Tag Archives: tracker

Check Facebook Privacy Settings with ReclaimPrivacyRights.org’s Scanner Bookmarklet

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/KxCCUb5bO8E/check-facebook-privacy-settings-with.html

ReclaimPrivacyRights.org provides a simple bookmarklet that works simply by loading it when you visit your Privacy settings page on Facebook. Simple, neat, and it appears to be a neat way to get a basic checkup. Better, the source code is available for review.


Facebook Friend Suggestions – Not a Virus!

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/MFuDDtcWxqw/facebook-friend-suggestions-not-virus.html

Facebook status updates are quickly being populated with warnings that the suggest a friend notes that are appearing in users’ inboxes are virus driven. They’re not – in fact, Facebook has released a notice that AllFacebook.com posted stating:

“This is neither a bug nor a virus, and the ‘Virus Alert’ status update is incorrect. Friend suggestions are now mutual and will appear for both users involved. That is, if I suggest that one person become friends with another, both the person I suggested and the person to whom I sent the suggestion will receive the notification.”

The fact that the Facebook populace quickly communicates about a potential issue is good – the fact that false information is spreading quickly is not as good – but I’d rather my users avoid a fake virus than not avoid a real one.


Experiments in Security: Magstripe Reading Using Rust Particles

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/d1-6WxthgU0/experiments-in-security-magstripe.html

Tetherdcow via BoingBoing has a great science experiment to try with magstripes on credit cards and other ID cards: using rust particles to read the magstripe. This looks like a great hands-on and visible way to talk about how data is encoded when teaching students.


Opting out of Facebook’s Instant Personalization

Post Syndicated from David original http://feedproxy.google.com/~r/DevilsAdvocateSecurity/~3/3NpFgb4Q9mk/opting-out-of-facebooks-instant.html

The EFF has a quick look at how to opt out of Facebook’s new Instant Personalization capabilities. Of note, you must block ALL of the Instant Personalization websites if you use them, rather than just setting one master setting. They provide both written steps and a video, as well as a suggestion on how to make your voice heard about this new “feature”.


stet and AGPLv3

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2007/11/21/stet-and-agplv3.html

Many people don’t realize that the GPLv3 process actually began long
before the November 2005 announcement. For me and a few others, the GPLv3
process started much earlier. Also, in my view, it didn’t actually end
until this week, when the FSF released the AGPLv3. Today, I’m particularly
proud that stet was the first software released covered by the terms of
that license.

The GPLv3 process focused on the idea of community, and a community is
built from bringing together many individual experiences. I am grateful
for all my personal experiences throughout this process. Indeed, I
would guess that other GPL fans like myself remember, as I do, the first
time they heard the phrase “GPLv3”. For me, it was a bit
early — on Tuesday 8 January 2002 in a conference room at MIT. On
that day, Richard Stallman, Eben Moglen and I sat down to have an
all-day meeting that included discussions regarding updating GPL. A key
issue that we sought to address was (in those days) called the
“Application Service Provider (ASP) problem” — now
called “Software as a Service (SaaS)”.

A few days later, on the telephone with Moglen[2] one morning, as I stood in my
kitchen making oatmeal, we discussed this problem. I pointed out the
oft-forgotten section 2(c) of the GPL [version 2]. I argued that contrary
to popular belief, it does have restrictions on some minor
modifications. Namely, you have to maintain those print statements for
copyright and warranty disclaimer information. It’s reasonable, in other
words, to restrict some minor modifications to defend freedom.

We also talked about that old Computer Science problem of having a
program print its own source code. I proposed that maybe we needed a
section 2(d) that required that if a program prints its own source to
the user, that you can’t remove that feature, and that the feature must
always print the complete and corresponding source.

Within two months, Affero GPLv1 was published — an authorized fork of
the GPL to test the idea. From then until AGPLv3, that “Affero clause”
has had many changes, iterations and improvements, and I’m grateful
for all the excellent feedback, input and improvements that have gone
into it. The result, the Affero GPLv3 (AGPLv3) released on Monday, is
an excellent step forward for software freedom licensing. While the
community process indicated that the preference was for the Affero
clause to be part of a separate license, I’m nevertheless elated that
the clause continues to live on and be part of the licensing
infrastructure defending software freedom.

Other than coining the Affero clause, my other notable personal
contribution to the GPLv3 was management of a software development
project to create the online public commenting system. To do the
programming, we contracted with Orion Montoya, who has extensive
experience doing semantic markup of source texts from an academic
perspective. Orion gave me my first introduction to the whole
“Web 2.0” thing, and I was amazed how useful the result was;
it helped the leaders of the process easily grok the public response.
For example, the intensity highlighting — which shows the hot
spots in the text that received the most comments — gives a very
quick picture of sections that are really of concern to the public. In
reviewing the drafts today, I was reminded that the big red area in
section 1 about “encryption and authorization codes” is substantially
changed and less intensely highlighted by draft 4. That quick-look
gives a clear picture of how the community process operated to get a
better license for everyone.

Orion, a Classics scholar as an undergrad, named the
software stet for its original Latin definition: “let it
stand as it is”. It was his hope that stet (the software) would
help along the GPLv3 process so that our whole community, after filing
comments on each successive draft, could look at the final draft and
simply say: Stet!

Stet has a special place in software history, I believe, even if it’s
just a purely geeky one. It is the first software system in history to
be meta-licensed. Namely, it was software whose output was its own
license. It’s with that exciting hacker concept that I put up today
a Trac instance for stet, licensed under the terms of the AGPLv3 [ which
is now on Gitorious ][1].

Stet is by no means ready for drop-in production. Like most software
projects, we didn’t estimate perfectly how much work would be needed.
We got lazy about organization early on, which means it still requires a
by-hand install, and new texts must be carefully marked up by hand.
We’ve moved on to other projects, but hopefully SFLC will host the Trac
instance indefinitely so that other developers can make it better.
That’s what copylefted FOSS is all about — even when it’s
SaaS.

[1] Actually, it’s under AGPLv3 plus an exception to allow for combining
with the GPLv2-only Request Tracker, with which parts of stet combine.

[2] Update 2016-01-06: After writing this blog post, I found
evidence in my email archives from early 2002, wherein Henry Poole (who
originally suggested the need for Affero GPL to FSF), began cc’ing me anew
on an existing thread. In that thread, Poole quoted text from Moglen
proposing the original AGPLv1 idea to Poole. Moglen’s quoted text in
Poole’s email proposed the idea as if it were solely Moglen’s own. Based
on the timeline of the emails I have, Moglen seems to have written to Poole
within 36-48 hours of my original formulation of the idea.

While I do not accuse Moglen of plagiarism, I believe he does at least
misremember my idea as his own, which is particularly surprising, as Moglen
(at that time, in 2002) seemed unfamiliar with the Computer Science concept
of a quine; I had to explain that concept as part of my presentation of my
idea. Furthermore, Moglen and I discussed this matter in a personal
conversation in 2007 (around the time I made this blog post originally) and
Moglen said to me: “you certainly should take credit for the Affero
GPL”. Thus, I thought the matter was thus fully settled back in
2007, and thus Moglen’s post-2007 claims of credit that write me out of
Affero GPL’s history are simply baffling. To clear up the confusion his
ongoing claims create, I added this footnote to communicate unequivocally
that my memory of that phone call is solid, because it was the first time I
ever came up with a particularly interesting licensing idea, so the memory
became extremely precious to me immediately. I am therefore completely
sure I was the first to propose the original idea of mandating preservation
of a quine-like feature in AGPLv1§2(d) (as a fork/expansion of
GPLv2§2(c)) on the telephone to Moglen, as described above. Moglen
has never produced evidence to dispute my recollection, and even agreed
with the events as I told them back in 2007.

Nevertheless, unlike Moglen, I do admit that creation of the final text of
AGPLv1 was a collaborative process, which included contributions from
Moglen, Poole, RMS, and a lawyer (whose name I don’t recall) whom Poole
hired. AGPLv3§13’s drafting was similarly collaborative, and included
input from Richard Fontana, David Turner, and Brett Smith, too.

Finally, I note my surprise at this outcome. In my primary community
— the Free Software community — people are generally extremely
good at giving proper credit. Unlike the Free Software community, legal
communities apparently are cutthroat on the credit issue, so I’ve
learned.

Launchpad is Evil

Post Syndicated from Lennart Poettering original http://0pointer.net/blog/projects/launchpad-stole-my-name.html

I always think twice before entering my name in any web form or posting to a
mailing list. Is the web site/list respectable? Do the owners of the web site
have any commercial interest in my name (spam, marketing, …)? Would I ever
regret that my name can be found with Google in context with this web
site/mailing list? If I enter my name is it used for collecting data about me?
Is there any reasonable privacy policy?

Often enough I refrain from entering my name after deciding that the answers
to these questions are unsatisfactory. I like to be in control of my name. If I
am not confident that I remain in control I don’t enter my name to any
service.

Recently it came to my attention that Canonical decided to create an account (!) for me in their
commercial, proprietary bug tracker called “Launchpad”. I never asked for one!
I never even considered having one, because their service clearly is nothing
that would pass the tests mentioned above. They are a commercial service, my
account data is apparently “content” for them, they don’t seem to have any
privacy policy. (At least I couldn’t find any, the navigation is pretty
crappy.)

Canonical’s nimbus of being “the good guys” doesn’t hinder them from
incorporating data from free sources (apparently they got my data from the Debian
BTS) and make a commercial service of it, without even asking the original
contributors if that would be OK with them, or if it is OK to incorporate their
name or personal profile in the service. Apparently Canonical is not much
better than a common spam harvester: generating personal profiles for
business, without consent of the “victim”.

If anyone from Canonical reads this: It is not OK with me for you to use my name as
“content” for your commercial, proprietary service. Please remove any
reference to my name from your “account” database. I don’t want to have a
Launchpad account. I don’t plan to use Launchpad. Let me decide if I ever want to
join! Thank you very much.

Update: I especially dislike the fact that they created an account for me in
a service where Hitler apparently already has six (!) accounts. I am very sure
that I don’t want to be part of that community.


Avahi 0.6.13 released

Post Syndicated from Lennart Poettering original http://0pointer.net/blog/projects/avahi-0.6.13.html

I am happy to bring you yet another release of Avahi, everyone’s favourite Zeroconf stack.

  • Add a new D-Bus method for changing the mDNS host name during
    runtime. This functionality is only available to members of the
    UNIX group “netdev”, which is the same access group that is
    enforced by GNOME’s NetworkManager daemon. Since NM will probably
    be the most prominent user of this new method, we decided to limit
    access to the same group. The access group can be set by passing
    --with-avahi-priv-access-group= to “configure”. If you need more
    sophisticated access control you can freely edit
    /etc/dbus/system.d/avahi-dbus.conf.
  • Add a new utility “avahi-set-host-name” which is a command line
    wrapper around the aforementioned SetHostName() method.
  • Bonjour API compatibility library:
    • Implement DNSServiceUpdateRecord()
    • Allow passing NULL as callback function for DNSServiceRegister()
    • Implement subtype registration in DNSServiceRegister() in a
      way that is compatible with Bonjour.
    • Update to newer copy of dns_sd.h
  • If the host name changes update names of static services which
    contain wildcards.
  • Don’t build documentation about embedding the Avahi mDNS stack into
    other programs by default. This is a feature used only by embedded
    developers. Pass --enable-core-docs to “configure” to enable
    building these docs, like in Avahi <= 0.6.12.
  • Build Qt documentation only when Qt support is enabled in
    the configuration. Same for GLib.
  • Change algorithm used to find a new host name on conflict. In
    Avahi <= 0.6.12 a conflicting host name of “foobar” would be
    changed to the new name “foobar2”. With 0.6.13 “foobar-2” will be
    picked instead. This follows Bonjour’s behaviour and has the
    advantage of not confusing people with regular host names ending in
    digits.
  • Don’t disable all static services when SIGHUP is received.
  • Fix build when Avahi is configured without Gtk+ but with Python
    support
  • Fix build on MacOS X
  • Support using Solaris DBM instead of gdbm for the service type
    database. The latter is still recommended
  • Minor other fixes and documentation updates

The relevant NetworkManager bug about SetHostName() is #352828.

And our bug tracker is back to only two open bugs for Avahi. That’s a good feeling, I can tell you!
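
The group-based restriction on SetHostName() described in the first release note, sketched as a D-Bus system bus policy. This is an added example, not the avahi-dbus.conf shipped with Avahi; the bus name org.freedesktop.Avahi, the interface org.freedesktop.Avahi.Server and the “avahi” service user are assumptions that the post does not state.

```xml
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only the daemon's own account may claim the well-known bus name.
       The user name "avahi" is an assumption. -->
  <policy user="avahi">
    <allow own="org.freedesktop.Avahi"/>
  </policy>

  <!-- Default context: any local user may talk to the daemon
       (browse, resolve, publish), but the host-name change is denied.
       Bus and interface names are assumptions, see the note above. -->
  <policy context="default">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>
    <deny send_destination="org.freedesktop.Avahi"
          send_interface="org.freedesktop.Avahi.Server"
          send_member="SetHostName"/>
  </policy>

  <!-- Group policies are evaluated after the default context, so this
       blanket allow re-enables SetHostName() for members of "netdev"
       only. Change the group name here to delegate the privilege to a
       different, narrower group. -->
  <policy group="netdev">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>
  </policy>

</busconfig>
```

The ordering matters: the deny rule sits in the default context and the allow in the group policy, so a caller outside the group is rejected by the bus daemon before the message reaches Avahi.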