General talk about privacy, security and FSF
- Vous devez vous identifier ou créer un compte pour écrire des commentaires
Greetings to everyone!
What I write are personal considerations that in no way want to fuel controversy but instead I would like to promote a healthy debate.
The FSF promotes using only fully free software and hardware, even recommending very old laptops without Intel ME and with open-source BIOS (Libreboot/Coreboot).
Their approach is ideologically coherent but extremely impractical and disconnected from modern computing realities.
Fully “free” hardware is outdated:
These laptops are often 10–15 years old (e.g. ThinkPad X200/X230).
They lack modern security features and are no longer supported by manufacturers.
Firmware updates are rare or nonexistent, leaving known vulnerabilities unpatched.
Free software ≠ secure software:
Just because software or firmware is free/libre doesn't mean it's actively maintained or secure against modern threats.
In fact, these niche systems may be more vulnerable, due to lack of resources and scrutiny.
True digital freedom is impossible when connected to the Internet:
Even with 100% free hardware and software, you're still relying on non-free infrastructure: ISPs, protocols, DNS servers, fiber cables, etc.
Complete control and privacy exist only in total disconnection, which is not realistic for most people.
The FSF’s stance is coherent but "paranoid":
While consistent with their values, it ignores practical trade-offs.
Choosing ancient, underpowered, and vulnerable systems in the name of freedom is counterproductive for modern users.
I think free software is about educating the individual and giving back to the community rather than expectations of security. The Free Software Movement does not endorse the idea that we are getting security through the many eyes that we don't actually have. The many eyes argument was the Open Source Movement argument, IIRC. I don't think we have many eyes, because most people can't code and don't know the difference like me about what is setuid and stickybits or whatever that have made software insecure even though the vulnerability was not the developers'.
I think we are giving up our freedom through this update to latest argument. I don't understand how are we going to expect the manufacturer to submit to our demands when we willing give in to theirs.
I do not think there is security though obscurity, which I think you argument depends on because you are essentially saying "updated non-free means no known vulnerabilities."
I don't know why you are bringing up non-free choices that we don't control of the ISP.
I am not sure why you think the FSF is paranoid when they argue for people helping each other rather than building more fortresses. I might be paranoid, there might be a paranoid individual at the FSF, I don't see it in their argument though.
Thanks for your precise and interesting comment.
Free software is certainly a valuable theoretical tool for reflection and education, but from a technical and practical perspective, it loses some advantages. According to the FSF’s guidelines, we are expected to use free software daily in practice — and that’s where certain problems arise.
The FSF’s focus is absolutely noble and right, but recommending its strict implementation can be problematic and potentially expose users to risks — precisely because freedom is the main priority, whereas security is also a crucial concern for the end user.
And to be clear, I’m not saying that proprietary software is better just because it may offer more security.
You say you don’t understand why ISPs or other nonfree external choices are being brought up — but that’s exactly the point:
If I use only free software, but then hand over all my data to a service I can’t inspect or control, I’m still giving up my freedom — even if my client is ethical.
There’s a point where my control ends — the Internet — and at that point, my freedom ends too, simply because it’s normal not to be able to control everything. And that’s okay.
But when we try to ensure that everything is free then controlled, while overlooking something just as important — like security — it starts to feel a bit paranoid.
You’re probably right that this isn’t necessarily the case with free software itself but personally, I wouldn’t be so sure.
When I asked my professor why would a company actually allow their billion dollar private piece of work (warplane design IIRC) to be on a computer that accesses the Internet, I believe her response was the Internet is so important. It's clear that our society has Internet addiction. There isn't a way that I know of to be completely in control of your real life, let alone your Internet. You can be followed by your government offline and online.
I for one hope that we still have time to elect people who can be held accountable, who put in just laws and do not follow unjust laws. I think that is the only way we be free.
That sounds incredibly hard to even happen let alone keep having happen. The vigilance you would need would be immense. And the public is not sadly willing to do such vigilance usually.
I agree with both your posts. The FSF values leave me much to be desired. I don't consider harmless blobs to decrease my freedom. Its when DRM is in place that I consider my freedom harmed. As in, stuff that is actively backdooring or limiting my freedom of what I want to do.
This however is not the FSF's understanding.
I fear the FSF's understanding is hurting software freedom. But then again, I am not sure 100% how you would even make criteria for DRM free software/hardware either.
Different people, different perspectives. Obviously ignore the corporate model though. They are like, if its good for business then suck it!
So I completely reject that model clearly.
> I agree with both your posts. The FSF values leave me much to be desired. I don't consider harmless blobs to decrease my freedom. [...]
Free software is also about fighting unjust power structure, if developer/manufacturer of a software has more power over computing than you, then it's wrong. In the case of "harmless" blobs, manufacturer still has more power over you. They can remotely change change and update the blob on your machine while you can't. This is what FSF means; you'll have less freedom than the manufacturer over your own machine!
If you keep the blob to yourself, apply it yourself, make the choice of updating it yourself, then you're in as much control over the machine as the manufacturer (after the machine has been sold). Now, it's not unjust anymore.
Ideally though, if you had the four freedoms over the blob, it would have been much better, but at least now you can imagine it to be hardware.
Sounds preposterus to me. DRM is always a bad blob, non-drm blobs are harmless.
Your viewpoint leaves me scratching my head
DRM is always a bad blob, non-drm blobs are harmless.
How do you know? Maybe the blob is a spyware. Maybe it is a backdoor. Maybe it wastes your resources mining bitcoins. Maybe it is actually DRM you do not know about. Maybe, it will command your machine to stop working in the future (forced obsolescence).
You do not know. You cannot know, by definition of a blob. But you should be allowed to know, if the blob is on your machine. It is your work you do with it. You deserve control over it.
"Harmless"? By definition, you don't control a non-free program - the developer does. Even if that non-free program does nothing else, that lack of control is harm, because it lets someone else dictate what your computer does - not you. Ever heard "code is law"? Who writes the laws your computer obeys; you or someone else? Free software says: it should be you. I encourage you to read and consider
https://jxself.org/free-firmware.shtml
>"Even if that non-free program does nothing else, that lack of control is harm, because it lets someone else dictate what your computer does"
This is a contradiction - if a non-free program does nothing then it does not dictate what your computer does, otherwise it would be doing something. A non-free program that does nothing is just taking up space, from a functional perspective. And your article that you linked does not discuss programs that do nothing.
I wonder what are the arguments against a completely non-functional non-free program residing on your system? The possibility that at some point in the future, based on some triggering event, it could wake up and start doing something? I guess that would be a concern.
The fact that it takes up space that you could otherwise be using for something useful would be an issue. Although it's rare for a computer user to use 100% of all their storage space, and the blobs in question might be quite small.
I am a translator!
Magic Banana replied to you already: You do not know. You cannot know, by definition of a blob.
You can, if you disassemble/decompile it and take the time to understand what it does. It's not easy but there are people who do it. Regardless, it's still bad that you are not allowed to modify it.
I am a translator!
In many (most?) cases, the blobs are distributed with a licence indicating that you are not allowed to disassemble or decompile them. So if you would try this, you would have not to tell anyone and even if you found anything of public interest, telling others about it might be very risky.
Assuming you don't publish any of the code, I don't think such a provision is legally enforceable unless you're circumventing DRM (or a "technological measure" as I think it's called in the DMCA).
I have been part of a community that reverse engineers the software on TI calculators, to allow them to run native code (like programs written in C/C++). The only time that TI actually went after anyone legally was when some hacker published the factors of an RSA signing key (used by TI to prevent people from installing a non-TI OS on the calculator) because that counts as circumventing a "technological measure". Otherwise it's just a cat and mouse game where someone finds a hole and exploits it (to allow users to control the software on their calculator) and TI patches the hole in the next version of their OS.
At the end of the day, I don't think the hacker that published the signing keys ever faced any consequences because he took them down, but the keys were spread all over the web, a result of the Streisand effect. I think TI learned their lesson after that.
For a more "professional" example, Coreboot developers use Ghidra and other software to reverse engineer firmware, and the Coreboot project is sponsored by Google.
By the way, if you're interested in reverse engineering at all (and I personally have only dabbled a little bit), Ghidra is really good. For the first time we have free software reverse engineering tools that are actually competitive with the proprietary ones. It was developed by the NSA though.
I am a translator!
> Coreboot developers use Ghidra and other software to reverse engineer firmware
Do you know what software they reverse engineer? To me, one problem is that, if a company like Intel sues a developer, even if legally the developer can provide evidence that they did not do anything illegal, Intel has sufficient financial power to make the developer's situation very difficult for many years by claiming breach of many laws and paying experts to support their claims. If a company like Google is sponsoring a project, I guess it makes the situation rather different as the companies know that by suing a developer of the project, they may soon be fighting against Google.
You can read about it here: https://blogs.coreboot.org/blog/2019/06/04/gsoc-ghidra-firmware-utilities-weeks-1-2/
The typical strategy to avoid legal issues is clean-room reverse engineering: one person (or team) examines the system and writes a specification, without any copyrighted material included. Another person writes an implementation of the specification. Since there's no connection between the two people besides the specification, none of the copyrighted code gets included in the reimplementation.
What part of this did you not understand - maybe my English was not clear?
"This is a contradiction - if a non-free program does nothing then it does not dictate what your computer does, otherwise it would be doing something."
We are talking about a non-free program that does nothing. Magic Banana is talking about a non-free program that does do measurable or observable things. And none of that defines what a blob is. A blob is just a descriptive term. Some blobs are just arrays of numbers which are intended as inputs in other programs.
I didn't say "does nothing" - I said "does nothing else." The point is: even without DRM or spying, a non-free program still denies your control. That's harm in itself.
"I wonder what are the arguments against a completely non-functional non-free program..."
No need to entertain that - if it truly does nothing, replacing it with a free program would be faster than debating it.
Good enough.
Perhaps I should say it this way, if a blob does nothing harmful besides what you just said, it might as well be non-functional data.
And I recall FSF considers this a non-issue.
non-functional data is a non-issue I mean.
If there is no DRM functionality, how is it any different from non-functional data?
Can you explain that to me?
I don't quite understand where your thinking is coming from.
Unless it is some ideological purity type stuff. Although even then, I am a bit puzzled why that specifically matters so much more than DRM in general.
There's a specific definition for Non-functional Data in the FSDG. For an example, BASH doesn't contain DRM. It's still a software; not "non-functional data". The key difference: non-functional data doesn't run; software does. If it runs, it acts - it enforces rules. DRM or not, that's control, and if it's non-free, not your control. That's the issue. The FSF has never excused non-free software under the notion that a non-free program without DRM is "non-functional data".
"non-drm blobs are harmless."
You may be interested in this for how non-free software has caused harm:
https://softwarefreedom.org/podcast/2010/jul/20/episode-0x2c-eben-software-liability/
I encourage you to listen. If you dare.
Unfortunately, there is no guarantee that free software will not cause harm.
Free software can contain serious vulnerabilities, with significant impacts on security and operations. The legal liability of the authors is often limited or nonexistent, due to the disclaimers included in free software licenses. If many developers contribute to a free software project, it becomes even harder to determine who is responsible.
Paradoxically, a user of proprietary software often has more legal avenues for recourse (refunds, replacement, support), whereas in the GPL world:
"You use it at your own risk."
Even if a bug causes enormous damage, you cannot sue anyone—so the user is left to fend for themselves. Unfortunately, freedom does not guarantee security, nor code review, nor quality.
Not arguing free software is "safe" - just that proprietary software without DRM isn't "harmless" as claimed, but Eben Moglen addresses that best in his speech.
Hmm... i hadn't realized that non-free software without drm isn't non functional data.
I guess there is much i don't know yet.
I'm kind of confused about why you keep bringing up DRM. Even for people who don't care about software freedom, there are a lot of harmful things that software can do besides DRM.
For example, the Replicant team once found a backdoor in a blob found on Samsung mobile devices: https://www.fsf.org/blogs/community/replicant-developers-find-and-close-samsung-galaxy-backdoor
To be fair, it might not be the case that this was added maliciously by Samsung. But it's bad either way.
Actually, built in malware is DRM as far as I am concerned.
All the abuses listed on gnu.org/malware
are DRM in my opinion.
So thats why I said what I said.
That is not what DRM means though: DRM is specifically technology that restricts the user from copying or sharing books, movies, etc.
Hmmm... well my understanding was DRM is any anti feature like malware built in. If I am wrong, perhaps I need to rephrase what I mean.
In which case, anti-features in software and hardware is what I detest.
That to me is built in malware and is unacceptable.
That make more sense?
I hadn't realized DRM was so limited in scope as to what was called DRM.