strugee.net

Posts from November 2016

Friendly reminder: protect yourself while protesting

In light of the recent protests against Donald Trump's nomination, I wanted to write up some tips for people going out and protesting on how to protect themselves from retribution, both physical and legal. These guidelines are especially critical given the almost unfettered power the federal government and (through the federal government) local governments have to surveil citizens exercising their constitutional right to free assembly.

This is not a laughing matter: recall that President-elect Trump has repeatedly called for greater surveillance of mosques, indicating that he will have no problem expanding and abusing the power of the federal government's mass surveillance network. In this Guardian article, Thomas Drake (an NSA whistleblower predating Snowden) says it far better than I could:

The electronic infrastructure is fully in place – and ex post facto legalised by Congress and executive orders – and ripe for further abuse under an autocratic, power-obsessed president. History is just not kind here. Trump leans quite autocratic. The temptations to use secret NSA surveillance powers, some still not fully revealed, will present themselves to him as sirens.

So, here are some tips on how to protect yourself while engaging in a political protest:

General guidelines

  • Don't talk to police
  • If possible, leave your phone at home
    • If this isn't possible, leave your phone in Airplane Mode or even better, turn it off. It is not enough to not post anything; you cannot connect to the cell network at all. See IMSI catchers.
    • Use a passcode on your phone - this gives you a better position under the 5th Amendment for resisting a search of your phone
    • If police try to force you to give up the passcode of your phone, they are probably breaking the law
    • Disable fingerprint unlock, as police are legally allowed to force you to unlock the phone via your fingerprint (note: this link is insecure; consider visiting it in Tor Browser)
    • Disable face unlock (or any other form of biometric authentication) since the police may be able to force you to unlock the phone for the same reason they can do this with fingerprint unlock
    • Make sure full-disk encryption is enabled on your phone
      • iPhone users: this is already on if you're using iOS 8 or later
      • Android users: this is often enabled by default, but you should check by going to Settings > Security and looking under "Encryption"
      • Windows Phone users: not available. Leave your phone at home.
  • Do not bring laptops or tablets - the 5th Amendment protections above do not necessarily apply to these devices, so they can be seized and searched even without a warrant
  • Seriously do not talk to the police
  • Use strong encryption for everything you do online
  • Don't post anything on social media about the protest, including photos, checkins, and text, either during or after. (Remember: the protest lasts one night, but metadata lasts forever.)
  • Under the First Amendment you have the right to film police officers, but be extremely careful because some police departments are extremely hostile towards this behavior anyway, to the point of physical violence. See the ACLU's guide for more information.

What to do if you're stopped by the police

If you're stopped by the police and they start questioning you, be polite but invoke the Fifth Amendment (i.e. say: "I don't want to answer any questions unless my lawyer is present", and keep saying it if the officer presses you). Ask if you're under arrest. If not, great! The police officer cannot legally detain you and you're free to go - do so calmly and silently.

If you are under arrest, here are the things you should do right away:

  • Say: "under what grounds am I under arrest?" The officer is only allowed to arrest you if they believe you are about to commit or are in the act of committing a crime. (Remember, photographing officers is not a crime; if they say something about this, remind them that it's protected under the First Amendment.)
  • Immediately ask for a lawyer. If you don't have one, the government is required to provide you with one.

Then, keep these tips in mind:

  • Stay calm
  • Be polite
  • Don't run
  • Don't lie
  • Do not resist, argue, or be rude, even if you are innocent
  • No matter what the officer asks you or tells you, always say: "I invoke my right to remain silent until I can talk to my lawyer." Do not answer any questions, no matter how innocuous. Your lawyer will tell you to remain silent but it is important that you make it clear you're requesting a lawyer anyway, because it will look better in case you end up in front of a jury.
  • If you do answer questions, you're allowed to stop at any time. But still don't do it in the first place.
  • In some states, you can be compelled to give your name (but nothing else). Before you leave your house, look up whether your state has this policy. These are sometimes called "Stop and Identify" laws.
  • If possible, write down the details of what's happened.
  • Do not physically resist the officer, even if they're violating your rights. Instead, write down the violation. Then file a written complaint later and/or contact a lawyer or your local ACLU.
  • Useful things to write down in this case: the officer's name, their badge and patrol car numbers, the agency the officer is from, contact information for witnesses
  • If you're injured, photograph the injuries
  • You don't have to consent to searches of your person or your car. If you don't, make it very clear that you don't. The officer may pat down your clothes for a weapon, but anything beyond that requires your consent.

The ACLU also provides additional information for non-citizens, people taking photos or videos, young people (e.g. college students) and deaf people.

More resources

A lot of the above is based on the ACLU's excellent "Know Your Rights" booklet. The ACLU also has a page specifically devoted to rights violations at demonstrations and protests.

PRISM Break is a good resource for technology that will help you resist mass surveillance. Signal is on that list and is very, very good and extremely easy to use; it's what I recommend. Keep in mind, however, that following recommendations from PRISM Break is not a substitute for leaving your phone at home.

If you have more resources or tips that should be listed here, contact me (or edit this on GitHub) and I'll be sure to add them.


Pump.io 2.0.4 is available

Greetings!

After a beta period of just over a week, pump.io 2.0.4 is now available on npm and GitHub. Whoohoo!

(This was originally going to be 2.0.0, but we had to do a couple patch releases due to some outdated documentation and several critical bugs. 2.0.4 is mostly the same thing as 2.0.0.)

Changes

Note that this release includes security improvements - namely, a newer Express version and a better TLS configuration - and therefore admins are encouraged to upgrade ASAP.

For the full list of changes, see the change log.

Breaking changes

(As I said in the beta announcement:)

Pump.io 2.0.4 is a drop-in replacement for 1.0.0 unless you have any plugins configured or you modify the templates.

Plugins are likely to be affected by the upgrade to Express 3.x. The easiest way to migrate is probably to just run pump.io, test out the relevant parts of the app, and see where your plugin crashes. You might also want to look at the Express 3 change log.

If you modified the templates, you'll be affected by the templates' rewrite from utml into Jade. Migration should be relatively painless but has to be done manually. Your best bet will be to save a copy of the diff you created, undo your changes, upgrade, then use the diff you saved to reintroduce your changes. You'll have to run npm run build after making changes to Jade files.

Non-breaking changes

This release is actually relatively minor in terms of non-breaking changes; however, we do have some nice new improvements:

  • A pump(1) manpage is now included
  • Any internal web UI link with a data-bypass attribute is now ignored by the routing logic (useful for e.g. custom pages added by the admin)
  • YouTube links in posts are now shown as embeds by the web UI (#1158)
  • TLS connections now use Mozilla's "intermediate" cipher suite and force server cipher suite preferences (#1061)
  • Various minor fixes and improvements
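
The TLS item above combines two settings: an explicit cipher list and server-side cipher ordering, without which the client's preference decides which suite is negotiated. The following is an added example, not pump.io's own code, showing both as Node.js TLS options together with a small audit of a configuration; the cipher list is a constructed short subset standing in for Mozilla's full "intermediate" list, and the function names are hypothetical.

```javascript
// Added illustration, not pump.io source code.
const tls = require('tls');

// Constructed stand-in: a short ECDHE + AEAD subset. Copy the full, current
// "intermediate" list from Mozilla's Server Side TLS guidelines in real use.
const PREFERRED_CIPHERS = [
  'ECDHE-ECDSA-AES128-GCM-SHA256',
  'ECDHE-RSA-AES128-GCM-SHA256',
  'ECDHE-ECDSA-AES256-GCM-SHA384',
  'ECDHE-RSA-AES256-GCM-SHA384',
].join(':');

// Name components that mark a suite as weak.
const WEAK_TOKENS = new Set(['RC4', 'DES', '3DES', 'MD5', 'NULL', 'EXP', 'EXPORT']);

// Options to merge into what is passed to https.createServer() or tls.createServer().
function hardenedTlsOptions(base = {}) {
  return { ...base, ciphers: PREFERRED_CIPHERS, honorCipherOrder: true };
}

// Returns a list of findings; an empty list means both settings are in place.
function auditTlsOptions(opts) {
  const findings = [];
  if (opts.honorCipherOrder !== true) findings.push('server cipher order not enforced');
  if (!opts.ciphers) return findings.concat('no explicit cipher list');
  for (const name of opts.ciphers.split(':')) {
    if (name.startsWith('!')) continue; // an exclusion such as !aNULL
    if (name.split('-').some((t) => WEAK_TOKENS.has(t.toUpperCase()))) {
      findings.push(`weak cipher: ${name}`);
    }
  }
  return findings;
}

// True if the local OpenSSL build accepts the cipher string.
function opensslAccepts(opts) {
  try {
    tls.createSecureContext({ ciphers: opts.ciphers, honorCipherOrder: opts.honorCipherOrder });
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed "before" configuration: legacy suites, client preference wins.
const legacyOptions = { ciphers: 'ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA' };

console.log(auditTlsOptions(legacyOptions));
console.log(auditTlsOptions(hardenedTlsOptions()), opensslAccepts(hardenedTlsOptions()));
```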

Upgrading

Upgrading is dead-simple. If you used our recommended install method, and installed from npm, you can upgrade with:

sudo npm install -g pump.io@2

If you installed from source, you can upgrade with:

git fetch
# If you modified templates, save the diff at this step
git checkout .
git checkout v2.0.4
npm install
# Restore your template changes
npm run lint:jade # Optional but recommended if you changed templates
npm run build

Both of these methods will work whether you're running 0.3.0, 1.0.0, or 2.0.0 beta. Make sure to restart pump.io after performing the upgrade.

Getting help

If you have any issues with the upgrade, get in touch with the community. You can also email me at alex@strugee.net.


'Free software' phrasing considered harmful

For a while now I've been avoiding using the term "free software."

Why? It's just plain confusing to people. I know Richard Stallman will tell you that it means freedom, not gratis. It doesn't matter. It's still ambiguous and needlessly conflates two different concepts.

Instead of "free software," I propose "freedom-respecting software" as a replacement. This phrasing is not only unambiguous, it also does a much more effective job of communicating the general meaning of the term without further explanation. (Of course you'll probably still need to explain it, but you'll have to spend a lot less time doing so.) The one problem with this phrasing is that it's longer, but even that doesn't hold water - because of the aforementioned problems with "free software," people actually don't say "free software" all that much; instead, they say "free (as in freedom) software" which is unambiguous, but awkward on multiple levels. Not only is it a less eloquent way of describing the concept, but grammatically speaking it's really terrible as it puts a parenthetical qualifier in-between an adjective and a noun, which just sounds terrible and unnatural. Seriously, say both of them out loud. "Freedom-respecting software" and "free (as in freedom) software" - which one sounds like less of a mouthful?

Hence, I think "free software" as a term should be considered harmful, and replaced with "freedom-respecting software" instead.

Edit 0:58 10/10/16:

Another advantage of "freedom-respecting software" is that it's still closely related to the old term, allowing for a much easier pivot. Consider "libre software" which AFAICT had the same goals as this proposal but never really took off - in part, I think, because it sounds very different from an already-established term. (Another way of putting this is that it's conceptually an improvement to an existing term instead of being something brand-new, and therefore all existing associations will carry over with far more ease.)

I'd also point out that the problem of ambiguity is more serious than I've said above. First of all, generally speaking I'm suspicious of any proposal or argument that begins or ends with "we just need to educate people more." Education is an important part of the freedom-respecting software movement - remember, that movement is by and for the people - but I think that argument is too frequently simply an excuse for a poor initial design. (Security, I'm looking at you.) Second, such an ambiguity also muddles our search results. When people search for "free software" they do get our stuff (a fact that I was pleasantly surprised by!) but they also get loads and loads of pages for gratis Windows crapware. That's unideal and it is unlikely to change, ever. Even if people were able to readily grasp the distinction between freedom and gratis that we're pitching, we will never, ever have enough influence on the language people use to get them to stop using "free" to mean gratis - which means that Google will continue showing gratis crapware as "free software."

Finally, as pointed out by some excellent PRISM Break contributors, me writing this blog post and then talking about it occasionally is a far dumber idea than directly contacting the FSF, which I now intend to do Real Soon Now™.


Pump.io 2.0.0 beta is here

Greetings!

As pump.io is gearing up for our 2.0.0 release, I just published a beta to npm. We'd love it if any interested admins could upgrade their nodes and report any bugs they may run into. (All bug reports are helpful, but just so we're clear, we're likely to only fix regressions from 1.0.0.)

Changes

Pump.io 2.0.0 beta is a drop-in replacement for 1.0.0 unless you have any plugins configured or you modify the templates.

Plugins are likely to be affected by the upgrade to Express 3.x. The easiest way to migrate is probably to just run pump.io, test out the relevant parts of the app, and see where your plugin crashes. You might also want to look at the Express 3 change log.

If you modified the templates, you'll be affected by the templates' rewrite from utml into Jade. Migration should be relatively painless but has to be done manually. Your best bet will be to save a copy of the diff you created, undo your changes, upgrade, then use the diff you saved to reintroduce your changes. You'll have to run npm run build after making changes to Jade files.

For the list of non-breaking changes, see the change log.

Upgrading

Upgrading is very easy. If you used our recommended install method, and installed from npm, you can upgrade to the beta with:

sudo npm install -g pump.io@beta

If you installed from source, you can upgrade with:

git fetch
# If you modified templates, save the diff at this step
git checkout .
git checkout v2.0.0-beta.1
npm install
# Restore your template changes
npm run lint:jade # Optional but recommended if you changed templates
npm run build

Make sure to restart pump.io after performing the upgrade.

Getting help

If you have any issues upgrading to or running the beta, please don't hesitate to get in touch with the community. You can also email me at alex@strugee.net.


Webmention test receiver

This post exists only to have a dedicated test URL to send example webmentions to until webmention.io issue 77 is fixed (or in other words, I need a URL with a wide variety of webmention data associated with it so I can test the webmention styling you see at the bottom of all individual post pages).

It will be removed eventually, probably.

