Companies and hacktivism

Google’s case

On the 12th of March, I was at the Cyber-censorship event organized by RWB and sponsored by Google. There was a nice panel after that, with a lot of activists from Belarus, Egypt, Tunisia and Syria among others. And, well, I could not restrain myself, and I expressed some worries about Google, Skype and other companies providing tools used by activists to communicate, and about their lack of openness.

The Google representative who was there answered briefly that

"[He] does not understand the criticism about the lack of openness of YouTube, everyone can access it".

Well, that’s not true. For instance, there’s a video posted by Fhimt.com that was locally censored for no apparent reason (the story is on reflets.info). And that’s only one case. I’ve got another one, an allegedly leaked video of the torture of Syrians that is ‘not available’ (but given the number of views and other things, it was available), and while building the TBS I saw that about twenty videos we once got in the past are not available anymore.

So, yeah, youtube.com is available in most parts of the world. But not its content, and Google gives no specific reasons (except for ‘copyright claims’); they give no guarantee that anything that is available now will be available tomorrow.

Worse, when reading their terms of use, they restrict the availability of the content to authorized Google apps only (youtube.com being one). That means that, yes, TBS is violating clauses 4.C and 4.H of the terms of use:

You agree not to access Content through any technology or means other than the video playback pages of the Service itself, the Embeddable Player, or other explicitly authorized means YouTube may designate.

You agree not to use or launch any automated system, including without limitation, "robots," "spiders," or "offline readers," that accesses the Service in a manner that sends more request messages to the YouTube servers in a given period of time than a human can reasonably produce in the same period by using a conventional on-line web browser. Notwithstanding the foregoing, YouTube grants the operators of public search engines permission to use spiders to copy materials from the site for the sole purpose of and solely to the extent necessary for creating publicly available searchable indices of the materials, but not caches or archives of such materials. YouTube reserves the right to revoke these exceptions either generally or in specific cases. You agree not to collect or harvest any personally identifiable information, including account names, from the Service, nor to use the communication systems provided by the Service (e.g., comments, email) for any commercial solicitation purposes. You agree not to solicit, for commercial purposes, any users of the Service with respect to their Content.

So, it means that everything that is on YouTube is subject to the good will of Google. If they decide for one reason or another that you must not see some content on YouTube, then they will destroy it and you have no legal way to make an archive of it. Not without a commercial agreement.

Hence, the YouTube service is, indeed, free of charge and accessible. But it is not free at all, because you cannot do a lot of things with it.

I mean, Google could be an amazing archiving tool. They have an insane amount of data at hand, and they could archive it, guaranteeing to citizens that content on Google (email, video, docs, search results, whatever) will always be available using, for instance, documented and free standards. But they aren’t and they won’t.

They won’t because, despite what Google may say, they are a company. And the only goal of a company is to earn a big pile of cash. They can have ethics, they can pretend they’re going social, whatever. In the end, what will dictate their moves is the quantity of money they will have at the end of the month.

That’s why they moved into China, despite the censorship over there. They saw 300 million people who can use Google; that’s 300 million people who can be subjected to behavioural analysis to serve them efficiently targeted advertisements (which is Google’s job).

Google is not about freedom of information, so they accepted partial censorship from the Chinese authorities. Then they discovered they were targeted by a huge attack, the Aurora attack, probably ordered by the Chinese authorities to go after some of Google’s intellectual property, so they went out.

They didn’t move because their tool was censored. They moved because their business was under attack. They made some PR moves about China being uncooperative, violating their property (no shit?) and forcing them to do insane censorship (oh, really? So, you’re not censoring yourselves?) and then they moved to Hong Kong, acting like the good guys.

The good guys would have stayed there, would have disobeyed and would have provided activists there with online tools to preserve their anonymity and their security, fighting the laws and regulations of the Chinese government.

The Skype case

Skype is even worse. Even without being a Microsoft product now, Skype is built on closed and obfuscated protocols that are designed to go through most firewalls on both sides of the call. The utility allows Desktop Sharing, which grants execution on a remote host; your address book is stored somewhere; the cryptography is based on secret algorithms not documented anywhere, so it is security through obscurity, which is as bad as no security (even worse, because it gives a false feeling of security).

The only strength of Skype is having a good marketing team, and being available on whatever platform you can think of (the free-of-charge thing is the same for all VoIP providers).

One big problem with Skype is the auto-update thing. It is used a lot to deploy malware, notably in Syria where activists get killed for organizing themselves (so, yes, a government using such malware can know the people you’re calling and can arrest you and them, along with their friends and families). I’m not saying Skype is collaborating with governments, just that closed proprietary software that gets installed on all the computers, that can install things on its own without warning users, that can get through all firewalls and that does things behind your back is called a trojan over here.

Worse, now Microsoft has bought Skype. And Microsoft has a lot of patents. There is one that needs all your attention right now: patent 2010153809, labelled ‘Legal Intercept’. So, in short, Microsoft has patented the technology required to give any government the capability to intercept any communication using one of their software products. Most governments now have laws to authorize such things. There were laws for that in the classic phone system, as well as on GSM, and I always thought it’s legal for them to intercept any communication they need to build a case against you as long as the legal system allows them (and it will). The thing with Skype is, it was supposed to be end-to-end encrypted, so, mainly, the snoopers cannot have a verbatim of the talk.

With this patent, however, Microsoft is saying that any government can now intercept communication in Skype. So, basically, anyone who has access to the Microsoft tool for lawful intercept can now intercept Skype communication. So, the encryption is now broken and will never be recoverable.

The weird thing is that the Syrian government, for instance, has laws that grant it access to spy on its people. With this kind of patent, they do not even need DPI and hackers to break it; they just need to ask Microsoft to give them the key to the system.

Facebook, Google, Twitter and the One identity problem

As I said before, most of the websites you use have only one goal: to serve you the data they want you to access (because they’re paid for that), not the data you want. And, for this to be efficient, they need to know you in a lot of detail.

They do not care about you having a pseudonym or a real name (except for Facebook). What they do care about is the fact that you must have only one name. They need it, because they want to track you everywhere you go to build a profile of you they can sell to whoever pays for it (or accesses their data in more creative ways).

For instance, Google has changed their Privacy Policy, requiring that you use only one account for all their services (and that all of those services share data with each other). So, YouTube will know about what you wrote on Gmail and what’s on your blog (if you use Blogger).

Facebook, with its ‘like’ button, is even worse. If you’ve got a Facebook cookie in your browser (which, if you have a Facebook account, is the case), then even if you’re logged out, the simple fact of loading the ‘like’ button (which is a script) will tell Facebook about it.

Twitter is now selling your public tweets (and all the information associated with each tweet, including location if it’s active). I still do not understand who will buy something that is already free because it’s public, so I suppose they, in fact, sell analyses and profiles that match some criteria, to target them with advertisements. Or sell them to a governmental agency that is willing to pay to watch its citizens. Don’t think it’s not the case; governments are spending a huge amount of money on CCTV cameras and other ways of spying on their people.

So what?

The thing is that those companies have products in almost every country. Their product is free of charge because the users are the product, but still, you have it everywhere. They can live with insane traffic, they’re translated into the most common languages, they are easy to use, multi-platform and idiot-proof. And that’s why people use them to share pictures of their sex life or of their last trip to Vietnam, to share videos of riots and uprisings or of clever cats playing on a keyboard, to harass underage girls or to share an amazing animation clip.

Those tools are everywhere because they are big, they’ve made the internet popular, they’re in part responsible for the development of those smartphones and for the eradication of the dumb-phones.

And given that, and the fact that the last websites you will access in case of crisis are Google, Facebook and Twitter while news sites will be closed to protect the government, activists can and will use them. And some of them will get killed for this, because those websites do not provide ways of communicating that are really anonymous.

Google said they’re making an effort to be as ethical as possible. If they really were, they would open the code they use on their servers, they would open and disclose their algorithms, they would provide ways of fully enjoying their services without building a profile.

Surely, they would earn less money. But they would still earn some. Plus, some people would have remained alive and free instead of being jailed for having uploaded content to Facebook or Google.

Be Evil, Kick Google In the balls

Be Evil

All of you might have heard the Google motto:

Don’t be evil

With a bit of context, this is said by a company that has only one goal: be the only web that people will use. Glazman explains that Google and Apple are working to build a works-only-on-WebKit web, using some closed CSS properties (the ones that start with -webkit-*). I won’t develop too much on this; it’s just that this is the event that prompted this post.

So, we need to be evil and to move out of Google’s centralized and closed space.

There are a lot of steps, and I’ll probably miss some. You have to know that I’m using an Android too, and that I’m tweaking it (and I almost managed to kick Google out of it). But first things first, let’s go for the easiest part.

Gmail

So, let’s start. I do not like webmail. Not back when POP3 was hype, not even now that we have IMAP. I do not want to give my personal email to a third party that will do whatever they want with it (yeah, even with encryption, if the mail is decrypted on the server, that lets the server read it and defeats the point of encryption).

We know that Google is reading your mail, to place targeted advertisements on the page where you’re reading it. We do not know what they’re doing with your mail and, since there still is an issue with censorship and Google being ruled by US laws and regulations, you cannot be sure you won’t have any legal problem with your mails.

So, what can you do? Simple answer: host your mail. You will need a server. It’s cheap, and there are some nice virtual servers hosted in Iceland, a country which has strong personal data protection laws. Head to https://www.1984hosting.com for instance. That will cost you a few bucks per month. You’re going to need a domain name too. I made a mistake, mine is nation-tied (.fr); don’t do it, try to find a non-nation-linked one.

Now you’ve got a nice server. Install a server OS (one open and free, as in freedom, one you know or can learn about, one designed for servers, so, basically, a Linux distribution or a BSD one), plug a small database into it, which will be needed later, and install stuff.

For your mail, I’d advise Postfix; I know it better than the other ones out there (but not well enough to call myself a guru). There are a lot of interesting HOWTOs in the wild, pick one.

Look at TLS too, and grab an SSL certificate (either open an account on https://cacert.org, a distributed Certificate Authority based on trust, not on money, or create your own authority).

So, you now have your own server for sending and receiving mail. It’s enough for my needs, because I do not use webmail. If you really want one, have a look at Roundcube: it’s pretty and shiny, works on most modern browsers (probably even with links or Mosaic), and it looks a bit like Gmail so you won’t be lost.
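
For the ‘create your own authority’ route, here is an added example (not from the original post, nor from the Postfix project) that builds a private CA with openssl, issues a certificate for the mail server and checks it. The host name mail.example.org, the CA name and all file paths are placeholders.

```shell
#!/bin/sh
# Added example: private CA + TLS certificate for a self-hosted mail server.
# mail.example.org, the CA name and all paths are placeholders (assumptions).
set -eu

# make_ca DIR: create the CA private key and a self-signed CA certificate.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    ( umask 077; openssl genrsa -out "$dir/ca.key" 2048 )
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -subj "/CN=Example Private Mail CA" -out "$dir/ca.crt"
}

# issue_cert DIR HOST: create a key and CSR for HOST, then sign it with the CA.
issue_cert() {
    dir=$1; host=$2
    ( umask 077; openssl genrsa -out "$dir/$host.key" 2048 )
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr"
    # Mail clients match the server name against subjectAltName, so set it.
    printf '%s\n' "subjectAltName=DNS:$host" "basicConstraints=CA:FALSE" \
        "extendedKeyUsage=serverAuth" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -sha256 -days 365 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt"
}

# check_cert DIR HOST: succeed only if the certificate chains to our CA
# and carries HOST in its subjectAltName.
check_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$dir/$host.crt" -noout -text |
            grep -F -q "DNS:$host"
}

# Demo run in a scratch directory; ca.key never has to leave this machine.
demo=$(mktemp -d)
make_ca "$demo"
issue_cert "$demo" mail.example.org
check_cert "$demo" mail.example.org && echo "OK: $demo/mail.example.org.crt"

# Postfix then points at the files (main.cf, paths are placeholders):
#   smtpd_tls_cert_file = /etc/postfix/tls/mail.example.org.crt
#   smtpd_tls_key_file  = /etc/postfix/tls/mail.example.org.key
#   smtpd_tls_security_level = may
```

Mail clients only accept the server certificate once ca.crt has been imported as a trusted authority; ca.key is the one file to keep offline.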

Nice, isn’t it? You’re now in charge of your own mail system. No more advertisements, no more dependency on an external company for that, plain and total autonomy. How does it feel?

You’re addicted now and you want another fix of decentralized freedom? You’re a junkie. But so am I, so here is your new fix.

Google search

The previous one was easy to understand and to do. Now, we’re going after the big player. Search engines. Google wants you to find the websites they think are more relevant to you. They do not want to tell you how they’re doing it, they will target you with advertisements, and they will operate real-time censorship and suggestion.

But then, you’re going to say ‘Hey, no choice.’ For one, it’s not true. Even among the closed search engines, there’s Bing (and Yahoo, same engine now), which is quite interesting. Or http://duckduckgo.com. But those are still centralized and closed-source solutions.

We want to go deeper. And farther. We want really open and decentralized search solutions. There are two out there: YaCy, a Java implementation of P2P search, and Seeks, a C++ one.

I do not know YaCy well, but it has the advantage of scanning and indexing local pages, and it has its own fans and community. I’m more of a seeker (and I run my personal Seeks node). They started as a proxy and a meta-engine, but they are now sharing results across P2P and, since version 0.4.0, there are pure Seeks results.

You can use a public Seeks node (like mine) that will learn from the use of all the people who use it, or you can install your private one. You can use it as a proxy that will intercept all the queries that would have landed on Google and process them via Seeks instead.

It will require you to build it from source, but it’s easy to do; there’s an updated and fully detailed tutorial, so go for it. Also, there’s an IRC channel, #seeks@freenode.org; they’re quite nice people to hang out with.

So, now, you won’t use Google anymore to search for your stuff. You see? The Colossus won’t feed on you. Now the worst part is done, let’s deal with the details.

Calendar and contacts

Yeah, those are nice tools. But you do not need them to be on Google. They are iCal compatible, which is nice. vCard is an old protocol that used to work on my Nokia 3210 (the phone that can break the world in half with enough velocity). You just need an iCal server (and a web server, but with nginx or Apache out there… Plus, if you have Roundcube, you already have one).

The best solution I have found so far is DAViCal. It’s light, it does the job, it works on PostgreSQL. The sad part is that it does not give you a shiny interface to click on. But that’s why you need software, no? You need an RSS reader to read RSS feeds, you need a mail client to read mail, you need a calendar client to read calendars. Claws Mail has one, but I assume that if you’re reading this, you’re not on Claws. I suspect mutt has one; Emacs fans will tell you that Emacs most probably has a calendar included.

If you want a client that won’t scare you, go for Mozilla Sunbird or, if you’re already using Thunderbird, there is the Lightning add-on.

DAViCal works with contacts too. And the calendar can be read by a lot of other clients, just go through their wiki. Or use your new Seeks node to find out more about it.

Documents

Use a local office suite (such as LibreOffice, if you really need the weight of it). You can use a pad (an Etherpad one, for instance), like the one on Telecomix, for online and collaborative editing. You can even set one up on your own server, yay \o/.

If all you want is hosting and sharing documents, you have two choices. ownCloud will give you the possibility to use a part of your server as a public (or private: your server, your rules) hard drive. I strongly suggest you encrypt it. Or Unhosted which, as the name suggests, is based on ‘not hosting’ the data. Sounds promising; the fact that the data is encrypted before being stored anywhere is promising and, since it’s free software, you can add your own server.

So, no more Google Docs, OK people?

The last fix will be the one for the coders.

Google reader

An RSS reader. It’s extremely easy and there are a lot of them. I personally use tinytinyrss. Again it needs a web server, but then you’ll have all your RSS in the same place. You can probably find other projects like this one, but it works quite well.

And you can import the OPML (or whatever the acronym is) file format, the one used by Google when you want to do a backup of your feeds.

Google talk

And last but not least (also, quite an easy one): Google Talk. Google Talk is pure XMPP. Just like Jabber is. You can find lots of clients for Jabber, but go for pidgin-otr; you’ll then have the possibility of encrypted chat with plausible deniability for the same price.

You’ll just need an account for that. Either set up your own Jabber server (all XMPP servers can talk to each other) or use an existing one. Use your Seeks node to find a provider you like.

For hosting your own XMPP server, go for Jabberd. Simple, packaged for most distributions. You can then register there with your own nick and talk to other XMPP accounts.

Google Code

Get out of it now, and as fast as you can. There are plenty of open source git forges out there, especially the most notorious one, Gitorious. GitHub isn’t free (it does not run on free software) but is not that bad a candidate. But you do not want me to feed you with half-freedom, right? So, Gitorious.

What else?

I need to talk to you about Android, but I’m not fully satisfied with what I have now, so you’ll have to wait for your next fix of freedom.

If you’ve done everything here, you probably have nothing left on Google. Close and destroy your account. If they ask you why, just answer:

I do what I want, I’m a Master of Evilness, MOUAHAHAHAHAHAH!

Or RickRoll them.

If you find that one server just for you is a bit overkill, then go talk to your friends and family, have them on your server. It will be more fun if there are a lot of you. Do not sell them anything; have them understand that the services might or might not be working. Do backups. Try restoring your backups. Encrypt them. And do not forget:

Computers and freedom are like sex. The more of us are doing it at the same time, the better it gets.


version 2.0 – I’ve forgot about reader and talk. Need to find a picasa