabling device functionality remotely. Even if ostensibly permitted by terms of service, users should be able to protect themselves against such scenarios.

There is an alternative. Third-party free software alternatives to the pre-installed software are common in certain market segments, such as home routers (libreCMC, OpenWrt and DD-WRT, for instance). Security vulnerabilities can be mitigated by replacing the original software with a functional equivalent provided by a third party. Unfortunately, many IoT devices are designed such that the software can only be replaced by the manufacturer. The software will only communicate with the manufacturer's remote service -- no third party can provide a functional equivalent.

To ensure that users do not end up in a situation where they are left choosing between security and convenience, or left with no ability whatsoever to use the devices they bought, it is vital that these devices be ultimately under the control of the user. The user should be able to replace the software on the device in order to fix security vulnerabilities. The user should be able to modify the software on the device such that it communicates with a different remote service that provides strong security guarantees. The user should not be left with no option other than to discard the device and replace it with a new version.

In order for this to be possible, it is necessary to know how the devices communicate with the remote server. Unfortunately this is frequently in the form of a proprietary protocol that lacks any public documentation, and as such it is a significant engineering effort for anyone to implement a replacement service. Several well-known protocols exist for controlling remote devices (such as MQTT) and re-using these rather than proprietary protocols makes it easier to both identify whether any security issues exist (being forced to reverse engineer a protocol may result in missing subtle aspects that cause security issues) and provide alternative implementations in the event of significant security flaws being discovered or the vendor choosing to cease support of the remote services.

To that end, we encourage the adoption of practices that:

a) Ensure that documented and freely-implementable (rather than patent-encumbered) protocols be used for communication between smart devices and remote services;

b) Ensure that owners of smart devices are able to replace their software with implementations provided by either themselves or third parties in order to prevent the vendor being a single point of failure in either service; and

c) Strongly encourage the use of free "as in freedom" software throughout the entire stack, making it easier for security researchers to identify issues, third parties to provide alternative implementations and users to retain as much control as possible over devices that will become increasingly integrated into their homes and lives.

Matthew Garrett is a member of the FSF's board of directors.

This was submitted in response to the Commission on Enhancing National Cybersecurity request for information about current and future states of cybersecurity in the digital economy.

FSF Job Opportunity: Copyright and Licensing Associate

Tuesday, 30 August 2016 at 20:02

This position, reporting to the executive director, works as part of our licensing and compliance team to protect and promote the use of freely licensed works of software and documentation. For over twenty years, the FSF's Licensing and Compliance Lab has been the preeminent community resource for information about free licensing. From enforcement of the GNU General Public License, to certifying software and devices as fully free, to the writing and distribution of licensing-related educational materials, the team does work vital for the free software movement.

For this position, we are looking for a strong writer who is familiar with free software copyright licenses, and understands the basics of how software is written, compiled, and distributed. Neither a legal nor computer science education is required, but both would be a plus. Ideal candidates will also have experience with administrative tasks and record keeping.

Examples of job responsibilities include, but are not limited to:

Because the FSF works globally and seeks to have our materials distributed in as many languages as possible, multilingual candidates will have an advantage. With our small staff of thirteen, each person makes a clear contribution. We work hard, but offer a humane and fun work environment at an office located in the heart of downtown Boston. The FSF is a mature but growing organization that provides great potential for advancement; existing staff get the first chance at any new job openings.

Benefits and Salary

This job is a union position that must be worked on-site at the FSF's downtown Boston office. The salary is fixed at $51,646/year and is non-negotiable. Other benefits include:

Application Instructions

Applications must be submitted via email to hiring@fsf.org. The email must contain the subject line "Copyright and Licensing Associate". A complete application should include:

All materials must be in a free format. Email submissions that do not follow these instructions will probably be overlooked. No phone calls, please.

Applications must be received by Sunday, September 18, 2016 at 17:00 EDT.

The FSF is an equal opportunity employer and will not discriminate against any employee or application for employment on the basis of race, color, marital status, religion, age, sex, sexual orientation, national origin, handicap, or any other legally protected status recognized by federal, state or local law. We value diversity in our workplace.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software -- particularly the GNU operating system and its GNU/Linux variants -- and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. We are based in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

FSF Job Opportunity: Web Developer

Monday, 22 August 2016 at 19:42

The Free Software Foundation (FSF), a Massachusetts 501(c)(3) charity with a worldwide mission to protect computer user freedom, seeks a motivated and talented Boston-based individual to be our full-time Web Developer.

This position, reporting to the executive director, works closely with our sysadmin team to maintain and improve the FSF's Web presence. The FSF uses several different free software Web platforms in the course of its work, both internally and externally. These platforms are critical to work supporting the GNU Project, free software adoption, free media formats, and freedom on the Internet; and to opposing bulk surveillance, Digital Restrictions Management, software patents, and proprietary software.

We are looking for someone who is comfortable with keeping these systems up-to-date and working, as well as customizing them when necessary. While the main duties will relate to the backend systems, frontend experience with templates, HTML, CSS, JavaScript, and design tools will be a big plus. The Web Developer will help lead major projects, such as the relaunch of https://www.fsf.org and migration of https://audio-video.gnu.org to GNU MediaGoblin. S/he will also be part of the team running the annual LibrePlanet conference as well as contribute to decisions about which new platforms to use or which existing ones to retire.

Examples of platforms maintained by the Web Developer include, but are not limited to:

Because the FSF works globally and seeks to have our materials distributed in as many languages as possible, multilingual candidates will have an advantage. With our small staff of thirteen, each person makes a clear contribution. We work hard, but offer a humane and fun work environment at an office located in the heart of downtown Boston.

The FSF is a mature but growing organization that provides great potential for advancement; existing staff get the first chance at any new job openings. This position is also a good starting point for anyone who might be interested in other roles on our technical team in the future.

Benefits and Salary

This job is a union position that must be worked on-site at the FSF's downtown Boston office. An on-site interview will be required with the executive director and other team members. The salary is fixed at $51,646/year and is non-negotiable. Other benefits include:

Application Instructions

Applications must be submitted via email to hiring@fsf.org. The email must contain the subject line "Web Developer". A complete application should include:

All materials must be in a free format. Email submissions that do not follow these instructions will probably be overlooked. No phone calls, please.

Applications must be received by Thursday, September 1, 2016 at 17:00 EDT.

The FSF is an equal opportunity employer and will not discriminate against any employee or application for employment on the basis of race, color, marital status, religion, age, sex, sexual orientation, national origin, handicap, or any other legally protected status recognized by federal, state or local law. We value diversity in our workplace. Women, people of color and LGBTQ individuals are strongly encouraged to apply.

Free Software Foundation releases FY2015 Annual Report

Friday, 12 August 2016 at 00:28

The report is available in low-resolution (2.4 MB PDF) and high-resolution (30.7 MB PDF).

The Annual Report reviews the Foundation's activities, accomplishments, and financial picture. The report examines the impact of the FSF's programs, and FY2015's major events, including LibrePlanet and our thirtieth anniversary.

As with all of the Foundation's activities, the Annual Report was made exclusively using free software, including Scribus, GIMP, Inkscape, and LibreOffice, along with freely licensed fonts and images. The report is released under a CC BY SA 4.0 license.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software -- particularly the GNU operating system and its GNU/Linux variants -- and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://my.fsf.org/donate. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

Media Contacts

Georgia Young
Program Manager
Free Software Foundation
+1 (617) 542 5942 x 17
campaigns@fsf.org

Web DRM standard moves to next phase of development, FSF's Defective by Design campaign to continue opposition

Wednesday, 6 July 2016 at 22:38

EME (full text) is a proposed technological standard for Web-based Digital Restrictions Management (DRM), digital handcuffs that video-streaming services use to micromanage users' access to legitimately obtained media. As Web users asserted while protesting the W3C's meeting this March, DRM is coercive, disempowering and insulting to users. It also causes broad collateral damage to the health of our digital society. DRM's dark history — from the Sony rootkit malware to draconian anti-circumvention laws — demonstrates that integrating it into Web standards would be nothing but bad for the Web's users. It is predicted to stymie security research, curtail privacy, freedom, and accessibility, and set back the interoperability that is necessary for innovation on the Web. There is considerable dissent about EME within the W3C — staff member Harry Halpin has pledged to resign if it becomes an official standard.

Defective by Design is the FSF's campaign against DRM in all its forms and the aegis for its work against EME. Campaigns manager Zak Rogoff made this statement:

"The W3C and its director, Tim Berners-Lee, are abdicating their responsibility — as stated in their official design principles — to put users first in the design of the Web. We had hoped that Berners-Lee would uphold the vision of inclusion and empowerment that he articulated in his famous Tweet about the Web: 'This is for everyone.' But by allowing EME to continue, he has given license to Netflix, Google and media owners to warp the Web so that it works firstly for them.

We are inspired by the worldwide network of activists who have joined us in our struggle for the freedom-respecting Web we deserve. Defective by Design will continue to escalate our campaign, deploying new and creative forms of resistance until EME is stopped."

The EME standardization effort, sponsored by streaming giants like Google and Netflix, aims to take advantage of the W3C's influence over Web technology to make it cheaper and more efficient to impose DRM systems. As of yesterday, the EME proposal is now upgraded from Working Draft to Candidate Recommendation within the W3C's process. Under the W3C's rules there are at least three more chances to pull the plug on EME before it becomes a ratified standard, also known as a W3C Recommendation.

W3C member organizations wishing to join the campaign against EME are invited to contact Defective by Design at info@defectivebydesign.org. Concerned individuals can start by signing Defective by Design's petition or adding a protest selfie to the growing gallery.

About Defective By Design

Defective by Design is the Free Software Foundation's campaign against Digital Restrictions Management (DRM). DRM is the practice of imposing technological restrictions that control what users can do with digital media, creating a good that is defective by design. DRM requires the use of proprietary software and is a major threat to computer user freedom. It often spies on users as well. The campaign, based at defectivebydesign.org, organizes anti-DRM activists for in-person and online actions, and challenges powerful media and technology interests promoting DRM. Supporters can donate to the campaign at https://www.defectivebydesign.org/donate.

About the Free Software Foundation

The Free Software Foundation, founded in 1985, is dedicated to promoting computer users' right to use, study, copy, modify, and redistribute computer programs. The FSF promotes the development and use of free (as in freedom) software — particularly the GNU operating system and its GNU/Linux variants — and free documentation for free software. The FSF also helps to spread awareness of the ethical and political issues of freedom in the use of software, and its Web sites, located at fsf.org and gnu.org, are an important source of information about GNU/Linux. Donations to support the FSF's work can be made at https://donate.fsf.org. Its headquarters are in Boston, MA, USA.

More information about the FSF, as well as important information for journalists and publishers, is at https://www.fsf.org/press.

Media Contact

Zak Rogoff
Campaigns Manager
Free Software Foundation
+1 (617) 542 5942 x31
info@defectivebydesign.org