Thursday, February 11, 2016

“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive | Ars Technica

“Huge” number of Mac apps vulnerable to hijacking, and a fix is elusive | Ars Technica: Fellow researcher Simone Margaritelli has developed a technique that streamlines the attack by allowing it to work with the Metasploit exploit framework. He showed how he could exploit the vulnerability on a fully patched Mac running the latest version of the VLC Media Player. VLC developers released an update three days ago that patches the vulnerability so that the attack no longer works against the latest version.
Patch your VLC, people:

http://www.videolan.org/vlc/download-macosx.html

Tuesday, February 9, 2016

Why Stack Overflow Doesn’t Care About Ad Blockers – Stack Overflow Blog – A destination for all things related to development at Stack Overflow

As an interesting follow-on to Wired's article earlier today, see this post by StackOverflow regarding its advertising policy:

But really: anything that doesn’t speak specifically to the Stack Overflow audience is not permitted. We also don’t accept rich media like animated ads, expandable ads, or video, which are the norm for most publishers today. This strict policy means we leave money on the table, but our team wants to protect Stack Overflow from those kinds of ads, as they run the risk of alienating that established trust.
For those of you that don't know, StackOverflow is a forum where users go to post software development / programming questions and answers. It is one of the single most valuable resources available to any developer out there - I have used it more times than I care to count. To put it mildly, they have very high street cred, and this policy seems totally consistent with that reputation.



Well done, StackOverflow.

How WIRED Is Going to Handle Ad Blocking | WIRED

How WIRED Is Going to Handle Ad Blocking | WIRED: You can subscribe to a brand-new Ad-Free version of WIRED.com. For $1 a week, you will get complete access to our content, with no display advertising or ad tracking.
The above article mentions that WIRED now allows you to easily whitelist its site, or, for $1 a week, you can have an ad-free viewing experience.



While I do not think this is a perfect solution, I think it is a huge step in the right direction, made in good faith. Importantly, it recognizes something so fundamental that so many other subscription services do not seem to grasp:



If I pay for a subscription, it must be both advertisement free and not track my data.



Any other stance is simply going to result in more users using ad-blockers or resorting to more aggressive forms of content-piracy. To be completely frank, it is why I do not, and will not, pay for Hulu.



Kudos, Wired. Here's hoping other publications follow suit.


Monday, January 18, 2016

Apple is not Vertically Integrated (Response to 'Why Big Companies Keep Failing: The Stack Fallacy' | TechCrunch)

Why Big Companies Keep Failing: The Stack Fallacy | TechCrunch: Apple continues to successfully integrate vertically down  — building chips, programming languages, etc., but again has found it very hard to go up the stack and build those simple apps — things like photo sharing apps and maps.


This is super confusing to read from TechCrunch. Surely @anushublog is aware of the fact that Apple is not an OEM and is actually nowhere near vertically integrated? They are a design shop, and up until very recently, 100% of their manufacturing was outsourced.



Additionally, one of Apple's core competencies is its software - iPhoto is actually great. Apple Maps is not amazing - but certainly way better than it used to be. Apple's messenger app is great. Its mail app is great. Its video editing software (Final Cut Pro) and music editing software (Logic Pro) are actually industry standards.



This is pretty careless, IMO. Maybe the point is that Apple is bad at making social-media apps? Well, maybe. But they likely make more money off of social media apps than ~99% of social media app publishers, due to their ownership of the App Store.



That aside, the fundamental point of the article - that Product Management is very hard - is a good lesson.

Friday, August 22, 2014

No, Wired - The Internet is Actually Pretty Safe

Wired ran this article today:

The Internet Is Way Too Fragile and Insecure. Let's Build a New One


Featuring this:

You may have had the bad luck of being stuck on a runway when a router failure in Utah grounded commercial flights around the country for several hours. Or maybe you were frustrated by not being able to access government websites the day the .gov domain administration had a glitch in its system. These minor mishaps over the past decade are early rumblings of an uncomfortable truth: The Internet is more fragile than it appears.

The problems with the .gov websites and the FAA were caused by accidents, but such accidents can have widespread effects. In 2008, censorship efforts by the government of Pakistan unintentionally caused YouTube to become inaccessible throughout the world. In another incident in 2010, much of the Internet was rerouted through China for a few hours, including traffic between US military sites. China Telecom plausibly claimed this was also an accident, but scenarios like this could be easily arranged.

Well, two main problems here:

1. As the article admits, those were human errors. A secure internet is never going to fix PEBKAC.
2. You may remember that recently there were reports of a Russian gang stealing over a billion passwords. Bruce Schneier, world-renowned security expert, had this to say in his recent Cryptogram:

I don't know how much of this story is true, but what I was saying to reporters over the past two days is that it's evidence of how secure the Internet actually is. We're not seeing massive fraud or theft. We're not seeing massive account hijacking. A gang of Russian hackers has 1.2 billion passwords -- they've probably had most of them for a year or more -- and everything is still working normally. This sort of thing is pretty much universally true. You probably have a credit card in your wallet right now whose number has been stolen. There are zero-day vulnerabilities being discovered right now that can be used to hack your computer. Security is terrible everywhere, and it's all okay. This is a weird paradox that we're used to by now.

On this count, I am going to side with Schneier.


9th Circuit Takes Closer Look at Arbitration Clauses in Browsewrap Agreements

This decision was handed down by the 9th Circuit the other day, which, for those who follow such things, covers all of California, and is of extremely high importance for the entire tech industry as a result.

Let's summarize why it is important:

1. Browsewrap contracts have traditionally been upheld as valid by the Courts - this means that when you click "I Agree" when signing into a website or installing a piece of software, you are, in fact, agreeing to the dozens of pages of legalese you absolutely have not read.

2. Recently, big companies have been inserting a variety of very troubling, anti-consumer clauses into such contracts, including mandatory arbitration clauses and waiver of right to join class action suits.

(2) has been very troubling, because recently, the Supreme Court basically upheld the notion that by entering a shrinkwrap or browsewrap contract, you can agree to waive your right to participate in a class action suit, and instead have the dispute move to arbitration. This is bad for consumers because, as customers of corporations themselves, arbitration bodies have a very strong incentive to side with corporations over consumers in order to get repeat business.

What is interesting in the above linked case, however, is that the Court basically said that the arbitration clause itself, as opposed to a clause about waiving the right to participate in a class action suit in favor of arbitration, was being thrown out, with the reasoning of "Seriously... who reads those things!?" In other words, the Court said that a browsewrap contract that doesn't bring the mandatory arbitration clause to the forefront gives insufficient notice to the consumer - a very interesting ruling.

SCOTUS is the next step on this particular train - as it has the ability to undo a troubling history of the overreach of browsewrap contracts. It is yet to be seen how SCOTUS will rule on it - given the very pro-corporate history of its browsewrap and shrinkwrap agreements, I'm not holding my breath - but this decision has the possibility to wind back the clock a few steps in the favor of the average web consumer. It may also wind up, however, that next time you buy something on B&N you agree once to a clickwrap contract - and then hit "I Accept" a second time specifically when agreeing to arbitration language. Only time will tell.

Friday, May 30, 2014

Commercializing Open Source Licenses

Nearly a year ago in this blog, I had a post up arguing that Richard Stallman's position on the necessity of using strong copyleft licenses to protect the open source movement was misguided. I'm following that post, now, by explaining that, in fact, not only are strong copyleft licenses inappropriate for certain business cases, but, in others, they are a powerful tool in the monetization of commercial software - where Stallman seems to want to live in a world where copyleft licenses exist only to promote the open source movement as a whole. Let's review:

A "strong" copyleft license is a software license that requires all distributed derivative works of that software to be licensed under the same terms as the original license, which typically includes distribution of source code. E.g. GPL.

A "weak" copyleft license may allow works that are bundled with the original software to be distributed under a different license, as long as the original copyleft software remains unaltered and under the same license. E.g. BSD, MIT, Apache, LGPL (to a lesser extent).

Stallman has argued that unless we all use GPL for all of our libraries, the open source movement will be eaten by the commercial software industry. He is wrong for three sets of reasons:

1. In many circumstances, the GPL is fundamentally incompatible with business needs, and these business needs are simply not going away.
2. The free and open source movement has been shown to co-exist harmoniously with the proprietary, commercial software industry.
3. Strong copyleft licenses have been a powerful tool for the commercialization of proprietary commercial software, under a scheme of dual licensing, totally turning Stallman's vision for the GPL on its head.

(1) Business Needs
If you are distributing software that has trade secrets embedded in source code, clearly, a strong copyleft license would be inappropriate, as it would require public disclosure of trade secrets. Such a trade secret could be anything from a financial hedging algorithm or controls of precision machinery, to graphics processing or even your secret fantasy football handicapping scheme. Laying your code bare would give all these secrets away, which, from a trade secret law perspective, would invalidate their standing as trade secrets. This is a big no-no.

Additionally, the terms of the Apple App Store make it very difficult to include GPL licensed software in apps. For instance, the App Store may distribute your software outside of the United States, and the GPL requires that you cannot restrict licenses for GPL licensed software, which includes geographic restrictions. So, if you are distributing software that has export restrictions, either due to technology, agreement, or privacy laws, you find yourself in a very tricky situation. It is navigable with clever engineering and proper lawyering, but it is an enormous headache.

(2) Harmonious Coexistence with Commercial Software
As stated in previous posts, the Ruby on Rails community basically lives off of the MIT, BSD and Ruby licenses, all of which are weak copyleft licenses. This is simply a fact that cannot be disputed. It may be the case that when Stallman first founded the GNU foundation, strong copyleft licenses were a necessity for the success of Linux - given the nature of the atmosphere back then, with only a few large companies controlling the balance of commercially viable developers. However, as time has passed, the number of developers has grown tremendously, and they are not all controlled by a handful of old-world corporations. As a result, there are now many totally viable motivations for contributing to open source projects beyond mere legal compulsion to do so - the Apache foundation is an excellent example of this motivation. Quite simply, developers enjoy having access to tools with large user bases, the prestige and reputation of being an open source contributor, which may further a commercial career, and the sense of community that comes with being part of an open source project.

(3) Dual Licensing
Stallman has accepted that while Dual Licensing is legal, he is not a fan. In essence, Dual Licensing (in certain circumstances called the Single Vendor Commercial Open Source Business Model) is where a company makes its proprietary software available under the GPL and also under a commercial, proprietary license. MySQL is an excellent example of the success of this model. It can be thought of as a type of "freemium" model - as long as you are not distributing your software, you are free to use, study and modify GPL licensed software pretty much to your heart's content. This allows for academic use, and purely internal commercial use, e.g., a hedge fund can download MySQL and use it internally, modifying it as much as they want, without worrying about the copyleft provisions. However, if they want to license their hedge-fund approved version of MySQL, but don't want to release their entire codebase to the public, they need to pay Oracle for a commercial license. This is precisely what happened to MySQL, which has very successfully used dual licensing to create a substantial business.

In the end, I think that it is clear that strong copyleft software has a permanent place in commercial applications - but I also believe that at this point, the alternative motivations for contributing to open source software - beyond mere legal compulsion to do so - are more than sufficient to allow for a vibrant weak copyleft open source community to thrive.

However, if you are considering integrating GPL code into your proprietary, commercial software before it ships, I highly suggest you find a very competent lawyer.