Re: [Trisquel-users] Web Browser

2018-02-06 Thread Mason Hock
> For instance, it wouldn't call home
> if the browser is not accessing a page with JS which makes outbound
> connections. The JS (and its outbound connections) has nothing to
> do with the spyware or its home address.

Yes, that would be the smart way to do it. I'm glad you don't work for Mozilla.

> To our relief, Mozzarella the cheesy borser is not that wise
> apparently, as it bluntly goes out to various 3rd party sites no
> matter what (I hope they are not lurking here). But who can say all
> the spyware out there are as dumb?

Well, if we want to be fully paranoid, there's no reason Mozilla couldn't have 
Firefox make blatant third-party connections, be somewhat transparent about 
their existence, provide security rationales for having them and half-assed 
broken documentation for disabling them, while *also* doing as you describe 
with additional connections that are completely undocumented and only occur 
when there is sufficient noise. I suspect you're right, though, and that this 
is giving Mozilla too much credit. 


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018
> (1) Malevolence = Deliberate info leaking. In this case, no matter where
> you access, what the content or protocol is, the browser will do its thing.


Giving it a second thought, this can depend on how wisely a spyware is  
written. A good spyware would be wise enough to stick its nose out *only* in  
a "noisy crowd". For instance, it wouldn't call home if the browser is not  
accessing a page with JS which makes outbound connections. The JS (and its  
outbound connections) has nothing to do with the spyware or its home address.  
A spyware can behave like this just to confuse the matter, so that you would  
never know which address is which, and whether spy-home is accessed by JS or  
by spyware.


There may be other examples of a spyware hiding behind complexity. So, it can  
be rather difficult to catch an intelligent spyware. To catch sophisticated  
spyware, a detailed strategy to outsmart them should be devised, which I  
don't have currently.


To our relief, Mozzarella the cheesy borser is not that wise apparently, as  
it bluntly goes out to various 3rd party sites no matter what (I hope they  
are not lurking here). But who can say all the spyware out there are as dumb?


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018

> ... everyone is just clapping from the sidelines ...

BTW I must apologize for this sweeping generalization. It was unfair.


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018
As for direct IP addressing, it should be straightforward to filter out DNS  
queries and responses from the chatter, so access by domain names should be  
tolerable - as long as you filter the DNS part from the chatter. But then, since  
you include DNS chatter in the test case, that means you also want to inspect  
that. And this adds up to the work you're carrying on.


That aside, I can't really see what can go wrong - deliberately - with a  
simple DNS name resolution. But since root servers are 0wned, you may have a  
point in wanting to inspect DNS chatter. It may be worthwhile not to assess the  
browser, but to assess DNS infrastructure. Then again, testing DNS  
infrastructure is a different case that should be isolated from browser  
tests, I think.
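
The filtering step discussed in this message, as an added example that is not part of the original post: it sets DNS packets aside (keeping the queried names), drops traffic to the site under test, and reports whatever outbound connections remain. The capture is a constructed sample in `tcpdump -nn` text form using documentation addresses; `split_capture` and its parameters are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -nn` text form (documentation IP ranges).
SAMPLE = """\
12:00:01.000001 IP 192.168.1.10.40000 > 192.168.1.1.53: 1234+ A? test.example. (30)
12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.10.40000: 1234 1/0/0 A 203.0.113.10 (46)
12:00:01.030000 IP 192.168.1.10.50000 > 203.0.113.10.80: Flags [S], seq 1, win 29200, length 0
12:00:01.050000 IP 203.0.113.10.80 > 192.168.1.10.50000: Flags [S.], seq 9, ack 2, win 28960, length 0
12:00:02.000000 IP 192.168.1.10.40001 > 192.168.1.1.53: 1235+ A? telemetry.example. (35)
12:00:02.100000 IP 192.168.1.10.50002 > 198.51.100.7.443: Flags [S], seq 5, win 29200, length 0
12:00:02.200000 IP 192.168.1.10.50002 > 198.51.100.7.443: Flags [.], ack 1, win 229, length 0
"""

# src_ip.src_port > dst_ip.dst_port: rest-of-line (IPv4 only)
PKT = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")
QUERY = re.compile(r"\b(?:A|AAAA)\? (\S+)")


def split_capture(text, client, target_ip, target_name):
    """Separate DNS chatter and test-site traffic from everything else."""
    dns_names, unexpected = set(), Counter()
    for line in text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if "53" in (sport, dport):          # DNS: set aside, keep queried names
            q = QUERY.search(rest)
            if q and src == client:
                dns_names.add(q.group(1).rstrip("."))
        elif target_ip in (src, dst):       # traffic to/from the page under test
            continue
        elif src == client:                 # outbound to any other host
            unexpected[(dst, int(dport))] += 1
    return {
        # Names resolved besides the test host (irregular lookups show up here).
        "extra_dns_names": sorted(dns_names - {target_name}),
        # (ip, port) -> packet count for connections the test page did not need.
        "unexpected": dict(unexpected),
    }


if __name__ == "__main__":
    print(split_capture(SAMPLE, "192.168.1.10", "203.0.113.10", "test.example"))
```
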


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018

> I actually thought of what you suggest. But:

Let me put it this way: You are testing the browser, and there can be 2 modes  
of failure.


(1) Malevolence = Deliberate info leaking. In this case, no matter where you  
access, what the content or protocol is, the browser will do its thing. To  
isolate malicious behavior and to make it stick out, the least parasitic  
environment (simplest protocol, no scripts, etc.) is best.


(2) Inferiority = Inadvertent info leaking. This is much more difficult to  
spot than the former case. Leakage due to inferior implementation can occur  
almost anywhere and everywhere. You need to test a zillion combinations, and  
spot the leakage among the chatter. Sorry but this is beyond my mortal  
capabilities. Good luck, if you want to test that.


Also, inferiority means bug, and this is a technical failure (which can occur  
in any software any time) rather than a behavioral one. So I assume you are  
after behavioral failures (deliberate spying), that is you are after (1).


Therefore I sustain my original suggestion - of the simplest test case  
possible.


As for doing the tests myself, I'm also aware of the fact that everyone is  
just clapping from the sidelines for something they would directly benefit  
from. But for me, while I find your work very commendable and very useful for  
many, I'm only interested in it as a technical debate, and not concerned  
enough to protect my privacy. I don't know why - I should have been. For  
instance I haven't tried the user.js you have shared (yet). So I talk the  
talk, but don't walk the walk. :) (correct usage of the term, I hope)


Re: [Trisquel-users] Web Browser

2018-02-06 Thread studio

I actually thought of what you suggest. But:

1. Testing plain http may never reveal things like this (which may be  
additional info)


2. Testing plain http may not show connections specific to TLS (e.g. OCSP  
requests), so it may create a false sense of privacy


3. Although for the sake of testing we may create a simplified connection  
test, access by IP address already goes a bit too far from what one normally  
does in a browser. So it may limit the scope of what we would actually see.  
Additionally it may hide some irregular connections related to name resolving  
(if there are any).


A full featured test would probably look at many various aspects separately  
and in combination. However this one is really simplified, not an extensive  
one.


BTW you can test for yourself too and share your findings. You may even find  
a better and more complete testing procedure. It seems everyone is waiting  
for me to test and saying "how nice" :)


Re: [Trisquel-users] libre software freedombox on orange pi one and zero?

2018-02-06 Thread dhood
Probably not, you would have to do a lot of manual checking. This is why the  
RFY program exists.


It would seem that Freedombox would at minimum have the same issues Debian  
has since it is based on Debian. Moreover, because this supports several  
SoC's I don't see how that can work with a de-blobbed kernel because various  
proprietary bits are needed for the various boards the project supports.


As I am sure you are aware, based on the specifics in your questions, SoC  
boards are really problematic; there is a good reason why none are officially  
endorsed and their architecture isn't supported by libre o/s's.


https://www.fsf.org/resources/hw/single-board-computers



Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018
BTW, why don't you use plain http URLs to test? The fewer protocol  
complexities are involved, the fewer parasitic effects there are. This also  
goes for DNS lookups. It might be worthwhile to use direct IP addresses  
instead of domain names. Of course it wouldn't work on shared host sites but  
then you don't have to test with shared host sites either. Just find a  
convenient site to test, which is accessible through raw IP address, offers  
plain http service, and the test page is script-free. You are not testing the  
site, anyway, you are testing the browser.


[Trisquel-users] "Cloud computing" complexities can confound

2018-02-06 Thread J.B. Nicholson

leestro...@gmail.com wrote:
> Hi jxself, I find your response interesting. So, you're saying the concept
> of 'cloud computing' is fundamentally incompatible with free software,
> because we don't have control of software that is running on another
> person's computer?


I find the FSFE graphic to be far too vague to be informative except to 
those who are already aware of the complex tradeoffs involved. I find 
https://www.gnu.org/philosophy/who-does-that-server-really-serve.html is a 
better way to explain the issue. In other words, for the computer owner, 
running a free software service is valuable because their software freedom 
is worth respecting. For a service customer, one should always be aware 
that any data they host somewhere else is available to that computer's 
owner. But the implications of that are unclear to the novice.


There are times when not having full control is okay: if you're 
distributing copies of something you want everyone to be able to get 
verbatim (such as uploads to archive.org typically are), hosting the data 
somewhere else might be right and proper regardless of what software the 
remote side is using. It's up to the computer owner if they want to host 
the service on free software, and one hopes they'll choose to do so because 
their software freedom should be respected.


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018

> HTTPS is not VPN tunnel. What are you talking about? A metaphor?

It's *literally* not VPN, but *functionally* equivalent (or similar) AFAIK. I  
don't know if this is within the definition of metaphor.


[Trisquel-users] libre software freedombox on orange pi one and zero?

2018-02-06 Thread svhaab

http://www.orangepi.org/orangepione/
http://www.orangepi.org/orangepizero/
https://www.freedombox.org/

Is it correct, if you install the freedombox on beaglebone black revision c
you get a computer which upholds the fsf's requirements to libre software?

Can you install a similar libre software freedombox version on the
orange pi one and orange pi zero?

Thank you.



Re: [Trisquel-users] Web Browser

2018-02-06 Thread studio

HTTPS is not VPN tunnel. What are you talking about? A metaphor?

The rest sounds logical but it doesn't invalidate the possibility for using  
it as an anti-privacy feature.


Some searching led me to https://tools.ietf.org/html/rfc5246#section-7.2.1  
but from that explanation I don't understand at which point exactly the  
close_notify should be sent (after downloading the document or at any other  
point), what effect it may have if the client is not sending it etc. Seems  
quite a complex matter as a whole (at least for me) and unfortunately I don't  
have the time to dig deeper into it right now.


[Trisquel-users] Community or Partner Website Link Page demand

2018-02-06 Thread mertgor
Can we make a community or partner web site link page for who works for  
Trisquel?
Like Foundations: FSF, Linux Foundation; Companies: Technoethical;  
Individuals; Subcommunities and workgroups, etc.




Re: [Trisquel-users] Web Browser

2018-02-06 Thread studio

I have been testing different browsers and settings with Panopticlick.

However I can't find a single browser for which "Is your browser accepting Do  
Not Track commitments?" shows something different from "no". I have sent an  
email to EFF a few days ago but no reply at all.



Another strange observation: setting

user_pref("privacy.donottrackheader.enabled", true);

in Firefox results in decrease of bits. Putting the same value in Tor results  
in increase of bits.




Re: [Trisquel-users] Free Software Alternative to AWS?

2018-02-06 Thread leestrobel
Hi jxself, I find your response interesting. So, you're saying the concept of  
'cloud computing' is fundamentally incompatible with free software, because  
we don't have control of software that is running on another person's  
computer?


But, I often see web-based e-mail services, such as Disroot mail, recommended  
on here. Clearly, those servers are running on someone else's hardware, which  
we don't have control over. As is this forum and any other web site I browse  
to. If we can't trust anything that is running on someone else's computer,  
then we shouldn't be using the internet at all! ;-)


I thought the concept of using a service that someone else is providing is  
ok, even if they are not using 100% free software themselves? Because that's  
an ethical issue for them and not for me?


(I didn't watch the video yet, as I'm at work. But I will watch it later)


Re: [Trisquel-users] Free Software Alternative to AWS?

2018-02-06 Thread jason

https://fsfe.org/contribute/promopics/thereisnocloud-bluecolor-preview.png


[Trisquel-users] abrowser 57.0.4 trisquel7 32+64bit

2018-02-06 Thread emailgueemangdisini
Are there trisquel-users here who have a link to the abrowser package up to  
57.0.4 for i386/x86_64, since I do not intend to use 58.0.1 while that version  
abandons legacy addons?


I tried to update in the past but there was no version of 57.0.x in the  
trisquel7 repo; now it suddenly jumps to version 58.0.1.


Please advise where I can get that version, or could anyone here help to  
upload it, since searching duckduckgo or google I can't find an abrowser  
57.0.x live link?


Re: [Trisquel-users] family privacy Again

2018-02-06 Thread Adonay Felipe Nogueira
You can get your copy of GNU Social to be like Facecrap, most
importantly change the character limit to something equal or greater
than 500.

Also you don't need the Raspberry stuff if you are going for a simple
home server, various free/libre system distribution projects use Beagle
Bone Black and others which at least initialize completely with
free/libre software for this stuff, especially because serving a GNU
Social instance doesn't require GPU.

For more information you can also see [1] and [2].

RPi crap is not an option unfortunately. :S

Addendum: Thanks to those responsible for Raspberry Pi (and future
versions) for making this thing so difficult for us.

[1] .

[2] .

2018-02-06T06:08:23+0100 s...@vmail.me wrote:
> I tried to install diaspora but the server which is a ra*berry pi (it
> is not open hardware, I asked in the forums and they CAN NOT release
> the gpu code, and they say it does not have backdoors but who will
> believe that,
>
> eoma68 is too much expensive that I cannot buy locally) not being able
> to handle it (low ram) so I just installed humhub community edition,
> but disappointed to not find any mobile apps and I saw a discussion
> that the official mobile app will not be free.
>
>  I tried gnu social but I need something that almost mimics book of
> faces, friendica cannot be installed for some reason and no other
> alternatives that I can think of. Thank you for suggesting the
> deleting their accounts @SuperTramp but that would just spark world
> war, they did not remove my face in the post and I am still pissed off
> because of that, in the next family gathering I will refuse to take
> any pictures whatever be the consequences of it.
>

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free/libre /software/ (not to be confused
  with gratis).
- "WhatsApp"? It is not free/libre. Please see ways to communicate
  instantly with me at the address below.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common file formats accepted (only without DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Common file formats accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF
  (only without DRM), PNG, TXT, WEBM.


Re: [Trisquel-users] Free Software Alternative to AWS?

2018-02-06 Thread leestrobel
Hi! Yes, I mean the latter - an external service similar to AWS, where I  
could rent access to cloud computing hardware for hosting a website or web  
application.


You don't think any of the options on the page I linked are fully compatible  
with free software? Why is that?


Re: [Trisquel-users] Web Browser

2018-02-06 Thread ar018

> Yeah...of course.

I have been lurking in several forums / lists for a long time. Sometimes  
there would be a thread which intrigues me so much that I can't curb the urge  
to post something, and that's the point when I actually become a member,  
until I get bored or another forum intrigues me better. Which results in  
hopping forums.


This is mostly how the first post goes for me, and I guess for most  
people. So, someone popping out of nowhere and joining the discussion is not  
quite strange.


That aside, I can't see how ad hominem exchanges would help a rather  
technical debate. Why don't we leave it as it is and move on to the technical  
aspects of the discussion?


Re: [Trisquel-users] Web Browser

2018-02-06 Thread studio
Conformity again. I don't know that person (in case anyone implies some  
hidden connection) but everyone is free to be abnormal. Normality is a  
statistical term, not a measure of sanity. Just like "Firefox respects your  
privacy better" is a normal assumption but far from reality.


Re: [Trisquel-users] Free Software Alternative to AWS?

2018-02-06 Thread ivan . baldinotti

I think that this question must be clarified.
What do you mean by free alternatives to AWS?
AWS is a service, not software.
By the question, do you mean software that you would self-host and use  
similarly to AWS services?

Or a service similar to AWS?
If the second, I don't think that anything but self-hosted solutions can fully  
be compliant with the free software definition.