BREAKING: iTWire’s Varghese is terrible journalist, person

Remember a few weeks back, when we USians were still in the throes of election-induced political madness? Remember how Republican politicians kept saying just awful things about how some rape was “legitimate” and how pregnancies from rape were “a gift from God”? Yikes.

The Ada Initiative (a non-profit dedicated to supporting women in open technology and culture) published this article, which rightly points out that, y’know, the Linux community is not completely immune to this kind of thinking, and when it occurs we really ought to say something.

And so Matthew Garrett wrote a blog post, entitled “Ted Ts’o is a rape apologist and why this matters”, which does exactly that. He says:

I realised that my effective silence was not only helping to alienate 50% of the population from involving themselves with Linux, it was also implicitly supporting my community leadership. I was giving the impression that I was basically fine with our community leaders telling people that it wasn’t really rape if you were both drunk enough. I was increasing the chances of members of our community being sexually assaulted. Silence is endorsement. Saying nothing is not ok.

So. A bitter truth, but an important discussion of a serious problem, motivated by conscience.

Sam Varghese sees this discussion and completely ignores the actual problems of, y’know, sexual harassment and the treatment of women because oh boy, an opportunity to try to make Matthew Garrett look bad!

Some excerpts from his resulting articles, which I refuse to link to, because like hell am I gonna send them more traffic:

Garrett slams Ts’o as ‘rape apologist’

Linux kernel developer Matthew Garrett has kicked off what could be a damaging episode in the free and open source software community by describing a fellow developer, senior Linux guru Ted Ts’o, as a “rape apologist” over comments the latter made in 2011.

[…]

Garrett, who styles himself as a defender of women’s rights, used Aurora’s piece as a fuse. After mentioning the incident at LCA 2011 and Ts’o’s comments, he wrote: “Ted Ts’o argues that only a small percentage of rape really counts as what people think of as rape. Ted Ts’o is a rape apologist.”

I love “styles himself as a defender of women’s rights”. Yes, because “making sure nobody gets harassed/raped” is just some silly little “women’s rights” problem. Who cares about that – MATTHEW GARRETT SAID SOMETHING MEAN!

Red Hat evades query about Garrett’s ‘rape’ post

WOOO BUDDY! Now THAT is a headline that will generate some pageviews! Who cares if the article is completely fucking worthless?

The company was asked about the case of its employee Matthew Garrett (who has now left, his last day at the company being November 9), who recently posted an entry on his blog accusing senior Linux kernel developer Ted Ts’o of being an apologist for rape.

[…]

Her response was: “These posts are from Matthew’s personal blog. As a standard practice, we do not comment on our employees’ personal blogs.” 

“So um, that’s his personal blog, and he’s not actually a Red Hat employee..”
“YOU’RE EVADING THE QUESTION!”

Valerie Aurora, the co-founder of The Ada Initiative, resurrected the Ts’o affair; he had made certain comments on a mailing list back in February 2011.

[…]

When she was contacted to ask why she had dug up these comments after nearly two years,

Sure, nobody said anything publicly about it before, but c’mon, it’s been two years. Everyone knows we solved sexism in May of 2011! Why are you bothering poor Ted with your mean “hey guys rape is bad” mumbo-jumbo feminist talk? You might hurt his feelings!

the reply was: “Thanks for your email! I will be on semi-vacation till November 8th and only reading urgent email once a day. If you need a response before November 8th, you can do one of: *Resend your email with “URGENT” in the subject, and I will check it within 24 hours; * Contact my assistant Kathy at <email_address> and ask for my phone number.”

When the message was resent with the word “URGENT” as part of the subject line, the same reply was received.

Then, after resending the message with just the one word “URGENT” in the subject line, Aurora sent a two-word response: “No comment.”

Absolutely top-notch journalism here. Riveting.

Garrett said his post had been prompted by Aurora’s digging up of this hoary chestnut. “As I explained in my post, the timing was prompted by the post on the Ada Initiative blog causing me to rethink the effect on the community of nobody saying anything,” he said, when asked about his motivation for calling Ts’o an apologist for rape so long after the actual incident.

Seriously, “hoary chestnut”. Yes, I remember..  back in the ancient, foggy mists of early 2011.. hard, bitter times those were.. why, the iPhone 4 had only been released 6 months earlier! Can people really be expected to be held accountable for anything they said or did so very long ago??

None of the media outlets that normally report on matters concerning the FOSS community have even mentioned this issue.

Nobody else seems to think this is a Big Story? SHOCKING!

Senior Debian developer Russell Coker appears to be the only member of the FOSS community who has commented on the matter but this was on his personal blog.

But wait, why does Matthew Garrett’s personal blog count, but Russell Coker’s blog doesn’t deserve mention? What does Coker say, anyway?

Sam Varghese has written about the issue for ITWire. He has taken the wrong approach to this, he specifically claims that “Matthew Garrett has kicked off what could be a damaging episode”. I think that Matthew’s approach is necessary and the situation demands it.

Heh! Maybe I should write an article: “Debian evades query about Varghese’s ‘wrong approach’ to journalism”, perhaps? Anyway, Varghese’s last paragraph:

(When iTWire contacted Ts’o for his reaction to Garrett’s post, he apologised for the comments that had caused offence and denied ever saying that rape was not a problem.)

So Ted Ts’o has already apologized and the only other person who’s interested in the story thinks Varghese is completely wrong and that Garrett did the right thing. WOW. COOL STORY, SAM.

In summary: Sam Varghese is an awful journalist and from all evidence an all-around terrible person. iTWire should be ashamed of themselves for publishing this garbage, but they won’t, so instead let’s all just agree to ignore them completely – except perhaps laugh at them and anyone who takes them seriously.

Firesheep, and what you (as a user) should do about it

So there’s this thing called Firesheep. It’s a Firefox add-on (not yet available for Linux) that makes it easy to steal someone’s connection to basically any website (like Facebook, Twitter, or Amazon) – if:

  1. You’re on the same network as that person (think free coffee shop Wi-Fi, college networks, etc.), and
  2. The connection to the website is unencrypted – that is, it’s not using HTTPS.

Let’s be clear: it’s always been possible to do this. In fact it’s never been that hard. All this tool actually does is make it easy. Really, really easy: I installed it yesterday while in a coffee shop here in Raleigh and within 5 minutes had access to a dozen different Facebook accounts, a couple of Yahoo accounts, and at least one Amazon account. (Imagine what I could have bought myself with that Amazon account if the owner had 1-Click ordering turned on!)

The reason this is possible comes down to money: Most web companies aren’t spending the time and money necessary to properly support encrypted connections, and they’re leaving us – their users – vulnerable. Every web service already uses HTTPS for encrypted connections – they use them when you log in, in order to protect your password. Once you’ve logged in, though, they switch you back to the unencrypted connection, and your session becomes vulnerable.

For example, you can log into Facebook securely. Go ahead and try https://www.facebook.com/ and you’ll see the nice lock icon that indicates that yes, your connection is encrypted and secure. But you’ll notice that clicking any link on the page will bring you to regular unencrypted Facebook – and make you vulnerable to hijacking.

Twitter’s almost worse: while https://twitter.com/ works, and all the links will keep you on the secure site, the automatic refreshing code uses an insecure connection. So you don’t even need to click any links to make your session vulnerable.

Amazon is possibly the most blatant: if you go to https://www.amazon.com/ you will be automatically redirected to the insecure http://www.amazon.com/. Oddly, though, https://www.amazon.ca/ works just fine. Score one for Canada, I guess!

Google does a better job than most. They changed GMail to use HTTPS by default a while ago, and you can go to https://www.google.com/ and conduct all your searching over encrypted links. Because of this, I wasn’t able to steal any GMail sessions (even though they did show up in Firesheep).
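The behaviours described above (a session that stays usable over plain HTTP, an HTTPS page that redirects or links back to HTTP, and page script fetched over HTTP) can be checked for from the site operator's side. The following is an added example, not part of the original post: the host shop.example, the sample responses and the function name are assumptions, and the Strict-Transport-Security check covers a header the post does not mention.

```python
import re
from urllib.parse import urlsplit

# Attributes whose URL the browser will request, cookies attached.
LINK_RE = re.compile(r'(?:href|src|action)=["\'](http://[^"\']+)', re.I)

def audit_https_response(url, headers, body=""):
    """Return sidejacking findings for one response fetched over HTTPS.

    headers is a list of (name, value) pairs so repeated Set-Cookie survive.
    """
    page = urlsplit(url)
    if page.scheme != "https":
        return ["page itself is served over plain HTTP"]
    findings, hsts = [], False
    for name, value in headers:
        name = name.lower()
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append(f"cookie {cookie!r} lacks Secure")
        elif name == "location" and urlsplit(value).scheme == "http":
            findings.append(f"redirect downgrades to {value}")
        elif name == "strict-transport-security":
            hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    # Same-host http:// links and scripts pull the session back to cleartext.
    for link in LINK_RE.findall(body):
        if urlsplit(link).hostname == page.hostname:
            findings.append(f"page references {link}")
    return findings

# Constructed sample responses for a hypothetical host, shop.example.
WEAK_HEADERS = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
WEAK_BODY = '<a href="http://shop.example/cart">Cart</a>' \
            '<script src="http://shop.example/refresh.js"></script>'
REDIRECT_HEADERS = [("Location", "http://shop.example/")]
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
GOOD_BODY = '<a href="/cart">Cart</a><a href="http://other.example/">x</a>'

if __name__ == "__main__":
    page = "https://shop.example/"
    print(audit_https_response(page, WEAK_HEADERS, WEAK_BODY))
    print(audit_https_response(page, REDIRECT_HEADERS))
    print(audit_https_response(page, GOOD_HEADERS, GOOD_BODY))
```

A cookie without the Secure attribute is the root of the problem: the browser attaches it to any later http:// request to the same host, which is exactly what a listener on the same network sees.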

A lot of the press reaction has completely missed the point. Computerworld published an article with the headline: “Mozilla: No ‘kill switch’ for Firesheep add-on”. What? There’s no point in trying to block the add-on itself. It’s still just as possible to hijack people’s web sessions as it’s always been. They also mention that “Using Firesheep may be a criminal offense under U.S. law”, a useless non-revelation echoed by AOL’s Download Squad. Yes, it might be illegal, but this won’t stop anyone from using it any more than jaywalking laws prevent people from walking across streets. ZDNet claims: “Firesheep’s Real Lesson: Take Wi-Fi Security Seriously”, which is utter nonsense. It doesn’t matter whether you used a password to access the coffee shop’s Wi-Fi or not: as long as Facebook, Amazon, et al. are failing to keep your data safe, anyone on your network can steal your session.

Here’s the point, in the words of Firesheep’s author: “Websites have a responsibility to protect the people who depend on their services. They’ve been ignoring this responsibility for too long, and it’s time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.”

Or in other words: Facebook is screwing your privacy, yet again. And they’re not the only ones. So start writing to them. Tell them they need to start moving to HTTPS everywhere.

In the meantime, if you’re going to use any public networks – coffee shop Wi-Fi, computer labs, dorms, whatever – either stay off of Facebook and Twitter and friends (it’ll help you focus, anyway) or set up a VPN on your home network and connect through that.