Hugo’s Notes in English only

I’ve had some problems with the timeline lately. I’m trying to see if there’s a way to “reboot” it and get rid of the bits that should have been left out… This will probably flood the RSS a bit, sorry for the inconvenience!

Mozilla is currently promoting the new Firefox 29 (Go get it!). Now, they’re asking us on Twitter: What do you want for the Web? So I clicked on their link and here’s what I got.

A broken Flash-YouTube video
Screenshot of Mozilla website with broken youtube

I haven’t been able to play YouTube videos for weeks now. Sometimes, it works though. I have no idea what’s going on…

Dear Mozilla, next time you publish a video on your website, I don’t want Flash and I don’t want YouTube. I want HTML5 video (in an open standard format, i.e. free of patent restrictions) and I don’t want you to promote a platform with crappy terms of service.

I was reading an article by Lorrie Cranor in the MIT Technology Review on how it’s difficult even for her to protect her privacy online.

I appreciate Lorrie Cranor’s work on privacy at Carnegie Mellon University. I have extensively cited her study of the length of privacy policies when I introduced ToS;DR.

However, in this article I was disappointed to see Ghostery mentioned. Ghostery is a browser extension supposed to help users against tracking and surveillance on the web. The main problem is that Ghostery is not released as Free Software¹.

Earlier on Twitter I quickly posted my frustration about this. People who promote web privacy should stop promoting Ghostery, as it’s proprietary. What’s their business model exactly? ;-)

In my earlier tweet I wrongly stated that the source code was not disclosed; but that’s not accurate. There is some code disclosed (I suppose it’s entirely readable and neither obfuscated nor minified). But as you’ll notice, the license is “All rights reserved” so, basically, users have no rights.

Ghostery has been playing on the ambiguity for too long. This hypocrisy must stop. See these tweets from years ago…


  1. a.k.a. Open Source. Both these terms designate the same set of programs.

It seems Secret is the new thing. So I had a look at their terms of service. Here are some extracts:

TL;DR: They’re not good.

However, unless we expressly state otherwise, your right to use the Service does not include (i) publicly performing or publicly displaying the Service,

That’s funny, because it seems to imply that taking a screenshot of a secret and tweeting it is forbidden (although the Secret co-founder uses them in his post explaining how it works technically.)

When you post, link or otherwise make available content to the Service, you grant us a nonexclusive, royalty-free, perpetual, irrevocable and fully sublicensable right to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display such content throughout the world in any manner or media, on or off the App.

This has got to be the most extreme copyright license in Terms of Service that I have ever seen.

Basically, it’s as if you did not exist as an author. Which is fine because it’s supposed to be a secret. But in the process, Secret wants all the rights for themselves (and their future business partners I assume).

(I’m not sure that most Secret messages would pass the originality threshold required for copyright and authors’ right protection anyway.)

Modification to the service

Secret reserves the right in its sole discretion to review, improve, modify or discontinue, temporarily or permanently, the Service and/or any features, information, materials or content on the Service with or without notice to you.


Suspension/Termination

Secret may suspend and/or terminate your rights with respect to the Service for any reason or for no reason at all and with or without notice at Secret’s sole discretion.


Governing Law; Arbitration

PLEASE READ THE FOLLOWING PARAGRAPHS CAREFULLY BECAUSE THEY REQUIRE YOU TO ARBITRATE DISPUTES WITH SECRET AND LIMIT THE MANNER IN WHICH YOU CAN SEEK RELIEF FROM SECRET.

[…]

If settlement is not reached within 60 days after service of a written demand for mediation, any unresolved controversy or claim will be resolved by arbitration in accordance with the rules of the American Arbitration Association before a single arbitrator in San Francisco, California.


Legal Compliance

You represent and warrant that: (i) you are not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a “terrorist supporting” country; and (ii) you are not listed on any U.S. Government list of prohibited or restricted parties.

That’s funny. I guess I don’t know if I’m on a US government list of restricted parties!

Oh, and here’s the Privacy policy.

In case you thought you were “anonymous” when using Secret, think again:

We may share information about you as follows or as otherwise described in this privacy policy:

  • In response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, rule or regulation;

Wall Street Journal: The encryption flaw that punctured the heart of the Internet this week underscores a weakness in Internet security: A good chunk of it is managed by four European coders and a former military consultant in Maryland.

To answer some of the astonished comments I made yesterday, the lack of contributors to the project is baffling. So: the whole Internet relied on 10 volunteers and 1 employee and nobody helped them?

I guess this sort of comes back to one of the essential questions in Free Software: how do you get the users to fund it? For some kinds of software, this can be difficult; but in the case of OpenSSL I would have thought this to be an easy thing, since so many banks and web companies rely on it intensively.

But apparently, they didn’t care at all whether this major piece of security they were using was able to keep up with security standards or not. Considering the number of people involved with the project, I don’t see how it can put enough scrutiny and effort into making sure it follows the best security review.

(Now, I have to wonder if the WSJ piece is actually correct in the way it counts the contributors to the project, because it’s fairly possible that lots of companies making use of OpenSSL actually had security experts and developers in-house test the code and send patches and bug reports upstream; a bit like Google and that other security firm did when they found out about Heartbleed…)

According to Brent Simmons, That pretty much wraps it up for C.

The whole Heartbleed bug also reminds me that OpenSSL is also an example of a bad idea when it comes to licensing issues.

The Heartbleed vulnerability is not only a catastrophic security issue, it also spans other interesting topics.

The first obvious lesson is that the communication around the vulnerability was brilliant marketing.

The other lesson, less satisfying, is why the majority of the Internet is relying on a very poorly funded project?!

The Washington Post published an article that misses the real issue. The Heartbleed debacle is not an issue with the fact that OpenSSL is Free Software (the Apple goto fail bug shows it’s even worse when it’s proprietary—all Apple users had to wait several days before a patch was sent), nor with the fact that the Internet has no single authority (if anything, the OpenSSL library is a single point of failure).

I find it astonishing that OpenSSL is so poorly funded and apparently lacks a governance strategy that includes large stakeholders such as the major websites making use of the library and which, instead, are essentially all irresponsible free-riders.

The real issue here is one of responsibility.

XKCD has an amazingly simple explanation of how the vulnerability works.

Somebody working at Mozilla put together a timeline of facts surrounding Brendan Eich’s resignation.

And the real tragedy here is that Mozilla would have sorted this out satisfactorily if it hadn’t been sensationalized by the media and turned into an internet witch hunt. Anyone who wrote a news story, posted to their blog, or tweeted about Brendan without understanding paragraph (i)(c) of the Community Participation Guidelines was part of the mob that brought Brendan down.

For more than 15 years, Brendan fought for openness and freedom on the web, and led many of the people who built that open and free web. This week, in a senseless, vicious convulsion, the web turned on him.

Meanwhile, Mozilla published an FAQ.

Q: Was Brendan Eich forced out by employee pressure?

A: No. While these tweets calling for Brendan’s resignation were widely reported in the media, they came from only a tiny number of people: less than 10 of Mozilla’s employee pool of 1,000. None of the employees in question were in Brendan’s reporting chain or knew Brendan personally.

In contrast, support for Brendan’s leadership was expressed from a much larger group of employees, including those who felt disappointed by Brendan’s support of Proposition 8 but nonetheless felt he would be a good leader for Mozilla. Communication from these employees has not been covered in the media.

Which echoes something written in the timeline mentioned above:

11) On March 27th, a small number of Mozillians tweeted variants of “I am an employee of @mozilla and I’m asking @brendaneich to step down as CEO”. These tweets were reported by the tech press, and my perception is that this was the start of the media firestorm. Most (or perhaps all) of the Mozillians who tweeted this were employed by the Mozilla Foundation, not the Mozilla Corporation which means that they report to the executive director of the foundation and not to the CEO. As foundation employees, they did not share the same org chart as Brendan.

This is why pieces like this trouble me:

Both writers seem concerned that Eich’s resignation is a defeat for freedom of expression. If anything, it is a victory – the ouster of a founder and CEO by his own people, at a foundation based on open and equal expression, should be the new textbook example of the system working exactly as it should.

I hope this episode is now closed and that everybody learns a lesson from this.

(Especially the guys at Rarebit who, after publishing an article “5 reasons why Brendan Eich should step down”, now write “I want to say how absolutely sad to hear that Brendan Eich stepped down.” No comment.)

Since I first set up Firefox Sync, things have changed. Mozilla thought that they needed to completely change the user experience of setting it up in Firefox, thus discarding the previous Firefox Sync server for a totally new system of “Firefox Accounts”.

That sounds nice; however, at the moment it’s nowhere near as easy to set up if you want to self-host it instead of relying on Mozilla’s services.

You have to start 3 services:

Unfortunately, the READMEs are not as good as before. Sometimes they ask you to change settings, but they don’t always tell you in which file you should modify them; it also happens that the file they mention does not exist (e.g. the “config.json”).

I’ll have to give it another try… I hope that for next time, the documentation will have improved.

I get a CORS issue, but then… what?

I’m having a splendid Sunday at my desk, working on some moot cases for school.

Sometimes to get going, I need some good music that fits the mood. If you’re like me, you’re probably listening to some ambient or minimal music.

I’m on Trentemøller’s 2006 Last Resort right now and it feels great. I have no idea where I got that from, I just don’t remember. But anyway, thanks to the person who gave me this!

BBC: Microsoft admits reading Hotmail inbox of blogger:

Microsoft is caught up in a privacy storm after it admitted it read the Hotmail inbox of a blogger while pursuing a software leak investigation.

While the search was technically legal, [Microsoft’s deputy general counsel] added Microsoft would consult outside counsel in the future.

So if it’s not just legal, but “technically legal”: what does that mean?

Yes, it means the way companies like Microsoft handle privacy is wrong. Yet another example.

I just came back from the cinema, where I watched Spike Jonze’s Her. This movie has got me thinking.

One thing I noticed that was funny is how Theodore’s job kind of makes him fit the same role that she, the AI, plays for him. Let me explain a little bit. Theodore, the main character, works at beautiful-handwritten-letters.com, a service where people ask him to write beautiful letters to their wife for their 50th wedding anniversary, or to their son for his diploma, etc. You get it. By writing letters for other people, expressing some of their most personal emotions for them or even instead of them, he participates in this society where the human self dissolves.

I guess what I’m saying isn’t making sense if you haven’t seen the movie. So go see it! There aren’t movies like this every year!

Zappa and his cat

Frank Zappa used to say that he viewed some of his work as journalism: reporting what he saw around him in society. Thus, if historians from the future want to learn more about our society, looking at rock songs might be a good start.

Well, now we have the web, and with blogging, we’ve got way better materials for historians in the future. Although, as usual, the biggest challenge here is that most of the links from 2001 blogging don’t work any more. Most of the time, professional editors and big companies are better at keeping their URIs cool.

All I ask you to do today is go back to 2001 — a big moment in the history of blogging. The archive page is in reverse-chronologic order, so you might want to start at the bottom and scroll up.

http://scripting.com/2001/09.html#

That’s the kind of flow I am going to have again. I’ve been blogging in this form, off on the side, since March 2. To me it isn’t theoretical that it will work, I already know it will.