Let me make you jealous… Summertime. South of France. Ideal conditions to attend the worldwide free software conference (Rencontres Mondiales du Logiciel Libre, in French). Let's call it RMLL2014. What is it about? All about free software and open source, covering broad topics such as society, the internet, art, collaborative tools, software suites, security, open data…
All the free software offering alternatives to proprietary software was present, together with its designers, coders and evangelists and their free mindset. One may ask ‘what the hell was she doing there?’. That happened because Christophe Brocas @cbrocas, Mathieu Blanc @moutane, and Philippe Teuwen @doegox organized a security track. And it happens that free software, open source and W3C security do have something in common. My presence here was also the opportunity to attend some amazing talks. Here are some of the benefits of sitting here and listening.
Getting the essence of free software, from Richard Stallman himself
Mister Free Software Foundation, the daddy of the GNU Project, the man who showed the path to open source and collaborative wealth, and who promotes citizen control over software. After selling a few goodies for the FSF and taking pictures with fans, Richard Matthew Stallman laid out his theory. Simple and efficient. Any software which is not open is killing freedom and is a potential danger. As a consequence, relevant software has to embody the following merits: the freedom to run the program as you wish, for any purpose (freedom 0), to study how the program works, and adapt it to your needs (freedom 1), to redistribute copies so you can help your neighbor (freedom 2), to improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). This implies access to the software source code. The ideology behind that business model proposal is to give power back to the people, reducing technological attacks on citizen freedom. Being able by default to analyse software collectively gives, from Stallman's perspective, a better chance of keeping software publishers from performing actions without user consent (that is, implementing tempting things such as backdoors, user tracking systems…).
Discovering Caliopen, the new private messaging project, by Laurent Chemla
Another free thinker. Laurent Chemla, French, on the internet for ages, promoter of individual freedom and collective activism, founder of Gandi (a server hosting service). Laurent wrote ‘Confession d’un voleur’ (confession of a robbery) in 2002, where he confesses how he made money because he was curious and visionary, because he was playing day and night on the internet while others did not realize it existed. This gave him a competitive advantage that he turned into money, but he did not feel comfortable with it, as his vision was rather that the internet was about changing the world and giving citizens a chance to take power back from politics and locked systems. For a few months, Laurent has been working on and thinking about a new messaging service that would fit his dream, that is, being privacy-centric and secure. The rationale for designing this offer is the following: freedom is at risk these days (and has been for a long time, by the way, but let's pretend Snowden was a new thing, says Laurent). Except for a few geeks ready to acquire the technical skills to protect themselves and suffer the pain of using PGP, no one is really taking serious action. He reaffirmed that freedom must be protected by political and social action, but also with technical tools (another domain where he feels he can do something). Laurent does not want to build another complex solution, or a like-Gmail-but-more-secure solution, but rather to offer users an attractive email service. Here is Caliopen. Caliopen's promise is to manage conversations, whatever their medium (email, SMS, pigeon, …), and to associate a trust level with every piece of the communication. A user, a conversation, a device, a context for using Caliopen: every central piece has a trust level. This gives the user the power to decide. Shall I send this sensitive email to my friend Stéphanie, who is well known for opening her mail on her crappy device in the train, on public wifi?
Part of Caliopen exists, the back-end side, and the project is looking for skilled web developers to code the client side.
Hearing recent news about the Tor Project, by Lunar
Lunar is one of the voices of the French association Nos Oignons, which aims to raise funds and maintain some exit nodes of the Tor project. During the security track of RMLL2014, Lunar shared the principles, weaknesses, and stakes behind the Tor Project. For those not yet familiar with Tor, it is a network allowing users to access internet resources with an anonymized address. The aim is to counter the filters imposed over the internet by applications, services, ISPs or governments. The Tor Project relies on a network of 4000 nodes, which route the communication along a random path, obscuring the IP address of the machine which initiated the request. Lunar is clear. Anonymity is not perfect. It can be weakened, for example, by spying on data entering the Tor network and data getting out of the network, and correlating the two. For example, some information about traffic can be guessed by observing the life of the Tor network, or by entering the guard allocation entry and exit nodes… But the network is used and maintained by people with a vision, always trying to improve its reliability and usability, supported by a research community. Also discussed were the conditions for hosting an exit node. As it is a special node, exposed to heavy traffic and to potential legal attacks, it requires a fixed IP address and a way to receive notifications, and it is better if an association is behind it rather than a specific person. Integration of Tor access into software is also a key discussion point, and the conclusion was that only Tor Browser or Tails should be used. One should note that Mozilla and the Tor Project are working together on the definition of the next privacy feature of Firefox, in order to make ‘private navigation’ a feature with a real value proposition. Let's stay tuned… Lots of useful references for understanding the Tor project and its limits can be found at https://pad.riseup.net/p/lsm2014-tor.
The next episode of this post will tell you more about other projects discussed in the RMLL2014 security track…