Re: [Update] Big Hairy Audacious Goal: Privacy Software
> On 2017-09-22 14:48, Sebastian Kügler wrote:
> > What I need now:
> >
> > * Review: Please look over the proposal, make trivial fixes right there, propose more comprehensible or possibly goal-altering changes in the comments of that page or in this email thread
> > * If you believe this goal is worthwhile for KDE and you support it, please add your name under it
> > * If you intend to actively support this goal in whatever way, please also indicate this on the phab page

On Saturday 23 September 2017 15:55:05 CEST Martin Flöser wrote:
> back in 2013 I wrote two blog posts with thoughts about FLOSS in a world after Snowden:
> * https://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-privacy-by-default/
> * http://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-anonymity-by-default/
>
> It might have some good points which might align very well with this proposal.

It does, I think it mostly aligns. I've taken your 5th freedom and added it to the description, and also added a note about anonymity for web services. I *think* the rest of your post is either already covered, or going into too much detail for the scope of this goal.

Thanks a lot for your input!

--
sebas

http://www.kde.org | http://vizZzion.org
Re: [Update] Big Hairy Audacious Goal: Privacy Software
On 2017-09-22 14:48, Sebastian Kügler wrote:
> Hi all,
>
> What I need now:
>
> * Review: Please look over the proposal, make trivial fixes right there, propose more comprehensible or possibly goal-altering changes in the comments of that page or in this email thread
> * If you believe this goal is worthwhile for KDE and you support it, please add your name under it
> * If you intend to actively support this goal in whatever way, please also indicate this on the phab page

Hi Sebas,

back in 2013 I wrote two blog posts with thoughts about FLOSS in a world after Snowden:
* https://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-privacy-by-default/
* http://blog.martin-graesslin.com/blog/2013/08/floss-after-prism-anonymity-by-default/

It might have some good points which might align very well with this proposal.

Cheers
Martin
Re: [Update] Big Hairy Audacious Goal: Privacy Software
Sorry for the empty reply!

On Fri, Sep 22, 2017 at 5:48 AM, Sebastian Kügler wrote:
> Hi all,
>
> ~One month ago, I asked for input and inspiration for the KDE Goal "Privacy Software", see
> https://mail.kde.org/pipermail/kde-community/2017q3/003892.html
>
> I've put some more time, brainpower and patience into that, and put together a fairly comprehensible goal proposal, which can be found here:
>
> https://phabricator.kde.org/T7050
>
> TL;DR:
>
> "In 5 years, KDE software enables and promotes privacy"
>
> I think this is a goal which is engaging, measurable and most importantly worthwhile.
>
> What I need now:
>
> * Review: Please look over the proposal, make trivial fixes right there, propose more comprehensible or possibly goal-altering changes in the comments of that page or in this email thread
> * If you believe this goal is worthwhile for KDE and you support it, please add your name under it
> * If you intend to actively support this goal in whatever way, please also indicate this on the phab page
>
> Special thanks so far for the help with this go out to: Umberto, Martin, Volker, Alexander, Agustin, Christoph, Clemens and of course to Bhushan and Lydia. \o/
>
> Cheers,
> --
> sebas
>
> http://www.kde.org | http://vizZzion.org

Hey Sebas, thanks for catching the Zeitgeist -- not just of the world, but in the world of software, and especially in the world of FOSS. I think if the KDE community puts our backs into this, we can make some great progress in a few months' time. And once this ball gets rolling, we'll keep it going and make it fundamental to how we build our software.

I've added my name on Phab as being willing to work on this as I'm able; mostly writing and promotion. Please join me there.

All the best,

Valorie

--
http://about.me/valoriez
[Update] Big Hairy Audacious Goal: Privacy Software
Hi all,

~One month ago, I asked for input and inspiration for the KDE Goal "Privacy Software", see
https://mail.kde.org/pipermail/kde-community/2017q3/003892.html

I've put some more time, brainpower and patience into that, and put together a fairly comprehensible goal proposal, which can be found here:

https://phabricator.kde.org/T7050

TL;DR:

"In 5 years, KDE software enables and promotes privacy"

I think this is a goal which is engaging, measurable and most importantly worthwhile.

What I need now:

* Review: Please look over the proposal, make trivial fixes right there, propose more comprehensible or possibly goal-altering changes in the comments of that page or in this email thread
* If you believe this goal is worthwhile for KDE and you support it, please add your name under it
* If you intend to actively support this goal in whatever way, please also indicate this on the phab page

Special thanks so far for the help with this go out to: Umberto, Martin, Volker, Alexander, Agustin, Christoph, Clemens and of course to Bhushan and Lydia. \o/

Cheers,
--
sebas

http://www.kde.org | http://vizZzion.org
Re: Big Hairy Audacious Goal: Privacy Software
On Friday 22 September 2017 06:36:51 CEST Bhushan Shah wrote:
> On Fri, Aug 18, 2017 at 06:14:22PM +0200, Sebastian Kügler wrote:
> > "In 5 years, KDE software enables and promotes privacy"
>
> Can you please submit this goal to goal settings phabricator board just like other ideas?

Thanks for the reminder, done so. See my latest email to this list. :)

--
sebas

http://www.kde.org | http://vizZzion.org
Re: Big Hairy Audacious Goal: Privacy Software
Hi Sebastian,

On Fri, Aug 18, 2017 at 06:14:22PM +0200, Sebastian Kügler wrote:
> "In 5 years, KDE software enables and promotes privacy"

Can you please submit this goal to goal settings phabricator board just like other ideas?

Thanks

--
Bhushan Shah
http://blog.bshah.in
IRC Nick : bshah on Freenode
GPG key fingerprint : 0AAC 775B B643 7A8D 9AF7 A3AC FE07 8411 7FBC E11D
Re: Big Hairy Audacious Goal: Privacy Software
Hi,

> On Mon, 21 Aug 2017 21:58:32 +0200
> Alexander Neundorf wrote:
>
>> On 2017 M08 18, Fri 18:14:22 CEST Sebastian Kügler wrote:
>> > "In 5 years, KDE software enables and promotes privacy"
>>
>> ... does that kind of imply that we need to offer a range of applications which cover the most privacy-sensitive topics, e.g. a competitive web browser ?
>
> On the one hand, yes. On the other hand, our goal should be realistic, and I don't think "offering our own competitive web browser" ticks that box. We've been there, we've done that, we succeeded to some degree in the most spectacular way (think where KHTML successors are shipped and what they brought to the ecosystem) and failed in other dimensions (think about the state of KHTML and our own web browser offering nowadays).
>
> What's probably a lot more realistic and worthwhile is that we make integration for web browsers that do respect privacy work really well. Integrating Tor really well would also be a good idea in that regard.

Actually, we are ATM trying to incubate a new "browser" as replacement for the old Konqueror that is more or less unmaintained and will then vanish. (was discussed during the konqueror BoF at Akademy this year)

It is QWebEngine based, see

http://blog.qupzilla.com/2017/08/qupzilla-is-moving-under-kde-and.html

https://community.kde.org/Incubator/Projects/QupZilla

But this process is only at its early stage.

Greetings
Christoph

--
- Dr.-Ing. Christoph Cullmann -
AbsInt Angewandte Informatik GmbH    Email: cullm...@absint.com
Science Park 1                       Tel: +49-681-38360-22
66123 Saarbrücken                    Fax: +49-681-38360-20
GERMANY                              WWW: http://www.AbsInt.com

Managing director: Dr.-Ing. Christian Ferdinand
Registered in the commercial register of the Amtsgericht Saarbrücken, HRB 11234
Re: Big Hairy Audacious Goal: Privacy Software
On Mon, 21 Aug 2017 21:58:32 +0200 Alexander Neundorf wrote:

> On 2017 M08 18, Fri 18:14:22 CEST Sebastian Kügler wrote:
> > "In 5 years, KDE software enables and promotes privacy"
>
> ... does that kind of imply that we need to offer a range of applications which cover the most privacy-sensitive topics, e.g. a competitive web browser ?

On the one hand, yes. On the other hand, our goal should be realistic, and I don't think "offering our own competitive web browser" ticks that box. We've been there, we've done that, we succeeded to some degree in the most spectacular way (think where KHTML successors are shipped and what they brought to the ecosystem) and failed in other dimensions (think about the state of KHTML and our own web browser offering nowadays).

What's probably a lot more realistic and worthwhile is that we make integration for web browsers that do respect privacy work really well. Integrating Tor really well would also be a good idea in that regard.

--
sebas

http://vizZzion.org ⦿http://www.kde.org
Re: Big Hairy Audacious Goal: Privacy Software
Hi,

when talking about privacy / security, the idea of trustable software comes to my mind:

https://trustable.gitlab.io/

Best Regards

Agustin Benito (toscalix)
KDE eV member
Profile: http://es.linkedin.com/in/toscalix

On Mon, Aug 21, 2017 at 8:58 PM, Alexander Neundorf wrote:
> On 2017 M08 18, Fri 18:14:22 CEST Sebastian Kügler wrote:
>> Hi all,
>>
>> I spent some time thinking and working on a proposal for the big hairy audacious goal (1), the goal that the KDE community sets for itself to strive for in the next five years. (Context: re-read the thread started by Kevin with the subject "Proposal: Have the Community Set Ambitious Goals for Itself".)
>>
>> [1] https://en.wikipedia.org/wiki/Big_Hairy_Audacious_Goal
>>
>> I'll try to keep this email short, but I guess I won't be able to, given scope, importance, complexity and the general mess in my head regarding this topic.
>>
>> What I wanted to do...
>>
>> I wanted to write a goal that is snappy to read, easy to understand, engaging, worthwhile and measurable. What I came up with so far is:
>>
>> "In 5 years, KDE software enables and promotes privacy"
>
> ... does that kind of imply that we need to offer a range of applications which cover the most privacy-sensitive topics, e.g. a competitive web browser ?
>
> Alex
Re: Big Hairy Audacious Goal: Privacy Software
On 2017 M08 18, Fri 18:14:22 CEST Sebastian Kügler wrote:
> Hi all,
>
> I spent some time thinking and working on a proposal for the big hairy audacious goal (1), the goal that the KDE community sets for itself to strive for in the next five years. (Context: re-read the thread started by Kevin with the subject "Proposal: Have the Community Set Ambitious Goals for Itself".)
>
> [1] https://en.wikipedia.org/wiki/Big_Hairy_Audacious_Goal
>
> I'll try to keep this email short, but I guess I won't be able to, given scope, importance, complexity and the general mess in my head regarding this topic.
>
> What I wanted to do...
>
> I wanted to write a goal that is snappy to read, easy to understand, engaging, worthwhile and measurable. What I came up with so far is:
>
> "In 5 years, KDE software enables and promotes privacy"

... does that kind of imply that we need to offer a range of applications which cover the most privacy-sensitive topics, e.g. a competitive web browser ?

Alex
Re: Big Hairy Audacious Goal: Privacy Software
On Friday 18 August 2017 18:14:22 CEST Sebastian Kügler wrote:
> Your thoughts and input?

Thanks all, for the rather useful input! It's definitely something I can work with!

--
sebas

http://www.kde.org | http://vizZzion.org
Re: Big Hairy Audacious Goal: Privacy Software
On Saturday, 19 August 2017 13:37:54 CEST Volker Krause wrote:
> On Friday, 18 August 2017 18:14:22 CEST Sebastian Kügler wrote:
> > So, I could use some help with this, in the form of how this can be structured, in what form it will be useful, more ambitious, and very importantly measurable: I want us to be able to sit down in two years and check: Are we on track? Do we need to change our approach? Do we need to work harder? And of course: Did we achieve our goal?
> >
> > Your thoughts and input?
>
> Obviously an idea I can support :)
>
> I have been looking a bit into how to verify the leak and transport encryption aspects. Using something like https://github.com/iovisor/bcc/blob/master/tools/tcpconnect.py as a low-impact long-term recording and adding a decent filter/aggregation tool for the result should allow us to also find rare short-lived TCP connections and pin them on the responsible application.
>
> Port numbers provided by this give a first hint on transport encryption, but I'm still hoping for something better to verify this automatically and with a lower impact than a long running Wireshark session.

Despite the still very primitive tools and just a few hours' worth of data, there is actually a surprising amount of findings...

Lacking transport security:
- https://phabricator.kde.org/D7408
- https://phabricator.kde.org/D7414
- https://phabricator.kde.org/D7428
- a number of feeds on planet.kde.org

Unnecessary network operations:
- https://phabricator.kde.org/D7410
- https://phabricator.kde.org/D7438

Dubious SSL code:
- https://phabricator.kde.org/D7439

Anyway, I think this proves the approach is viable :)

> Another aspect to check might be if we are still storing sensitive information like passwords outside of KWallet.

Clear and consistent UI language around network-related options is probably also worth looking into. It's pretty clear that e.g. adding a mail account will involve network operations, but it's far less clear if that is properly configured regarding transport security. And for options like "Enable Gravatar support" many people might not realize that this involves sending data to a web service.

Reviewing SSL error handling code could also be interesting, considering D7439.

Regards,
Volker
Re: Big Hairy Audacious Goal: Privacy Software
On Friday, 18 August 2017 18:14:22 CEST Sebastian Kügler wrote:
> So, I could use some help with this, in the form of how this can be structured, in what form it will be useful, more ambitious, and very importantly measurable: I want us to be able to sit down in two years and check: Are we on track? Do we need to change our approach? Do we need to work harder? And of course: Did we achieve our goal?
>
> Your thoughts and input?

Obviously an idea I can support :)

I have been looking a bit into how to verify the leak and transport encryption aspects. Using something like https://github.com/iovisor/bcc/blob/master/tools/tcpconnect.py as a low-impact long-term recording and adding a decent filter/aggregation tool for the result should allow us to also find rare short-lived TCP connections and pin them on the responsible application.

Port numbers provided by this give a first hint on transport encryption, but I'm still hoping for something better to verify this automatically and with a lower impact than a long running Wireshark session.

Another aspect to check might be if we are still storing sensitive information like passwords outside of KWallet.

Regards,
Volker
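An added example, not part of this thread and not code from bcc or KDE: a filter/aggregation pass of the kind described in the message above, run over recorded tcpconnect output. It assumes the tool's default column layout (PID COMM IP SADDR DADDR DPORT); the port tables, function names and sample rows are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Heuristic port tables (an assumption of this example, not from the thread).
# The port is only a first hint: STARTTLS services upgrade on a plaintext
# port, and anything can be tunnelled over any port.
IMPLICIT_TLS = {443, 465, 563, 636, 853, 993, 995}
STARTTLS_POSSIBLE = {25, 110, 119, 143, 587}
PLAINTEXT = {21, 23, 80}


def classify_port(port):
    """Map a destination port to a transport-encryption hint."""
    if port in IMPLICIT_TLS:
        return "tls"
    if port in STARTTLS_POSSIBLE:
        return "starttls?"
    if port in PLAINTEXT:
        return "plaintext"
    return "unknown"


def parse_line(line):
    """Parse one tcpconnect row into (comm, daddr, dport), else None.

    Splitting from the right keeps process names that contain spaces intact.
    """
    try:
        head, _ipver, _saddr, daddr, dport = line.strip().rsplit(None, 4)
        pid, comm = head.split(None, 1)
        if not pid.isdigit():
            return None  # header row or noise
        ipaddress.ip_address(daddr)  # raises ValueError if not an address
        port = int(dport)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return comm, daddr, port


def aggregate(lines):
    """Count connections per (comm, daddr, dport), ignoring loopback."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or ipaddress.ip_address(rec[1]).is_loopback:
            continue  # unparsable, or traffic that never leaves the machine
        counts[rec] += 1
    return counts


def review(counts):
    """Return non-TLS endpoints as (comm, daddr, dport, count, hint).

    Rarest first, so one-off connections are not buried under busy ones.
    """
    rows = [(c, a, p, n, classify_port(p))
            for (c, a, p), n in counts.items() if classify_port(p) != "tls"]
    return sorted(rows, key=lambda r: (r[3], r[0], r[2]))


# Constructed sample recording; process names and addresses are made up.
SAMPLE = """\
PID    COMM         IP SADDR            DADDR            DPORT
2101   feedreader   4  192.0.2.10       198.51.100.7     80
1840   mailclient   4  192.0.2.10       203.0.113.25     993
2101   feedreader   4  192.0.2.10       198.51.100.7     80
1840   mailclient   4  192.0.2.10       203.0.113.25     143
3050   Net Thread 1 4  192.0.2.10       203.0.113.80     443
977    shell        4  192.0.2.10       198.51.100.99    8080
2101   feedreader   4  192.0.2.10       198.51.100.7     80
1200   localsvc     4  127.0.0.1        127.0.0.1        1716
"""

if __name__ == "__main__":
    for row in review(aggregate(SAMPLE.splitlines())):
        print("%-14s %-16s %-5d x%-3d %s" % row)
```

Rows hinted "starttls?" or "unknown" still need a look at the traffic or the application's configuration before they count as findings.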
Re: Big Hairy Audacious Goal: Privacy Software
On 2017-08-18 18:14, Sebastian Kügler wrote:
> So, I could use some help with this, in the form of how this can be structured, in what form it will be useful, more ambitious, and very importantly measurable: I want us to be able to sit down in two years and check: Are we on track? Do we need to change our approach? Do we need to work harder? And of course: Did we achieve our goal?
>
> Your thoughts and input?

I like this idea. Personally I would suggest to combine it with a strive for security. IMHO we cannot be privacy aware if we have huge security issues which allow to get to the users' passwords. This would include for example switching to Wayland by default (security and X are just two things which don't go well together).

On the measuring part I agree that it's difficult. I would suggest to come up with a list of tasks which we need to implement and then check how many of these are implemented in a time frame.

Cheers
Martin
Re: Big Hairy Audacious Goal: Privacy Software
I'm an outsider, so sorry for the intermission, but I think Sebastian's goal is the single most important of all, so I wanted to throw my 2 cents.

For several reasons:
- Gnome totally gave up on privacy. They are "integrated" into the "clouds", and don't seem to care.
- It's a real issue. One that nobody so far took to heart seriously enough IMO
- It's in the media and will become even bigger in the coming years
- starting early is always a good thing, and having a DE who focuses on it can spawn other projects into focusing themselves into it

BUT, I'd go a little deeper:
- it's not just privacy, it's doing the same things you could do with - say Google Drive - but with no man-in-the-middle
- also very important is informing the users. Sure, the target user of KDE is probably aware of the problem, but sometimes you need to be pedantic. It's like starting a diet where you need a certain amount of diligence. Cloud services are delicious cakes, easy to consume and tasty. A privacy focused program will probably never be as juicy as those (after all, the amount of ppl working at - say Google Docs - is an order of magnitude bigger compared to LibreOffice), so the choice cannot be based on practicality, rather on self preservation (eg: you must invert the "path of least resistance", and impose your will on the issue).

Goodbye and keep up the good job!

--
Umberto

On Aug 18, 2017 18:14, "Sebastian Kügler" wrote:
> Hi all,
>
> I spent some time thinking and working on a proposal for the big hairy audacious goal (1), the goal that the KDE community sets for itself to strive for in the next five years. (Context: re-read the thread started by Kevin with the subject "Proposal: Have the Community Set Ambitious Goals for Itself".)
>
> [1] https://en.wikipedia.org/wiki/Big_Hairy_Audacious_Goal
>
> I'll try to keep this email short, but I guess I won't be able to, given scope, importance, complexity and the general mess in my head regarding this topic.
>
> What I wanted to do...
>
> I wanted to write a goal that is snappy to read, easy to understand, engaging, worthwhile and measurable. What I came up with so far is:
>
> "In 5 years, KDE software enables and promotes privacy"
>
> Problem with this is: Arguably, this is already the case today, so it sucks as a goal since it allows us to do or change nothing, it's not measurable, and I haven't figured out how to make it measurable. It's simply too vague.
>
> Alright, so I sat down and tried to make it more concrete, by adding lots of bullet points and thoughts, but I don't think it's much better. I'll post them here:
>
> KDE software protects and enables users' privacy by:
>
> - During normal usage it doesn't leak information to other users or online services when this is not expected to happen
> - Examples: Typing into KRunner or using the desktop search will not produce artifacts online, but downloading new wallpapers from the Store may lead to the user leaving traces, this is expectable and reasonable
> - KDE Tools provide sound and state-of-the-art methods for using private communication, such as encrypted communication with other services.
>
> Examples:
> - Communication and data exchange with online services uses SSL encryption (or similar)
> - KMail offers well-integrated GPG encryption and makes it easy and straight-forward to use encryption to talk to mail servers, it works well with a number of privacy-respecting email service providers
> - KDE software covers most use-cases to allow the user to privately communicate and store his personal information on services that are known to protect the user's privacy
> - top notch support for self-hosted email, file storage, cloud storage, collaborative editing, file sharing
>
> Measuring (this is *really* lacking):
> - what the press writes about us
> - what our users think (online fora, polls, e.g.)
> - own website promotes privacy (is this central to our communication?)
>
> Tools (can be made more concrete once the above points are fleshed out):
> - strategy promotes privacy down into details, see the above
> - collaboration with EFF, other organisations (Whonix, Tor, ...?)
>
> So, I could use some help with this, in the form of how this can be structured, in what form it will be useful, more ambitious, and very importantly measurable: I want us to be able to sit down in two years and check: Are we on track? Do we need to change our approach? Do we need to work harder? And of course: Did we achieve our goal?
>
> Your thoughts and input?
> --
> sebas
>
> http://vizZzion.org ⦿http://www.kde.org
Big Hairy Audacious Goal: Privacy Software
Hi all,

I spent some time thinking and working on a proposal for the big hairy audacious goal (1), the goal that the KDE community sets for itself to strive for in the next five years. (Context: re-read the thread started by Kevin with the subject "Proposal: Have the Community Set Ambitious Goals for Itself".)

[1] https://en.wikipedia.org/wiki/Big_Hairy_Audacious_Goal

I'll try to keep this email short, but I guess I won't be able to, given scope, importance, complexity and the general mess in my head regarding this topic.

What I wanted to do...

I wanted to write a goal that is snappy to read, easy to understand, engaging, worthwhile and measurable. What I came up with so far is:

"In 5 years, KDE software enables and promotes privacy"

Problem with this is: Arguably, this is already the case today, so it sucks as a goal since it allows us to do or change nothing, it's not measurable, and I haven't figured out how to make it measurable. It's simply too vague.

Alright, so I sat down and tried to make it more concrete, by adding lots of bullet points and thoughts, but I don't think it's much better. I'll post them here:

KDE software protects and enables users' privacy by:

- During normal usage it doesn't leak information to other users or online services when this is not expected to happen
- Examples: Typing into KRunner or using the desktop search will not produce artifacts online, but downloading new wallpapers from the Store may lead to the user leaving traces, this is expectable and reasonable
- KDE Tools provide sound and state-of-the-art methods for using private communication, such as encrypted communication with other services.

Examples:
- Communication and data exchange with online services uses SSL encryption (or similar)
- KMail offers well-integrated GPG encryption and makes it easy and straight-forward to use encryption to talk to mail servers, it works well with a number of privacy-respecting email service providers
- KDE software covers most use-cases to allow the user to privately communicate and store his personal information on services that are known to protect the user's privacy
- top notch support for self-hosted email, file storage, cloud storage, collaborative editing, file sharing

Measuring (this is *really* lacking):
- what the press writes about us
- what our users think (online fora, polls, e.g.)
- own website promotes privacy (is this central to our communication?)

Tools (can be made more concrete once the above points are fleshed out):
- strategy promotes privacy down into details, see the above
- collaboration with EFF, other organisations (Whonix, Tor, ...?)

So, I could use some help with this, in the form of how this can be structured, in what form it will be useful, more ambitious, and very importantly measurable: I want us to be able to sit down in two years and check: Are we on track? Do we need to change our approach? Do we need to work harder? And of course: Did we achieve our goal?

Your thoughts and input?

--
sebas

http://vizZzion.org ⦿http://www.kde.org