Give Up GitHub: The Time Has Come!

Give Up GitHub: The Time Has Come! - Conservancy Blog - Software Freedom Conservancy

Those who forget history often inadvertently repeat it. Some of us recall that twenty-one years ago, the most popular code hosting site, a fully Free and Open Source (FOSS) site called SourceForge, proprietarized all their code — never to make it FOSS again. Major FOSS projects slowly left SourceForge since it was now, itself, a proprietary system, and antithetical to FOSS. FOSS communities learned that it was a mistake to allow a for-profit, proprietary software company to become the dominant FOSS collaborative development site. SourceForge slowly collapsed after the DotCom crash, and today, SourceForge still refuses to solve these problems. We learned a valuable lesson that was a bit too easy to forget — especially when corporate involvement manipulates FOSS communities to its own ends. We now must learn the SourceForge lesson again with Microsoft's GitHub.


AzireVPN: A VPN worth trusting?

Damn her! Naomi Brockwell got my shorts in a knot regarding the VPN Hellscape (read that, seriously). I knew the VPN scene was bad, but i didn't realize how bad until i watched her video, The DARK side of VPNs.

I use AzireVPN because i believe they are worthy of a degree of trust, but believing is not enough and, given my freshly ingested fur-ball of fear due to Naomi's video, i decided to put the screws to Azire and see how they fared.

AzireVPN is one of very few VPN service providers that claim to physically own, secure and install their own servers and, in my book, no company is even worth considering if they can't make that claim (that's right; screw you Nord, PIA, Express, HideMyAss, IPVanish and nearly all of the rest of them!). Furthermore, Azire tells us that they physically seal unneeded ports, run the OS in RAM (no hard drives), and run their servers in Blind Operator mode. And of course they have a zero-log policy and do not require any personal information when creating an account. Even payment can be handled anonymously using cryptocurrency. But in the end, what is all this talk worth without convincing evidence?

I proposed a few ideas of how Azire could potentially reinforce customer trust:

  • By providing purchase orders and receipts for their servers which could potentially be verified by contacting the vendor. My thought here is that, if they provide such evidence, then there is little reason to doubt that Azire is actually using the equipment they paid for.
  • More photographic evidence.
  • Video of how the servers are prepared showing the sealing of unused ports, removal of hard drives, etc..
  • Live-streaming the server installation at the data center, during which an Azire customer would provide a random verification string to the installer via an azirevpn.com email address, which the installer would then display in the video. The problem with this is that only one, or possibly a small number of people, would be able to verify the installation, and everyone else could correctly posit that the whole thing was a setup.

Following are their responses to my proposals:

Hi,

Thank you for writing to us, [REDACTED].

We understand your concerns and this is why we have made such an effort to be as transparent and forthcoming as possible in our content and messaging – and also why we have our service in the first place.

As you mentioned, we’ve shown in our various blogs how we transport and install our servers in various datacentres around the world. Adding to this is our documentation (https://www.azirevpn.com/docs/environment#installation), which I am sure you’ve read through by now, where we list as much information about our service as we can without going the opposite direction and compromising our infrastructure’s security, and in effect our users’ security.

We could provide purchase order receipts for the servers and show what we do with them before they get installed, but there is no way for you to know we actually installed the servers we showed. Unless we had a continuous camera shot from arrival of the server at our office all the way through to installation, there isn’t a fool-proof way to show that we do what we say we do – even then, the video could easily be edited.

Moving forward with our new server installations, we will make an effort to provide more details and documentation regarding ownership and installation. However, at a certain point we have to draw a line for our infrastructure’s security, our users’ security, and of course our own personal security.

If you have any specific suggestions, we are eager to hear them.

And in a follow-up email they said:

Hey,

1. Receipts we will begin posting with all servers moving forward, with certain confidential information redacted of course. However, there will be enough to understand we did purchase the specific servers in use.

2. We will do a video demonstrating how we modify servers (some parts may be removed to help preserve the physical security) but the overall outcome and before/after will be shown to illustrate how we handle our servers. Additionally, we will improve the documentation of transportation and installation and security measures we take.

3. The video verification you suggested may be difficult; we are discussing this internally. That said, we do have a semi open door policy where we are happy to invite users to our office in Stockholm and also provide a tour of the datacentre we use here. If this is something you are interested in yourself, please let us know and we are happy to have you come and visit.

If you have any other ideas or suggestions to help improve our efforts towards transparency and security, please let us know. We are happy to improve things always.

I was very pleased with their response and look forward to seeing Azire follow up with tangible results.

The power of uBO filters

I've heard people complain about the lack of granularity of uBlock Origin filtering compared to the no-longer-developed uMatrix add-on, and i've been one of those people. I still think Raymond's decision to abandon uM in favor of the allegedly easier-to-use uBO was a mistake, and i'm certainly not alone. The pop-up interface of uMatrix always seemed more intuitive to me.

Some folks are adamant that uMatrix is superior to uBlock and is an absolute must-have, like breathing, however i'm not sure there's anything that one can do with uM that cannot be accomplished with uBO's filters, available in the 'My Filters' section of its settings. Other than adding a custom rule or two like *$font,third-party, which allows 1st party fonts while blocking 3rd party fonts, i've not been utilizing this filtering capability until very recently. These filters offer very granular control, right down to individual resources like a specific JavaScript file for a specific domain.

YouTube videos are a valuable resource of information, but the website is a f'n joke from a technical point of view, as well as an assault on one's privacy. Sure, you can make use of the many alternative front-ends to YouTube (and Twitter, Instagram, Reddit, etc.) with a browser add-on like LibRedirect, but these alternatives come at a cost. They may not be able to handle the load, or they may be off-line, or they may be run by malicious actors, etc. Nevertheless i think they are beneficial overall, especially if JavaScript does not have to be enabled to use them, but i digress.

YouTube serves up piles of shit (JavaScript) every time you load the domain and so i wanted to see how much of it could be toileted while still retaining much of the functionality of the platform like, you know, being able to watch videos and read comments and stuff. uBlock's logger makes it really easy to create these granular rules. With the logger open one can create either a URL (dynamic) or a static rule. While URL rules are more efficient, you can't use wildcards (*) in the file paths and for technically retarded sites like YouTube, which appear to use dynamically generated path names for some resources (.../player/c4225c42/player_ias.vflset/...), URL rules aren't going to work for all of the stuff i wanted to block.

I ended up trimming a fair amount of lard from YouTube using static filters while still retaining the appearance and functionality i wanted. Here are the filters i'm currently using (if you're on mobile you may need to adjust):

||fonts.googleapis.com^$stylesheet,domain=www.youtube.com
||jnn-pa.googleapis.com^$xhr
||www.youtube.com/*/jsbin/custom-elements-es5-adapter.vflset/$script
||www.youtube.com/*/jsbin/intersection-observer.min.vflset/intersection-observer.min.js$script
||www.youtube.com/*/jsbin/scheduler.vflset/$script
||www.youtube.com/*/jsbin/serviceworker-notifications.vflset/$script
||www.youtube.com/*/jsbin/spf.vflset/spf.js$script
||www.youtube.com/*/jsbin/web-animations-next-lite.min.vflset/$script
||www.youtube.com/*/jsbin/www-tampering.vflset/www-tampering.js$script
||www.youtube.com/*/player_ias.vflset/en_US/annotations_module.js$script
||www.youtube.com/*/player_ias.vflset/en_US/embed.js$script
||www.youtube.com/*/player_ias.vflset/en_US/endscreen.js$script
||www.youtube.com/*/player_ias.vflset/en_US/miniplayer.js$script
||www.youtube.com/*/player_ias.vflset/en_US/offline.js$script
||www.youtube.com/*/player_ias.vflset/en_US/remote.js$script
||www.youtube.com/api/stats/*$xhr
||www.youtube.com/generate_204$xhr
||www.youtube.com/s/search/audio/*$media,domain=www.youtube.com
||www.youtube.com/sw.js$script
||www.youtube.com/youtubei/v1/att/get?key=*$xhr
||www.youtube.com/youtubei/v1/share/*$xhr
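To make concrete how these static filters match, and why the "*" matters for YouTube's generated player paths, here is a small matcher for just the syntax this list uses ("||" host anchor, "*" wildcards, "^" separator, $type options and domain=). It is an added example written for this post, not code from uBlock Origin, whose real parser handles far more; the sample requests, the look-alike host "fonts.googleapis.com.example" and the "base.js" file name are constructed for the demonstration.

```javascript
// Added example (not uBlock Origin's own parser, which handles far more): a
// matcher for the static-filter subset used above: "||host/path" anchored at
// a hostname boundary, "*" wildcards, "^" separator, $type options, domain=.
function parseFilter(line) {
  const dollar = line.lastIndexOf('$');
  const pattern = dollar === -1 ? line : line.slice(0, dollar);
  const opts = dollar === -1 ? [] : line.slice(dollar + 1).split(',');
  const types = new Set();
  let domains = null;
  for (const o of opts) {
    if (o.startsWith('domain=')) domains = o.slice(7).split('|');
    else types.add(o);
  }
  const body = pattern.startsWith('||') ? pattern.slice(2) : pattern;
  // Escape regex metacharacters, then map "*" to "anything" and "^" to
  // "a separator or end of URL" (anything but letters, digits, . % -).
  const re = body
    .replace(/[.+?()[\]{}\\|]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\^/g, '(?:[^\\w.%-]|$)');
  // "||" = scheme, then any subdomain, then the host named in the filter.
  const anchored = pattern.startsWith('||') ? '^[a-z]+://(?:[^/]*\\.)?' + re : re;
  return { line, re: new RegExp(anchored), types, domains };
}
// First filter line that blocks the request, or null. req.type uses uBO's
// short names (script, xhr, stylesheet, media, image, ...).
function firstMatch(filters, req) {
  for (const f of filters) {
    if (!f.re.test(req.url)) continue;
    if (f.types.size && !f.types.has(req.type)) continue;
    if (f.domains && !f.domains.some(d => req.docDomain === d || req.docDomain.endsWith('.' + d))) continue;
    return f.line;
  }
  return null;
}
// Three filters from the list above; check() returns the blocking line or null.
const FILTERS = [
  '||fonts.googleapis.com^$stylesheet,domain=www.youtube.com',
  '||www.youtube.com/*/player_ias.vflset/en_US/embed.js$script',
  '||www.youtube.com/generate_204$xhr',
].map(parseFilter);
const check = (url, type, docDomain = 'www.youtube.com') =>
  firstMatch(FILTERS, { url, type, docDomain });

// Constructed requests: "*" absorbs the generated path segment (blocked), the
// same player's base.js is not listed (loads), and "^" rejects a look-alike host.
console.log(check('https://www.youtube.com/s/player/c4225c42/player_ias.vflset/en_US/embed.js', 'script'));
console.log(check('https://www.youtube.com/s/player/c4225c42/player_ias.vflset/en_US/base.js', 'script'));
console.log(check('https://fonts.googleapis.com.example/css', 'stylesheet'));
```

The domain= option is why the same font request from another site is left alone, and the $xhr option is why an image or ping to generate_204 is not touched by that line.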