Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it

consensus

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it

From:	carlo von lynX
Subject:	Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
Date:	Thu, 12 Jun 2014 00:01:59 +0200
User-agent:	Mutt/1.5.20 (2009-06-14)

On Sun, Jun 08, 2014 at 10:40:27PM -0500, J.B. Nicholson-Owens wrote:
> carlo von lynX wrote:
> >Yet the things the page recommends are band-aids.
> 
> None of the problems you cite are easily fixed. The FSF can't easily

What? It is difficult to add cacert.org to Firefox to name
one thing in the list?

> get people to stop using non-free software despite over 30 years of
> positing robust counterarguments that rely on unchanging
> principles--ethics--and demonstrating doing ethical computing via
> their own acts. That challenge doesn't mean it's time to give up on
> software freedom.

Did I say anything about that? Where is the context?
By the way, the FSFE has not adhered to resetthenet
for similar reasons to mine.

> >- The recommended solutions for mail and chat
> >   are obnoxious for normal users to install and
> >   will be obsolete in a year or so, since no-one
> >   should stick to mail and chat that does not
> >   protect the social graph "meta" data.
> 
> I won't argue that email is sometimes problematic but, as others
> have pointed out, email isn't going away anytime soon (a lot of

I didn't say that. I said that it will be obsolete
because there will be a better alternative. I didn't
say fax machines disappeared instantly with the advent
of email. Pond is already out there, and soon there will
be at least one secure mail system that supports all the
use cases of e-mail.

> other stuff depends on email). I'd also argue that decentralized
> approaches to electronic communication should not go away because
> decentralization is critical to regaining privacy by running one's
> own servers. I understand that the FreedomBox hackers are working
> from this basis as well for the services that computer will use.

There is a big wrong assumption there. Your own server is not
owned by you. Your FreedomBox is, but the server that stands in
some rack and whose RAM is easily made available to authorities
isn't. That's why decentralization is no longer enough. We need
distributed systems.

> >- The idea that all HTTP sites should upgrade
> >   to HTTPS, without at least convincing one CA
> >   to hand out free *.domain certificates, is just
> >   an amazing promotional campaign for the CA industry.
> 
> Or one could consider the Firefox add-on that avoids using CAs
> altogether. As I'm guessing you're aware, Moxie Marlinspike had a
> lecture about the CA problem at the 2011 Black Hat security
> conference titled "SSL And The Future Of Authenticity"[Future of
> Authenticity]. He's also behind the Convergence Firefox
> add-on[Convergence] which offers a practical means of avoiding the
> CA system while still using HTTPS websites.

Yes, unfortunately that exposes your interest in websites
to the Convergence network. Whatever you do, as long as the
website is identified by a domain name rather than a public key,
it's all band-aids. Still, what you suggest would be a better
band-aid than what resetthenet offers.

> >- Would be better if the web browsers were supporting
> >   proper pinning of self-signed certificates. Or
> >   supporting cacert.org so people can reasonably get
> >   free certs. They can show the sites with a yellow
> >   box instead of a green one (if Mozilla thinks cacert
> >   is less safe, which in the current situation is a
> >   ridiculous assertion anyway), but leaving the web in
> >   a state of utter brokenness is sick.
> 
> Running a CA isn't easy and recommending any particular CA is
> risking this part of one's message on the future behavior of that
> CA. If that CA's methods fail and browser programmers remove that CA
> from the browser, website admins who used that CA are left to pick a
> new CA. This is the DigiNotar problem all over again.

You sound like you are not familiar with the cacert.org project.
And of course I'm not suggesting a long-term solution since there
IS no long-term solution that carries X.509 in its name.

> >- Would be better to fix the scalability of Tor hidden
> >   services so we can use .onion instead of the broken
> >   HTTPS thing. Or if that doesn't work, use GNUnet for
> >   the "light web"
> 
> Tor is great but this objection is a bit inconsistent with your
> objections above -- it can't be that bad to expect non-technical
> computer users to install a browser add-on if you're okay with
> expecting them to switch to using Tor.

Eh? Who said it is bad to expect people to install a browser add-on?
Also aren't we talking about a major campaign? Shouldn't we be
as a campaign powerful enough to make Mozilla ship with Tor?

Isn't that a much more realistic goal than to sell certificates to
millions of websites that couldn't afford them as yet?
I mean, if a website doesn't have https these days it might be
because of the price tag. Making a campaign for these people
to please spend money in certification could be insulting.

> >- Would be better to deploy opportunistic forward
> >   secrecy implemented in JS over HTTP (naif has been
> >   working on that)
> 
> Javascript has its own problems for privacy protection. For example,
> JS is quite powerful and capable of reading information which few
> websites can legitimately justify collecting. JS can track
> mouse/keyboard activity, for instance.

Yes, I agree, also because you are off-topic.
PFS over JS is better than nothing and it costs less
then certification.

> >- Would be better if campaign websites weren't themselves
> >   collecting personal data before even saying anything
> >   (the first thing it shows is a prompt to drop your
> >   e-mail into a box.. very reassuring).
> 
> This is better directed at the people who run
> https://www.resetthenet.org/ and not the FSF.

They heard the message and didn't change anything.
Maybe if the FSF tells them, it would matter.
But if just about everything is wrong about that website
why should I expect to be able to convince these folks to
take it down? But since I spend lifetime dedicating software 
to the FSF, maybe I can expect something from the FSF?

> I have JS turned off by default in my browser, so if they're using
> JS to hide some or all of the site until you submit an email address
> I never noticed that. When I visited https://www.resetthenet.org/ I

You're again talking of things I didn't say. I didn't see the video
because the first thing I saw was a big box asking for my email address.
I was mostly attracted by "The solution" because it was obvious
there couldn't possibly be a real solution there, and so there wasn't.

Uh oh, even Edward and Bruce have praised the project saying that
it will do some good. I wished it was so. Who gets to decide what
the things are that resetthenet promotes? How do we get it to make
more reasonable recommendations? Democracy? Meritocracy? Or just
oligarchy?

Now that I saw the video... well yes, it is actually very beautiful.
Why o why is it so hard to make recommendations that actually
make sense?

-- 
            http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it, J.B. Nicholson-Owens, 2014/06/09
- Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it, carlo von lynX <=

Prev by Date: Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
Next by Date: [GNU/consensus] Fwd: [SocialSwarm-D] Kill the pseudonyms just to handle sybil attacks?
Previous by thread: Re: [GNU/consensus] Why support "Reset the Net" ? I don't get it
Next by thread: [GNU/consensus] Fwd: [SocialSwarm-D] Kill the pseudonyms just to handle sybil attacks?
Index(es):
- Date
- Thread