Rick Falkvinge's Blog, page 14

May 1, 2014

Betting Companies Suddenly Betting Swedish Pirate Party Gets Re-Elected

Ballots 2009 for the Swedish Pirate Party's election to the European Parliament

Pirate Parties: More or less overnight, betting companies slashed their odds of the Swedish Pirate Party’s re-election to the European Parliament. Where a re-election scenario used to give you 8x your money back in a bet with them, it now gives a mere 1.25x. It appears the betting companies know something that Swedish oldmedia haven’t picked up on yet.


Late yesterday, the betting company Unibet slashed the odds of the Swedish Pirate Party getting re-elected to a mere 1.25x. This is lower than several of the more-established parties. Other betting companies followed suit, and no betting company is currently offering higher odds. This flies in the face of a press release a month ago, when the odds were at 8x, and Unibet issued a press release stating that the Pirate Party wouldn’t make it back in, giving negligible odds (1.05x) for the lose-all-seats scenario.


The Swedish Pirate Party holds two seats in the European Parliament today, with MEPs Engström and Andersdotter, and those seats are up for re-election this month and need to be defended. The Pirate Party’s MEPs have been successful in everything from defending net neutrality to being instrumental in torpedoing ACTA and outlawing “three strikes” schemes.


Therefore, re-election has remained crucial, both to continue this work of net liberty and civil rights, as well as for the overall narrative – that their initial election wasn’t a stroke of luck or a freak random occurrence, but a sign of fundamentally changing values in society toward caring for civil rights online and the sharing economy.


In general, there are two reliable predictors of election results. One is the ordinary run-of-the-mill polls, which there haven’t really been any in Sweden for the European Elections (which is a problem in itself); all the polls concern the local government, which is little more than a budget council when you’re a member state of the EU. Apart from the polling, there’s the betting companies, which tend to be notoriously precise as the election approaches – and the urns open on May 7, six days from now. Yesterday, they all slashed their odds for the Pirate Party’s re-election as one.


Therefore, there’s something the betting companies know that hasn’t come to the attention of the mainstream oldmedia yet. And to be honest, I don’t know what it is. It could be a leak from an ongoing poll before the results are presented. It could be a poll of their own. It could be patterns of betting that only they are privy to, and know through decades of betting management what it translates to. But in either case, this is a really strong indicator.


This has happened once before, on April 29, 2009. On that day, the first poll in Sweden ahead of the 2009 European Elections was published, and that poll predicted a sensation – that the Pirate Party was about to get elected, with 5.1% of the vote in that poll. That also happened, with 7.13% of the final vote on June 7, 2009. On that day, the betting companies slashed their odds from 6x your money back in an election success scenario to 1.2x your money back – essentially the same odds as in this dramatic slashing of the odds from 8x to 1.25x.


What information, exactly, is it that the betting companies have acquired that cause them all to bet on a re-election?

Published on May 01, 2014 08:02

I’m Going Green…


Canada – Travis McCrea: After a deep look into my own personal values, and the values of both my party and the international movement, I have decided that my place is in the Green Party. This is my story why. [Editor's note: This article is by Travis McCrea, and concerns his personal opinions only.]


I want to preface this post to point out that it is largely talking about politics in Canada, and in the end I am a Pirate. My ideology has never changed, I will keep supporting my fellow pirates in other countries.


I have been the leader of two Pirate Parties and have spent countless hours at many different levels of involvement, and spent thousands of dollars on the cause. Even after I had left the leadership position in the Pirate Party of Canada, I stayed relatively involved, wanting to promote my party any way I can. I also introduced the Pirate Party of Canada’s new platform, one that was pretty much entirely copied from the PPUK. Their platform was amazing, and all it needed to be was localized in my opinion.


I joined the Pirate Party when I was still conservative (super conservative, like a right wing American, which is pretty much off the charts elsewhere), but it was the libertarian values of the party as well as its focus on copyright reform that brought me in. The Pirate movement, in my opinion, is progressive. It’s not tied to progressivism, it doesn’t make decisions just to appear progressive… we just make decisions based on facts and humanism and in the end we have progressive values. As I grew and developed, learning to ask questions, asking why the party believed the things it did, I have come around and have abandoned my conservative thoughts.


As Pirates, who believed strongly in our cause, we were offended in Canada when Elizabeth May, the leader of the Green Party said “there doesn’t need to be a Pirate Party in Canada, there is already a Green Party”. As though she knew what we were fighting for, and as though we would ever be like her and her party.


The truth, however, is that the Pirate Party of Canada and the Green Party have always been very similar. Even as the leader of the Pirate Party when I was asked what makes us different I would point out that the Pirate Party is based on science while the Green Party supports homeopathy (something that most Green leadership that I have met, don’t actually support). But it was that one little thing, homeopathy, which set us apart. That and our egos.


As the Pirate Party starts attracting more and more libertarian minded people, and our values are changing, I find them in many respects to be away from what the Pirate Party should be about. Members who support the death penalty, people who believe that guns should be more accessible, and a leadership who is afraid of sounding too “socialist”, even when the facts support the platform.


I feel that making this switch is the most Pirate thing I can do, to look at the facts and realize that the evidence (at least in my case) shows that I should change. This isn’t me turning away from my ideology, but reaching a new level of understanding that my party doesn’t define my ideology, and I can be a pirate no matter what party I am in.


The Green Party of Canada is not different than what the Pirate Party of Canada has been about. Two progressive parties with comprehensive platforms that basically say the same things. So now I will say what Elizabeth May said 5 years ago: Why do we have a Pirate Party when Canada already has a Green Party?


I encourage my fellow party members to seriously read through the platform of the Greens and see what they stand for. You might be surprised at just how little you disagree with.

Published on May 01, 2014 08:00

April 26, 2014

One Month Before Elections, Swedish Oldmedia’s Pretend-Does-Not-Exist Attitude Toward Pirate Party Reaching Ridiculous Levels

Say what?

Pirate Parties: In one month, on May 25 at 20:00, the voting stations close for the European Elections. You’re never entitled to complain when media doesn’t cover you, but for some reason, the fifth-largest party out of Sweden’s eight – the Pirate Party – is consistently omitted from listings, events, debates, and coverage ahead of European Elections. For a challenger, this would be acceptable, but not for a defender of title: the pretend-does-not-exist attitude is reaching ridiculous levels.


Sweden has eight parties in the European Parliament, all of which are up for re-election in exactly one month. Of these, the Pirate Party is the fifth largest with two seats out of Sweden’s 20; three political parties are measurably smaller with just one seat. In a reasonable election, these eight parties – defenders of their respective title – would be treated fairly equally, with credible challengers given a go at pointing out the shortcomings of the title defenders.


Yesterday, the Svenska Dagbladet (“Swedish Daily Paper”) – as the name implies, one of Sweden’s largest daily newspapers – published their election assistant with 25 questions to assist people in choosing which party to vote for. Launched on April 25, with the European Elections one month out, on May 25 – perfect timing. There’s only one strange catch: you can’t get a recommendation to vote for the Pirate Party. As in, the party is not even in there. The other seven title-defending parties are, as well as one challenger. The election assistant is effectively saying that the Pirate Party does not exist, but all the other seven do.


It’s not a freak accident. This has happened all the time in the time leading up to the European Elections. The Pirate Party is consistently dropped from lists of parties defending the title. Even Public Service Television, the Swedish SVT, is hosting a debate between party leaders on May 4, just three days before the voting opens on May 7. One challenger, the Sweden Democrats, is allowed to participate. But the Pirate Party was not invited to the debate, despite defending seats; all other seven title defenders were invited and are there. Public Service Television defends themselves on their blog by saying that the debate just before the European Election is about domestic issues (do read the comments tearing that argument apart), but not before having silently dropped all references to the imminent European Elections from the debate’s advertising.


Two mistakes only? Hardly. How about this rather ordinary presentation of top candidates in an ordinary newspaper, presented as “the eight top candidates”?


The ETC newspaper presenting the "top 8 candidates" – seven defenders of the title, plus a challenger at bottom right. In small print, it notes "also running: Pirate Party, Feminist Initiative, and June List". The Pirate Party is not presented as a defender at all.


This goes on and on and on with countless examples – how practically the entire Swedish media establishment is collectively pretending that Sweden’s fifth-largest party in the European Elections out of eight does not exist, whenever defenders of the title or eligible parties are listed. It’s breathtakingly bizarre.


For reference, the defenders listed are the Moderaterna (M), Socialdemokraterna (S), Vänstern (V), Miljöpartiet (MP), Centern (C), Kristdemokraterna (KD), and the Folkpartiet (FP). The challenger listed is typically the Sverigedemokraterna (SD), sometimes joined by the Feministiskt Initiativ (Fi). The one consistently and conspicuously missing is the Piratpartiet (PP), the fifth-largest party in the middle of the pack.


Fortunately, Swedish oldmedia continuously measures its own bias to Sweden’s political parties, so that it is at least aware of any shortcomings in the reporting. Here’s the latest bias measurement (full report here):


Swedish oldmedia bias measurement, as reported by TNS SIFO, per party. The report slide title says “Number of positive/neutral vs. criticizing articles, per party”. The measurement lists seven defenders and two challengers.


These scientific measurements do not show any bias for or against Sweden’s fifth-largest party in the imminent European Elections, the Piratpartiet. Fact is, the party is not even listed as a defender in the report at all – it’s not just a lack of data, it’s not listed as if it didn’t exist – so there’s nothing to alert oldmedia to a potential subjective bias, should it happen to be there.


This is getting seriously ridiculous.

Published on April 26, 2014 09:50

April 19, 2014

Sweden Goes Full Retard, Requires Registration Of Every Individual Playing Lottery

Dice

Privacy: Sweden, like most European countries, has a number of governmentally-run state lotteries that are an efficient extra tax on the people who can’t math properly. Because of the jackpot sizes (nine-figure euro or dollar amounts), they are still hugely popular. From June 1, the Swedish state lottery requires people who want to buy a simple lottery ticket to identify and register.


For some time, the Swedish governmental lottery has allowed people to identify and register, in which case, the lottery will perform the service of checking each lottery ticket for winnings and depositing any winnings directly into the winner’s bank account. This has been a provided and convenient service.


However, as of June 1, this service instead goes full mandatory surveillance, requiring people to show proof of identity and be entered into a “register of gamblers” with the lottery – and since the lottery is a governmental monopoly, register with the government.


The governmental lottery is trying to spin this with all the usual words like “responsibility”, but in reality, what is happening here is yet another large stride into a full-blown surveillance state. This is not taking responsibility; this is absconding it and going full retard.

Published on April 19, 2014 05:04

April 11, 2014

More People Were Paid To Exploit Heartbleed For The NSA Than To Fix It

NSA Seal Holding the Heartbleed Logo

Infrastructure – Zacqary Adam Green: Unsurprisingly, it turns out that the NSA knew about the Heartbleed bug since shortly after it was added to OpenSSL. While thousands of salaried NSA personnel search for bugs like these to exploit, OpenSSL has only four part-time volunteers maintaining it. Of course this was going to happen.


The idea behind open source software is that “given enough eyeballs, all bugs are shallow.” This only works if there actually are enough eyeballs. Code audits can only happen if there are people with the will, expertise, and time to do so. Rusty Foster pointed out the problem with OpenSSL:


The project’s code is more than fifteen years old, and it has a reputation for being dense, as well as difficult to maintain and to improve. Since the bug was revealed, other programmers have had harsh criticisms for what they regard as a mistake that could easily have been avoided.…


Unlike a rusting highway bridge, digital infrastructure does not betray the effects of age. And, unlike roads and bridges, large portions of the software infrastructure of the Internet are built and maintained by volunteers, who get little reward when their code works well but are blamed, and sometimes savagely derided, when it fails. To some degree, this is beginning to change: venture-capital firms have made substantial investments in code-infrastructure projects, like GitHub and the Node Package Manager. But money and support still tend to flow to the newest and sexiest projects, while boring but essential elements like OpenSSL limp along as volunteer efforts.


This point is only compounded by the NSA news. As it turns out, a great deal of funding was going towards meticulously auditing OpenSSL. The problem is that the NSA keeps the results of these audits to themselves. No bugs are fixed. No patches are committed. Critical flaws are kept under wraps so that they can be used to siphon more data and break into more computers.


Never mind the fact that the NSA’s priority is supposed to be the defense of the United States, when critical infrastructure in the US was potentially affected by this bug. If they wanted to call this defense, then the NSA must have been really confident that the classic go-to bogeymen of China, Russia, Iran, or Al Qaeda hadn’t also discovered Heartbleed. Which, of course, they couldn’t be, because Neel Mehta at Google eventually reported it, so it’s not like it was impossible to find without NSA super-wizardry.


But back to the issue at hand: the NSA has, potentially, a small army of security researchers doing all of the code audits that tech companies and the open source community should be doing, and hoarding the benefits for themselves. The Is TrueCrypt Audited Yet? project might as well change its website header from “Not Yet” to “Who Knows?” This is awful. Economically, it’s also unsurprising.


The NSA has an entire budget devoted to doing just this: “$1.6 billion a year on data processing and exploitation, more than a thousand times the annual budget of the OpenSSL project” reports The Verge. Their prime directive is to find bugs, keep them quiet, and exploit them for their own gain (sorry, “national security”). OpenSSL’s volunteers, on the other hand, need jobs to feed their families. As much as they might want to, they don’t have the time to devote the effort needed to make sure their code is rock-solid. And apparently, neither do its users. It took a Google employee two years to discover Heartbleed, despite the fact that they’re a multi-billion dollar corporation that depends on the integrity of things like OpenSSL. Evidently, though, it’s still not cost-effective to have dedicated teams keeping an eye on the code.


My instinct is to just say that this is another infopolicy case for a universal basic income, to free up volunteers who are willing and able to perform these audits from the pressure of having to work another job. While that would certainly help, I admit it’s a bit reductionist. Code audits can be boring, tedious work, and while with 7 billion people in the world I’m sure some of them would be jumping out of the woodwork to proofread thousands of lines of code, I can’t say how many. But the NSA has apparently figured out how to efficiently spot glaring security flaws, so it’s high time the white hats did too.

Published on April 11, 2014 14:28

April 9, 2014

Pirate Party Vindicated By Highest EU Court, Killing Mass Surveillance Law. Oldmedia Reacts By Writing Cat Story.

Cat face

Privacy: The Swedish Pirate Party has been consistently ignored by Swedish media from our setting foot in the European Parliament in general, and in this election campaign in particular. After having been excluded from televised live debates three days ahead of voting despite being up for re-election to the European Parliament, we had a huge victory yesterday where the European Court of Justice made us right in what we had been saying all along about privacy. Swedish oldmedia responded with a story about the party leader’s cat.


Yesterday, the European Court of Justice ruled the detested Data Retention Directive invalid. Retroactively invalid, even: the court ruled that it had never existed. The directive (a directive is sort of a federal law covering the EU) mandated all EU states to log all communications from all citizens: from whom, to whom, from where, using what method, and when. No communication would be unseen by the Government.


This wasn’t for the usual organizedcrime-terrorism-pedophiles-filesharing mantra. This was for everybody, with the express purpose of using your communications logs against you. The Pirate Party was founded as a direct reaction to this blanket violation; we were quoted in 2006 saying “this is worse than Stasi” in a context depicting us as though we were talking complete rubbish and nonsense.


Yesterday, the European Court of Justice – the highest court of the world’s largest economy – said the same thing in a historic verdict. The blanket violations are intolerable and inexcusable.


So in the past two weeks, the Swedish Pirate Party has had these amazing progresses and successes:



An amazing gathering of 300 pirates in Brussels, founding the European Pirate Party.
April 3, The Pirate stance on Net Neutrality won in the European Parliament, something we’ve been fighting hard for against the European Commission, safeguarding the future of free enterprise in Europe.
The Swedish Pirate Party’s European Election campaign kickoff on April 5.
Yesterday April 8, the highest court of the world’s largest economy saying we had been right the entire time with our “unconstructive” stance, pointing out that blanket violations of privacy are inexcusable.

On the day that the highest court in the largest economy on the planet says the same thing that the Pirate Party has been saying for almost a decade, while constantly being belittled by the powers that be, governmental oldmedia finally writes about the Pirate Party. Bloody finally.


On the eve of this string of successes, when you expect a heavy political analysis of all the successes and an admission that there may have been some kernel of truth to the basic idea of privacy being fundamentally inviolable, they write a story about how the party leader was locked into her bathroom by her cat, and post it as a highlight on their election coverage (“Val 2014”). I wish I were joking.


Anna Troberg trapped in bathroom by cat. Courtesy SVT.


In the words of Calandrella, this is a facepalm, this is an eternal facepalm.


Somebody banging their head against a piece of furniture repeatedly in frustration


I’ve been frustrated by Swedish governmental media before, when I took actions that got headlines all over the world but not in Sweden. It was deemed newsworthy in Japan, China, Thailand, Greece, and elsewhere, but not in Sweden where it had actually happened. This final straw crosses the line. This is where it gets personal. I had had these plans loosely before, but this is where it gets official.


I pledge to outcompete this collection of bastard oldmedia and commit them to irrelevance over the coming years.


They’ve already committed themselves to irrelevance, as illustrated clearly by their own actions above. What I’m going to provide is an alternative that makes it clear how obsolete they are. I aim to have outcompeted European oldmedia for all intents and purposes in five years, with launch about a year from now (I’m in process of coding the infrastructure).


We’re not supposed to have a governmental news station. The idea is repulsive. The fact that they’re branding themselves as “independent”, and that people listening actually believe that crap, turns into an unworthy Foxesque “fair and balanced” situation – but revoltingly funded by public money. It needs to go.


I’ve already demonstrated my ability to kick stale powerholders out of their jobs when they’re underperforming. Watch me repeat that in a new field.

Published on April 09, 2014 13:27

March 24, 2014

My Address To The European Pirates

PPEU founding in European Parliament, March 21, 2014.

Pirate Parties: This weekend, hundreds of pirates from all over Europe gathered in the European Parliament to formally found the European Pirate Party. It was an amazing gathering of determined activists, many of which were absolutely electrified at realizing the sheer scale of this movement, seeing 400 of Europe’s brightest activists gathering for the occasion. I had the honor of giving one of the opening keynotes (below).



The exact sequence of words has been slightly edited for readability.


Amelia Andersdotter: Tonight, we have the honor of welcoming a very special keynote speaker. He was the founder of the Swedish Pirate Party in 2006, a reaction to changes in the Swedish legislation brought about by the same directive that Julia Reda [the previous speaker] asks us to pay close attention to in the coming five years. Since 2006, he has succeeded not only in forming a political party in Sweden, but also to bring all of us together here. I would like to welcome up on the stage — Rick Falkvinge.


Rick Falkvinge: Thank you so much, Member of European Parliament Andersdotter, all staff, and all volunteers, for making this possible.


I would imagine a lot of us speak almost daily about tactical operational details about how we go about changing the world. It’s what we strive for, after all: we are here to change the entire world for the better. Nothing more, and nothing less.


So instead of talking about operational details, having so many prominent people here today, I take the opportunity to remind us all how large our goal and our opportunities are.


The title of this conference is Internet Governance. You see a lot of conferences called Internet Governance these days. The problem is, it’s a total contradiction in terms. This term, Internet Governance — this is not an Internet term. Nobody on the Internet would talk about Internet Governance. This is a governmental term, this is a corporate term. And there are reasons for that.


In 2003, two writers named Searls and Weinberger wrote a short essay named World of Ends. How many in here have read that – let’s see a show of hands? World of Ends. A few scattered hands. Those here who haven’t, please take the time to do so before tomorrow. World of Ends, a very short read. They’re talking about What The Internet Is, and How To Stop Mistaking It For Something Else, and describe in detail how a few actors in society are suffering from Repetitive Mistake Syndrome. This was in 2003, and they name six specific industries who, like blatant idiots, keep making the same mistakes over and over. Those six named industries, in 2003, were:



Newspaper Publishing
Broadcasting
Cable TV
Record Industry
Movie Industry
Telephone Industry

Nothing has happened for the past decade. These people keep making the same mistakes over and over – and the reason for that is that there is a fundamental disconnect in how they see the world versus how the net generation sees the world. (You will observe that these six industries can be generally categorized into copyright industry and wannabe gatekeepers – with telco and cable TV industries in the latter category.)


There is this concept of permissionless innovation – permissionless innovation – that these corporate behemoths just do not grok, can’t wrap their head around. In their mind, innovation takes place a bit like Google’s driverless cars are being developed. You have this huge corporate giant who sets out to build something new. So they go to lawmakers and say they need these new regulations to build this fantastic new thing, and then they both go to banks and VCs to raise funds for this new thing that everybody in the elite of society wants to build. This is their view of the world, this is how innovation works in their mindset. Every piece of innovation requires regulation, funding, and corporate actors. Otherwise, it cannot work, it cannot happen, it has no place in society.


Then, the net happened, and these actors are left standing completely dumbfounded and still try to do as they’ve always done, and kind of wonder why it doesn’t work any longer. That doesn’t stop them from just keeping on trying.


But the Internet is not a corporation. The Internet is not a department. The Internet is not a legal entity. The Internet is something much larger than that. It is an agreement. It is an agreement between everybody in this room and several billion other people. And it’s a very simple one. At its core, this agreement is about three things:



The easiest method to get a message from A to B
The idea that everybody in this agreement is forwarding these messages on a best-effort basis
The principle that every message and every participant in the network is equal

This agreement makes no difference whatsoever whether one of its messages comes from the President of the United States or the European Union, or from a doorknob in Nigeria. That’s one of the beautiful things about it. And here’s where this misunderstanding comes into play. Governments have this self-image… they define themselves by what they regulate. Corporations define themselves and their power by what they own. So governments want to regulate the internet because it’s beautiful and useful; corporations want to own the Internet. But it doesn’t work that way, does it?


This is why we are seeing gatekeepers-wannabe, in particular the telco industry, putting a lid on it. Trying to prevent this utility, this beautiful agreement that we have. Like they could just stand in the middle and say we may not agree between ourselves because they don’t like it? That’s a real threat today. I’m certain we’ll circumvent it sooner or later, but time is not on our side here. Governments are threatening the Internet for the exact same reason – if they can’t regulate it, they’re going to try anyway and apply as much violence as it takes, make as many examples out of people as it takes until they’ve regulated this thing. Because that’s what they do. Legislators make laws – that’s what they do.


But there are a few good forces that understand this on a conceptual level and everything that it brings to the table. There are a few good forces who understand that the Internet was not built to be… governed. [Applause.] The Internet was not built to be controlled, and it was not built to be owned. The Internet was built to connect people, and that brings beautiful possibilities.


Good forces who understand this are few and far between, so far, and the finest hope for humanity at this point sits in this very room, because this is not just about the European Union, and I really want to highlight that. When we are talking about founding an organization for the EU, it’s important to remember that the EU is the largest economy on the planet. Whatever rules are set in Europe, others will follow – either because they see it as good examples to follow, or in most cases, because they don’t have any other choice. When it comes to loosening restrictions [of freedom of speech] – any restriction that Europe does not agree to on the Internet does not exist in practice. That gives us a beautiful window of opportunity here.


In the end, this isn’t just about Europe. Yes, we are fighting for ourselves. Yes, we have been fighting from our own experiences. Yes, we understand this because we live it on a daily basis. But it’s so much larger than that.


We’re talking about freeing up knowledge for the six and a half billion people who don’t have access to it. We are talking about making medicine possible for the six and a half billion who don’t have any, who cannot afford it because somebody realized it made a greater profit to let millions of people die and look good in the next quarterly report. We are talking about letting billions of people manufacture in ways they couldn’t before [with 3D printing], spreading means of production, as it’s called, to corners of the world where it’s never been before, where people didn’t know this was even possible. When I see the billions of people, our brothers and sisters around the world, being shut out of the opportunity to learn and to contribute to humanity… I just think what a sad waste and tragedy that is.


There’s so much we can do for humanity as a whole here by just tweaking a few parameters of Europe. We really can build a better humanity. We can make higher education available for all seven billion people on the planet. We can allow all seven billion people to contribute their brilliance to what we are building on a daily basis. This is not just about changing the laws of Europe. This is about making it possible to communicate love between billions of people on the planet. This is about making wars impossible to wage, because people can see through lies. This is about, in the end, making sure that we can feel like the good brothers and sisters that we are on this planet.


The people in this room today is humanity’s best hope towards that mission. We have work to do, and I’m absolutely confident that we can pull it off. I’m very proud to call myself your colleague in this distinguished crowd. Thank you.


The full-resolution version of the image above, from the PPEU founding in the European Parliament on March 21, 2014, is here (free for any use).

Published on March 24, 2014 05:03

March 18, 2014

Sweden Invokes Little-Known “Perpetual Copyright” Clause Against Mercedes Ad

Hourglass

Copyright Monopoly: Sweden has invoked a previously-unknown “Perpetual Copyright” clause against carmaker Mercedes-Benz, who recited a public-domain work by the poet Boye in a recent ad. The legal threat was brought by the Swedish Academy, which is tasked with overseeing the clause. This has a severe chilling effect on culture even 70 years past an artist’s death.


Mercedes-Benz used a recital from the poet Karin Boye in a recent ad. She passed in 1941, and her work has therefore been in the public domain since January 1, 2012, under the planet’s most stringent copyright monopoly laws. “Public domain” is supposed to mean free for anybody to use for any purpose without restriction.


However, a number of self-appointed cultural guardians were horrified that a commercial company was actually legally allowed to use something in the public domain for an advertisement, and invoked an until-now-unknown clause that amounts to nothing less than perpetual copyright monopoly: the Swedish Academy, most known for selecting the yearly Nobel Laureate in Literature, decided to sue Mercedes-Benz under “protection of cultural heritage” laws. They even go as far as calling it “graverobbing” of the late poet.


This is utterly insane. If something is in the public domain, which happens much too late anyway, then everybody and their brother must be unconditionally certain they have the right to use it as they like – or it is, by definition, not in the public domain. The Swedish Academy just introduced a perpetual clearance culture, effectively killing the Swedish cultural heritage rather than allowing it to live on and take new forms.


It should be particularly noted that the Boye heritage had already agreed to the poem’s usage in the Mercedes ad, despite not having to be asked permission for a public-domain work.


Also, a recent ad by car manufacturer Volvo, an ad where the Swedish national anthem was recited, was not hit with any such lawsuit. Seeing how Volvo has Swedish origin (but is now Chinese-owned), this can be construed as a trade embargo against other European manufacturers with little effort. If the Swedish Academy gets sued to high hell over their invocation of the high-horse “perpetual copyright” clause, I would be happy.

Published on March 18, 2014 11:04

March 12, 2014

Europarl Suspends U.S. Trade Talks, Data Sharing Over Mass Surveillance

U.S. President Nixon looking through binoculars. Photo courtesy of NASA.

Privacy: The European Parliament has just voted on a comprehensive bill to express its massive disapproval of U.S. mass spying on ordinary citizens. In the bill, it calls for suspension of trade talks, suspension of data sharing, suspension of U.S. corporate rights to European data, and calls for the general principle of only surveilling suspects to be honored. This follows a several-months-long continuous inquiry into United States spying practices.


While the exact wording of the finished bill is still being prepared, as it looks after all amendments have been rolled in, there are a few things we already know that the European Parliament stated today:



The European Parliament disapproves of mass surveillance of everybody, all the time. Surveillance is reserved for people under concrete suspicion of a crime.
The European Parliament desires to suspend negotiations of the protectionist agreement TTIP until the United States issues credible guarantees of respecting fundamental citizen rights of European people.
The Europarl decides it wants to terminate the Safe Harbor agreement about transfer of European personal data, when such data is transferred to U.S. corporations, under the condition of proper protection and safeguards of such data. (It’s become increasingly apparent that U.S. corporations completely ignore the obligations of said agreement.)
The so-called Terrorist Finance Tracking Programme, also known as the SWIFT agreement, which transfers data on all bank transactions to the United States, is to be suspended immediately.
Calls for a European program to protect whistleblowers.
More European IT solutions, located in European jurisdictions, to protect European sensitive data from spying by the United States. (This ties in well with Chancellor Merkel’s calls for a European-only storage cloud, designed specifically for data to not become available to the NSA.)
Named countries are strongly criticized for the way they conduct mass surveillance and violate civil liberties: United Kingdom, France, Germany, the Netherlands, Poland, and Sweden.

Ironically, while there was a call to protect whistleblowers in the bill, an amendment to offer asylum to Edward Snowden – who, after all, set this ball rolling – was not carried. Even more ironically, the same people who accuse Snowden of ulterior motives for taking refuge in Russia are the same people who stubbornly refuse him asylum in Europe.


More information follows as the full text gets published.


Source: Hax (in Swedish).


Image: U.S. President Nixon looking into the distance with binoculars, smiling. Photo courtesy of NASA.

Published on March 12, 2014 08:10

March 10, 2014

Security At MtGox Much Worse Than Originally Imagined

Code tumblers with the code 1-2-3-4-5. The kind of code an idiot would have on their luggage (homage to Spaceballs). Render by Falkvinge.

Cryptocurrency: Revelations of the mismanagement at the now-bankrupt Japanese bitcoin exchange keep surfacing. As the pieces of the puzzle keep coming and are put together, it becomes obvious that security at the billion-dollar vault was practically nonexistent. This adds to previous insights of economic and/or fraudulent mismanagement.


An interesting blog post from Mark Karpeles resurfaced recently. Mr. Karpeles was the CEO of the now-imploded Japanese bitcoin exchange MtGox, nicknamed “Empty Gox” for its previously-rumored insolvency. The blog post reveals a stunning ignorance of the concept of security, going beyond nonexistent security and into daredevil-reckless territory.


Jacob Appelbaum, the world-class security researcher and one of the spokespeople for the anonymity service Tor that has saved many activist lives worldwide, tweeted sarcastically about the article:


I think this is perhaps the most amusing technical blog post I've read in ages: http://t.co/uJwtz5xtrU


— Jacob Appelbaum (@ioerror) February 28, 2014



The article in question (gone from the server, but saved by the Internet Archive) was about how Karpeles had decided to write his own security mechanisms for remote access to his core servers. This goes against every grain, every practice, every professionalism of good security that exists. Security is hard and needs thousands of eyes to find the small but important bugs – just last week, a bug in Apple’s iOS was discovered where an attacker could have impersonated any target. And that was from Apple.


Any person who calls themselves a professional in the IT field will end the conversation with anybody, no matter what title, who boasts that they have created their own security. You just don’t do it. It’s beyond reckless. It’s practically a guarantee that you will get broken into tracelessly.


It gets worse. Karpeles didn’t just write his own remote-access security (“SSH server”). He did so in the programming language PHP, which is a dangerously unsafe language intended for low-security applications like displaying web pages. It basically has no error checking or safety nets of any kind. So not only did Karpeles think it was a good idea to do something that almost guaranteed MtGox to get hacked, he did so using one of the worst possible tools imaginable. It wasn’t enough to shoot himself in the foot and reload, he had to pick a bazooka to do it.


(UPDATE: As some have pointed out, this is no definite proof said home-cooked SSH server written in PHP was used as production code on Gox. This observation is correct. However, the primary observation here is the reckless disregard for security. This is further accented by three more observations: first, in the comments in the article, Karpeles states that he intends to wrap this PHP SSH code into a production library, and second – quote in same comment field – “RSA re-implemented in pure PHP is not a bad thing.” The third observation is that a commenter named Nanashi pointed out the PHP SSH server as “the least secure implementation ever” in 2010, and while we still don’t know if it was run at Gox in production for remote server access, it’s a rather striking coincidence that the same name – Nanashi – was behind the enormous database leak from Gox’ internal databases described later in this article.)


This is not professional behavior. This is completely-over-the-top amateurish, from somebody who a) doesn’t understand security at all and b) is so convinced of their own perfection that they dismiss every criticism. People are even pointing out flaws in his implementation in his own comment field, and he just dismisses it, despite the fact that these flaws would be enough for an adversary to assume remote control of his core servers – “ownage”, as it is called.


Traditional SSH servers too secure for you? Write one in PHP! http://t.co/v2in7x6NJd


— Kyle Steely (@modalexii) February 28, 2014



When you read these facts, if you understand security, your hairs stand on your arms, you are pushing away from the screen in balking disbelief, and your eyes are going wide. This guy had taken on safekeeping of a billion dollars for his clients?


Let’s be clear: To anybody who is the slightest bit aware of good security practices, this article from the principal architect of the bitcoin exchange is not some government-issue red flare going off in the corner of your eye. This is a goddamn Betelgeuse going off.


To put it in non-technical terms, this is roughly somebody who claims they are qualified to be a heart surgeon because they have read the back cover of “Anatomy for Dummies”. Not just that, but they actually open a heart surgery practice.


It’s like asking for a hardened veteran infantry officer to lead a battalion into battle, and having a random guy who has read military comic books show up for the task.


It’s like asking if somebody can build a complex skyscraper, and somebody shows up with a grin from ear to ear explaining that they already found everything they need for the job in trash bins on the way to the meeting.


Somebody who was utterly not qualified to go near any kind of security job had built a vault for a billion dollars using a completely unsafe webpage scripting language. And people were using it, trusting him with their money, more or less because he said he was honest in the Terms of Service.


Somebody banging their head against a piece of furniture repeatedly in frustration


It gets worse. The forensic site MtGoxProtest has an interesting inside view of security practices at the company that stored bitcoin, US Dollars, and euros for its clients to a value of about a billion dollars (at peak bitcoin value).


If the product was so thoroughly shoddy in terms of security, some very skilled staff at some very skilled companies are able to mitigate that by rigorous processes and consistent pride in their work. What about Gox? How did they relate to security in their daily work?


They didn’t give a shit.


Security alarms would go off, somebody would notice something totally alarming, and they would basically just ignore it.


On the surface, security looked decent. Clients would log in using two-factor authentication, not relying on a hackable password alone. Clients could separate withdrawal security from authentication security, adding a second security layer when they wanted to get money out of their account.


(This is disregarding all jokes that you couldn’t actually get any money out of the vault, because it was empty – hence “Empty Gox”.)


But it happened much too frequently that client accounts were emptied anyway overnight, and provably so by somebody other than the account holder. This should have set off major alarm bells at the Gox offices; somebody was apparently and obviously able to circumvent their security layers and access the servers directly. Mere suspicion of that is cause for a total shutdown until forensics have cleared out what the hell happened.


So what happened?


They didn’t give a shit. They blamed the customers and went about their daily business.


Coupled with the above article from Karpeles – who wrote much of the initial Gox codebase – about how Gox would violate every security practice in existence and then invent some more just so they too could be violated, it becomes clear that the strict login procedures were just for show. Gox was leaking like a bloody sieve, and Karpeles was too incompetent and too proud to understand the magnitude of the disaster in the making.


Strong metal gate surrounded by a thick hedge that doesn't even reach knee height, easily stepped over

This seems a good analogy of the security thinking at Empty Gox. While the two-factor login procedures appeared to be proper, in hindsight, it should have been clear that they were also trivially circumventable – like a strong keylocked and concrete-anchored metal gate surrounded by ankle-height hedge.


According to the insiders’ information, security researchers would regularly submit alarming reports of gaping security holes that would just as routinely be completely ignored. And then security researchers did what they do when companies ignore them, which is publish their findings. So now there was not only a billion-dollar vault with security holes the size of the Empire State Building, there were also published research papers on where they were and how they worked.


And Gox? They continued to not give a shit.


It gets worse. They treated business processes the exact same way as they did security processes: “It seems to run well and we don’t really care”. I have hinted in my previous posts that I’ve got stuff that would be jawdropping; I’m not sure it is anymore, it’s just in line with the total mismanagement – no, fraudulent operations – that has been going on. They basically didn’t know anything about contract or finance business, either.


My specific case was that I had been offered X bitcoin for Y US Dollars on the exchange webpage, clicked “buy”, and even got a separate confirmation box: “Do you want to buy X bitcoin for Y US dollars?”. As I clicked “Yes” to that, that’s entering into a legally binding contract. But I wasn’t delivered X bitcoin – I was delivered X-56 bitcoin for the Y USD, which is a rather large difference. As I pointed this out to support, that they had an unfulfilled obligation of 56 bitcoin to me, they explained patiently how the quote price was calculated from a technical standpoint, why I had been charged a much higher price than quoted, and implied that the technology and interface were working just as designed.


Listen here Karpeles, I don’t care in the slightest why you think the price should be higher than quoted – if you quote a price and I accept the offer, you deliver on it, and you deliver exactly what was offered. If you can’t do so, that’s your problem, not mine.


They didn’t understand these very basics of running a business. They didn’t understand the concept of offers, accepts, and contracts. Or they just didn’t care. This 56-coin claim of mine was one of the open items in support threads when Gox folded, and I was totally prepared to bring that to court. Now it’s rolled up in my overall bankruptcy claim instead.


It gets worse.


Yesterday, a leak was posted with internal accounting data at MtGox. It contained every customer balance, their last login timestamp, withdrawal limits for every customer, and a lot of other client data. Whoever orchestrated that leak had access to the innermost servers at Empty Gox.


But just to drive the point home, the damning leak was posted from Mark Karpeles’ personal accounts, both on Reddit and in an article on his own personal blog.


That is such total ownage of somebody’s poor security, there’s nothing left to say. It’s confirmation of everything from the original article – that this is a person who didn’t understand the most basic security practices.


Gox appears to have been run on the kind of security that only an idiot would have on their luggage.

Published on March 10, 2014 17:06
