
Posts Tagged ‘ubuntu’

Thoughts on Linux and so-called Secure Boot.

January 23, 2012

DRM, fun for the whole Family License Pack

The uEFI Forum is largely a bunch of SOPA promoters hoping to turn your PC into a locked platform using DMCA anti-circumvention laws.

Unfortunately, the next-generation boot firmware for the PC does not even completely replace the PC BIOS (which will continue to be used for power-on self test and hardware initialization). Those in the know, beyond the corporate media spin doctoring, know that uEFI is just a layer of DRM and corporate lock-in that rides on top of the 30-year-old legacy BIOS that starts the computer in real mode just like it did in the 1980s.

uEFI is not a next generation PC boot firmware; we’re being sold a bill of goods. The biggest problem in particular is “Secure Boot”. Users are being misled into believing it has something to do with securely booting a computer while its true purpose is to lock the user into running whatever corporate-sponsored OS came with the computer, and turning them into a criminal by forcing them to commit a US federal felony by circumventing it to install free software as the computer’s operating system instead.

For the latest lies from the corporate-sponsored media, we go to The H Online which has declared that “Securely booting Linux [is] a “difficult” proposition”. The H is becoming less of a legitimate news source about free and open source software, and becoming more like just any other anti-free and open source rag that mindlessly recites anything that Microsoft pays for. The Register is another example of such an occurrence. Over time, Microsoft starts writing their Linux news and you get libellous headlines instead of information. It’s not like the Red Hat employee that they cite is helping dispel this propaganda. (more in a moment)

uEFI “Secure Boot” (which should be called Restricted Boot since it is designed to lock you into an ISV’s operating system software) is a complex specification. It relies on a nebula of assumptions about the state of the hardware and the bootloader that are not necessarily true and are easily forged. Even if that were not the case, it relies on an assumption that there are no firmware bugs which can be used to subvert and bypass it. It will not provide any meaningful level of additional security to users of any PC operating system, even if it agrees to boot the operating system that the user is trying to use at all. It is designed to turn anyone who cracks it into a criminal, by forcing them to violate Section 1201 of the Digital Millennium Copyright Act and be liable to be sentenced to prison for trying to use their computer in freedom.

Cited in the contemptible malarkey is Matthew Garrett, a Red Hat employee. Red Hat is a member of the uEFI forum so that they can sign RHEL and won’t be stopped by Restricted Boot on any workstation or server that comes with their software. I’m pretty sure that this is why we won’t be seeing the GRUB 2 bootloader on RHEL any time soon. GRUB 2 is licensed under the GPL version 3, which protects users from what the FSF refers to as “Tivoization”: the practice of using free software in a manner that locks the user out of their own system, by using DRM in that software.

If Red Hat shipped GRUB 2 and did not disclose their signing keys as the GPL 3 requires (to protect the user from exploitative hardware/software vendors), they would be in violation of the GPL. The Free Software Foundation could revoke their rights to use the GRUB 2 software. Red Hat has a lot of resources and can probably maintain their fork of Grub 0.97 indefinitely so that they can cooperate with hardware makers to restrict the user. Red Hat benefits from user lock-in just as surely as Apple and Microsoft do if only their signing key is in the uEFI Secure Boot implementation on hardware that ships with their operating system, because there won’t be any of that pesky competition on any system that comes with RHEL.

So right off the bat, I don’t think Matthew Garrett can be a trusted source of information because he is obviously tainted by his employer, and has the same reasons to lie and mislead you as Steven Sinofsky of Microsoft.

Canonical (Ubuntu) is also a member of the uEFI forum and can probably use Secure Boot on embedded ARM systems to trap people in Ubuntu. They can’t use GRUB 2, but there are bootloaders for ARM, some of them proprietary, which can be used instead. They can probably also sign Ubuntu LTS releases and get their signing key into workstations and servers that ship with Ubuntu, for much the same end result as the RHEL situation I described above. They could even use Grub Legacy in that situation. It didn’t just disappear, it’s still being carried by them if you look up “grub” in their software repository.

A better news flash would be that there never was, is, or will be a way to securely boot a PC, and that corporations are salivating at the prospect of using it to lock end users into their operating system software, to keep the user trapped with whatever their computer happened to come with. The headlines designed to smear Linux are just paid for by Microsoft. The “bootloader attacks” that Secure Boot is supposedly meant to deal with are mostly attacks on the Windows Activation system that rely on bootloader exploits to make Windows believe it is an OEM copy that came with the PC so that the user may use a copy of Windows without paying for it.

Microsoft isn’t interested in stopping the malware of the week from stealing your identity or subverting your system and using it to display (sometimes pornographic) advertisements, which are just two of the things that Windows is known well for. They are interested in stopping the user from being able to run their own software on their private property and from getting away with using a less crippled version of Windows than what came with their computer without forking over more money through the Anytime Upgrade scam.

I don’t believe the corporate ambitions of Red Hat or Canonical are any different.

Creative Commons License
This work by Ryan Farmer is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.

Installing Privoxy 3.0.18 in Ubuntu Oneiric or derivatives

December 11, 2011

Since Adblock Plus sold out and can no longer be considered trustworthy, I have decided to explore other options.

Short story: the Adblock Plus 2.0 development branch has added a new “feature” they call “acceptable advertising” and flipped it on by default without asking the user. The default whitelist so far only includes advertising from networks like Google with suspiciously deep pockets, leading me to believe that money has probably changed hands somewhere along the way. You can opt out of this through a rather unwieldy process, but most people won’t. I find “acceptable ads” to be unacceptable because even Google Adwords is well known for profiling the user even if they only use non-Google sites, and they’ll let anyone with enough money take out an ad, even if it leads to phishing sites or Windows malware. Most definitely NOT acceptable. (But hey, it’s your computer and if you like XP AntiVirus Super Duper 2012 Edition, I think you’re beyond my help.)

Privoxy is powerful but has a daunting (not terrible, but compared to Adblock Plus, rather involved) setup if you want it to work as best it can, so I have decided to document the entire process here that I used.

Step 1: Remove Adblock Plus from Firefox. The only reason we’re going to switch to Privoxy is because Adblock Plus is no longer trustworthy.

Open the add-ons menu. Either by clicking the Firefox button followed by Add-Ons, or if you use the classic menu, then Tools followed by Add-Ons.

Find Adblock Plus. Click “Remove”. Firefox will want to restart.

Step 2: Install Privoxy.

Ubuntu Oneiric comes with 3.0.17, which is now outdated and has some serious bugs that have been fixed in 3.0.18. The packages from the development branch of Ubuntu (codenamed Precise) work fine and provide version 3.0.18.

Go to this page: http://packages.ubuntu.com/precise/privoxy

Under Download Privoxy, choose the package for your architecture. Mine is AMD64, but you might be using the i386 version of Ubuntu. Choose whichever applies to your system.

Click on any mirror you want, it will offer you the DEB file. Once the DEB file has finished downloading, either double click on it in the Downloads or open your file manager and go to where you downloaded it and double click (single click for Kubuntu users) on it to launch the package installer. Install the package.

NOTE: Installing packages from other versions of Ubuntu is not always a great idea. Privoxy just happens to be really small with no dependencies that can’t be satisfied by Oneiric. DO NOT make a habit of doing this! :)

Step 3: Make sure the Privoxy daemon (service) is running. It probably is, but this can’t hurt.

Open a terminal.

sudo service privoxy start

Step 4: Configure your proxy settings to route through Privoxy (Privoxy operates as a local non-caching proxy server).

In GNOME or KDE or whatever you use, set HTTP and HTTPS to use 127.0.0.1 on port 8118 (where Privoxy listens). Do this again in Firefox’s Network preferences. It should pick up your global settings but it is Firefox and you know how things that should happen on Firefox for Linux sometimes don’t. :P

Firefox/Preferences/Preferences/ or Edit/Preferences followed by Advanced then the Network tab, click Configure How Firefox connects to the Internet, and use 127.0.0.1 and port 8118 for HTTP and HTTPS.

(Yo dawg, I heard you liked Preferences so I gave you Firefox so you can have Preferences with your Preferences!)

Step 5: Configuring Privoxy.

Privoxy is actually a pain in the ass to configure with text files by hand. It does have a web browser-based GUI setup for filtering operations, but it must be enabled in a configuration file. There is no need to restart Privoxy after modifying anything since the daemon (service) notices a few seconds later that the settings changed and applies them immediately.

Press Alt+F2, this brings up a run dialog under pretty much any desktop environment worth using. Remember this is for Ubuntu derivatives, others tend to use gksu and kdesu, but since Ubuntu does not set up the root user by default, it uses gksudo and kdesudo instead. Fedora KDE also seems to come with kwrite instead of kate, so Fedora KDE users would use kwrite. I use Nano but I am striving to make this as painless as possible for users accustomed to a GUI.

GNOME/UNITY: gksudo gedit /etc/privoxy/config

KDE: kdesudo kate /etc/privoxy/config

Now we can edit the main config file. Note: make sure any lines I say to edit don’t have a hash symbol in front of them (one of these: #) or Privoxy will interpret them as a comment and ignore the setting.

Go to section 4.5, titled enable-edit-actions. Scroll down. Find the line that says:

enable-edit-actions 0

change it to

enable-edit-actions 1

Go to section 4.8, titled buffer-limit.

It defaults to 4096 with a line such as:

buffer-limit 4096

I find it runs better with a 16 MB buffer. I have lots of RAM. Yay RAM. I change it to:

buffer-limit 16384

Go to section 6.4, titled keep-alive-timeout.

It’s set to 5; I find it works best with 300.

So I change this:

keep-alive-timeout 5

to this:

keep-alive-timeout 300

Save the file and exit.
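For readers who would rather script Step 5 than edit by hand, here is an added example (my own code, not part of the original post or of Privoxy) that applies the three settings above to the text of /etc/privoxy/config and then verifies that each one is on an active, uncommented line, which is the trap the note about hash symbols warns about. The config text below is a constructed excerpt, and the RECOMMENDED table simply restates the values chosen in this post.

```python
import re

# Constructed excerpt mimicking /etc/privoxy/config: the real file surrounds
# each directive with '#'-prefixed documentation that must be left alone.
SAMPLE_CONFIG = """\
#  4.5. enable-edit-actions
#      Default value: 0
#      enable-edit-actions 1
enable-edit-actions 0
#  4.8. buffer-limit
buffer-limit 4096
#  6.4. keep-alive-timeout
keep-alive-timeout 5
"""

# The values this post settles on (buffer-limit is in kilobytes).
RECOMMENDED = {
    "enable-edit-actions": "1",
    "buffer-limit": "16384",
    "keep-alive-timeout": "300",
}


def active_value(text, key):
    """Value of KEY on the last *uncommented* line, or None if every
    occurrence is commented out (a '#' as first non-blank character)."""
    pattern = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]+(\S+)[ \t]*$", re.M)
    matches = pattern.findall(text)
    return matches[-1] if matches else None


def set_directive(text, key, value):
    """Rewrite every active 'KEY ...' line to 'KEY VALUE'; if there is no
    active line at all, append one.  Commented lines are never touched, so
    Privoxy's inline documentation (and its '#  key value' examples) survive."""
    pattern = re.compile(r"^([ \t]*)" + re.escape(key) + r"[ \t]+\S.*$", re.M)
    if pattern.search(text):
        return pattern.sub(lambda m: f"{m.group(1)}{key} {value}", text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{key} {value}\n"


def apply_recommended(text, settings=RECOMMENDED):
    """Apply every setting from the table to the config text."""
    for key, value in settings.items():
        text = set_directive(text, key, value)
    return text


def unsatisfied(text, settings=RECOMMENDED):
    """Keys whose active value differs from the target: a post-edit check
    that catches a directive changed only on a commented-out line."""
    return sorted(k for k, v in settings.items() if active_value(text, k) != v)


if __name__ == "__main__":
    print("before:", unsatisfied(SAMPLE_CONFIG))           # all three keys
    print("after: ", unsatisfied(apply_recommended(SAMPLE_CONFIG)))  # []
```

To use it on a live system, read /etc/privoxy/config into a string, pass it through apply_recommended, and write the result back with root privileges; the daemon picks the change up on its own, as the post notes.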

Step 6: Close Firefox if you still had it open, and restart it.

Step 7: Type this into the location bar and hit enter:

config.privoxy.org

(Privoxy intercepts this and redirects it to its own configuration page. If Privoxy is not running, you get a page on Privoxy.org telling you it is not running; if this happens, try clearing your history and trying again.)

You should get something like this on the page that comes up:

This is Privoxy 3.0.18 on localhost (127.0.0.1), port 8118, enabled

Step 8: Configure the filtering rules. (We’re almost done)

On the config page, click the link “View & change current configuration”, then under “Actions Files” there should be “/etc/privoxy/match-all.action” as the first listing. Click the Edit button next to it.

Under “Actions” set to “Cautious”, it should provide a minimal template from which to work without stupid filters that don’t apply to Linux users. (At least, I don’t think many of us need a filter to block some common Internet Explorer 6 vulnerabilities) ;)

Now, to the left of the Cautious button, click the Edit button. What follows is how to get the setup I use. Some filters look tempting but actually break some sites. If you want to experiment with them later, do it one at a time and turn them off if they break something you use.

fast-redirects, click green button to enable, check decode entire url.

filter refresh-tags, green to enable, check “Decode URL before checking”

filter img-reorder, green to enable

filter banners-by-size, green to enable

filter banners-by-link, green to enable

filter webbugs, green to enable

filter no-ping, green to enable

filter google, green to enable

hide-from-header, red to disable (No browser since the mid 90s that I know of sends out your email address to every page you visit. This one is stupid.)

hide-referrer, green to enable, check “Forge referrer if host has changed, but don’t touch in-site referrers.”

set-image-blocker, green to enable, check “Send a 1×1 transparent GIF” to reduce page clutter.

Click submit.

Step 9: Privoxy doesn’t handle pop-ups and unders that well since there’s a lot of sneaky ways to load them. We can deal with this problem from within Firefox itself. Note: Adblock Plus was only blocking most pop-ups because it had explicit rules for them which needed a lot of complicated filtering and still missed some.

In Firefox’s location bar, type this, and hit enter.

about:config

If necessary, click the do not show me this again thing that comes up and jokes about “voiding your warranty”.

In the filter box type popup and locate dom.popup_allowed_events and double click it. Remove everything. Sites now have no way of loading pop-ups. The “Firefox has blocked a pop-up” thing will appear when one tries and you can use that to load the pop-up anyway or whitelist that site for next time. (My bank uses them, sigh).

Step 10 (Optional): While in about:config, let’s toggle some other nonsense that Firefox has done by default.

In the filter bar, search general.autoscroll, double click it to change it to true. Mouse wheel scrolling on Linux instead of the stupid X11 clipboard ftw.

In the filter bar, search for trim, locate browser.urlbar.trimURLs and double click to change it to false. This will revert Firefox to the traditional behavior of telling you what protocol the loaded site is using in the address bar and fixes the problem (on Linux anyway) of occasionally copy pasting a URL without the http:// or https:// or ftp:// or whatever bits.

Congratulations. Privoxy should now be set up. It’s a shame that Adblock Plus decided to take on an anti-user stance in exchange for Google’s money and that we have to block ads in Firefox now with a local proxy server like it was 1999 all over again if we want to avoid the abuse I’m sure is coming from Wladimir Palant and “Rick752” and friends.

Until next time, this is DaemonFC reminding you that the only “acceptable” ad is a dead ad.

VLC now has a Java dependency. I give up.

October 25, 2011

Java for make no playback the Blu Ray happyfuntime.

So I went to install VLC in Kubuntu and find it depends on libbluray, which wants to pull in Java.

I can almost hear you saying “VLC plays Blu Ray now? Cool! Finally those MAFIAA bastards will pay for their DRM crimes! Viva la libdvdcss!”, but before you get excited, it doesn’t play any DRM’d discs, which as far as I know includes all of them. What’s worse than useless is useless and bringing in Java. I hate desktop Java.

This is in addition to the fact that Pulseaudio support (You know, Pulseaudio, unless you’ve been living under a rock) has been broken in VLC for a very long time.

I give up, you win, no longer will I use your software. UMPlayer is better anyway.

Ubuntu Natty: The Indicator Crapplet Strikes Back

I recently spent a day with Ubuntu Natty and Unity:

I was not expecting it to work well, and I got everything I expected. Unlike some reviewers, I’m aware that the thing is essentially a broken GNOME 2 fork and will treat it as such.

The thing that is most annoying is that Unity replaces a lot of standard desktop features with proprietary Canonical replacements that fall under the Canonical Contributor Agreement. This effectively is as good as making all of this stuff nonfree software, because Canonical could at some point relicense all of it however they like. It’s not like any other distro (or desktop environment) is jumping at the chance to ship broken software like the Indicator API, precisely because it is broken and just a really dumbed down notification tray.

Which brings me to indicator applets:

Why? Why why why why WHY!? How can you replace standard notification applets that work, that the user can right click on, that every other desktop environment uses, and call them deprecated, and then replace them with something that doesn’t work right most of the time?

The GNOME 2 system tray is still there, but Canonical only allows “whitelisted” applications to use it. This is necessary because not everything works with Indicators and likely never will. Rather than simply blacklist the applications that have Indicators from using the system tray, Canonical has decided to break many applications, such as XChat and the HP printer toolkit (just to name a couple that I use). And the gain? My 1920 x 1080 display saves like 2″ of horizontal top bar space because Canonical wants to be Nazis and dictate how many icons I can have up there, and of what kind they can be.

A fix has been posted, but don’t count on it working for long, as Canonical’s Sebastien Bacher explains that the standard notification tray will be removed eventually and Canonical doesn’t care if their replacement doesn’t really work:

“…re-enforce the message to application writer that they will need to update their code if they want it to work correctly in Ubuntu in the next cycles”

I kind of take that to imply that upstream application writers should give a crap whether or not their application that uses standard notifications breaks in Canonical’s Indicator Crapplet. If you’re an application writer, you shouldn’t be bullied into breaking your application to work with the incorrect behavior of Indicators.

There’s a lot about Unity that doesn’t work right, why focus on Indicators?

Because they don’t work right, they never will, and it’s by design. Maybe someday a user will be able to use Unity without it freezing their computer every hour or so (like it currently does), because that’s not intentional, it’s just shoddy work. Indicators are one of those “solution looking for a problem” deals where I don’t believe that anyone from Canonical will ever admit that they are wrong and that it was a bad idea.

Not that I think GNOME 3 is better.

Unity and GNOME 3 are both “designed” (if you can call it that) around incompetent users who are confused with user-toggled settings. They both manifest bad design with the idea that the user is an idiot confused by features, they just go about it in different ways. GNOME 3 is worse in some ways than Unity (No Maximize/Minimize, very difficult to change your theme, they break notifications in their own way by hiding them unless you mouse over, etc.).

Bottom Line:

Use something else if you value your sanity. KDE has sane defaults, user-toggled settings abound, it doesn’t crash a lot, and the desktop is basically the same with or without a fancy video card/driver combo that gives you eye candy. (Whereas you get a totally craptacular fallback mode in GNOME 3, and GNOME 2 with Indicator Crapplets in Ubuntu.)

