Since last night I noticed that The Pirate Bay's website appeared down. I checked in this morning, checked via multiple locations (from different countries) and same result. I asked a few friends to help figure this one out because this is not a DNS issue and it seemed to be more than just a server down.

The results is that the Pirate Bay's netblock is no longer advertised, this means there is no known route to 194.71.107.0/24.

MBS (the friend who figured it out) showed me this tool I could use to see for myself:

I found a list of Public Route Servers to query, those I tested say the same.

It appears that The Pirate Bay has been getting DDOSed since last night, however they have only mentioned it recently on their facebook page, and I read that after having investigated this... So is the solution to the DDOS to disappear from the Internet ? Is this a reaction from Anonymous beause of this ?

Friendica is a truly decentralised social network, it has been around for a few years now already. Back in the day it was called Mistpark and already then it was more than just a proof of concept.

Today Friendica 3.0 is released and it is now ready for even more users than ever. Friendica is easy to install, it's Php and Mysql based, so it can even run on a shared hosting platform. There are many plugins and some of those plugins are connectors that can allow you to connect to legacy social networks suck as Facebook and Twitter, but also StatusNet and Diaspora.

Friendica is exactly what many of us have wanted, and these guys, mostly Mike have worked hard and have delivered harder. The project deserves that you try it out. So go install it, or try out a test account on a test server to see what it's like... If you really don't know have a clue about installing "websites" or anything, register an account with a public server.

Finally, France got rid of it's highness Sarkozy. It's good to see the French did not re-elect a president who's campaign was funded by Gaddafi.

Photo by moiles - Andreas Milles

I just read this rant on Google by Whil, it's a bit true but something itches me.

What happened is that Whil surfed the Internet while not logged into his Gaccount and realised that normal people cannot "like" or vote on videos posted to Youtube without upgrading their accounts to G+. What an outrage ! He seemed really outraged.

Whil, I have news for you, but you should sit down before reading this: Some people don't even have any kind of Google account to begin with, they can see the thumbs up and down icons, but they can't action them... Imagine all the upvotes you are potentially losing on your show ! Because from what I got, it's mostly about how your show might lose ratings because your core audience are tech-savvy and may not want to "upgrade".. right ?

Then the interesting part, Whil's website, powered by Typekitpad or whatever, doesn't allow regular humans to post comments without signing up via Facebook or Twitter or at least an OpenID. Some brave person made a comment though: On a slightly related note, Typepad forced me to register or to use my Facebook login if I wanted to "Favorite" this post. Whil's reply is: If I don't require some kind of sign up for blog comments, I am overrun by spammers and anonymous asshat trolls. That is probably why Google is now forcing people to upgrade to G+ accounts, because of "asshat trolls". The reality is that Whil, just like Google are both part of the same problem, they both require users to go sign up somewhere in order to take part of the the interaction they offer.

Tomorrow, May 4th 2012, will be Day Against DRM. Take a moment to reflect on the devices you perhaps use that may infringe on your digital Freedoms.

The short version is, many digital devices and software are designed to restrict the usage you can make of them. In some cases it is the device itself, in other cases it is the files you may purchase. For example, some e-books or films (movies) are sold in a way that do not allow you to use them in certain ways. There is even the incredible example of Amazon remotely deactivating the book 1984 from their Swindles (or Kindles ?).

Another interesting anecdote is South Korea's ministry of defense, they have decided to ban usage of Apple's Iphone because it is so restrictive that they cannot even guarantee the device is not recording them and sending data over wifi. The device is not under their control.

Visit the Day Against DRM website to learn more. See what you can do tomorrow, and after tomorrow.

The other day a good friend of mine suggested I implement Gravatar on my website, so I started checking how it works and found it was incredibly easy. All I'd have to do use put an img element with a link to an md5 hash of the commenter's email. Like this: <img src="http://www.gravatar.com/avatar/205e460b479e2e5b48aec07710c08d50" />

MD5's can be Sensitive Information

There are 2 issues with this:

• Without figuring out the email, you can still find other user's posts on other sites. Indeed, all you need is to search for the MD5 hash. Perhaps the Gravatar user is okay with this maybe not in every case (more later).
• If you are the administrator of a large user database, you can search for MD5 hashes and easily find out what your user database has been posting.

Other Issues

• Non Gravatar user's can be tracked on the web too

  Even if you are not a Gravatar user, many websites will submit your email's MD5 hash to Gravatar and show that hash to the visitor. This means that even non-Gravatar users are now Gravatar users. There is nothing stopping Gravatar from storing this and nothing stopping people you know from finding your posts. Yes, anyone you know can go insane (like many employers who demand your social media credentials) and search the web for your email's md5 hash.

• Gravatar can haz your blog statistics

  Every time someone visits a Gravatar enabled website, Gravatar gets some of the website's user statistics: visitor's IP, browser/OS and the page visited.

• Gravatar Knows Where You Have Been

  Of course, because of the above, Gravatar can know about all the posts made by their users on Gravatar enabled sites. Maybe they don't gather that info, but technically it's totally possible.

• Websites that use Gravatar deliver content from third party sources

  This can be a problem when your website uses HTTPS, using Gravatar means some of your content is no longer encrypted, unless you use Gravatar's https version. But using Gravatars HTTPS version means asking your visitors to trust their SSL certificate, which is issued by GoDaddy !

  I know it is a very common practice to have many bits of websites hosted behind many different URLs, but it's always good to limit that where possible. For example, embedding a Youtube video is understandable as it is actual content and generally users can see where this comes from. Pulling avatars, icons and such from all over the web isn't so cool.

  It also means losing control over what parts of your site are actually getting delivered to your visitors and how they are getting delivered. You cannot know if your visitor's connection to Gravatar is broken or altered.

  On a non-privacy insane perspective there could be performance issues, don't forget visitors now have yet another domain name to resolve. Reducing the amount of DNS queries can help what they call "the user experience".

How can we Fix This ?

• Give your commenter the choice of using Gravatar's service

  Instead of just hashing everyone's email "de force", why not let the commenter chose to have their email hash posted on the Internet first ? Perhaps even a Gravatar user may want to make a comment without linking it to their Gravatar profile ?

  I'll stress this a tiny bit more just because so many sites use Gravatar but don't even inform their users in the slightest way. If you would want to use Gravatar for every comment, why not, but you should at least inform your users.

• Not show the email's MD5 hash in the first place

  Why not just make the request to the Gravatar avatar from the website and then deliver that to the visitors ?

  The technical howto in a nutshell is to replace the Gravatar image link with a script and pass a get variable to it, like the comment id. The script then figures out the md5 hash (if the user agreed), requests an image from Gravatar and shows that to the visitor.

  This also helps reduce the amount of DNS queries your visitors will make, instead your website/webserver will do all the work. And your webserver should probably have better bandwidth than your average visitor.

I think this probably extends to many more services than just Gravatar. And Gravatar are probably nice people with pure intentions... . It's not the end of the world, but it would be nice if webmasters put more thought into this sort of thing. The Interweb is still an experimental place, we should still be actively thinking about how we build it not just lazily and passively do things the way they've always been done.

Gravatar Enabled

Starting today, on this website, if you post a comment you can chose to have your email's md5 submitted to Gravatar to see if you have an avatar there I can use. Your email's MD5 hash will not be visible to other users.

This is what the img element that displays the G/avatars looks like on this website:

<img src="/blah/modules/gravatar/gravatar_img.php?id=1" />

You may have already heard about CISPA (or CISPA or CISPA at !wiki), if not the simple version is: It's another law/bill/treaty/crap designed to waste everyone's time.

The slightly longer version is that it is a bill designed to allow companies to share data with other companies or governments with less hassle, like the hassle of asking or even informing the person who's data is shared. The full title says it nicely: To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

One interesting thing has popped up in the news, it's that Facebook supports CISPA. Here are some other letters from some brave companies who support CISPA. In Facebook's case I can totally understand their view, their whole business is based on user's data. How could they not support this ?

Now the expected thing to do, if you are interested in privacy and that sort of thing, is to spend hours reading boring legislative crap until your brain starts pouring out of your ears. However, I really don't care this time. This might sound selfish or just lame, but I don't feel very affected by this. I don't have personal data on third party services (or ones I can't trust).

The real reason I don't care is not because I feel covered, it's because many of those that aren't covered do not care. Seriously, so many people believe that the practicality of having an email provider that let's you "star and tag" emails and the convenience of keeping up with friends just by clicking on their name outweighs any reason for concern, since years.

So if you use such services, and again disagree with this sort of legislation then it's your problem to solve now.. You can delete your account(s), write to them or just hope it will go away magically.

Many ISPs or other Internet services in these current days will often voluntarily co-operate with the authorities without requiring warrants and such. Some will be even working directly with the MPAA/RIAA. However there are some people out there, like Nick Merrill who are are totally not like that.

Today he is raising money to start a non-profit ISP and mobile phone service that will be designed to resist surveillance, with things like encryption, minimal logging and mostly by challenging requests by the authorities that are abusive and/or illegal and/or unconstitutional.

So if you do live in the U.S.A. and more precisely NY for now, you could be very interested in checking out Calyx Institute and perhaps donating via Indiegogo or via their Paypal form.

Also, check out the people on the advisory board.

The UK would like to implement a new system (originally brought up by the Labour party) that would oblige Internet access providers to monitor all electronic communications. The ISPs would have to store logs of all communications, though they say the actual content of emails wouldn't be recorded without a warrant.

They will most likely forge email providers certificates in order to intercept encrypted traffic, because most browser by default trust just about any certificate emitted by a "company" most users wont even notice.

If you are a UK citizen you can sign this petition. You can also check out ORG who follow these issues very closely (the only thing they do wrong is that they use bitly links!).

This came out yesterday, yet it's not an April fools joke..

Read more:

• Phone and email records to be stored in new spy plan - telegraph.co.uk
• Backlash over email and web monitoring plan - bbc.co.uk
• Stop the government snooping on every email and Facebook message - action.openrightsgroup.org
• Scrap Plans to Monitor all Emails and Web Usage - epetitions.direct.gov.uk

Ubuntu requires visitors to create an account and log in to view certain threads. I've read this thread (not blocked yet) and now I understand their reasoning: Anything they may have archived is to be considered old and should no longer be readable unless you have a ubuntuforums account.... . Whatever, basically they are trying to protect visitors from accessing archived and potentially outdated information.

The other thing I dislike is their use of vBulletin, it just goes to show how much they really don't care much about Free Software.

Is Ubuntu the new Apple ?

Today I read this rant about how the Linux desktop is not free enough. I almost stopped at the first sentence but still read on. I have to comment on a few things, but of course I don't have a google+ account, it's not free enough.

Desktop Linux Owns Too Many Apps

Ingo Molnar says: Desktop Linux distributions are trying to "own" 20 thousand application packages consisting of over a billion lines of code and have created parallel, mostly closed ecosystems around them. Not really, distributions maintain packages and you are always free to join discussions with most package maintainers/distributions, it's often easier than you think (mailing, IRC, etc) and mostly doesn't require creating an account with google. If your distribution isn't open enough, change. The typical update latency for an app is weeks for security fixes (sometimes months) and months (sometimes years) for major features. They are centrally planned, hierarchical organizations instead of distributed, democratic free societies. It's like that when you depend on your distribution to kindly package everything for you and make your life so much easier and virtually headacheless, however there is nothing stopping you from getting the sources and compiling the latest version yourself.

You seem to not understand that the democracy part is within the distribution, the devs and maintainers (etc) are the demographics that get to vote and decide when and how to implement updates/upgrades and such to their distribution. The passive consumer gets to use the whole thing for free with no questions asked. The passive consumer can also switch to any other distribution, or even create their own distribution, etc. I'm not sure what your vision of a free society is.

The Future is App Stores

No way I would think that, but I then read: What did the (mostly closed source) competition do? It went into the exact opposite direction: Apple/iOS and Google/Android consist of around a hundred tightly integrated core packages only, managed as a single well-focused project. Now I see what Ingo Molnar means by "free society", a free market. ...most new packages are added with a few days of latency (at most a few weeks), app updates are pushed with hours of latency (at most a few days) - basically it goes as fast as the application project wishes to push it. This is exactly why some people are happy to have their once a year updates. My requirement is that the software I use today isn't changed, updated, edited or removed potentially every few hours. If I do need the latest for a specific program, I get the source and compile or even get the easy to use binaries (like for Icecat/Firefox...). And if I always need everything to be bleeding edge there's a distro for that.

On a side note, I am going to guess that there could be less malicious code in among a quality distribution's packages than in an Iphone or Android App store. (Random search result: 30+ New Malicious Apps Spotted In The Android Market).

And so

I'll finish with this last bit: Desktop Linux users are, naturally, voting with their feet: they prefer an open marketplace over (from their perspective) micro-managed, closed and low quality Linux desktop distributions. This would be true if most Linux distributions were closed and low quality, actually I can't speak for most but I can speak for Debian as I've been using that for my workstations since 2002. I can say that it has always worked, updates are fast enough for me and the quality is so high I get dizzy thinking about it.

I've heard many good things about other distributions as well, they each have their ways of doing things which seems to correspond to many different people's needs and such. This sounds more like "free society" to me, the possibility to maintain an entire operating system and all the programs you want however you want.

I don't ever want my desktop or system to be managed or controlled by an "app store". I'm not against paying someone for their code, but I am against giving up the control of my system to every developer whose program I've installed. Mostly I totally respect the work provided by my distribution in keeping everything clean, coherent, maintainable and secure.

Yes, I know.. . . .WTF is Firefox doing here, it's a browser not a resolver. If anyone from Firefox reads this, WHY ?? Let people who want this useless function enable it themselves and not the other way around.

Now to disable it, very simple is the procedure, and very very intuitive.. .aheum:

• Open a new tab and go to about:config
• Search for network.dnsCacheExpiration
• If you don't have it, add it (right click "new Integer)
• Set value to 0

Oh, and don't mess it up because if you create the wrong key or make a boolean rather than a string you can't delete the key or modify its properties, only the value.