Librethreat Database
  
   Summary
 Summary: a database of threats to libre software, modelled on a malware threat database (especially threats that can be used to compromise the software itself)
 Tivoisation 
 Threat type: License circumvention
 Affects: Devices, copyleft
 Recognised by: Most free software advocates
 Also recognised by FSF: Yes
 Summary: GPL2 is not strong enough to stop DRM/TPM from preventing device owners changing the operating system on their devices
 Mitigation: Migrate to GPL3
 Examples: Tivo
 Cloud 
 Threat type: Hybrid (Marketing, Technology category)
 Affects: Privacy, freedom, control by the user
 Recognised by: Many
 Also recognised by FSF: Yes
 Summary: There is no cloud, only someone else's computer (so you have no control over your computing)
 Mitigation: To be very sceptical of / avoid relying on / boycott "cloud" solutions
 Examples: Adobe, Microsoft Github, countless others
 Punix 
 Threat type: Broad category
 Affects: Free software development, stability and reliability, autonomy, organisational structure
 Summary: EEE of free software projects, Infiltration of organisations that offer free software
 Recognised by: freelabs federation
 Also recognised by FSF: Not officially, at least
 Mitigation: PONIX! Also avoid / fork / replace / document examples of Punix in software, assist Hyperbola and Guix developers
 Examples: Pending
 Redix 
 Threat type: Broad category
 Affects: Free software development, stability and reliability, autonomy, organisational structure
 Summary: Disruption of POSIX, EEE of free software projects, Infiltration of organisations that offer free software
 Recognised by: freelabs federation, some critics of Systemd
 Also recognised by FSF: No
 Mitigation: Avoid / fork / replace / document examples of Redix in software, use Systemd-free distros, assist Hyperbola developers
 Examples: Pycon, Systemd
 Infinite scrolling 
 Threat type: Semi-malicious UI design
 Affects: Mostly websites, Server-side software
 Summary: Deliberately addictive design that not only psychologically manipulates the user to keep scrolling, but also makes it difficult to navigate pages or reach the bottom of a page (when there is one)
 Recognised by: Advocates of users, good design, ethics
 Also recognised by FSF: Unknown
 Mitigation: To boycott / avoid webpages that use infinite scrolling, create plugins that turn high-profile pages that use it into paginated pages / demand old-fashioned paging as an option from webmins
 Examples: Twitter, wordpress.com (includes some limited mitigation/option), Diaspora, many others
 Gratuitous interdependency 
 Threat type: Semi-malicious design attack / development disruption
 Affects: Existing modularity, user freedom, free software development / packaging / vital software that lots of people rely on
 Summary: Grab lots of stable projects and deprecate/rework them into something more monolithic / EEE design tactics
 Recognised by: Steve Litt, freelabs federation, some critics of Systemd
 Also recognised by FSF: Very unlikely (or in very limited/historical context)
 Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics against high-profile free software projects
 Examples: Systemd, PulseAudio, GNOME (GNOME does not strictly depend on Systemd, these are three separate examples)
 Framework attack 
 Threat type: Semi-malicious design attack / development disruption
 Affects: Free software development / UX / UI, sometimes for years at a time
 Summary: Replace a mature and stable framework with a new shiny one and send devs scrambling to make reliable software work again
 Recognised by: Steve Litt, freelabs federation 
 Also recognised by FSF: No (except when the framework is non-free, of course)
 Mitigation: To be sceptical of unnecessary framework replacement, to maintain forks (if possible) of versions with old framework until new one is reliable / maintain LXDE
 Examples: Systemd, LibreOffice, LXQT (non-malicious example, can't blame them for not wanting GTK3)
 Framework / dependency hijacking 
 Threat type: development disruption
 Affects: Free software development, stability, UX / UI, sometimes for years at a time
 Summary: Similar to a framework attack, except that one happens from inside a project and this one happens upstream
 Recognised by: Anybody that doesn't like GNOME, people who prefer GTK2, Python2 users
 Also recognised by FSF: No (except when new versions of the framework become non-free, of course)
 Mitigation: Modest or conservative dependency usage / minimal design / design that is compatible with at least 2 or more frameworks, a choice of two default configurations (one that gets as close as possible to the previous version to allow a smoother transition)
 Examples: GTK3, Themed applications
https://framasphere.org/uploads/images/scaled_full_1033d2f64866dafcd9b7.png
 Code of Conduct 
 Threat type: development disruption, social
 Affects: communication, software development, organisations
 Recognised by: Some free speech advocates, some free software advocates, freelabs federation, Eric S. Raymond
 Also recognised by FSF: Not necessarily (though the KIND guidelines suggest a possibility)
 Summary: Can be abused to stifle and silence important feedback
 Mitigation: Adopt more reasonable version, avoid altogether, address same problems that CoC aims to, but with more allowance for free speech and diversity of opinion
 Examples: FreeBSD Code of Conduct
 Bigotry, hate, discrimination 
 Threat type: development disruption, social
 Affects: communication, software development, organisations
 Recognised by: freelabs federation, Most free software advocates
 Also recognised by FSF: Yes
 Summary: Can silence important feedback or punish/hurt people just for their differences
 Mitigation: Work together to help prevent and counteract discrimination
 Examples: insisting any gender is ill-suited to coding or technology use/creation, harassing people for being trans
 AI-assisted software engineering 
 Threat type: Design attack/ design disruption / highly speculative
 Affects: Security, maintainability, human software development
 Summary: If AI is already being used to cut corners in engineering, it can be used to plan and assist the implementation of disruptive software redesign-- key points of stability can be determined and undermined, AI could be used to introduce weaknesses in overall design as well as code
 Recognised by: Science fiction authors, perhaps
 Also recognised by FSF: Not yet
 Mitigation: Not much needed, it is largely hypothetical and proposed as a thought experiment-- it would be interesting though, for someone to create an AI that invents scenarios that threaten software freedom
 Examples: only hypothetical ones-- suppose you had AI map out a software project as a video game, and then wanted to introduce "baddies" that gradually overwhelm developers-- AI can be used for planning, it can be used to drive enemy characters, it should be possible to use it for creating subtle and increasing disruption in software development http://www.primaryobjects.com/2015/11/06/artificial-intelligence-planning-with-strips-a-gentle-introduction/
 Co-opting charities 
 Threat type: Development disruption, social
 Affects: Communication, software development, organisations
 Summary: Some FLOSS-related and non-free software-related companies have complementary non-profit and commercial organisations; that isn't the problem in itself, though it is a problem when they co-opt charities to promote non-free software
 Recognized by: Techrights, some public schoolteacher/activists, freelabs federation
 Also recognized by FSF: At least as much as you would expect
 Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics combined with public charity organisations
 Examples: Influence and changes in both public education and OLPC
 Apathy 
 Threat type: Development disruption, social
 Affects: Communication, software development, organisations
 Summary: Deface Wikipedia, get called a bastard; but deface free software projects and take over related organisations, get named a "contributor" and people saying "it's not our problem"-- as the problems get larger, why are advocates getting quieter?
 Recognized by: Techrights, freelabs federation, most likely some people from Dyne or Devuan also
 Also recognized by FSF: To be determined
 Mitigation: Avoid / boycott / document / stand against projects and companies that use EEE-like tactics against high-profile free software projects and organisations
 Examples: Systemd, Many free software advocates
 Appliance-like Distributions 
 Threat type: Hybrid (technical restriction, design disruption, marketing, OEM abuse)
 Affects: Security, maintainability, privacy, freedom, control by the user
 Summary: Some distros seem to be designed with building more restrictions into the user experience as a priority-- making GNU/Linux better simulate or act as a non-free platform. "Distros like this are the killshot for GNU/Linux, the triumph of Open Source over freedom" -- Ted MacReilly
 Recognized by: freelabs federation
 Also recognized by FSF: Yes, to the degree that they include non-free software
 Mitigation: AVOID platforms that are more locked down than traditional GNU/Linux, document restrictions inherent and endemic to those platforms, encourage people to mitigate those restrictions and remove compromised features (F-droid, AOSP, Android without Google)
 Examples: Chrome OS, Endless OS, Android, Elementary OS 
 Digital Restrictions, other malware in kernel 
 Threat type: Technical restriction, design disruption
 Affects: Security, privacy, freedom, control by the user
 Summary: Handing control of the Linux kernel over to compromised developers could result in anti-features
 Recognized by: freelabs federation, Techrights, others
 Also recognized by FSF: One would hope they would treat fixing this as a priority if it happened
 Mitigation: Reject DRM in other products to show a firm stance from users, expand Linux-libre scripts to remove Digital Restriction Malware
 Examples: proposals for DRM in Linux kernel already exist
 GNOME 
 Threat type: Treacherous Anti-Free-Software organisation
 Affects: Security, freedom, design
 Summary: Corruption among high-profile people in GNOME so extensive, sustained that it should be considered a feature
 Recognized by: Who agrees?
 Disputed by: (let us know)
 Also recognized by FSF: No, but Stallman did call de Icaza a traitor
 Mitigation: Reduce reliance on software from GNOME, Examine corruption endemic to the project, Fight systemd, Make people more aware of the history of GNOME abuses, Reinstate Stallman, Kick GNOME out of the GNU project, Kick corrupt people out of GNOME.
 Examples: Supporting and promoting Mono, de Icaza's treachery and defecting to Microsoft, Stormy Peters defecting to Microsoft, de Blanc's conflict of interest (OSI, Debian) creating systemd dependencies, taking money for "defending" from patent attacks in a way that harms GNOME and Free Software simultaneously.
 More information:  https://debian.community/mollamby-conflict-of-interest-privacy/ https://debian.community/fragmentation-and-maturity-in-debian/ https://debian.community/feed.xml 
 Clickbait defamation 
 Threat type: Social, Economic, Organisational
 Affects: Organisational stability, social standing of developers and free software leaders
 Summary: Mainstream media (MSM) attacking free software developers and leaders with a very modern attack based on the contemporary ways in which consumers read and share news stories; deliberate dishonesty is a key factor
 Recognized by: Lawrence Lessig, freelabs federation
 Also recognized by FSF: At least a small but significant part of it
 Mitigation: at least boycott sources that use Clickbait for character assassination and to imply things that would traditionally set off a defamation suit if said outright
 Examples: Forbes, Vice coverage of rms in 2019
 Malicious hardware and firmware 
 Threat type: Design attack / development disruption 
 Affects: User freedom, free software development, security 
 Summary: Harmful features that affect the user even if they reinstall the operating system 
 Recognized by: Techrights, Mark Shuttleworth, freelabs federation, free software advocates 
 Also recognized by FSF: Yes 
 Mitigation: Avoid / boycott / research / modify / document such hardware 
 Examples: Lenovo firmware payloads, ACPI vulnerabilities and exploits
 Academia 
 Threat type: Hybrid (Surveillance, Marketing)
 Affects: Privacy, freedom, control by the user
 Recognised by: ?
 Also recognised by FSF: ?
 Summary: Modern universities have unethical practices that include requiring students to install malicious and privacy-destroying software on their PCs.
 Mitigation: Find universities that don't use this software; replace academia with something that actually respects human rights
 Examples: > 1000 campuses across the world and growing
NOTE:
The four freedoms allow unrestricted modification and redistribution of software.
This database is not about making the 4 freedoms invalid or less important.
This database is a list of attacks that could be used to disrupt or lower the quality of existing free software projects (Distributions, high-quality applications, organisations, and user freedom that is more abstract than the 4 freedoms.)
These attacks are not always a threat-- they depend on context and the level of mitigation. Being able to change and redistribute (and sometimes choose alternatives to) the software is a requirement for mitigating these attacks, but there is a categorical difference between "the problem can be solved because the source is right there" and "the problem does not exist." It exists until you can actually solve it, of course-- and until you or someone actually does.
Licensing cannot mitigate all of these attacks, because to try to mitigate all of these attacks in the license would interfere/clash with the 4 freedoms necessary to be a free software license.
These attacks can only be mitigated by the cost of freedom itself: eternal vigilance, free and open debate, plus educated, well-informed users. It also requires understanding and integrity on the part of developers.