Librethreat Database

From Techrights


Revision as of 17:02, 17 July 2019

Summary: malware-threat-like database of threats to libre software (especially those that can be used to compromise software itself)


Tivoisation

  • Threat type: License circumvention
  • Affects: Devices, copyleft
  • Recognised by: Most free software advocates
  • Also recognised by FSF: Yes
  • Summary: GPL2 is not strong enough to prevent DRM/TPM from being used to stop device owners changing the operating system on their devices
  • Mitigation: Migrate to GPL3
  • Examples: Tivo

Cloud

  • Threat type: Hybrid (Marketing, Technology category)
  • Affects: Privacy, freedom, control by the user
  • Recognised by: Many
  • Also recognised by FSF: Yes
  • Summary: There is no cloud, only someone else's computer (so you have no control over your computing)
  • Mitigation: To be very sceptical of / avoid relying on / boycott "cloud" solutions
  • Examples: Adobe, Microsoft Github, countless others

Redix

  • Threat type: Broad category
  • Affects: Free software development, stability and reliability, autonomy, organisational structure
  • Summary: Disruption of POSIX, EEE of free software projects, Infiltration of organisations that offer free software
  • Recognised by: Free Media Alliance, some critics of Systemd
  • Also recognised by FSF: No
  • Mitigation: Avoid / fork / replace / document examples of Redix in software, use Systemd-free distros, assist Hyperbola developers
  • Examples: Pycon, Systemd

Infinite scrolling

  • Threat type: Semi-malicious UI design
  • Affects: Mostly websites, Server-side software
  • Summary: Deliberately addictive design not only psychologically manipulates the user into continuing to scroll, it also makes it difficult to navigate pages or reach the bottom of a page (when there is one).
  • Recognised by: Advocates of users, good design, ethics
  • Also recognised by FSF: Unknown
  • Mitigation: To boycott / avoid webpages that use infinite scrolling, create plugins that turn high-profile pages that use it into pages / demand old-fashioned paging as option from webmins
  • Examples: Twitter, wordpress.com (includes some limited mitigation/option), Diaspora, many others

Gratuitous interdependency

  • Threat type: Semi-malicious design attack / development disruption
  • Affects: Existing modularity, user freedom, free software development / packaging / vital software that lots of people rely on
  • Summary: Grab lots of stable projects and deprecate/rework them into something more monolithic / EEE design tactics
  • Recognised by: Steve Litt, Free Media Alliance, some critics of Systemd
  • Also recognised by FSF: Very unlikely (or in very limited/historical context)
  • Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics against high-profile free software projects
  • Examples: Systemd, PulseAudio, GNOME (GNOME does not strictly depend on Systemd, these are three separate examples)

Framework attack

  • Threat type: Semi-malicious design attack / development disruption
  • Affects: Free software development / UX / UI, sometimes for years at a time
  • Summary: Replace a mature and stable framework with a new, shiny one and send developers scrambling to make reliable software work again
  • Recognised by: Free Media Alliance
  • Also recognised by FSF: No (except when the framework is non-free, of course)
  • Mitigation: To be sceptical of unnecessary framework replacement, to maintain forks (if possible) of versions with old framework until new one is reliable / maintain LXDE
  • Examples: Systemd, LibreOffice, LXQT (non-malicious example, can't blame them for not wanting GTK3)

Framework / dependency hijacking

  • Threat type: development disruption
  • Affects: Free software development, stability, UX / UI, sometimes for years at a time
  • Summary: Similar to a framework attack, except that a framework attack happens from inside a project and this happens upstream
  • Recognised by: Anybody that doesn't like GNOME, people who prefer GTK2, Python2 users
  • Also recognised by FSF: No (except when new versions of the framework become non-free, of course)
  • Mitigation: Modest or conservative dependency usage / minimal design / design that is compatible with at least two frameworks, choice of two default configurations (one that gets as close as possible to the previous version to allow a smoother transition)
  • Examples: GTK3, Themed applications

Code of Conduct

  • Threat type: development disruption, social
  • Affects: communication, software development, organisations
  • Recognised by: Some free speech advocates, some free software advocates
  • Also recognised by FSF: Not necessarily (though the KIND guidelines suggest a possibility)
  • Summary: Can be abused to stifle and silence important feedback
  • Mitigation: Adopt more reasonable version, avoid altogether, address same problems that CoC aims to, but with more allowance for free speech and diversity of opinion
  • Examples: FreeBSD Code of Conduct

Bigotry, hate, discrimination

  • Threat type: development disruption, social
  • Affects: communication, software development, organisations
  • Recognised by: Free Media Alliance, Most free software advocates
  • Also recognised by FSF: Yes
  • Summary: Can silence important feedback or punish/hurt people just for their differences
  • Mitigation: Work together to help prevent and counteract discrimination
  • Examples: insisting any gender is ill-suited to coding or technology use/creation, harassing people for being trans

AI-assisted software engineering

  • Threat type: Design attack/ design disruption / highly speculative
  • Affects: Security, maintainability, human software development
  • Summary: If AI is already being used to cut corners in engineering, it can be used to plan and assist the implementation of disruptive software redesign-- key points of stability can be determined and undermined, AI could be used to introduce weaknesses in overall design as well as code
  • Recognized by: Science fiction authors, perhaps
  • Also recognized by FSF: Not yet
  • Mitigation: Not much needed, it is largely hypothetical and proposed as a thought experiment-- it would be interesting though, for someone to create an AI that invents scenarios that threaten software freedom
  • Examples: only hypothetical ones-- suppose you had AI map out a software project as a video game, and then wanted to introduce "baddies" that gradually overwhelm developers-- AI can be used for planning, it can be used to drive enemy characters, it should be possible to use it for creating subtle and increasing disruption in software development http://www.primaryobjects.com/2015/11/06/artificial-intelligence-planning-with-strips-a-gentle-introduction/

Co-opting charities

  • Threat type: Development disruption, social
  • Affects: Communication, software development, organisations
  • Summary: Some FLOSS-related and non-free software-related companies have complementary non-profit and commercial organisations; that isn't the problem in itself, though it is a problem when they co-opt charities to promote non-free software
  • Recognized by: Techrights, some public schoolteacher/activists, Free Media Alliance
  • Also recognized by FSF: At least as much as you would expect
  • Mitigation: Avoid / boycott / document / stand against projects that use EEE-like tactics combined with public charity organisations
  • Examples: Influence and changes in both public education and OLPC

Apathy

  • Threat type: Development disruption, social
  • Affects: Communication, software development, organisations
  • Summary: Deface Wikipedia, get called a bastard; but deface free software projects and take over related organisations, get named a "contributor" and people saying "it's not our problem"-- as the problems get larger, why are advocates getting quieter?
  • Recognized by: Techrights, Free Media Alliance, most likely some people from Dyne or Devuan also
  • Also recognized by FSF: To be determined
  • Mitigation: Avoid / boycott / document / stand against projects and companies that use EEE-like tactics against high-profile free software projects and organisations
  • Examples: Systemd, Many free software advocates

NOTE:

The four freedoms allow unrestricted modification and redistribution of software.

This database is not about making the 4 freedoms invalid or less important.

This database is a list of attacks that could be used to disrupt or lower the quality of existing free software projects (Distributions, high-quality applications, organisations, and user freedom that is more abstract than the 4 freedoms.)

These attacks are not always a threat-- they depend on context and the level of mitigation. Being able to change and redistribute (and sometimes choose alternatives to) the software is a requirement for mitigating these attacks, but there is a categorical difference between "the problem can be solved because the source is right there" and "the problem does not exist." It exists until you can actually solve it, of course-- and until you or someone actually does.

Licensing cannot mitigate all of these attacks, because to try to mitigate all of these attacks in the license would interfere/clash with the 4 freedoms necessary to be a free software license.

These attacks can only be mitigated by the cost of freedom itself: eternal vigilance, free and open debate, plus educated, well-informed users. It also requires understanding and integrity on the part of developers.
