My Accidental Radio.

December 11th, 2015

Wow. I had no idea this could happen!

(Rest of this post is by Michael Albaugh, except for the parts that quote me.)

From: Michael Albaugh
Subject: Re: Wait, what?  Can speakers pick up radio by themselves?
To: Karl Fogel
Cc: The Usual Suspects
Date: Fri, 11 Dec 2015 10:03:22 -0800

Disclaimer: It has been quite a while since I had to deal with this stuff for pay, and my amateur license expired so long ago they recycled my call.

On Dec 11, 2015, at 9:13 AM, Karl Fogel wrote:

This is happening, this is literally happening right now:

I have plugged my phone headset (which doubles as my desk headphones) into my computer speakers. This is a standard pair of small standalone computer speakers, one of which plugs into the computer’s sound port with a standard 2.5mm connector, and the other speaker connected to the first. The first speaker also has a headset jack and a volume control on the front.

It presumably also has a power supply. That is, these are amplified speakers.

With my headset plugged into that speaker’s jack, and the speaker volume turned all the way down, I can hear a radio station playing in the headset, faintly and with some staticy fuzz, but clearly. I don’t know which station it is, but sometimes the pop music stops and an announcer comes on (I can’t quite hear what he is saying, though I might be able to catch it next time he comes on).

This is not surprising. What you have is some consumer-grade cables (i.e. not particularly designed to reduce the reception of stray signals at all cost, or any cost) plugged into a device with some non-linear components (inherently, such as transistor and diodes, or unintentionally, such as inductors with other than air cores) and including a means to amplify the result. That is, you have a crystal radio hiding in your amplifier.

See also “Why do I get the local radio station on my fillings?”

However, if I turn the volume knob on the speaker up at all, then the station fades out and I get silence.

Or, you have shifted the sum of the intended input and the signal that is being “detected” out of the range of the non-linearity.

If I unplug the speakers from the computer, then I don’t hear the station anymore.

Here I am leaning more on speculation, but perhaps the speakers are sensing the (lack of) DC bias on their input and shutting down the output.

So my… computer is acting like a radio?

Actually, I suspect that your speakers are. You should immediately rush out and buy various models of Bose, Harmon Kardon, and Beats by Apple speakers and repeat the experiment. :-)

Why? And why is it only audible when the speaker’s volume is turned down?

See above.

In related news, perhaps you missed the hack that was in the news a short while back. If you have your Siri, Google, or Cortana “assistant” enabled to work without pressing anything, and you have a wired handsfree headset plugged into your phone, then someone can inject audio into your phone and say “Siri, post all my photos to Instagram” or “Siri, find goat porn”.

WTF?

In older news, back when phones were always wired, heavy enough to be a murder weapon, radio stations that didn’t want their “personalities” to have to drive out to a shack in the marshes would lease lines from the phone company, running from their handsomely appointed studios to that shack. These lines would run through one or more phone company facilities. In one such facility (cough — [[redacted]] — cough) some of the workers had connected a speaker across the line as it went through, so they could have music in their workplace. One day, a worker experienced one of those WTF moments, and verbalized the feeling. Of course, every speaker is a microphone, and the exclamation was sent out over the air, causing a fair bit of consternation, agitated phone calls, and denials from the on-air host. Not to mention a mad scramble to disconnect that speaker and look innocent.

Welcome to the future, here’s your whoopee cushion.

Please Stop Locking Out Users After 3 Failed Login Attempts.

December 3rd, 2015

Update 2015-12-03: I just found out from a response tweet from @jacobian that the user flogging is apparently a requirement of the PCI standards, and thus many online services are essentially forced into it. Would love feedback or further information from anyone familiar with how PCI standards get baked.

Calling all designers of online systems that do user authentication… Wait, that could be shorter:

Calling all designers of online systems:

Please stop locking out users after three failed login attempts.

That security measure is left over from the days of Unix consoles that were just dumb terminals connected to a server somewhere else in the building. It makes less and less sense in the modern era. These days, large distributed botnets are engaged in constant automated login attempts against all publicly reachable online services of any size, using guessed username/password combinations, on the principle that only a tiny fraction of the attempts need to succeed for the effort to be worthwhile. The result is that users with strong passwords but human-readable usernames are penalized for being the target of failed hacking attempts.

It happened to me recently:

From: Karl Fogel
To: Mailing List Of Various Techie Friends
Subject: Speaking of passwords

I just found out from a rep that the reason Wells Fargo Bank kept
resetting my (incredibly secure) online access password, thus
forcing me to do a password reset dance about twice a month, is that
online accounts get automatically locked after three failed login
attempts.  Since my username was "karlfogel" -- it's changed to
something less guessable now -- some jerk with a botnet was causing
Wells Fargo to lock me out on a regular basis, presumably by trying
a username generated from my real name and passwords that were
various combinations of my birthday, relative's names, etc.  The
same is probably happening to thousands of other customers.  After
all, the hackers only need a tiny number of successes.

I wonder if Wells Fargo has really thought carefully about the
usefulness of a 3-failures lockout policy in the modern era of
distributed attacks against your entire user base.  This was not a
topic I felt it profitable to take up with the phone rep, though.
*cough cough*.

Every time you force your users to do a password reset dance, which usually involves some kind of email confirmation step, you are decreasing their security. First, because if a user is forced to change her password frequently, she is likely to start making passwords that are easier to remember, because why invest in memorizing a hard password if one is just going to have to reset it soon anyway? Second, and more importantly, because you are giving hackers the power to lock someone out of their own online account, which creates two vulnerabilities: one, now the hacker has an additional attack surface (the user’s email account), and two, your user support staff also becomes an attack surface because the hacker can now call up and impersonate the legitimate user, saying “Help, I’m locked out of my account” — a fact that the support rep can easily confirm, and which will lend credibility to the hacker’s attempt at social engineering.

Just as a general principle, it’s usually not good to allow attackers to change the behavior of the system for legitimate users. When you allow that, you give the hackers more material to work with, and they will always be more imaginative than your programmers or your support reps, because once they sense that they have a good target, they can spend all day thinking about how to approach it.

It’s fine to have a delay between login attempts. Maybe it’s even okay to increase the delay somewhat when there are a suspicious number of failed login attempts for a given user (although I’m not sure about that, and it is a minor violation of the general principle above).

If you want to help users who have weak passwords, have your security team run password-guessing attempts itself (without the rate-limiting), or even run cracking attempts against the password database itself, and then follow up with the users whose passwords fail the test. You can just let them know the next time they log in, or if you want to provide especially deluxe service, follow up via an automated phone call or something. Don’t let them know by email, though: it’s not a great idea to send cleartext email across the Internet telling someone their password is insecure.

But don’t treat failed login attempts as special events that need some kind of reaction. They are more like spam: inevitable, ubiquitous, and best handled in ways that have no effect on the target. It’s not your users’ fault that people are trying to hack into their accounts, so don’t punish them for it.
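To make the difference between the two policies concrete, here is an added example of my own (not code from this post, and not any bank’s actual login logic). It puts the three-strikes lockout next to a per-account progressive delay: under the lockout, a stranger who sends three wrong guesses denies the owner access until a reset; under the delay, the same burst of guesses only makes the owner wait a few seconds, and the right password still works. The account name is the one from the post; the password, salt and guessed strings are constructed for the demo, and `HardLockout`, `ProgressiveDelay` and `simulate` are hypothetical names.

```python
"""Two login policies side by side: the three-strikes lockout the post argues
against, and a per-account progressive delay that slows guessing without
ever handing a stranger the power to lock the account's owner out."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample data: one account and a fixed demo salt (a real system
# stores a random salt per user). The username is from the post; the
# password is made up for this example.
DEMO_SALT = b"constructed-demo-salt"
OWNER, OWNER_PASSWORD = "karlfogel", "correct horse battery staple"


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {OWNER: hash_password(OWNER_PASSWORD)}


def check_password(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        hash_password(password)  # same cost for unknown users: no timing leak
        return False
    return hmac.compare_digest(stored, hash_password(password))


@dataclass
class HardLockout:
    """Three failures and the account stays locked until a manual reset."""
    max_failures: int = 3
    failures: dict = field(default_factory=dict)  # username -> failure count

    def attempt(self, username: str, password: str) -> str:
        if self.failures.get(username, 0) >= self.max_failures:
            return "locked"  # even the correct password is refused now
        if check_password(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "failed"


@dataclass
class ProgressiveDelay:
    """Each counted failure doubles the wait before the next attempt on that
    account is evaluated, up to max_delay. Attempts arriving too early are
    dropped without touching the counter, so a flood counts as at most one
    failure per delay period, and the correct password always succeeds once
    the wait has elapsed. There is no 'locked' state."""
    base_delay: float = 1.0
    max_delay: float = 60.0
    state: dict = field(default_factory=dict)  # username -> (failures, last_attempt)

    def required_delay(self, username: str) -> float:
        failures, _ = self.state.get(username, (0, 0.0))
        if failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, username: str, password: str, now: float) -> str:
        failures, last = self.state.get(username, (0, 0.0))
        if failures and now - last < self.required_delay(username):
            return "wait"  # too soon: nothing checked, nothing counted
        if check_password(username, password):
            self.state.pop(username, None)  # success clears the history
            return "ok"
        self.state[username] = (failures + 1, now)
        return "failed"


def simulate(bot_guesses: int = 10) -> dict:
    """Run a constructed botnet burst (one wrong guess per second) against the
    owner's account under both policies, then let the owner log in."""
    guesses = [f"birthday{i}" for i in range(bot_guesses)]  # constructed guesses

    lockout = HardLockout()
    lock_results = [lockout.attempt(OWNER, g) for g in guesses]
    owner_under_lockout = lockout.attempt(OWNER, OWNER_PASSWORD)

    throttle = ProgressiveDelay()
    throttle_results = [throttle.attempt(OWNER, g, float(t))
                        for t, g in enumerate(guesses)]
    now = float(bot_guesses)
    wait = throttle.required_delay(OWNER)  # the owner's worst case: a short wait
    owner_under_throttle = throttle.attempt(OWNER, OWNER_PASSWORD, now + wait)

    return {
        "lockout": lock_results,
        "owner_under_lockout": owner_under_lockout,
        "throttle": throttle_results,
        "owner_wait_seconds": wait,
        "owner_under_throttle": owner_under_throttle,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Note that the throttle never tells the caller anything a lockout would: a "wait" and a "failed" should be shown to the user as the same generic message, and the per-account delay is deliberately capped so that the most an attacker can inflict on the owner is a one-minute pause, not a support call.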

Agree? Feel free to retweet #EndLoginFailureLockout, or redent.

Addendum: One of my friends on that mailing list followed up with this story:

Anthem Blue Cross, in order to let you make online payments, redirects
you to a random payment processor with a scammy-sounding domain name,
which tells you the following:

1. You need to make a new account with us because we're not tied into
Anthem's database. Because, you know, I can personally take credit
cards - but that's apparently beyond the capability of the largest
health insurance provider in the country.

2. By the way, you might already have an account with us from some
other place, so you'll have to log in with that account instead. No,
we can't tell you whether that's the case or not.

3. You must choose a password between 5 and 8 characters.

I'm not kidding. 5-8 characters.

I make my payments over the phone.

The Software Freedom Conservancy: Why I Donated

December 1st, 2015


Update 2015-12-01: How could I have forgotten to mention that there’s a donor match going on right now? If you become one of the next 50 new Conservancy supporters, a donor is matching up to $6000! Please help Conservancy get every dollar they can from this generous donor.

Few organizations are as effective per dollar as the Software Freedom Conservancy.

The list of what they’ve done in 2015 alone is impressive — and that’s before you consider how small a staff they do it with.

You’ll notice that link was actually to their 2015 fundraiser page, which explains why they need to raise money now, and exactly what they plan to do with it. (Did I mention high marks for transparency?)

Today, for Giving Tuesday, I became a Conservancy Supporter again, and hope you’ll consider doing the same. The free software movement doesn’t run on good will. It runs on dedicated people giving their all, and those who do it full-time need support from everyone who understands why this movement is important.

If you’re looking to retweet, try this one, or redent here.

The one 18-minute video you have to see this year: Nina Paley’s “Copyright Is Brain Damage”.

November 25th, 2015

I’ll keep this short, because the very best thing you can do right now is go watch this 18-minute video of Nina Paley giving a talk at TEDxMaastricht about exactly why she is a copyright abolitionist and how copyright abolition starts at home, especially for artists. It is by far the best, most eloquent explanation I’ve seen yet of the harm copyright causes to artists and audiences and how liberation is possible:

If you’re one of the “copy-curious” — people who feel something is wrong with the current copyright system, but who worry about abandoning it wholesale because “how will artists make a living” and other similar questions the intellectual monopoly industry wants circling around in your head — then this talk is for you.

It’s less than 20 minutes. You will be mesmerized. And, like Nina’s audience at the talk, you will come out of it truly understanding the copyright abolition position and why an artist of Nina Paley’s caliber holds it.

Watch it.

Link to it: questioncopyright.org/copyright_is_brain_damage.

Retweet it or redent it.

Please share widely!

Grammar As Proxy: The Experian Data Breach

November 15th, 2015

I got a treeware letter recently from Experian explaining how one of their servers had been hacked and how my private data (name, address, Social Security number, phone number, birth date, etc) was likely obtained by criminal resellers. The letter was a little more euphemistic than that, but that’s basically what Experian was admitting. To make up for this incident, they were offering me a free two-year membership in their “ProtectMyID elite credit monitoring and identity theft resolution services”.

Now, one might, in these circumstances, ask oneself “Why would I want to enroll in an identity protection service offered by the very company that just admitted they compromised my identity when their server got hacked?”

Fortunately, their own FAQ addresses this question forthrightly:

Q: Since Experian was compromised; can it effectively offer credit monitoring?

A: Absolutely. This was an isolated incident of one server and one client’s data. The consumer credit bureau was not accessed in this incident and no other clients’ data was involved.

Well, that makes the decision easy. I don’t blame them for getting hacked — that could happen to anyone. But no way am I trusting my private data to people who use a semicolon where they should use a comma!

Privacy is an ecological concept, not a transactional one.

October 5th, 2015

On a private mailing list, a friend recently asked this:

Playing devil’s advocate here: what privacy are you trying to protect? Is it very important to you that websites not know what sort of products you’re interested in (and if so, why)? Or is it that you simply find targeted ads annoying?

I ask as someone who spent four years trying to help websites show less annoying ads.

Below is my response (after someone else on the list said “Sorely tempted to exfiltrate the hell out of this. Can we have it on a web page please?”):


I think Eben Moglen’s observation that privacy is really an ecological concept, not a transactional one, is the best answer to this. Thinking of privacy primarily in terms of the relationship between the user and various commercial third-parties misses the point. This post gives the relevant passage from Eben (it’s not long, and there’s a link to his full talk):

hroy.eu/posts/moglen_privacy_ecological

He has also pointed out that these days it’s an explicit goal of the U.S. government to have and maintain the social graph of everyone. That is, all the relationships, to the highest degree of accuracy and resolution possible. So the information Google and other online services collect is now potential data for that graph. It’s already both subpoena’d at some times and surreptitiously exfiltrated at others (though Google has done admirable work trying to prevent the second; how successful that has been, we can’t know, but it probably has had some limiting effect).

My point is: all that data we’re collecting, once it exists, is valuable to more parties than the ones who originally collected it. And by the Ashley Madison Principle, there’s no such thing as a confidential dataset. There are only datasets that have not yet been involuntarily shared, and those which have been. There is no guarantee you will be able to tell which category your particular dataset falls into.

So when you ask “Is it very important to you that websites not know what sort of products you’re interested in?”, you’re framing an ecological question in a transactional way. This unintentionally transforms the question from the one we should care about to the one collectors of large-scale data would prefer we ask :-).

I realize, of course, that there is a tradeoff here. Google really can improve the quality of ads — quality as seen not just from the advertizer’s point of view, but even from the user’s point of view — by tracking and analyzing everything everyone does. The benefits are near-term and (for Google and the advertizers) centralized; the costs are long-term and decentralized. But that doesn’t mean the costs aren’t significant. It’s very similar to the economics of a lot of environmental pollution, actually, which is partly why “ecological” is such a good word here. I think in some ways it’s almost the definition of an ecosystem to say it is a system from which short-term, easily measurable benefits can be extracted for particular members at long-term, hard-to-measure (but real) costs for all members. Privacy turns out to be such a system.

Does that help?

Twitter “Verified” Account… Not So Much.

September 13th, 2015

Update Nov 2015: Many thanks to Twitter engineer Eitan Adler for grabbing this one by the horns and steering it skillfully and persistently through the support team. My friend’s problem is now solved.

Note: If you’re from Twitter Inc., please contact me. If you work at Twitter and you know how to fix the problem described in this post (or even if you don’t work at Twitter but you know how to fix it) please feel free to contact me privately about this. It should be pretty easy to prove my friend’s identity in whatever way is needed. I’m kfogel on Keybase.

Dear Lazyweb,

A friend of mine has a Twitter “Verified Account”. This means he’s a well-known enough public figure (which he is) for Twitter to have verified his identity. His Twitter page has a little blue checkmark, which indicates that Twitter is vouching that this person is who you think he is.

The only problem is, his account got hacked.

Not hacked directly. Instead, the hackers used social-engineering to dupe his email provider into giving the hackers control of my friend’s email account. Then in his Twitter account, they pretended to be him claiming to have lost his password, so they could do Twitter’s mailback-confirmation dance to have themselves emailed a password reset link. That password reset link, of course, went to the hacked email account, so then they had his Twitter account too.

My friend is a normal computer user, but is not otherwise particularly technical, and he asked me for help getting back control of his account.

My first thought was that Twitter, since it provides verified accounts in the first place, would also provide some special means of recovering such accounts. After all, they’re vouching for the identity. The sorts of public figures who get verified accounts are also more likely targets for getting hacked, so it would make sense for Twitter to have some recovery mechanism that is specific to verified accounts, some kind of recovery red carpet.

But if so, I haven’t found it yet. As far as I can tell, once someone gets control of the email address associated with a Twitter account, they effectively can take over that Twitter account and there is no way to get it back, even for “verified” accounts. (No, my friend had not set up any phone-number-based confirmation, just his email address.)

Here’s the only account recovery screen I can get to; I haven’t found any path for holders of verified accounts, other than this path (click to enlarge):

[Screenshot: Twitter verified account recovery failure]

Any suggestions?

(I’m not mentioning my friend’s name here because I don’t want to out this effort to the hackers.)

Freedom of conscience applies to Kenyan immigrants too.

July 9th, 2015

I’ve run across yet another reference to President Obama’s supposedly Muslim father, this time in a magazine that I subscribe to and like, The Atlantic.

It was in this interview of Michael Oren by Jeffrey Goldberg, but the relevant quote is actually from a piece by Oren in Foreign Policy:

In addition to its academic and international affairs origins, Obama’s attitudes toward Islam clearly stem from his personal interactions with Muslims. These were described in depth in his candid memoir, Dreams from My Father, published 13 years before his election as president. Obama wrote passionately of the Kenyan villages where, after many years of dislocation, he felt most at home and of his childhood experiences in Indonesia. I could imagine how a child raised by a Christian mother might see himself as a natural bridge between her two Muslim husbands. I could also speculate how that child’s abandonment by those men could lead him, many years later, to seek acceptance by their co-religionists.

Leaving aside Oren’s highly suspect psychologizing of Barack Obama, there is a more important error here:

President Obama’s father wasn’t Muslim; he was atheist.

In a limited sense — not one that would be sufficient for Oren’s purposes — the assertion that the President’s father “was” a Muslim is true, in that as a child Barack Obama Sr. was briefly Muslim, until roughly the age of six when he converted to Christianity (Anglicanism) while at a missionary school. But in any case, he later rejected that religion, and religion in general, before he ever married Ann Dunham and before Barack Obama Jr. was born. Not that it should matter if our President had a Muslim father, of course, but as it happens, he didn’t. His father was an atheist.

Although minor, I wish this error would be called out more often by journalists, editors, and interviewers. Freedom of conscience applies to Kenyan immigrants too. What a pity that the man of whom Barack Obama Jr. wrote “he was a confirmed atheist, thinking religion to be so much superstition” should be remembered by the American public primarily by a religious affiliation he did not hold.

It is true that Obama’s grandfather on his father’s side was Muslim — he converted from Roman Catholicism.

Nice web design, but poor logic: Why OccupyGPL is wrong.

February 11th, 2015

Update 2015-02-12, ~12 p.m. CT: Eric Schultz just told me that the OccupyGPL site has suddenly started redirecting to choosealicense.com, within the last few hours! So my post here is already obsolete — the problem has solved itself. If anyone knows more about this, please leave a comment here. In the meantime, I’ve put a copy of the original text at the end of this post for reference.

Someone just pointed out OccupyGPL to me.

The authors of that site are trying to advocate for open source software licenses of the permissive variety as opposed to the copyleft variety — the GPL being the best-known example of the latter.

OccupyGPL’s logic is confused, however, and their conclusion doesn’t hold up.

They start by saying flat-out:

The GPL is not a free license. It restricts freedoms only to people it deems to be morally acceptable. Often there are people who do not fall inside this morally acceptable box, yet they do really have good intentions.

That makes no sense. There is a very specific, well-developed definition of “freedom” that is used by the free and open source software movement. The Free Software Foundation expresses it elegantly in a four-point definition, and the Open Source Initiative expresses it somewhat less elegantly (but no less clearly) in a ten-point definition, but it’s the same concept either way. That’s also the same definition of “freedom” used by Freedom Defined, by Creative Commons, and by virtually every other organization, including even governments (see here for one example), for deciding what constitutes free and open source software. And under this widely-used, extremely well-agreed-on definition of “freedom”, the GPL is a free license. I mean, it’s not even a close call: just look at the definition, look at the GPL, and see that the GPL meets the definition. QED.

What OccupyGPL doesn’t like is the GPL’s “share-alike” clause, the one that says if you share a GPL’d program with someone, even one to which you have made modifications (such modifications are automatically also covered by the GPL), then you have to offer that recipient the full source code under the GPL, so that the recipient has all the same freedoms you have.

In the strange world of OccupyGPL, that’s a “restriction”, I guess because it… restricts you from placing restrictions on someone else? But that’s as silly as saying that outlawing slavery reduces freedom, because it takes away some people’s freedom to own slaves. Hey, the analogy may be inflammatory, but the logic is the same, and it doesn’t make sense in either case. The freedom to take away others’ freedom is not a meaningful freedom to have — the proper word for that is not “freedom” but “power”.

An only slightly less silly argument offered by OccupyGPL is that the requirement to distribute source code (on request) along with your program could be an onerous burden, and that any license that places onerous burdens on the licensor is problematic. Except that the requirement to distribute source code is not onerous and by definition can never be onerous: you have the source code, and clearly you have a distribution mechanism that was sufficient to distribute the program itself, so you can just distribute the source code via that mechanism as well. The marginal cost for doing so is, basically, zero. Anyone who distributes GPL’d software can comply with the terms of the GPL without any significant extra effort. We have all been doing so for decades now. It’s a complete non-problem. A requirement to enable redistribution is not the same as a restriction on use, no matter how hard they try to paint it as such.

So that argument doesn’t really hold up either.

The third argument offered against the GPL by OccupyGPL is a strictly utilitarian one, but even at that it’s pretty weak. Quoting from their site:

Lets assume that there is a company that wants to use your open source library and integrate it into their proprietary program, they’re even willing to improve your library and release the improvements to the public so that the whole community benefits.

Unfortunately, at the end of the day, the company needs to ship a product so it’d like to keep their core closed source. The GPL outlaws this kind of interaction. Our good citizen, a company wants to release their patches to your library back to the community and yet the GPL is banning them from doing so! It’s not giving them freedom at all! Instead, the GPL is a different set of restrictions. It may be that you personally find the set of restrictions that the GPL offers more morally palatable than traditional closed source licenses, but it is not a free license. It does not grant freedom, it grants different restrictions.

Okay, so now we’re not talking about “more free” vs “less free” anymore (despite the non-sequitur that closes the second paragraph above, and the abuse of the word “banning” to mean something it plainly does not mean). We’re just talking about whether the GPL suits someone’s business model. But that’s a pretty short conversation: the GPL doesn’t suit everyone’s business model — specifically, it doesn’t suit business models that involve restrictive monopoly powers. On the other hand, it’s great for those whose businesses depend on preventing monopolies. For example, consider this alternative utilitarian scenario:

Let’s assume that there is a company that wants to launch an online service based on your open source program. Their plan is to make proprietary improvements to the program, such that people who use their service and come to depend on those proprietary improvements have no way to get the source code under an open source license from the company. Not only are those people increasingly locked in to the proprietary company, but your own business suffers because you insist on giving users (and competitors) freedom.

Fortunately, you released your software under the AGPL (a variant of the GPL and no doubt equally hated by the folks at OccupyGPL). This means that the other vendor can’t offer customers a version of your code with proprietary additions — instead, that vendor has to release their changes under the AGPL too. They can still offer the service, but now everyone’s freedom is supported, and we get true competition in a non-monopolistic market. May the best service provider win! It’s a good thing you didn’t use one of those “permissive” licenses, because that would have resulted in people’s freedoms being taken away.

This is not some far-fetched scenario, by the way. This is the actual, real-world business justification used by many companies — including my own company — for publishing software under copyleft licenses. I’m not saying that OccupyGPL’s scenario is not realistic. It’s also perfectly realistic. It’s just not a very good argument for the GPL being bad. Copyleft licenses have a complex range of effects; to cherry-pick one particular effect and use it as the basis for an unsupportably broad argument is poor logic and not even very convincing rhetoric.

In short, it doesn’t make sense to say that copyleft licenses are “more free” or “less free” as compared to permissive licenses. Both types of license are fully free; they just differ in other respects. Those differences are worth discussing, and which license you use will depend on what your goals are, but nominalism and cherry-picked scenarios are not a contribution to that discussion nor a help to people trying to choose a license.



Original text of OccupyGPL.org, for reference:

This is Google’s cache of http://www.occupygpl.org/. It is a snapshot of the page as it appeared on Feb 10, 2015 14:53:17 GMT. The current page could have changed in the meantime.

Occupy GPL! – The movement to encourage the usage of permissive open source licenses.

The Manifesto

The GPL is not a free license. It restricts freedoms only to people it
deems to be morally acceptable. Often there are people who do not fall inside this morally
acceptable box, yet they do really have good intentions.

Lets assume that there is a company that wants to use your open source library and integrate
it into their proprietary program, they’re even willing to improve your library and release the
improvements to the public so that the whole community benefits.
Unfortunately, at the end of the day, the company needs to ship a product so it’d like to
keep their core closed source. The GPL outlaws this kind of interaction. Our good citizen,
a company wants to release their patches to your library back to the community and yet the
GPL is banning them from doing so! It’s not giving them freedom at all! Instead, the GPL
is a different set of restrictions. It may be that you personally find the set of restrictions
that the GPL offers more morally palatable than traditional closed source licenses, but it is
not a free license. It does not grant freedom, it grants different restrictions.

The GPL is not a free license. It does not grant freedom, it grants different restrictions.

The GPL is too restrictive for most projects. Instead it’s a good idea to use a
TRULY OSS license, a permissive license. Doing so will not make you
vulnerable to companies trying to magically make your code closed source, as you will
continue to distribute it.
There is a significant gain from having more people involved in your project.
Even if these people are companies who want to develop proprietary solutions. A company using
your technology will increase the value of the project. A LOT OF contributions
to open source technologies are from companies using these projects. If you however restrict them
from using your open source project, they might develop their own one which may be open source
(Congratz! You just got another competitor!) or proprietary. Neither you nor the company do really
benefit from this situation. You do want more people using your technology! And they do want to use
and work on an existing project to save a lot of development time and possibly creating a new industry
standard.

Join the Fight!

Here are a few ways on how you can encourage the usage of permissive licenses.

Spread the Word!

Let people know about this site:

Prefer projects using a permissive license!

Use more projects which are licensed under a permissive license, e.g. Clang, node.js or jQuery.

(Re-)License your projects using a permissive license!

License your projects using a permissive license like the MIT, BSD or Apache2 license.
If you have existing non-permissive projects think about relicensing them. Please be aware that the other
contributors also need to agree to the relicensing.

Let library developers know that you want to use it under permissive terms.

You want to use a library but you don’t like the license? Try to open an issue and contact a maintainer
about a possible license change. Discussion is healthy!

Help new open source developers understand that the GPL isn’t the right license for everything

A lot of young open source developers license everything with GPL terms without even knowing
the possible consequences. The popularity of GPL projects like Linux made the GPL a somewhat
standard choice. This isn’t good! A lot of open source projects would benefit more from a
permissive license. Create awareness, be awesome!

Permissive Licenses

Some popular permissive licenses.

MIT License

A permissive license that is short and to the point. It lets
people do anything with your code with proper attribution and without
warranty.
License | TLDR; Legal

BSD 2-Clause License

A permissive license that lets people do anything with your code with proper attribution and without warranty.
License | TLDR; Legal

BSD 3-Clause License

A permissive license that lets people do anything with your code
with proper attribution and without warranty. With a trademark clause.
License | TLDR; Legal

ISC License

The ISC license is functionally equivalent to the BSD
2-Clause and MIT licenses, removing some language that is no longer
necessary.
License | TLDR; Legal

Apache v2

A permissive license that also provides an express grant of patent rights from contributors to users.
License | TLDR; Legal

Frequently Asked Questions

Q: I don’t want others to close my code!

A: They can’t, your code is still open source. What did they close then? THEIR work,
which just happens to be based on your open source code. If you don’t like this, then your
existing license may be a good fit after all.

Q: What if they write a wrapper around my lib and sell it for $10.000?

A: Yes, that could happen, but it’s also a rather unlikely scenario. If all they’ve done
is a thin wrapper, then you or someone else in the open source community is also capable
of making such a thin wrapper in no time. Then all you need to do is undercut them
by $10.000 and a good chunk of freedom.

The more likely scenario is that a company takes your code and produces a large amount
of other code that just happens to use your lib at its core. The said company will sell
their code and their extensions for a large sum of money and they are perfectly entitled
to do so. It’s after all THEIR code.

Even this scenario is beneficial to you. Said company will likely find bugs and fix them.

Q: Open source projects can’t live without the restrictions the GPL offers!

A: That’s not true! Several of our most beloved open source projects are using permissive
licenses: Clang, LLVM, node.js, jQuery.

Q: What’s with the name? “Occupy GPL”: do you want to destroy the GPL? And all GPL projects?

A: No. Yes, it may sound like this, especially thanks to the old, really misleading
subtitle. We’ve chosen that name because it’s very aggressive and generates a lot of
attention. We think that the GPL isn’t a good license and it shouldn’t be used as much
as it is today in open source software. That’s an opinion. There is lots of cool software
licensed under the GPL which we’re using every day: Linux, Git, Blender and a lot more.
Kudos to all those awesome folks!

Q: You clearly have no idea what free software is about.

A: Maybe, but I’m more interested in open source software anyway (the FSF makes a distinction here).
I’m also not interested in politics. Just technology and how to improve it.
A nice quote from Linus Torvalds:

“That’s the point of open source – the ability to make the code better for your
particular needs, whoever the ‘your’ in question happens to be.”

Q: What about the LGPL? It seems to fit your problem.

A: Yes, the LGPL is (in our humble opinion) a huge improvement over the GPL and somewhat
solves a lot of the problems I’ve mentioned. But it’s also way more complicated to use
than a permissive license, and you still have the risk of committing copyright infringement
just by using the project the wrong way.

Q: Isn’t this a bit too aggressive? This site and all? GPL is cool, please don’t hate it

A: Yes, it’s aggressive, but that was intentional :), we think that there is a problem
which needs to be tackled, for which one needs attention. If you’re happy with everything
as it is, cool! Have a nice day!
If you however see a problem in posts like this, you’re probably in the right place!

Q: What is the purpose of this site?

A: To encourage the usage of permissive open source licenses and create awareness that
the GPL isn’t the right license for every open source project.

Q: I HATE YOU, I HATE THIS, I’LL NOW MAKE MY OWN OCCUPY PERMISSIVE LICENSES SITE!

A: Cool. Feel free to fork this page. You can even relicense it under GPL terms if you want to. It’s MIT licensed after all.

We ♥ open source. Want to help with translation or fix a typo? Fork this website on GitHub! or contact us @OccupyGPL

Noel Taylor: A Scholar and a Gentleman.

January 15th, 2015

I gave my friend Noel Taylor (yes, the noted William Howard Taft scholar) a book as a New Year’s gift.

This was his response.

[Cover image: President Taft Is Stuck in the Bath]

When you first presented me with “President Taft Is Stuck in the Bath” by Mac Barnett, I delighted over what I assumed would be a scholarly and well researched work that would share new insights into the life of one of our most misunderstood presidents. Lamentably, having now read the book cover to cover several times (an enterprise of only two to three minutes’ time) I have come to the unfortunate conclusion that historically speaking, Barnett is on very shaky ground. Although he notes correctly that Taft was our nation’s 27th president and accurately reports the first names of Taft’s wife and some of his cabinet members, most of the book is taken up with a graphic (literally!) realization of what is nearly universally regarded as an apocryphal tale.

[Cover image: Billy Twitters and His Blue Whale Problem]

I suppose the title should have given the game away, but I admit I expected more from Mr. Barnett, whose previous works such as “Billy Twitters and His Blue Whale Problem” seem substantially more grounded in fact than this latest work. As it stands, this purported history of a widely discredited story comes across at best as a children’s fairy tale, and at worst as a character assassination of the lowest order.

The real kicker though, is that despite all of these obvious shortcomings, Mr. Barnett has once again, and at the eleventh hour, managed to spirit away from me that recognition which I have chased in futility for over 20 years now. Namely, with “President Taft Is Stuck in the Bath”, Mr. Barnett has won the Bancroft Prize!

So I ask, just who the hell do I have to blow to get a Bancroft Prize in American History?

Rants.org is grateful to Prof. Taylor for permission to reprint his review here.