Even though I can’t be considered a gamer, I used to support the Humble Indie Bundle, because it supported free software and independent creators, and made it possible for creators to realize that a locked-down, patent-encumbered, copyright-driven world was not the only option.
But even as free software and free culture supporters flocked to buy Humble Bundles, and incidentally made the Humble Indie Bundle wildly successful, somewhere along the line the word “Indie” fell by the wayside, and they expanded into publications as well as games. But when they introduced a Microsoft bundle, it became apparent the people running this initiative weren’t as committed to the principles they espoused as they would like us to believe.
I have tried unsubscribing from their mailing list, but it doesn’t seem to work, so today I was horrified to receive a mailing for their new offering: The Humble Star Wars Comics Bundle.
I grew up with Star Wars; it has had a profound cultural impact on me. And all of the contemporary culture I grew up with is firmly locked up in copyright. Before I understood how copyright works, I actually thought Sonny Bono was a hero for championing more restrictive copyright law. But I’ve lived through the aftermath, and now I know better.
These days, I don’t go out of my way to find new copyrighted works. The only exception I make is for Independents… I will go to the local music festivals, and buy Indie CDs to support the artists. Funny thing, though; I almost never play them. Oh sure, I have lots of movies on DVD, and I even buy new ones, on occasion; and then only ever from remainder bins, because I think the worst thing we can do is to support the corporations that work so hard to strangle our culture.
So even though both my cultural history and my head are full of copyright encumbered creative works, I don’t need any more.
I do realize that not all Free Software supporters are equally committed to free culture. I will always disagree with Free Software champion Richard Stallman’s position on free culture, because it suggests free culture is somehow less important than free software. And The Humble Star Wars Comics Bundle proves me right.
Star Wars stopped being a creative work a long time ago: these days it isn’t a movie, it’s a “franchise.” And poor George Lucas was so desperate for a few billion dollars that he sold his franchise to Disney. Disney is certainly the corporation most invested in the pursuit of perpetual copyright, the driving force behind the MPAA’s perpetual lobbying for increasingly onerous (and increasingly criminalized) copyright law — not only with the American government, but with any government it thinks it can influence. So we’ve seen laws like SOPA and secretive international trade agreements like ACTA being pushed and passed. Oh sure, Europeans took to the streets over ACTA and the EU turned it down. And around the world, Wikipedia led a fight against SOPA and it was stopped. Sort of.
Lots of other countries (like my own Canada) went ahead and passed ACTA anyway. And there is no end to secret trade Agreements. All the worst things are coming to pass. Frankly, I would rather be writing a novel than this. If things were left to muddle along at their own pace (as would happen if that mythic “free market” actually existed) I have no doubt that free culture would win in the end. But those powerful special interests aren’t willing to run the risk of that happening. They aren’t willing to live and let live, their goal is total control.
And corporations have an unfair advantage in their war on human beings; they don’t get tired, and they can pursue their goals 24/7. And politicians, especially the unaccountable politicians common in winner-take-all “democracies” like ours, are easily influenced by such powerful special interests.
And our biggest failing is that we humans have other things to occupy us. You know, frivolous things, like raising our families, feeding our children, and sometimes even creating and sharing our own cultural works.
Which is why the too powerful corporate Special Interests are winning… far from being truly defeated, the worst things about CISPA and ACTA keep coming back.
And the formerly humble indie bundle is supporting this. But I can’t. And if you care about freedom, you shouldn’t either.
My own Copyleft Logo for this blog (the copyleft symbol over my Russwurm Social “LR” monogram) is CC0
For some time now, people have been raving about how wonderful “the Cloud” will be/is. In the real world, clouds are made of water vapour, and they are usually positioned far above our heads in the sky.
In computer terms, a “cloud” is a place to store your digital stuff so you can access it anywhere with any device. Commercial clouds are not made of vapour, they are computer servers that somebody else owns. We can pay for the privilege of storing our stuff on somebody else’s servers. Such Clouds have never appealed to me because of my concerns about privacy and freedom.
But that was before it became possible to have a private cloud: a cloud that you control yourself.
Monday’s KWLUG presentation will introduce personal clouds to anyone interested in learning about or having their own cloud — a free software, DRM-free cloud. Bob Jonkman and Jeff Smith will be hosting an introduction and demonstration of OwnCloud, and Jeff will be showing off a “Synology NAS device running the DS Cloud service”.
I don’t know anything about the DS Cloud service, but I have been using Owncloud for a while; it makes it easy to share, either with password protection, or in the clear. If I were to use Flickr to share password protected photos, the person I’m sharing them with has to have a Flickr account. If they don’t have an account, they’ll have to sign up for one (and give Flickr personal information) before they can see the images.
With Owncloud, there is no registration wall, and I can share access with anyone, even anonymous anyones. And, of course, the beauty part is that my data remains in my control. This is still pretty new software, and I understand there have been a lot of enhancements now… I’ll find out more tonight.
The presentation will be at St John’s Kitchen at 97 Victoria Street North in Kitchener, 7pm Monday October 6th, 2014.
When I began blogging in 2009, this was my very first blog. It was the place I established as my home base to get my bearings as I tried to figure out what’s what — and what I was doing here.
Although I’ve been known to refer to this as my “personal blog,” it has never been what most people would consider “personal,” because although I share my personal opinions and ideas, I try to be mindful of the privacy rights of others, so very little in the way of personal information finds its way in.
Early in my blogging career I began learning about copyright, and as the implications began to sink in, this blog began to morph into a Free Culture blog, although I’ve only just now definitively identified it as such by renaming it.
Last weekend I attended the first ever Libre Tea in Toronto. You might be wondering what a #LibreTea might be, and the best explanation I can offer is that a Libre Tea is a social gathering for people who work for and support the idea of freedom.
(And who am I to resist such a brilliantly apt pun?)
Some of the freedom fighters who attended the gathering are pictured below:
The films screened at The Free Culture Film Festival qualify as free culture either because:
- they are in the Public Domain or
- they have been licensed to share.
This means you can legally watch and share them as you wish. Each film title is a link that will take you to a page where you can watch and/or download the movie online:
Charade (1963) Cary Grant, Audrey Hepburn ~ Public Domain
Never Weaken (1921) Harold Lloyd & Mildred Davis ~ Public Domain
His Girl Friday (1940) Cary Grant, Rosalind Russell ~ Public Domain
Fleischer Studios animated “Superman” (1941) and “The Billion Dollar Limited” (1942)
Warner graciously made high definition copies of all of the Fleischer Studios/Famous Studios Superman shorts available online.
The Durian Movie Project: Sintel (2010) Creative Commons Attribution 3.0 License
Sita Sings The Blues (2008) originally released as Creative Commons Attribution Share-alike; now CC0
[It is not unheard of for media to be knocked off the Internet via specious DMCA Takedown notices. After all, such takedowns don't require any pesky evidence and there are zero consequences to the DMCA applicant if it proves to be incorrect. If any of these links doesn't work for you, drop me a line at firstname.lastname@example.org]
I’ve been asked to put together a Free Culture Film Festival as part of Waterloo Region’s Software Freedom Day Celebration this Saturday. This year Software Freedom Day is brought to you by the KWLUG in co-operation with The Working Centre.
I wasn’t sure what I would be able to find, and as it turns out, my biggest problem wasn’t how little was available, but how much.
I wanted to present a varied selection of films that qualify as Free Culture for different reasons.
For information about the #SFD Presentations, Workshops and Installfest visit the KWLUG Software Freedom Day page.
All activities are free of charge unless you are purchasing computer equipment during the Installfest.
10:00am “Charade” (1963) ~ Copyright Never Happened
Cary Grant/Audrey Hepburn (113 min)
In 1963 American copyright required registration. One of the requirements was that any work to be protected by copyright had to be properly identified as such. What should have been the copyright notice included in the opening credits of the movie Charade failed to include the word “copyright” or the abbreviation “copr” or the © symbol, which meant Charade was inadvertently published directly into the public domain the moment it was released.
But although the film itself is in the Public Domain, any artwork and publicity material may or may not be, so for the purposes of this screening it was safer for me not to use an official movie poster, but to instead cobble together my own with images taken directly from the film. I have in turn released my poster directly into the Public Domain with the Creative Commons CC0 license.
My DVD copy of Charade was a bonus feature included with one of the Charade remakes, The Truth About Charlie. Since Charade is in the public domain, no royalties would be required for a film that chooses to do this. In fact, when I bought the DVD I had no idea if I would like the remake, but it was worth the risk to replace my Charade VHS with a DVD.
12:00pm Harold Lloyd: “Never Weaken” ~ Copyright Expired
Harold Lloyd, Mildred Davis ~ running time: 29 minutes
Silent screen film maker and movie star Harold Lloyd co-starring with his leading lady (and later wife) Mildred Davis in Never Weaken. This was the last short film he ever made – all his subsequent films were feature films.
Harold Lloyd continued making films even when they started talking, and he retained copyright to his work. Lloyd’s films enjoyed only very limited re-release due to his stringent demands: he insisted his silent movies had to be accompanied by organ, not piano; he demanded $300,000 for 2 showings of his films on television. This had the effect of pulling his work out of the public eye, with the result his work is largely forgotten today.
Copyright on American films released prior to 1923 has expired, which is why all his early works are in the Public Domain. Lloyd was careful to keep all his work under copyright, so his subsequent work is protected by copyright for 95 years due to the Sonny Bono copyright extension.
12:30pm “His Girl Friday” ~ Cary Grant/Rosalind Russell (92 min) Copyright Expired
Cary Grant, Rosalind Russell ~ running time: 92 min
His Girl Friday is a derivative work; this is one of many remakes of the successful stage play, “The Front Page.” The original story was about two men; this version made Hildie and Walter an ex-wife and husband. Although it failed to be a huge hit, apparently because audiences thought Cary Grant too much of a lightweight for the part, for me this is the version I like best.
As a result, the studio couldn’t be bothered to renew its copyright. I think at least part of His Girl Friday’s later success on television, video and now DVD formats may well be due to its Public Domain status. Judging by images on the Internet, it has also enjoyed no small success as a live theatre production. In many ways, this version resonates better with modern audiences.
2:00pm The Fleischer Animated “Superman” ~ Copyright Expired
Fleischer Studios animated Superman short ~ running time: 11 minutes
To my mind, the best film animation of the early part of the 20th Century was produced by the Fleischer Studios Inc., who were also responsible for technical innovations like the rotoscope and sync sound animation. Although Betty Boop and Popeye are their most famous creations, Brothers Max (producer) and Dave (director) Fleischer produced 9 Superman shorts in 1941 and 1942. Unfortunately there was a huge personal falling out between the brothers (ostensibly begun over Dave’s adulterous affair with a secretary) which resulted in their distributor Paramount taking over their business. With Dave Fleischer out of the picture, the remaining Superman films in the series were directed by Dan Gordon, I. Sparber and Max Fleischer’s son-in-law Seymour Kneitel and produced by the re-branded Famous Studios.
2:15pm Sintel ~ Creative Commons Attribution 3.0
The Durian Open Movie Project ~ running time: 14 min
Blender began as proprietary 3D animation software, but a few years ago the corporation that developed it decided to free the software, and they haven’t looked back since. Sintel is the third Blender film made to demonstrate the capabilities of the software. This one is my personal favorite, both because it’s gorgeous and because I like dragons. Since the Blender software has benefited from emancipation, it is hardly surprising to find these films were released with a Free Culture license (Creative Commons Attribution 3.0) right from the start.
2:30pm “Sita Sings The Blues” ~ emancipated by Nina Paley
Nina Paley‘s classical animation feature film ~ running time: 82 min
Nina Paley’s original vision for Sita Sings The Blues included the public domain recordings by Annette Hanshaw to form the musical score. As it turned out, big media driven “copyright reforms” retroactively extended the copyright term for the sync rights (the particular rights necessary when using recorded music in a film). The long and the short of it is that Nina Paley had to pay gigantic sums to acquire these rights to release her film.
“Having paid these extortionate fees, I could have gone with conventional distribution, and was invited to. I chose to free the film because I could see that would be most beneficial to me, my film, and culture at large. A CC-SA license does not absolve a creator of compliance with copyright law. The law could have sent me to prison for non-commercial copyright infringement. I was forced to borrow $70,000 to decriminalize my film, regardless of how I chose to release it.”
~ Nina Paley, “Correction”
As Nina continued to question copyright, she decided to take it to the next level, and so she has since released this wonderful film into the Public Domain.
3:50pm Superman:“The Billion Dollar Limited” ~ Copyright Expired
Why we need Free Culture (in case you didn’t know…)
In the beginning human beings lived in a Free Culture world. If a writer published a play, or an author a novel, this new creative work left his private domain (his mind, home or working space) and entered the Public Domain. Anyone who saw the play performed was free to be inspired to remake it as a new creative work, or to mount their own production of it as is. Anyone who read a book could quote from it or copy it and even sell their own copies if they wanted to.
The grandmother of copyright law was the “Statute of Anne” enacted by Queen Anne in 1710. In spite of the name, “copyright” is a state imposed monopoly, not a “right.” In exchange for limiting the public’s right to copy, learn and share our culture, the copyright monopoly was supposed to encourage good creators to create works to benefit our culture. And maybe it worked that way once. Although originally limited to books, the scope of copyright has spread like cancer to nearly every form of human creativity, and the “limited” terms are so long most of my own culture will be “protected” until long after I am dead. And creators still can’t make a living from their work.
Today’s technology makes it possible for anyone to create their own digital work. Every cell phone is a camera, every school child has access to computers; that’s all you need to make movies. But the minefield of potential copyright infringement and criminalization is enormous. Copyright law is a tangled mess of law written differently in every country, and it can be used against anyone who uses any digital device. We must understand copyright basics for our own protection. Because today copyright law is used to “protect” our own culture from us.
Anything we are free to use as we like is all that remains of Free Culture; everything else is a legal risk. In today’s copyright mad world, creative works that have been Licensed To Share and works in the Public Domain are two sources of Free Culture that we can use legally.
UPDATE: I’ve provided links to all the Free Culture films I presented in LibreTea and Free Culture
Like most people, I’ve spent most of my life not actually thinking about copyright law. I bought into the idea that copyright “protects” creative works and encourages creativity. At least I did until I started actually thinking about copyright law when I sat down to write my submission to the Canadian Government’s Copyright Consultation. That was when I first began to question copyright. Over the years since, I have found less to like and more to dislike about copyright law.
A large part of the problem is that governments take advice and direction from copyright “experts” who represent the special interests that would benefit from perpetual copyright. So the industry that will benefit from increased copyright has been invited to the table, but for the most part no one is asking, let alone listening to, the public. Every expansion of the copyright monopoly comes at the expense of the public interest by eroding the public domain. Cultural works used to come into the Public Domain within our lifetimes, but that is no longer the case. When copyright terms extend for as many as a hundred years after the death of the creator, our own culture is increasingly outside our grasp.
Because the public domain should be protected, and free culture should be shared, I very much support the work done by the good people involved in the OpenGLAM initiative (run by the Open Knowledge Foundation) that promotes free and open access to digital cultural heritage held by Galleries, Libraries, Archives and Museums. These institutions exist to promote art, culture, history and heritage, so it’s a big problem if copyright law prevents them from achieving their mission. In many respects, because these cultural institutions exist to serve the public, they are increasingly standing up for the public interest.
The recent trend of copyright maximalists has been to take copyright discussions away from lawmakers and out of the public view, instead cloaking international copyright negotiations in secret trade agreements. One of the stunning things about the secret ACTA negotiations was the exclusion of elected government representatives from even knowing the terms of the treaties being discussed. Once such treaties are signed, naturally lawmakers are pressured to rewrite domestic law to accommodate the treaty.
The International Federation of Library Associations and Institutions (IFLA) has been working to make sure the needs of Libraries are taken into consideration at WIPO. Unfortunately the EU seems more interested in supporting corporate special interests than the public interest.
“The EU made no attempt to address the wide range of problems, particularly relating to non-commercial cross-border activities, identified by library and archive NGOs. It seems to value only internal commercial interests, ignoring and its own interests in culture and research.”
— Mr. Tim Padfield, speaking on behalf of the International Council on Archives (ICA)
As Mr. Padfield suggests, the human rights and cultural needs of the world should be addressed and protected, not cast aside to support commercial special interests.
The following is a press release issued by the International Federation of Library Associations and Institutions (IFLA):
EU REJECTS INTERNATIONAL SOLUTION TO LIBRARY AND ARCHIVE COPYRIGHT PROBLEMS;
CAUSES COLLAPSE OF WIPO MEETING
Tuesday 6 May 2014
Discussions by the World Intellectual Property Organisation (WIPO) Standing Committee on Copyright & Related Rights (SCCR) broke down in the early hours of Saturday morning 3 May, after the European Union (EU) attempted to block future discussion of copyright laws to aid libraries and archives fulfill their missions in the digital environment.
Library and archive delegations from Europe, Latin America, Australia, the United States, Canada and the UK attended the 27th meeting of the SCCR from 28 April – 2 May 2014, to push for an international treaty to help libraries and archives preserve cultural heritage and facilitate access to essential information by people wherever they are in the world.
The meeting ended in disarray at 1:30am on Saturday morning, after the EU tried to have crucial references to “text-based” work on copyright exceptions removed from the meeting conclusions – a move viewed by other Member States and library and archive NGOs present as an attempt to delay, if not derail, any progress on copyright exceptions at WIPO.
Dr. Stuart Hamilton, Deputy Secretary General of the International Federation of Library Associations & Institutions (IFLA) commented:
“For the past three years, Member States have been looking at draft texts on copyright exceptions for libraries and archives. The EU is now trying to pretend these don’t exist. We’re frustrated, and deeply disappointed. It appears the EU came to WIPO with one goal in mind: to kill the discussion.”
The EU’s attempt to sideline discussion of copyright exceptions at WIPO is particularly concerning in light of the ongoing review of copyright laws at the EU level.
Dr Paul Ayris, President of LIBER, the Association of European Research Libraries, expressed his disappointment:
“The position taken by the EU delegation in Geneva contrasts strongly with current discussions at European level, where it has been recognised that copyright exceptions for libraries are essential, and must be harmonised in order to facilitate international research and innovation in the age of Science 2.0. The conservative position taken at SCCR 27 in Geneva this week is therefore deeply disappointing. It does not support research and education and hampers European researchers in their use of new tools and services.”
The SCCR has been discussing a possible legal instrument to safeguard copyright exceptions and limitations for libraries and archives since 2009. It is due to submit recommendations to the WIPO General Assembly in September 2014.
“We must act now, and engage at WIPO to make sure the EU and other developed countries know just how inadequate copyright laws are for libraries and archives in the digital, global world,” said Dr. Stuart Hamilton.
Manager, Digital Projects & Policy (IFLA)
“Libraries in developing and transition countries seek a level playing field to provide people with information needed for education, research and development. Talks at WIPO, where international copyright law is shaped, must urgently get back on track to advance the goal of equal access to knowledge for all.”
— Ms Teresa Hackett,
Electronic Information for Libraries IP Program
“In Europe we have introduced a mandatory copyright exception specifically to enable and promote cross-border online access to library and archive collections, and yet the EU delegation at the WIPO negotiations repeatedly denied the need for such solutions within an international context. For many, the EU’s position will smack of hypocrisy and economic self interest.”
— Professor Ronan Deazley,
Copyright Policy Adviser to Scottish Council on Archives
“We had just spent a productive week discussing several specific examples of legal inconsistencies and ambiguities that block archival preservation and service across borders. After all that valuable dialogue, it was heart-wrenching to see an elite sector at WIPO obstinately thwart efforts at a global solution to a global problem. It is also disappointing that the United States is not ready to assume a leadership role in working with the delegations of Brazil, Ecuador, India, Iran, Kenya, and others to craft a compromise. Nevertheless, those delegations showed that progress will not happen through unbalanced compromises, but by forthright adherence to a treaty that serves the world’s knowledge needs through the service of archives and libraries.”
— William Maher,
The Society of American Archivists (SAA)
“The EU’s hostility to any substantive discussions that might lead towards an international copyright treaty for the benefit of libraries and archives is reminiscent of its opposition to a treaty for the benefit of blind, visually impaired and print disabled people for most of the five years of talks that concluded in the Marrakesh Treaty 2013. Ironically, the EU signed the Marrakesh Treaty at the same WIPO meeting last week where it sought to wreck discussions concerning libraries and archives.”
— Ms Barbara Stratton,
representative of the Chartered Institute of Library and Information Professionals (CILIP)
With the exception of Nina Paley‘s copyright jail graphic (which she has deeded to the Public Domain) that I remixed into my book jail, all images in this article are my own, and as such are released with a Creative Commons Attribution 4.0 International License.
Although the WIPO Standing Committee on Copyright and Related Rights (SCCR) has a published Flickr photostream, I didn’t use any of them, since all of those images are Copyright All Rights Reserved, not licensed to share.
As an author of crime fiction, I’ve been trying to get to the City of Waterloo Museum to see their true crime exhibit “Arresting Images: Mug shots from The OPP Museum.”
The tiny museum gallery is housed in Conestoga Mall, with an entrance from the food court, as well as exterior entrance.
Admission is free, and the exhibits I’ve attended have been well worth it.
This exhibition includes 100 framed reproductions of mug shots selected from the OPP collection of people arrested in the late 19th and early 20th centuries, as well as selected blowups of what are essentially portrait photographs, taken by the same professional portrait photographers who photographed our law-abiding ancestors.
There is a post card circulated to identify a suspect, and mug shots not only from Ontario, but including suspects from cities in nearby New York.
The origins of the mug shot
The mug shot as we know it had its beginnings in the early days of photography. In 1841, just two years after the invention of the daguerreotype, the Paris Police began to include daguerreotype portraits in their criminal files. In England, the Bristol gaol staff adopted the practice of photographing prisoners in 1848. American and Canadian police and detective agencies were quick to follow suit. The mug shot was born.
In order to display both the front (photograph) and back (arresting information) of the images, faithful reproductions of both sides of 100 mug shot cards have been framed for the exhibit.
The exhibit also includes physical memorabilia, so visitors can see early handcuff styles, a section devoted to Waterloo policing, as well as an interactive area where children of all ages can experiment with disguises, find out how big a jail cell was, or take their own mug shot.
My favorite part was the informative display covering early photographic methods. I was surprised to see just how small actual daguerreotypes were.
Since visiting the exhibit, I have a couple of questions, so I might just pop in again before the exhibit closes, on Friday (May 9, 2014).
If you have any passwords on the Internet, whether for email, social media, or buying and selling, you must change them now to protect yourself.
[reblogged from techDITZ]
My favourite spring flowers are called “bleeding hearts,” but this spring the online world is reeling with the discovery of something completely different — an Internet problem that’s been named “Heartbleed.”
This is not a computer virus, it is a mistake someone made in the SSL software code. When such a mistake is made in a novel it would be called a typo, but on the Internet, Heartbleed is a serious security flaw.
For years watchdog organizations like the EFF (Electronic Frontier Foundation) have been advocating the adoption of an Internet security feature called SSL/TLS encryption.
Secure Sockets Layer (SSL), more properly called Transport Layer Security (TLS), has become the default approach for protecting sensitive data flowing over the Internet. SSL uses encryption to provide data confidentiality for connections between users and websites and the web-based services they provide. The vast majority of sensitive web traffic, such as user login screens, e-commerce checkout pages, and online banking, is encrypted using SSL.
Over time more and more websites have adopted this security measure as a way to make the Internet a safer place for you and me. That’s why something like three quarters of the Internet uses SSL/TLS encryption today. This is a good thing.
What is Heartbleed?
The security vulnerability known as Heartbleed is a programming error in the SSL code, and it’s a bad thing because it has made every site that uses SSL vulnerable. Although we are only hearing about it now, it has existed since 2011 or 2012.
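To make “a programming error in the SSL code” concrete, here is an added C example written for this post (it is not OpenSSL’s code, and the function names and sample records are constructed). It models the TLS heartbeat message that Heartbleed lives in, following the RFC 6520 layout: a sender states how many payload bytes it is sending, and the server echoes that many bytes back. The error was that the server trusted the stated number without comparing it to the size of the record it actually received; the checked version below is the shape of the fix.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed model of a TLS heartbeat message body (RFC 6520):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1-2  : declared payload length, big-endian
 *   then       : payload, followed by at least 16 bytes of padding
 * Illustrative code written for this article, not OpenSSL's own.
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER_LEN = 3, HB_PADDING_LEN = 16 };

/* Hardened: returns the payload length only if the declared length fits
 * inside the bytes actually received; -1 if the record is malformed. */
int hb_payload_len_checked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;  /* no room for header + padding */
    if (rec[0] != HB_REQUEST) return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The Heartbleed fix in one line: the sender's claim must fit the record. */
    if (HB_HEADER_LEN + declared + HB_PADDING_LEN > rec_len) return -1;
    return (int)declared;
}

/* The defect, kept only for comparison: the received length is never
 * consulted, so a sender can claim far more payload than it sent. */
int hb_payload_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len;  /* ignored: that is the bug */
    return (int)(((size_t)rec[1] << 8) | rec[2]);
}

/* Build the echo response using the checked length. Returns the number of
 * bytes written to out, or -1 if the request was rejected or out is too small. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    int n = hb_payload_len_checked(rec, rec_len);
    if (n < 0) return -1;
    if ((size_t)n + HB_HEADER_LEN + HB_PADDING_LEN > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)n);
    memset(out + HB_HEADER_LEN + n, 0, HB_PADDING_LEN);  /* real code uses random padding */
    return n + HB_HEADER_LEN + HB_PADDING_LEN;
}

/* Constructed sample records (24 bytes each: 3 header + 5 payload + 16 padding). */
/* Honest: declares 5 bytes and carries exactly "hello". */
static const uint8_t HONEST[3 + 5 + 16] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Lying: declares 65535 bytes but carries the same 5-byte payload. */
static const uint8_t LYING[3 + 5 + 16]  = { 1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };

int main(void) {
    uint8_t out[64];
    printf("honest record: checked=%d unchecked=%d\n",
           hb_payload_len_checked(HONEST, sizeof HONEST),
           hb_payload_len_unchecked(HONEST, sizeof HONEST));
    printf("lying record:  checked=%d unchecked=%d\n",
           hb_payload_len_checked(LYING, sizeof LYING),
           hb_payload_len_unchecked(LYING, sizeof LYING));
    printf("response to lying record: %d (rejected)\n",
           hb_build_response(LYING, sizeof LYING, out, sizeof out));
    return 0;
}
```

On the honest record both functions agree on 5 bytes. On the lying record the unchecked version happily reports 65535 bytes to echo, which is how a server could be made to send back memory it never meant to; the checked version rejects the record outright, and no response is built.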
I first heard about it on Wednesday, April 9th, 2014. Today (April 11th) the Toronto Star reports the Government of Canada is disabling federal government public websites — at taxtime — in a move to protect users. I don’t understand why they didn’t do this the moment the Heartbleed story broke.
This vulnerability went undetected for something like five months (and apparently NSA knew, but didn’t bother to mention it to its Five Eyes allies, like, say, The Government of Canada, because NSA was too busy exploiting the vulnerability for its own purposes.)
Heartbleed vs Websites
A real world comparison might be that using SSL is like having double-lock deadbolts on the door, and “Heartbleed” is what happens when you forget to lock the back door. Ordinary people can’t fix the Heartbleed problem. It can only be repaired (or patched) by the people running SSL websites & servers.
The Internet giants (Facebook, Twitter, Google etc.) were warned first, so they fixed the problem before the vulnerability was announced publicly. Most of them are trying to allay the fears the media has been whipping up about this all week.
But the Internet is also crowded with many smaller sites that smaller organizations and even ordinary people host themselves. The EFF has kindly explained how our SysAdmins can effect the Heartbleed fix:
Correcting the code is not an immediate fix, because each SSL secure website also must have its Security Certificate updated, which will take time with so many websites doing this.
Heartbleed vs People
For you and me, the biggest problem is that our passwords may be compromised.
This is such a big glitch, most of us won’t be attacked today. Our passwords probably won’t be used to crack our accounts right now because so much of the web is affected.
But we can no longer trust that our passwords are secure.
The Apartment Analogy
If the superintendent of an apartment building replaces flimsy locks on the doors of all the rental units with good strong deadbolts, it makes it harder for bad guys to break in.
If someone secretly copies the master key, they can break into apartments.
When clever crooks use the duplicate master key to break into apartments, they are very careful in what they steal. So long as the thefts aren’t noticed, the thieves can keep coming back for more.
No one can tell there is a problem until something is discovered to be missing.
The only defense that the tenants have is to change the locks on the door.
If a website or email platform adopts SSL/TLS security, the website security becomes much more powerful, because it adds encryption which prevents most security breaches.
A bad guy exploits Heartbleed by using it to download passwords etc.
When Internet criminals exploit the Heartbleed error, their intrusion is invisible. There is no way to see how much security information has been downloaded, or whose security has been breached.
No one can actually tell who or what is at risk until there is an actual attack.
The only defense that the users have is to change the passwords on their data.
Like the NSA, black hat hackers (or crackers) may have already filled databases with passwords they’ve found through the Heartbleed flaw. Even if the System Administrator has fixed the Heartbleed problem for their website, it doesn’t change the fact that any bad guy who cracked the website before the fix still has your password. Or passwords.
If three quarters of the people in Toronto left their doors unlocked, only some of those homes would be broken into right away. Because so much of the Internet has been at risk, they might not get you today, but they might tomorrow, or next week.
HTTPS WEBSITES ARE VULNERABLE
You can tell a website uses SSL by looking at the URL (or the website address). SSL website URLs don’t start with http:// (like this one). SSL URLs all begin with https://. You used to be able to tell with a glance at your browser bar, but today’s fashion is to hide this part of the URL in the browser bar. Some browsers show you are at an SSL site with a padlock symbol, others display SSL URLs in different coloured text, but if you aren’t sure, you should be able to see which it is by cutting and pasting the URL into whatever text editor you use.
Not all HTTPS websites were vulnerable to Heartbleed because there are different versions and configurations, but there is no easy way for you and me to tell which SSL sites were vulnerable.
As well as SSL websites, any secure service where you use passwords (email, instant messengers or IRC services) may have been compromised.
Nobody Knows For Sure
Google, Amazon, Facebook and Paypal claim their customers are not at risk because they have fixed any Heartbleed problems they had.
But because the Heartbleed vulnerability is invisible, until someone actually breaks into our accounts, we can’t even tell if they have been compromised. Even if the Internet giants have fixed their problems, the only way we users can be sure we are safe is by changing our passwords.
Someone has put together a Heartbleed Test so we can discover which SSL sites we use are vulnerable or fixed. Once we know the website is no longer vulnerable to Heartbleed, we can only be sure of our security after our password is changed.
Tumblr just told me to change my password, which means Tumblr has fixed their Heartbleed problem, and wants to be sure its users’ accounts are secure. Bravo.
I am in the process of typing the URLs of sites where I have passwords (Facebook, Twitter etc.) into the Heartbleed Test to find out whether they are secure before I change my passwords.
Heartbleed isn’t a threat to websites like Pinterest (http://www.pinterest.com/), techDITZ (http://techditz.russwurm.org/blogs/) or deviantART (http://www.deviantart.com/) that have not yet made the transition to HTTPS.
Good Password Practices
- Never use the same password more than once.
- Never use passwords like “Password” or “1234”.
- Never use your mother’s maiden name, the name of a loved one, or a birthday… especially these days when all of our personal data is being harvested by corporations and governments alike. If your parent, partner, child, co-worker, next door neighbor or best friend can guess your password, it isn’t secure.
I have plenty of passwords, so I keep them filed in a safe place on my desktop computer. But I learned the importance of having a backup copy somewhere else this past summer when I had a major disk failure and I lost something like a terabyte of data — mostly photos — and my password list!
The only time you have to change your password is when:
- it has been breached (or when there is a good probability it has been breached),
- the website owner tells you you must, or
- you’ve foolishly shared your password with someone you shouldn’t have.
- Use a different password on every site or application for which you need a password. That way if one site is compromised it doesn’t affect every other site. Of course, Heartbleed affects every [https] site, so that’s not always true.
- Make it long. Long passwords are good passwords. 20 characters is good. 16 is probably adequate. 10 is marginal.
- Choose a phrase that is easy to remember, but difficult to guess. As an example, something like “Itookthebustoworkthismorning” — it’s sufficiently long, easy to type, easy to remember.
- Don’t bother with $p3c14l characters or numbers; the bad guys have software that makes those substitutions too. Special characters make the password difficult to type and difficult to remember. If you need to type slowly because of special characters then it’s easy for a bad guy to shoulder-surf and see what you’re typing. According to KeepassX the passphrase “Itookthebustoworkthismorning” has 28 characters for 224 bits of entropy; on the other hand, passwords with 28 random characters with upper-case, lower-case, numbers and special characters (created by KeepassX’s password generator) have only 182 bits of entropy.
- If the site does not offer a password reset option then write down your password, and keep it where you keep your money. If the passphrase is protecting $10 worth of data then keep it in your wallet; if the passphrase is protecting $10,000 worth of data then keep it in a safe. Don’t forget to write down the site or application name, the user ID, and any other credentials you need.
— Bob Jonkman, [kwlug-disc] Heartbleed affected sites
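As an added example (not from the mailing-list post above or from this blog), here is how entropy figures of the kind quoted are computed: a per-character estimate that gives 28 × 8 = 224 bits, the uniform-random estimate for a generated password, and a per-word estimate for a phrase built from common words. The word list, the assumed 10,000-word dictionary size and the 91-symbol character set are constructed assumptions, not KeePassX figures.

```python
import math
from typing import Optional

# Constructed stand-in for a common-word list, just big enough to split the
# example passphrase. The dictionary size used for the estimate is passed in
# separately, because what matters is how many words an attacker's list holds.
COMMON_WORDS = {"i", "took", "the", "bus", "to", "work", "this", "morning"}


def per_char_bits(passphrase: str, bits_per_char: float = 8.0) -> float:
    """Per-character estimate: every character counted as a full byte of
    randomness, so a 28-character phrase scores 28 * 8 = 224 bits."""
    return len(passphrase) * bits_per_char


def random_charset_bits(length: int, charset_size: int) -> float:
    """Entropy of `length` characters each drawn uniformly from a set of
    `charset_size` symbols, e.g. a generated mixed-case/digit/symbol password."""
    return length * math.log2(charset_size)


def segment_words(passphrase: str, words=COMMON_WORDS) -> Optional[list]:
    """Split a run-together phrase into dictionary words (fewest words wins).
    Returns None when the phrase cannot be built from known words."""
    text = passphrase.lower()
    best = [None] * (len(text) + 1)  # best[i] = shortest split of text[:i]
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def per_word_bits(passphrase: str, dictionary_size: int,
                  words=COMMON_WORDS) -> Optional[float]:
    """Per-word estimate: a phrase of N common words is one choice out of
    dictionary_size ** N possibilities, i.e. N * log2(dictionary_size) bits."""
    split = segment_words(passphrase, words)
    if split is None:
        return None
    return len(split) * math.log2(dictionary_size)


if __name__ == "__main__":
    phrase = "Itookthebustoworkthismorning"
    print(f"per-character: {per_char_bits(phrase):.0f} bits")
    print(f"per-word (assumed 10,000-word list): {per_word_bits(phrase, 10_000):.0f} bits")
    print(f"28 random chars from 91 symbols: {random_charset_bits(28, 91):.0f} bits")
```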
Although Heartbleed is a problem, it is being resolved all over the Internet… all over the world… as you read this.
And SSL encryption is still a good idea, just as house keys are, because personal security is important.
And privacy matters.
XKCD “Heartbleed” by Randall Munroe is released under a Creative Commons Attribution-NonCommercial 2.5 License.