[pfSense] naive suggestion: conform to US laws

Eugen Leitl eugen@leitl.org
Sat Oct 12 10:38:52 PDT 2013


----- Forwarded message from Jim Thompson <jim@netgate.com> -----

Date: Sat, 12 Oct 2013 11:59:33 -0500
From: Jim Thompson <jim@netgate.com>
To: pfSense support and discussion <list@lists.pfsense.org>
Subject: Re: [pfSense] naive suggestion: conform to US laws
Message-Id: <9D8BFE6E-48A9-42E2-A494-99892FA27C90@netgate.com>
X-Mailer: Apple Mail (2.1812)
Reply-To: pfSense support and discussion <list@lists.pfsense.org>


On Oct 12, 2013, at 7:20 AM, Thinker Rix <thinkerix@rocketmail.com> wrote:

> On 2013-10-11 22:33, Walter Parker wrote:
>> Yes, you have been informed correctly. There are more than 2. According the World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number is someone between 189 and 196.
> 
> No kidding! ;-)
> 
>> But you did not answer the question asked: Name the country that you would move the project to and why you believe that country would do a better job?
> 
> Why should *I* name it and why should I present ready solutions for an idea another community member brought up? Why should anybody be in a position to present ready solutions at this point? How about having a fruitful discussion and find solutions together?

There is no reason to build a house on sand.

There is no fruitful discussion to be had when the premise is patently false.

>> Then because the USA can't be trusted, who is going to replace the Americans on the project?
> 
> You are mixing things up here. Just because the USA invented their tyrannous "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act", for which they perversely coined the euphemistic term "Patriot Act" and there fore can not be trusted anymore for hosting anything there, why should the Americans be replaced?!?!?
> 
>> The name and logo are owned by an American company.
> 
> I guess, that is true, i.e. that ESF registered pfSense and it's log as a brand name.

You seem upset at this.  Why?

Instead of some kooky conspiracy theory that ESF could be tortured or pressured to weaken pfSense, is this the *real* issue you have?

>> I doubt they want to give them up to a foreign company owned by non-Americans
> 
> Nobody suggested that. Try thinking a bit more outside the box!
> For instance: A non-profit foundation could be founded in a country outside the USA, and the brand, hosting of the project, etc. be transferred to that company. A board would be elected for this foundation who just a few basic things annually to keep the foundation running.
> ESF on the other side would be released of a great threat! They could continue offering their pfSense services to their customers as usual, but from now on nobody could come and force them to do things to pfSense since "they have nothing to do with it”.

You seem upset that ESF controls the project.  Why?

>> just to make it harder for the American government to pressure the project.
> 
> Incorporating pfSense and bringing it out of the reach of US-domestic jurisdiction would not "make it harder" but "impossible" to pressure the project.

You have provided no explanation (other than “rubber hoses”) for what form that “pressure” would take.

>> If the rest of world wants to fork the project because of concerns about the US government, fine, but I don't think you will get buy in from ESF [the American company that owns the rights to the name pfSense].
> 
> Why to fork the code base?! No one suggested that - and no one suggested to do things without - or even against - the key people of the ESF. Right the opposite. It would even protect the ESF!
> 
>> Once again, name some names. Who do you consider more trustworthy?
> 
> I am not Jesus to hand solutions to the community on a silver platter

though point in fact, Jesus didn’t hand anyone a solution.


> (but surely would be available for a *constructive* and *well-disposed*, *amicable* discussion to find solutions together!). I know of quite a lot of countries that seem interesting for a closer analysis for this cause and surely would propose one or another in such a constructive discussion.
> 
> Generally, what Adrian proposed makes only sense, if the community - including ESF - understands the threat and decides to act proactively to fight this threat.

“The community” doesn’t own the copyright on the code, nor the trademarks to the names used.  Those belong to ESF.

Further, you’ve hypothesized about a ‘threat’ without providing any factual basis for same.  The term for this form of argument is “conspiracy theory”.

Since pfSense is open source (specifically, the BSD license), “the community” (or rather “a community”) could take the decision to fork the code and create their own solution.  It’s been attempted a couple times, but none of these have flourished.  While I don’t encourage forks (it’s typically not good for either project), occasionally they work out (at least for a while), I don’t go out of my way to inhibit those who wish to fork.

However, in any case, such a community would be prohibited from naming the result “pfSense”.

> But since 33% of the ESF - namely Jim Thompson

You greatly inflate my ownership interest here.

> - prefers bullying, insulting, frightening and muzzling anybody who brings up the threat that we are facing, trying to strike dead any thought as soon as it comes up (strange, isn't it?),

Not as strange as someone randomly showing up one day, hiding under a pseudonym, having never posted to a pfSense list before, making accusations.   You started throwing accusations, and yes, I got hostile.

Mostly I got hostile because your accusations are baseless, and despite my challenge, you refuse to drop it.  Since your activities are not furthering the project (find bugs, or at least make proposals), you’re wasting everyone’s time.   (I’d quote Spock here, but…)

Goodness man, you don’t even understand what happened with Lavabit, or why the situation would be different if a three letter agency were to show up on the doorstep one morning and demand that we weaken the project.   

Despite my challenges (“name the law that they would use”), you refuse to respond, instead ducking for cover in your empty, baseless accusations that “it might happen”.

Specifically, Lavabit ran afoul of the Stored Communications Act (http://en.wikipedia.org/wiki/Stored_Communications_Act), "a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs)."

ESF is not an ISP.  The SCA does not apply.

CALEA (http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act) obliges telecommunications companies to make it possible for law enforcement agencies to tap any phone conversations carried out over its networks, as well as making call detail records available. Common carriers, facilities-based broadband Internet access providers, and providers of interconnected Voice over Internet Protocol (VoIP) service – all three types of entities are defined to be “telecommunications carriers” and must meet the requirements of CALEA.

Since ESF is not a “telecommunications carrier”, CALEA does not apply to your proposed “FBI/NSA on the doorstep” scenario.

Even the various provisions of the PATRIOT act of 2001 (and it’s follow-ons) do not apply.  The most abusive of these, the so called “NSLs” are really a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals, and an accompanying "gag order".    Since pfSense has no reason to store any records, there is nothing to hand over.   You could *perhaps* make the case that the config backup service could be attacked this way, but it was specifically designed such that ESF (or before January, BSDP) doesn’t have access to the plaintext configuration.   It is encrypted by the remote user, and we store the result.  We don’t know the keys.

Thus, my challenge stands.  You have yet to offer ANY legal authority under which the NSA (or any other agency of the US government) could demand that ESF make changes to pfSense.

Some here in the “community” seem upset that I’ve been so abrasive with you.   If you had an actual argument that made sense, you and they would see a different side (“Oh, you’re right.  We should find a way to close that loophole.”)  Instead, you stood on your accusations, despite any factual basis.  Your "Culture of fear” argument was roughly equivalent to the meme of a couple years ago:

"Did Glenn Beck Rape And Murder A Young Girl In 1990?”

This hoax began as a parody of public perception of Glenn Beck’s over-the-top interview antics on his self-titled television show Glenn Beck, wherein he frequently asks his guests to disprove highly speculative and often outrageous assertions.

(Just like you did.)

About.com published an article titled “Internet Hoax Says Glenn Beck Raped, Murdered Young Girl in 1990”, which called the hoax a textbook example of “…how to construct Internet smear campaigns…”  (http://urbanlegends.about.com/b/2009/09/03/internet-hoax-says-glenn-beck-raped-murdered-young-girl-in-1990.htm)

So yes, I went after you, because the correct response here is to not let the attempt at a smear campaign stand.   People love to take silence as assent.   Placating you would have been a mistake of the first order.

In the past, I’ve stood up to AT&T.  It took a decade, and was both expensive and exhausting.  I won.  Fnord.

You and those in the community who are upset with my behavior (whilst I was defending ESF and pfSense from your smear tactics) can bet their last Euro/Dollar/Yen that I’ll be 10X more abrasive with the US Government if they attempted what you accuse.

Were I to seek a country that was at least outwardly opposed to the behavior of the US security apparatus (and its related apparatus in other countries), I might consider Brazil.   That time is not now.

What you probably don’t appreciate is that the actual “we write code before breakfast” people employed by ESF to work on pfSense are already outside the US(*).  One of them lives in Brazil, another in Albania.  Perhaps of interest.  Perhaps not.  At the very least, they’re not subject to US law, so it would be difficult to get them to “go quiet” about any attempt to weaken the codebase of pfSense.

Jim
 (*) Jim Pingle does some, but not as much as the others.  He does, however, carry most of the support load.



_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the cypherpunks mailing list