security on Yet Another Me
https://blog.sergiodj.net/tags/security/

Respectful Software
https://blog.sergiodj.net/posts/respectful-software/
2014-10-15T00:00:00-05:00

To what extent should Free Software respect its users?

The question, strange as it may sound, is not only valid but also becoming more and more important these days. If you think that the four freedoms are enough to guarantee that the Free Software will respect the user, you are probably being oversimplistic. The four freedoms are essential, but they are not sufficient. You need more. I need more. And this is why I think the Free Software movement should have been called the Respectful Software movement.

I know I will probably hear that I am too radical. And I know I will hear it even from those who defend Free Software the way I do. But I need to express this feeling I have, even though I may be wrong about it.

It all began as an innocent comment. I make lots of presentations and talks about Free Software, and, knowing that the word “Free” is ambiguous in English, I started joking that Richard Stallman should have named the movement “Respectful Software”, instead of “Free Software”. If you think about it just a little, you will see that “respect” is a word that brings different interpretations to different people, just as “free” does. It is a subjective word. However, at least it does not have the problem of referring to completely unrelated things such as “price” and “freedom”. Respect is respect, and everybody knows it. What can change (and often does) is what a person considers respectful or not.

(I am obviously not considering the possible ambiguity that may exist in another language with the word “respect”.)

So, back to the software world. I want you to imagine a Free Software. For example, let’s consider one that is used to connect to so-called “social networks” like GNU Social or pump.io. I do not want to use a specific example here; I am more interested in the consequences of a certain decision. Which decision? Keep reading :-).

Now, let’s imagine that this Free Software is just beginning its life, probably in some code repository under the control of its developer(s), but most likely using some proprietary service like GitHub (which is an issue by itself). And probably the developer is thinking: “Which social network should my software support first?”. This is an extremely valid and important question, but sometimes the developer comes up with an answer that may not be satisfactory to its users. This is where the “respect” comes into play.

In our case, this bad answer would be “Facebook”, “Twitter”, “Linkedin”, or any other unethical social network. However, those are exactly the easiest answers for many, many Free Software developers, either because those “vampiric” services are popular among users, or because the developer him/herself uses them!! By now, you should be able to see what I am getting at. My point, in a simple question, is: “How far should we, Free Software developers, allow users to go and harm themselves and the community?”. Yes, this is not just a matter of self-inflicted restrictions, as when the user chooses to use a non-free software to edit a text file, for example. It is, in most cases, a matter of harming the community too. (I wrote a post related to this issue a while ago, called “Privacy as a Collective Good”.)

It should be easy to see that it does not matter if I am using Facebook through my shiny Free Software application on my computer or cellphone. What really matters is that, when doing so, you are basically supporting the use of those unethical social networks, to the point that perhaps some of your friends are also using them because of you. What does it matter if they are using Free Software to access them or not? Is the benefit offered by the Free Software big enough to eliminate (or even soften) the problems that exist when the user uses an unethical service like Linkedin?

I wonder, though, what is the limit that we should obey. Where should we draw the line and say “I will not pass beyond this point”? Should we just “abandon” the users of those unethical services and social networks, while we lock ourselves in our not-very-safe world? After all, we need to communicate with them in order to bring them to our cause, but it is hard doing so without getting our hands dirty. But that is a discussion for another post, I believe.

Meanwhile, I could give plenty of examples of existing Free Software programs that are doing a disservice to the community by allowing (and even promoting) unethical services or solutions for their users. They are disrespecting their users, sometimes exploiting the fact that many users are not fully aware of privacy issues that come as a “gift” when you use those services, without spending any kind of effort to teach the users. However, I do not want this post to become a flamewar, so I will not mention any software explicitly. I think it should be quite easy for the reader to find examples out there.

Perhaps this post does not have a conclusion. I myself have not made up my mind completely about the subject, though I am obviously leaning towards what most people would call the “radical” solution. But it is definitely not an easy topic to discuss, or to argue about. Nonetheless, we are closing our eyes to it, and we should not do so. The future of Free Software depends also on what kinds of services we promote, and what kinds of services we actually warn the users against. This is my definition of respect, and this is why I think we should develop Free and Respectful Software.

Encrypting your e-mails to yourself using GnuPG
https://blog.sergiodj.net/posts/gnupg-encrypt-to-self/
2014-06-08T00:00:00-05:00

I have been dreaming for a while of being able to send encrypted e-mail to everyone in my contact list. It is still a distant future, but fortunately it is getting closer with campaigns like Reset the Net. And while I already send encrypted messages to a couple of friends, it is always good to discover (and share!) some configuration tips to make your life easy :-).

I have been using Gnus as my e-mail (and news!) reader for quite a while, and I can say it is a very nice piece of software (kudos to Lars and all the devs!). For those who are not aware, Gnus runs inside Emacs, which is a very nice operating system (and text editor also).

Emacs provides EasyPG for those who want to make use of cryptographic operations inside it, and Gnus also uses it to encrypt/decrypt the messages it handles. I am using it for my own messages, and it works like a charm. However, there was something that I had not configured properly: the ability to read the encrypted messages that I was sending to my friends.

Briefly, when you send an encrypted message GnuPG looks at the recipients of the message (i.e., the people that will receive it, listed in the “To:”, “Cc:” and “Bcc:” fields) and encrypts it according to each recipient’s public key, which must be present in your local keyring. But when you send a message to someone, you are not (usually) present in the original recipients list, so GnuPG does not encrypt the message using your public key, and therefore you are unable to read the message later. In fact, this example can be used to illustrate how secure this system really is, when not even the sender can read his/her message again!

Anyway, this behavior was mostly unnoticed by me because I rarely look at my “Sent/” IMAP folder. Until today. And it kind of pissed me off, because I wanted to read what I wrote, damn it! So, after looking for a solution, I found a neat GnuPG setting called hidden-encrypt-to. It basically tells GnuPG to add a hidden recipient to every message it encrypts. So, all I had to do was to provide my key’s ID and ask GnuPG to always encrypt the message to myself too.

You basically have to edit your $HOME/.gnupg/gpg.conf file and put this setting there:

hidden-encrypt-to ID

That’s it. Now, whenever I send an encrypted message, GnuPG encrypts it for me as well, so I just need to go to my “Sent/” folder, and decrypt it to read.

I hope this tip helps you the same way it helped me!
