Mounting a Samba Share in Debian GNU/Linux

Samba allows a computer running GNU/Linux to connect with and share files with a computer over a Microsoft Windows based network.

To mount a drive or folder that is shared over Samba or over a Windows based
network as a drive on your computer there are three steps:

  • install cifs-utils;
  • create a mount point on your system where the folder is to be mounted; and
  • mount the shared folder.

The first step is to install cifs-utils, which provides the tools for mounting shares over CIFS, a protocol that “provides support for cross-platform file sharing with Microsoft Windows, OS X, and other Unix systems”.

As root, use:

# apt-get install cifs-utils

Next is to create a mount point where the shared folder will be mounted. This
can be any folder. To make a new folder, as root, use:

# mkdir -p /netfiles/music

The final step is to mount the shared drive using the “mount” command. The type of file system to be mounted is specified as “cifs”, so that the CIFS protocol is used.

The standard form for the mount command is

"mount -t <type> <device> <directory>"

For example, let’s say there is music shared over a local home network. If the folder is shared with the name “music” from a computer which has an IP address of 192.168.X.XXX, this will be the information of the “device”, namely the item to mount. The “directory” is the mount point that has been created on the GNU/Linux computer. As an extra option you can put in the username that is needed to connect.

The command used to mount will be:

# mount -t cifs //192.168.X.XXX/music /netfiles/music -o username=XXX
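A variant of the mount step that keeps the password out of the command line and shell history by using the `credentials=` option of mount.cifs, as an added example that is not part of the original post. The helper names and the credentials file path are assumptions; the `nosuid,nodev` options are an extra hardening choice for a network share.

```shell
#!/bin/sh
# Added example: store the SMB login in a root-only file and mount with
# -o credentials=FILE instead of typing the secret on the command line.

# write_cifs_credentials FILE USER
# Reads the password from the terminal (no echo) or from stdin, and makes
# sure FILE is mode 0600 before the secret is written into it.
write_cifs_credentials() {
    cred_file=$1 cred_user=$2
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$cred_user" >&2
        stty -echo; IFS= read -r cred_pass; stty echo
        printf '\n' >&2
    else
        IFS= read -r cred_pass
    fi
    ( umask 077; : > "$cred_file" ) || return 1   # create or truncate privately
    chmod 600 "$cred_file" || return 1            # tighten a pre-existing file too
    # printf is a shell builtin, so the password never appears in a process list
    printf 'username=%s\npassword=%s\n' "$cred_user" "$cred_pass" > "$cred_file"
    unset cred_pass
}

# credentials_are_private FILE
# Succeeds only when FILE is a regular file with no group/other permissions.
credentials_are_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case "$perms" in
        -r[w-]-------) return 0 ;;
        *)             return 1 ;;
    esac
}

# cifs_mount_command SERVER SHARE MOUNTPOINT CREDFILE
# Prints the mount command so it can be reviewed before it is run as root.
cifs_mount_command() {
    printf 'mount -t cifs //%s/%s %s -o credentials=%s,nosuid,nodev\n' \
        "$1" "$2" "$3" "$4"
}

# Typical use, as root (the file path is a placeholder):
#   write_cifs_credentials /root/.smbcred-music XXX
#   credentials_are_private /root/.smbcred-music || echo "fix permissions first"
#   cifs_mount_command 192.168.X.XXX music /netfiles/music /root/.smbcred-music
```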

This work by Clinton Pavlovic is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Installing and Configuring Redshift in Debian GNU/Linux

According to the Redshift man page:

“Redshift adjusts the colour temperature of your screen according to your surroundings. This may help your eyes hurt less if you are working in front of the screen at night.

The colour temperature is set according to the position of the sun. A different colour temperature is set during night and daytime. During twilight and early morning, the colour temperature transitions smoothly from night to daytime temperature to allow your eyes to slowly adapt”.

Install Redshift

To install Redshift run the following command with root access:

# apt-get install redshift

Configuring Redshift

I found that the programme needs some configuration before it will run properly. After running Redshift for the first time I received this message:

Trying location provider `geoclue'... 
Unable to obtain master client: The name org.freedesktop.Geoclue.Master was not provided by any .service files
Failed to start provider geoclue. 
Trying next provider... 
Trying location provider `manual'... 
Latitude and longitude must be set.

Unfortunately the man page isn’t that detailed when it comes to setting up a configuration file. The command:

$ info redshift

gives slightly more detail regarding setting up a configuration file, stating that a “configuration file with the name ‘redshift.conf’ can optionally be placed in ‘~/.config/’”.

To create a configuration file using the example given in the info file:

$ vi ~/.config/redshift.conf

Insert the following into the configuration file:

[redshift]
temp-day=5700
temp-night=3500
transition=1
gamma=0.8
location-provider=manual
adjustment-method=randr

[manual]
lat=-27.1
lon=27.5

[randr]
screen=0
screen=1

First, the latitude (lat) and longitude (lon) values should be set to your current location, with negative values representing south and west respectively. My example uses the location of Johannesburg, South Africa.

Secondly, this configuration file is for two screens. If your system only has one screen, delete the line that says “screen=1”.

Running Redshift from the Terminal

Once Redshift is installed and a configuration file is set up, the programme can be run through the terminal by invoking:

$ redshift

Running the programme with this command will, however, leave the process running in the terminal window and it will not return the shell prompt. The result is that the process will terminate as soon as the terminal window is closed.

To prevent this the process must be started in the background using the following:

$ redshift &

The process will now run and the shell prompt will be returned. This will allow you to close the terminal without killing the Redshift process.



GNU/Linux Debian: Adding Non-Free Repositories, Moving to the Testing Distribution and Choosing the Best Mirrors

The GNU/Linux Debian sources.list is a file that serves several functions:

  • it lists the address from which packages (programmes) are downloaded and installed;
  • it lists the components (main, contrib or non-free) that you want to use; and
  • it lists which distribution you want to download; currently there are three different distributions to choose from: stable, testing and unstable.

The sources.list file is stored in /etc/apt/sources.list and can be edited as root with the following (if nano is not available on the system you can fall back to “vi” or any other editor):

# nano /etc/apt/sources.list

This is an example of a default sources.list file:

deb http://http.debian.net/debian wheezy main
deb-src http://http.debian.net/debian wheezy main
deb http://http.debian.net/debian wheezy-updates main
deb-src http://http.debian.net/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

From this example file you can easily determine that:

  • it downloads packages from http://http.debian.net/debian;
  • it uses the “main” components only, and does not include any non-free components; and
  • it uses the stable (Wheezy) distribution.

Adding Non-Free Repositories and Moving to the Testing Distribution

There may be some occasions when it might be necessary to install software from a non-free repository, for example if your hardware needs a proprietary firmware blob to operate properly.

To add the contrib and non-free repositories simply edit the sources.list and add the words “contrib non-free” after the word “main” everywhere it appears in the file.

To change the distribution from stable (wheezy) to testing (jessie) simply edit the sources.list and replace the word “wheezy” with the word “testing” everywhere it appears in the file.

# nano /etc/apt/sources.list

Edit the file to look similar to this (note: I have not reproduced the whole file again), save the file and exit:

deb http://http.debian.net/debian testing main contrib non-free
deb-src http://http.debian.net/debian testing main contrib non-free
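The two edits described above can also be applied field by field with a backup kept for rollback, shown here as an added example that is not part of the original post. The function name `switch_sources` is an assumption, and the handling of an option block such as `[arch=amd64]` goes beyond the default file shown on this page.

```shell
#!/bin/sh
# Added example: rewrite a sources.list so that every deb/deb-src line uses
# the new distribution name and carries "contrib non-free" after "main".

# switch_sources FILE OLD NEW     e.g. switch_sources /etc/apt/sources.list wheezy testing
switch_sources() {
    src=$1 old=$2 new=$3
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only pristine copy.
    [ ! -e "$src.bak" ] || { echo "backup already exists: $src.bak" >&2; return 1; }
    cp -p "$src" "$src.bak" || return 1

    awk -v old="$old" -v new="$new" '
    $1 == "deb" || $1 == "deb-src" {
        s = 3                               # suite is normally the third field
        if ($2 ~ /^\[/) {                   # skip an option block like [arch=amd64]
            for (s = 2; s <= NF && $s !~ /\]$/; s++) ;
            s += 2
        }
        if (s <= NF) {
            # Only the suite field is touched, so a URL or comment that happens
            # to contain the old name is left alone. This also covers
            # OLD-updates and OLD/updates.
            sub("^" old, new, $s)
            has_main = has_contrib = has_nonfree = 0
            for (i = s + 1; i <= NF; i++) {
                if ($i == "main")     has_main = 1
                if ($i == "contrib")  has_contrib = 1
                if ($i == "non-free") has_nonfree = 1
            }
            if (has_main && !has_contrib) $0 = $0 " contrib"
            if (has_main && !has_nonfree) $0 = $0 " non-free"
        }
    }
    { print }                               # comments and blank lines pass through
    ' "$src.bak" > "$src"
}
```

Comparing the result with `diff -u FILE.bak FILE` before running apt-get update shows exactly which lines changed.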

Changing the Download Mirror

The official list of Debian mirror sites is at http://www.debian.org/mirror/list

One problem is that South Africa does not have a primary mirror site, just secondary mirrors, which raises the question: Is it better to download from a local secondary mirror, or a foreign primary mirror?

To help select the best mirror available from your location you can use the programme “netselect-apt” which can determine and suggest the site with the least latency. Running netselect-apt overwrites your existing sources.list, so making a backup first is advised.

# apt-get install netselect-apt
# netselect-apt

Once the best mirror has been determined you can edit your original sources.list file and change the mirrors to the suggested mirror. The security update mirrors should not, however, be changed.

Update the System with the Latest Packages

Once the sources.list file is updated it is then necessary to update your system with the latest packages from your newly selected distribution and repository.

This is done as root with the following:

# apt-get update
# apt-get upgrade

“Update” is used to resynchronize the package index files from their sources and “upgrade” is used to install the newest versions of all packages currently installed on the system.

If you are moving from one distribution to another (moving from stable to testing), or if after running apt-get upgrade there is a message saying that certain packages were held back, you may want to do a dist-upgrade instead:

# apt-get update
# apt-get dist-upgrade


How to Install FOSS ATI Radeon Drivers on GNU/Linux Debian

After reinstalling my GNU/Linux Debian system I encountered problems with my ATI Radeon graphics drivers. I have always used the Free (FOSS) drivers, so it was unsettling that it now seemed to not be working; the screen resolutions were all wrong and couldn’t be changed.

After a bit of time I discovered that the FOSS ATI Radeon drivers were installed, but the proprietary non-free firmware blob wasn’t, which led to this problem.

To fix this problem you need to:

  • install the non-free firmware for the graphics card from the non-free repository; and
  • install the FOSS ATI Radeon drivers if not already installed.

To add the non-free repository edit the “/etc/apt/sources.list” file as root. If nano is not available on the system you can fall back to “vi” for editing.

# nano /etc/apt/sources.list

Add the words contrib non-free after the word main where it appears in the file. Save the file and exit. I have previously done a more detailed explanation of the sources.list file and how to add non-free repositories.

Now you need to update and then install the required firmware and drivers as root:

# apt-get update 
# apt-get install firmware-linux-nonfree 
# apt-get install xserver-xorg-video-ati


Reinstalling Debian GNU/Linux with Custom Sized Partitions

Recently I changed the operating system on my home computer from Windows 7 to Debian GNU/Linux. Up until now I have had a fairly good run using Debian and I haven’t encountered any problems that I couldn’t fix with a little bit of effort and a lot of reading.

When performing a recent “apt-get dist-upgrade” I encountered this message:

failed to write (No space left on device)

Strange, because I thought I had more than enough space on my system. I check the space left on my partitions:

$ df -h

The “-h” is to make the output human readable; I get this response:

Filesystem           Size  Used Avail Use% Mounted on
/dev/mapper/pc-root  314M  277M   17M  95% /
udev                  10M     0   10M   0% /dev
tmpfs                800M  1.5M  798M   1% /run
tmpfs                5.0M     0  5.0M   0% /run/lock
tmpfs                1.6G  172K  1.6G   1% /run/shm
/dev/sda1            228M   23M  194M  11% /boot
/dev/mapper/pc-home  431G  1.6G  408G   1% /home
/dev/mapper/pc-tmp   360M  2.1M  335M   1% /tmp
/dev/mapper/pc-usr   8.2G  4.5G  3.3G  58% /usr
/dev/mapper/pc-var   2.7G  569M  2.0G  22% /var

The root partition has run out of space.

First, I attempted to free some space with the following:

# apt-get autoremove # Removes all unused packages automatically
# apt-get autoclean # Erases old downloaded archive files

This only freed another 5% space which is clearly still not enough.

During the original installation process on this system, I used the default installation partition sizes, which led to the 314MB sized partition for the root partition. There are ways to increase the sizes of partitions without repartitioning the entire hard drive and reinstalling the operating system using a live GNU/Linux CD, but I have been thinking of doing a fresh install so this is the excuse I need.

First thing to determine is the amount of space which should be allocated to each partition initially, so similar problems are not encountered so soon after a fresh install.

This is briefly what each partition does:

  • / (root) # anything that doesn’t get a partition of its own will become part of the root partition.
  • /boot # contains the operating system kernel and various other data needed for the system to boot.
  • swap # the swap partition is used to temporarily store data when the system does not have enough RAM for its current tasks.
  • /home # the home directories of all users. This is where all the user specific files are stored.
  • /usr # installed packages.
  • /var # the data here usually changes frequently.
  • /tmp # used as a temporary space to store files or for programs to write temporary data.

To customise the size of each partition during the installation process I followed the following steps:

  • I opted to use guided partitioning, selecting “Guided – use entire disk and set up encrypted LVM”.
  • Select the disk that you want to partition. Beware that selecting the option to use the entire disk will delete all data on the disk.
  • Select the option for “Separate /home, /usr, /var, and /tmp partitions”.
  • Write the changes to disk to create and configure the LVM volume. When prompted enter your disk encryption password that you want to use.
  • You will now be shown a list of partitions (logical volumes) that have been created. It’s now necessary to change the default sizes.
  • Select “Configure the Logical Volume Manager” and write the changes to the disk.
  • You can now delete each logical volume in turn and recreate it with the size that is required. Initially the entire disk is used so you can’t increase the size of one volume before decreasing the size of your home partition.
  • To delete a volume:
    • select “Delete logical volume”; and
    • select the volume to delete, starting with the /home volume.
  • To create a volume:
    • select “Create logical volume”;
    • select the logical volume group;
    • enter the name of the volume you want to create, so in order to recreate the /home volume that you deleted, enter “home”;
    • enter the size of the volume you want to create.
  • Once you have deleted and recreated each volume you can then select “Finish” to go back to the main partitioning menu.
  • What you need to do now is configure each volume that you made and select what file system to use, and where it should be mounted:
    • select each volume in turn;
    • select “Use as: do not use”;
    • select the option to use the partition as an “Ext4 journalling file system”;
    • select the “Mount point” option, and select where the partition should be mounted, depending on what partition it is.
  • Once the last step has been done for each volume you are done and can select the option to “Finish partitioning and write the changes to disk”.

After the re-installation my partitions now look like this:

/dev/mapper/pc-root   46G  348M   44G   1% /
udev                  10M     0   10M   0% /dev
tmpfs                799M  764K  799M   1% /run
tmpfs                5.0M     0  5.0M   0% /run/lock
tmpfs                1.6G   92K  1.6G   1% /run/shm
/dev/sda1            228M   41M  172M  19% /boot
/dev/mapper/pc-home   92G  106M   87G   1% /home
/dev/mapper/pc-tmp   922M  1.3M  857M   1% /tmp
/dev/mapper/pc-usr    46G  3.0G   41G   7% /usr
/dev/mapper/pc-var   9.1G  1.3G  7.4G  15% /var
none                 4.0K     0  4.0K   0% /sys/fs/cgroup

There seems to be a lot of debate regarding the optimal size of swap partitions and root partitions, but with storage space not being too much of a problem on my system I opted for 10GB of swap space and oversized partitions for the rest of the system. This might not be an optimal use of space though if storage space on the system is a problem.

To see a tree map of each partition and the mount points the command is:

$ lsblk


Simple Steps to Increase Online Privacy

Since the revelations by Edward Snowden on the online data tracking done by the government of the United States of America, the current state of online privacy has been thrust into public attention, in particular how much information is willingly, and more often unknowingly, given away by internet users.

Your online activities are tracked by every internet service you use, by every web site you visit and by the advertisers and content providers on each page you view. These companies track web users invisibly as they surf the internet recording everything that is searched for online, each link that is clicked and each web page that is visited. The list of people acquiring information that can personally identify you is longer than what you might expect.

Regardless of the reasons provided for tracking your online activities, which include the ability to serve you with targeted adverts and improved customized search results “for your benefit”, the fact remains that large troves of personally identifiable information often unknowingly fall into the hands of third parties.

For an illustration of information that is collected by search engines you should take a look at the database of user searches that America Online released to the public in 2006. This database contains the searches of more than 650,000 AOL users over a three month period and illustrates the privacy nightmares that can arise when even small amounts of private search data become publicly available. You can browse this database and see the search queries that the users entered and which links were followed by the user.

For instance, user #2258946 searched for boat motors, golf club grips and sport back braces; user #98280 searched for pregnancy calculators, whether bi-polar personality disorders are hereditary and spiritual beliefs on abortion; and user #110602 searched for Star Wars music, sex games and pornography. People have claimed to have been able to pinpoint the identities of various users using only the search data which was released.

If you have a Google Account and use Google’s services you can take a trip down memory lane and look at some of your own past search queries by logging into your Google account and going to www.google.com/history

Methods Used to Track Internet Users

The most common and simple methods used to keep track of internet users are through tracking cookies, internet browser referrers and IP addresses.

Cookies are small pieces of data which are sent by a web server to your computer when you access a website. These pieces of data, the cookies, are stored on the visiting computer. These are referred to as “first party cookies”. Each website visited may also be linked to and request content from third parties which deliver services to the website, for instance advertisements or analytic services. These third parties may also upload and store tracking cookies on the visiting computer. These are referred to as “third party cookies”.

Cookies are a way for a website to identify and store information about each visitor. They are used to maintain data related to the visitors during navigation across various visits, store a visitor’s personal preferences and may also track a visitor’s web browsing in conjunction with the computer’s IP address and browser referrer fields.

An IP Address is a unique numerical address which is assigned to any device which connects to the internet. Because it is generally unique and is assigned based on your geographical region and internet service provider it can be used to track the device to the country and city in which the device is connecting to the internet. The IP address can be used to track recurring visitors to the same site or the same visitors across various sites, as visitors with the same IP address will generally be the same person or someone using the same internet connection. To see the IP address and location information of the device you are currently reading this article on you can visit https://www.dnsleaktest.com/

A referrer is information about which page your request to the web server originated from, the referring page [8]. When you follow a link from a search query or a link on another website the website which you visit receives information about the website that directed you to it.

By analysing stored tracking cookies, IP addresses, referrers and other information made available it is possible to discover the pages the user has visited, in what sequence, and for how long.

What Can Be Done to Increase Online Privacy?

There are some easy tactics that can be used to limit the amount of information that is gathered about your online activities; these are discussed below.

A word of caution: None of these methods will give you anonymity on the internet. Your internet service provider and any local law enforcement will still be able to use methods to track your movements across the internet and record the websites that you visit.

The methods presented here will only minimise the amount of personally identifiable information that can be gathered by private companies across the internet.

Replace Your Internet Browser

The first thing to consider is replacing your proprietary internet browser (such as Microsoft’s Internet Explorer or Google’s Chrome browser) with one that is Free and Open Source Software. Using a free and open source browser allows the community of users to ensure that the browser is secure, does not contain any intentional security back doors and does not do anything unknown that could be malicious or could be used to identify you.

Install Mozilla Firefox, the recommended Free and Open Source internet browser:

Change Your Browser Cookie and Tracking Settings

It is possible to easily minimise the information collected by means of cookies by simply changing some settings in your internet browser. Settings that you should consider changing are:

  • Disable third party cookies, which will immediately reduce the amount of cookies received from third parties and advertisers, reducing the amount of information that these companies can collect. A guide on how to do this in Mozilla Firefox is found at https://support.mozilla.org/en-US/kb/disable-third-party-cookies
  • Set your browser so all cookies are deleted when the browser is closed. This setting is found on the same setting page as third party cookies settings, so after deselecting “Accept third-party cookies”, right below it select “Keep until I close Firefox”. This will ensure that all cookies are deleted when you close your browser and are not stored for years.
  • The browser plugin “Self Destructing Cookies” destroys cookies as soon as a tab is closed and no longer used. This can be installed from https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
  • Turn on your browser’s “do not track” feature. This tells websites not to track you, but unfortunately it is up to the individual websites whether they want to comply with your request. A guide on how to do this in Mozilla is found at https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature

Install a Browser Plugin to Eliminate All Online Advertising

Install Adblock Edge to get rid of advertising on websites and to make sure that you do not accidentally click on any of these unwanted links. Adblock Edge is a fork of the Adblock Plus software. Both these plugins are popular advertising blockers, but by default Adblock Plus allows adverts that it classifies as “acceptable adverts”. It may be noble to want to support websites and advertisers who promote advertising that does not destroy your viewing experience, but this may be contrary to the objective of increasing privacy. The business model of Adblock Plus, which allows advertisers to pay the company to have their adverts automatically white listed, has also raised some concerns.

Adblock Edge can be found at https://addons.mozilla.org/en-us/firefox/addon/adblock-edge/

Install a Browser Plugin to Prevent Social Networks From Being Sent Data by Websites Visited

Facebook, Twitter and other social networks have buttons which websites can incorporate to make sharing content easier for visitors. An example is Facebook’s “Like” button which is now found on many internet websites and not only on facebook.com. One feature that most internet users are unaware of is that these buttons collect and send information about your browsing back to the company (Facebook, Google or Twitter) regardless of whether or not you use or click the button. The process used is described in detail in this research paper.

Each time you visit a website incorporating a Facebook “Like” button the website sends a request to Facebook to retrieve the button for display, along with a cookie. If you are logged into Facebook at the time, or have visited Facebook and still have a Facebook cookie on your computer, then the cookie that is sent to Facebook will incorporate your unique Facebook user ID. This allows Facebook to monitor every website that you visit whether you are logged into Facebook or not.

Even if you do not have a Facebook account Facebook collects and stores this information about your browsing, creating what it calls “shadow accounts”.

You can prevent this by installing the Disconnect browser plugin, which blocks these requests and information sent to social networks. Disconnect can be downloaded from https://disconnect.me/

One criticism of Disconnect is that it does not go far enough because it only blocks cross-site requests from the largest known social networks and advertisers. To prevent all cross-site requests you can install the Request Policy plugin. This plugin does, however, break most websites but if you are willing to make the effort to configure it properly for the websites that you visit often it will greatly increase your privacy and security.

Install HTTPS Everywhere Browser Plugin

The HTTPS Everywhere browser plugin maximises your use of HTTPS encrypted connections and ensures that your browser will use a secure encrypted connection to a web server if one is available.

HTTPS Everywhere is found at https://www.eff.org/https-everywhere

Use a Search Engine That Does Not Track You

The major search engines, Google, Yahoo and Bing, record each search query entered into their search engine along with the links followed. This information is used together with your computer’s IP address to track your browsing habits and build databases containing all information and location details. This information is then used by the companies and their partners to attempt to increase their own revenue by serving you personalised, targeted, adverts.

Your search results can contain very personal and intimate details about you as highlighted in the released AOL database of user searches, and will likely contain personally identifiable information.

To prevent a company from building up a detailed database like this you must not use a search engine which generates income through advertising, but should instead use an alternate search engine which takes its users’ privacy seriously. Two search engines to consider are:

I personally use startpage.com because it provides search results as if you are using Google. When you search with Startpage the web results are generated by Google and not by Startpage itself. Startpage takes your search query and sends it to Google without providing Google with any identifying information about you. Startpage then delivers the Google search results to you. Startpage does not collect or store any personal information, including your IP address, and has been awarded the European Privacy Seal.

Set Startpage as your homepage, add Startpage search to your browser, and configure your internet browser so you can search Startpage from your URL bar.

Other Privacy Improvements to Consider

There are many other methods that can be considered to improve privacy and security online, but each of these topics would require a separate guide on their own. These include:

  • turning off your internet browser’s “referers”, so websites are not sent information about the links you followed to arrive on their page; I have, however, found that this breaks some websites which require a login;
  • increasing the strength and uniqueness of your online passwords;
  • using services to hide your IP address, such as through a virtual private network (VPN) or Tor (the Onion Router);
  • taking steps to change and protect your internet browser’s fingerprint;
  • installing browser plugins to prevent websites from loading JavaScript; this has the benefit of increasing both privacy as well as security; and
  • encrypting emails.


Free Software and its Security Advantages

Everyone loves free software, but not all free software is Free. With software there is a substantial difference between “free”, “Free”, and “open source”.

As an end user Free Software can in some cases offer advantages over closed and proprietary software, especially in the case of software which is relied on for security.

The Definition of Free

The Free Software Foundation defines Free Software as “software that respects users’ freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.”

Free Software is not about price, but about protecting users’ freedom to use, modify and distribute software. The four fundamental freedoms that are applicable to Free Software are:

  • The freedom to run the program, for any purpose (freedom 0). Does the software do what it purports to do? Does the software only do what it purports to do, free from any nefarious other uses or intentional back doors that are unknown to you? Is the software secure from attackers?
  • The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1);
  • The freedom to redistribute copies so you can help your neighbour (freedom 2);
  • The freedom to distribute copies of your modified versions to others (freedom 3).

Access to the source code of the software is a precondition for the practical exercise of these freedoms. This access is the largest difference between proprietary software and Free Software.

Free Software, and its accompanying freedoms, should not be equated or confused with software that does not have a price; it is possible for a company to charge a price for Free Software, just as it is possible for a company to give away its own proprietary software at no cost. Also, just because software is Free, does not necessarily mean it is not subject to copyright; one method used to protect Free Software is to make it subject to a “copyleft” license, such as the GNU GPL License, which requires modifications to the software to be distributed under the same license, preventing persons from modifying Free Software and re-releasing it as proprietary code.

Free Software is about liberty, not price. As the FSF puts it, “[t]o understand the concept, you should think of ‘free’ as in ‘free speech,’ not as in ‘free beer’.”

The term “open source software” is often incorrectly used interchangeably with the term “Free Software”. With open source software you can usually view and modify source code, but open source software does not necessarily grant all the freedoms associated with Free Software.

Security Advantages Offered by Free Software

When selecting software to use there are often various programs available, some proprietary and others Free Software. When using any software it is essential to be able to ensure that:

  • the software indeed does what it says it does;
  • the software does not do anything malicious or contain “back doors”; and
  • the software does not contain any exploitable bugs or security flaws.

These concerns are amplified if the software is being used to perform a critical function, to protect systems or store and safeguard confidential information.

Proprietary software is developed in a closed fashion by a limited development team. Nobody has the right or the ability to examine the source code. This means that you are putting your trust in the software’s development team. Unfortunately trust can be placed in the wrong people.

How certain can you be that your encryption software does indeed encrypt your data using the algorithm that it says it does? Does the encryption program implement the algorithm correctly? Does your software phone home or otherwise send requests or information to an unknown server? Does your software contain intentional back doors to allow third parties or law enforcement to circumvent security? Is your software free from security vulnerabilities that can be exploited?

These concerns are addressed by Free Software.

First, with Free Software you can be certain that the software does indeed do what it purports to do. The source code is available and users are able to examine exactly what the software does and how it aims to do it.

Secondly, because users are able to examine the source code, any intentional back doors built into the software can be more easily discerned and anything malicious in the software can be identified.

Thirdly, serious security flaws can be quickly identified and addressed. Linus’s Law, named in honour of Linus Torvalds, is “given enough eyeballs, all bugs are shallow”. Free Software is often developed by extremely large groups of people; for example, the latest Linux report states that more than ten thousand people have contributed to the Free operating system. Arguably the large number of people actively combing through, improving and adding to the software source code weeds out many of the exploitable bugs and security flaws.

Some opponents of Free Software argue that having code open for inspection makes software less secure, because it allows people to look at the software code, find flaws and exploit them. This is an argument in favour of “security through obscurity”, an argument that a security flaw in code is acceptable as long as it is hidden and nobody can easily see it. Security through obscurity is never a good idea, as it works on the premise that would-be attackers are not looking for vulnerabilities that exist in the proprietary software.

Unfortunately no software can ever provide a guarantee that it is one hundred percent secure, but it should not be necessary to place your trust in a group of developers who may not have your best interests in mind. With Free Software you don’t have to trust so blindly.

Edit: A fascinating perspective on the topic of trusting code is given in this speech by Ken Thompson, published in Communications of the ACM, August 1984, Volume 27, Number 8, entitled “Reflections on Trusting Trust: To what extent should one trust a statement that a program is free from Trojan horses? Perhaps it’s more important to trust the people who wrote the software”.

“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect …”


How Existing Human Rights Law Applies to Modern Digital Surveillance

A group of worldwide privacy organizations and advocates has adopted and released a document entitled “The International Principles on the Application of Human Rights to Communications Surveillance”.

The document sets out how existing international human rights law applies in the digital environment and details thirteen principles that must be adhered to by any government in order to comply with current international law.

Importantly, the document addresses the distinction between collection of the content of a communication and the collection of the “communications metadata”, and concludes that the distinction between the two is no longer appropriate; metadata and other non-content data deserve equal protection because they may reveal even more about an individual than the content of the communication itself.

The thirteen principles, based on current international law, outlined in the document are summarized below.

Legality

Any limitation to the right of privacy must be prescribed by a publicly available legislative act, and subject to periodic review.

Legitimate Aim

Laws should only permit surveillance by specified state authorities.

Any surveillance must be conducted to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.

Necessity

Surveillance should not be widespread, but must be restricted only to what is necessary to achieve the legitimate aim.

Surveillance should only be conducted when it is the only method to achieve the legitimate aim, or is the method that is least likely to infringe on the person’s human rights.

Adequacy

The surveillance must be able to fulfil the legitimate aim.

Proportionality

Before any state engages in surveillance for the purposes of a criminal investigation it must establish before an independent court that:

  • there is a high degree of probability that a serious crime has been or will be committed;
  • evidence of that crime will be obtained by the surveillance;
  • other less invasive techniques have been exhausted;
  • the information gathered will be limited to that which is relevant to the alleged crime; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

If the surveillance will not put the person at risk of criminal prosecution the state must establish before an independent court that:

  • less invasive investigative techniques have been considered;
  • the information accessed will be confined to what is reasonably relevant and any excess information will be destroyed or returned; and
  • the information gathered will only be accessed by the specified authority and used only for the purposes for which permission was granted.

Competent Judicial Authority

All determinations relating to surveillance should be made by a competent, impartial and independent court which is separate from the authority conducting the surveillance.

Due Process

In the determination of human rights everyone is entitled to a fair and public hearing. The mere risk of flight or destruction of evidence shall never be considered as sufficient to justify retroactive authorization.

User Notification

Users must be notified of a decision authorizing surveillance to enable them to appeal the decision. Delay in notification is justifiable if:

  • notification would seriously jeopardize the purpose of the surveillance; or
  • authorization to delay is granted by the judicial authority; and
  • the individual is notified within a reasonably practical time period.

Transparency

States must be transparent about the use and scope of surveillance techniques used. States should publish transparency reports detailing the type and nature of surveillance, including the number of surveillance requests approved or rejected, in order for individuals to fully comprehend the scope, nature and application of the laws permitting surveillance.

Public Oversight

Independent oversight mechanisms, which have access to all potentially relevant state information including secret and classified information, must be established. This is to ensure that the state is acting within its lawful authority.

Integrity of Communications and Systems

States should not compel service providers or hardware or software providers to build surveillance capabilities into their systems; compromising security for the state always compromises general security, which would make these systems more vulnerable to attack by unauthorized third parties.

Service providers should not be compelled to collect information purely for state surveillance purposes.

Individuals have the right to express themselves anonymously, and states should not require service providers to identify their users as a precondition for providing services.

Safeguards for International Cooperation

When concluding multinational mutual legal assistance treaties, states must ensure that when the laws of more than one state apply to the communication, the law which provides the greatest protection to the individual is applied. This prevents states from circumventing their own domestic legal restrictions.

Safeguards Against Illegitimate Access

Legislation criminalizing illegal surveillance by public and private persons, and providing for significant criminal and civil penalties if contravened, must be enacted.

Legal protection must be provided to whistleblowers.

Information obtained in contravention of the principles must be inadmissible as evidence in any proceedings.
