It seems we have bounced from one consultation on a threat to the internet to another. The UK government is now consulting on the idea to introduce an opt-out ‘internet filter’ for certain types of content.

I have absolutely no problem with empowering parents/guardians and internet subscribers in general to control their own internet connections. Providing inexpensive and free tools, combined with education on how to use them (and what they can and cannot do) is something I would wholeheartedly support.

However, performing filtering at the network level, using the tyranny of the default to effectively impose certain decisions on parents is not just a dangerous precedent to set. It is also extremely likely to be technically ineffective, and therefore will create a false sense of security for parents and guardians. A false sense of security does not protect children.

» Read the rest of this post…

Before the release of Apple’s OS X Mountain Lion, when the Gatekeeper feature was first announced, Apple proudly proclaimed on the relevant page that developers distributing their apps outside of the Mac App Store would be able to get a “free Developer ID certificate”.

Unfortunately, I did not have the foresight to screenshot the page that said this, because now, even a month after the release of Mountain Lion, their generosity appears to have evaporated.

Only Mac Developer Program members are eligible to request Developer ID certificates and sign applications or installer packages using them.

The aforementioned Developer Program(me) is the standard, $99/£69 per year subscription that entitles you to full Mac App Store distribution rights. Unless I am missing something obvious, and I really wish that I am, there are no free Developer ID certificates.

This disappoints me — I cannot justify enrolment in the paid program for DfontSplitter for Mac, which doesn’t generate me significant donation revenue at all. This means I cannot sign DfontSplitter for use with Gatekeeper, which degrades the experience for Mountain Lion users of the software, and maybe even puts them off entirely.

I am definitely in favour of security measures that put the control in the hands of the user. I cannot, however, get behind a system which appears to discriminate against all developers who are not in a position to join Apple’s certification programme. I am left disappointed, and my app is left unsigned.

Photo is Barbed Wire Twilight, by Orin Zebest. Licensed under CC-BY 2.0 GB.

Like many of my generation, I have grown up expecting the rich benefits, and accepting the unique risks, an open and free internet presents.

I do not pretend that this medium for open exchange does not, at times, facilitate truly terrible things. I do not deny that the lives and security of millions of people are, at times, put at risk by this platform.

Behind the Black Boxes

I seek to urge balance — balance between the competing demands of liberty and security. A balance of the risk of crime that is faciliated by free communications with installing tools and technology that could so easily be abused by those charged with protecting our safety.

The UK government, like many others at this point in time, is planning to introduce widespread surveillance of internet communications, in the form of the Communications Data Bill.

They will collect the ‘communications data᾿, the metadata of with whom we communicate, through traditional channels like email, but also through any number of third-party services. This will require them to employ deep packet inspection on all our internet traffic to extract the data that they would, under the Bill, be lawfully allowed to store.

But:

• Who will make the ‘black boxes᾿ that will be doing all the collecting?
• If the ‘black boxes᾿ are necessarily hunting through the whole communication for the communications metadata, how can we be sure that content will not also be collected?
• Who will have access to these machines?
• Are their access controls going to be subject to penetration testing by well-respected security researchers, so we can be confident that our data will remain under the control of the designated officials?
• How do we know that the boxes have not been, and will not be, altered to do more than their original lawful task?

Our Patterns are Private

… unless there is good reason to suspect us of committing an offence.

One of the things that troubles me greatly is the proposal of storing the address of every website we visit. We are promised that the addresses of individual pages will not form part of this data, but nevertheless, an extraordinary amount of information can be inferred from a list of websites that an individual has visited.

Sensitive political information, medical details we have a right not to disclose, valuable commercial intelligence…

The more data that is accumulated, the more an abusive or corrupt agent can infer, and the more damage they could do. The information about where we go online also has a very high commercial value (as many internet companies are already well aware), making the likelihood of illicit commercial exploitation of this government-held data by rogue officials vastly higher.¹

Unless there is reason to believe we have done something wrong, we have a right to withhold this information.

We should resist routine collection and storage of this information where there is no suspicion of wrongdoing.

The Balance of Power

Protecting citizens against risks to their safety is obviously a priority, and clearly a huge challenge. Many people devote their lives to doing so, and many people have made significant sacrifices in pursuit of security. I deeply respect these people, and the need for this work.

We must, however, limit the power we entrust to those who protect us. There will always be some who are liable to corruption, and some intent on harming us whilst purporting to do the opposite.

We have to balance the risk posed by ‘others᾿ — criminals, terrorists, rogue states, with the risk posed by those inside the system who may exploit us with it.

Unfortunately, the abuse of power is made much more efficient where technology is involved.

The wide, sweeping powers of surveillance that the Bill mandates afford dangerous levels of power that are all too easily turned against us. We might trust this government and the software they put on the black boxes that watch all our traffic. What about the next one, and the software they load onto these machines? What if a group much less trustworthy are able to seize these powers in the future? What if the collection and storage technology itself is fundamentally insecure?

It is much easier to resist these overbroad powers now, than to try and re-balance rights and risks later.

Think

I ask that if you do nothing else, spend a little time thinking about these balances of power, and balances of risk.

If, like me, you read between the lines of the Bill and find these balances troublingly one-sided, then write to your MP and write about this issue. Make your voice heard.

Rightful liberty is unobstructed action according to our will within limits drawn around us by the equal rights of others. I do not add ‘within the limits of the law’ because law is often but the tyrant’s will, and always so when it violates the rights of the individual.

— Thomas Jefferson.

1: The UK᾿s recent huge press scandal has highlighted the issue of corrupt law enforcement officials giving privileged access and preferential treatment to private media companies. It is naïve to believe that this risk will not present itself again. The best way to protect against this kind of corruption and exploitation is to limit the collection of and access to our private data.

In “A Tale of Stale Content”, on the Van Patten Media blog, I take a somewhat philosophical look at IT problem solving, told through the story of an intensely frustrating issue with Nginx serving up stale content in virtualised environments. Apparently, the sendfile on; setting in Nginx will cause it to deliver old versions of files you have since updated on disk.

Sometimes a problem comes up that is just weird. It seems completely illogical. But these computery things are supposed to be nothing but logic, right?

When we eventually arrive at the solution, after many hours of hair loss and bad language, we are reminded of the sheer complexity of these systems. Our assumptions about how something at a higher level should behave are entirely dependent on the premise that the lower levels are all doing exactly as expected too.

It’s humbling, in a slightly odd technical sense. We all need to be humbled sometimes.

Read the full post over on the Van Patten Media blog.

Image is “Engine room”, by Maggie Stephens (Pot Noodle) on Flickr. Licensed under CC-BY.

Today’s release of Firefox 13 brings with it more imposed functionality changes to the only version of the browser that we can use, because it is is the only one kept current with security updates*.

This time, it is a brand new, Google Chrome-style ’New Tab’ page. I’m sure it is great for lots of people, but personally, I prefer a blank home page and a blank page when I open a new tab.

To restore the old behaviour, and have a blank new tab, browse to about:config. Accept the warning, then search for newtab. Do not change newtabpage.enabled.

Instead, double-click browser.newtab.url and set it to about:blank.

There, that’s how I prefer it again!

* UPDATE: A slight correction — there is a version of Firefox 10.x called Firefox ESR (Extended Support Release) that is kept up-to-date, so that is also an option!

I’m really pleased to announce that the WordPress plugin I have been working on with Van Patten Media, Total Slider, has now been released!

Total Slider is a plugin for WordPress from Van Patten Media that will transform your experience with sliders forever. Build your own templates in PHP and CSS, then preview the output in a beautiful WYSIWYG interface designed to blend seamlessly with the WordPress core.

Total Slider is released under the GNU GPL version 2 or later. We’d love your feedback, ideas, bug reports, translations and more.

Here is a quick 2-minute video introduction:

You can find out more and download Total Slider from the WordPress plugin directory.

In my most recent article for For Mac Eyes Only, I ponder the implications of the remarkably speedy scheduled release of Apple’s OS X Mountain Lion on the longer term viability of older Mac hardware. Mountain Lion is due to arrive just a year after the release of Lion.

We now await OS X 10.8, Mountain Lion. Scheduled to be released a mere year after Lion, we are promised even more features ‘inspired by iPad’.

Wait a second. What was that? It is due to arrive this summer. Just one year after Lion was released.

A new release of OS X hasn’t come so quickly since the operating system was very young and was still being established and stabilised.

This strikes me as quite a shift, and it brings me to an important issue — how does this affect the lifespans of the Apple products we buy?

You can read the full article over on the For Mac Eyes Only site.

The security landscape for Mac OS X is changing. It has been for some time, but every now and then, an event comes along that highlights it.

I am thoroughly disappointed with how tardy Apple can be with releasing security updates. Java has been one of the components most visibly neglected in terms of timely patches. The recent ‘Flashback’ trojan for OS X exploited old, well-known vulnerabilities in Java that Apple had failed to promptly patch.

Java on Lion is deprecated, and is no longer installed by default. However, some upgrades from Snow Leopard bring Java along with them, and some users have manually installed Java for compatibility with certain applications.

If you do not know that you need Java installed on your system, do not install it. That is the best way to mitigate any security threat that would try to leverage a Java vulnerability to get into your system.

On Lion, however, once Java is installed, it does not seem to be possible to completely remove it.

What you can do is change the permissions on the relevant files so that it is ‘neutered’ and cannot run at all.

How to Completely Disable Java for Lion

I don᾿t recommend you disable Java on Snow Leopard. It is part of the operating system there, not an optional add-on component. I have not tried this process on Snow Leopard. Proceed to disable Java like this at your own risk (even on Lion)!

While logged in as an administrator user, open Terminal from Applications > Utilities.

Type the following commands in, pressing Enter after each one. You might be asked for your password.

sudo chmod 000 /System/Library/Java/JavaVirtualMachines/
sudo chmod 000 /Library/Java/JavaVirtualMachines

What these commands do is change the permissions mode to 000 on these Java files, meaning that no users have any permissions to even enter these folders, let alone read any files in them. This stops Java from running.

You can test that it is working, or, rather, not working, by now attempting to load Java Preferences in Applications > Utilities. You should be told that Java is not installed, and invited to install it. Click Not Now.

Re-enabling Java

If you suddenly find that actually you do need Java again, simply run the same commands in Terminal, but with the permissions mode 755 (the folder’s owner can read, write, and enter the directory, and everyone else can just read and enter the directory).

sudo chmod 755 System/Library/Java/JavaVirtualMachines/
sudo chmod 755 /Library/Java/JavaVirtualMachines

It should spring back into life!

Infected?

If you were unfortunate enough to be infected by Flashback (even if you did not type the Administrator password when it prompted), F-Secure has some instructions on its detection and removal. (Hat tip to @bldngnerd.)

Ubuntu founder Mark Shuttleworth, on user interface and user experience, and looking at desktop user interfaces holistically:

In the open source community, we celebrate having pieces that ‘do one thing well’, with lots of orthogonal tools compounding to give great flexibility. But that same philosophy leads to shortcomings on the GUI / UX front, where we want all the pieces to be aware of each other in a deeper way.

…

It’s only by looking at the whole, that we can design great experiences. And only by building a community of both system and application developers that care about the whole, that we can make those designs real. So, thank you to all of you who approach things this way, we’ve made huge progress, and hopefully there are some ideas here for low-hanging improvements too 🙂

This approach is why I find myself most aligned with where Ubuntu is taking the Linux desktop. The changes they have introduced to the UI over recent versions have been controversial — sometimes even breaking with revered Unix-y traditions — but I broadly think they are the right decisions to move the platform forward.

With mobile computing taking the lion’s share of industry attention, who is doing the thinking on innovating the traditional desktop? Ubuntu.

I will readily acknowledge that this kind of traditional desktop computing will probably be less important in the future than it has been in the last decade.

I don’t think that means no-one will want to use a desktop. I certainly don’t think it is a reason to stop innovating.

Since version 10.3 of Flash Player for the Mac, there has been an automatic update feature for the plugin, as part of a System Preferences pane. Unfortunately, I have not had much luck with it actually doing updates automatically!

I have, then, found it necessary to either check for updates manually, or devise a custom script to do an automatic check for updates.

Based on this MacOSXHints post, here is the script I am using to keep Flash Player on Mac OS X up-to-date. Combined with an OS X LaunchAgent to check every two hours, this is an automatic update solution that actually is automatic!

Download Flash Checker Script

Installation

• Copy the ‘Flash Checker’ folder into /Library/Application Support.
• Make sure the execute permissions are set on /Library/Application Support/Flash Checker/flash_checker.
  (From Terminal, run: sudo chmod +x /Library/Application\ Support/Flash Checker/flash_checker.)
• Copy the ‘uk.org.upfold.FlashChecker.plist’ file into ~/Library/LaunchAgents.
• Optionally, edit the RunAtLoad directive in the plist to true to check for updates each time you log on, or edit the StartInterval to check more or less frequently than the default of two hours.

Disable without Uninstalling

• Set the Disabled directive to true in the ~/Library/LaunchAgents/uk.org.upfold.FlashChecker.plist.

Uninstallation

• Remove the ‘uk.org.upfold.FlashChecker.plist’ file from ~/Library/LaunchAgents.
• Delete the folder /Library/Application Support/Flash Checker.