LJ Archive

Letters

Welcome Back, LJ. It Feels Like Forever!

I am very excited by the new issue! I am still digesting it, but it feels just like the old days! I had (am having?) a difficult time transitioning from print media to digital magazines. I subscribed sporadically to the digital edition after the demise of the print format in order to try to support your continued efforts, but I never found it as useful or comfortable, and I often went months without reading new issues.

I can't say enough about the depth of the articles so far—JUST RIGHT: not a textbook, but enough material to be the basis for taking informed action. This issue is literally the first digital magazine issue compelling enough to get me to read it cover to cover. I'm feeling oddly nostalgic, so I'm off to install Debian from floppy.

THANK YOU to everyone who contributed to this renaissance issue!

—Jeffrey Brown

Thanks for the kind words, Jeffrey! It's been quite a wild ride, and we're so glad to be back—bigger and better than ever. We truly appreciate your support and the support of every single subscriber. We sincerely hope readers will enjoy each issue, and as always, we ask that readers continue to send any comments, requests and feedback our way.—Ed.

Regarding Doc Searls' "Help Us Cure Online Publishing of Its Addiction..."

Doc, sites loading lots of other sites' cookies are truly irritating, especially if your internet connection is not that great.

On the other hand, I LIKE targeted ads—that is, ones that more or less align to my interests. I used to receive lots of ads from Amazon.fr for fashion; well, you don't know me, but if you did, you could not imagine anybody less interested in fashion. Gradually those ads have dried up, and ads more appropriate to what I actually buy (such as electronic, mechanical, DIY items) have taken their place. Some of these I follow up and discover something of real interest. So something happened to convince the AI to stop decorating my browsing with rubbish.

Now, I don't say that accumulating masses of personal data is the best way of generating the filters driving the ads, but if it is to be suppressed, what is going to be put in its place or is it back to the fashion ads?

A non-online alternative problem is my fixed-line telephone in France. I receive around five calls per day trying to sell me insulation, health care, double glazing and so on, and absolutely nothing I am interested in. Okay, it doesn't take too long to put the phone down (I answer "YOU RANG" in English), but not answering means I miss the one call in two weeks that is from a buddy. There is no means that the advertisers have of determining that they are wasting their time. At least the on-line irritations are getting to be somewhat interesting irritations.

So what is your proposal to substitute tracking by publishing what sort of things I might like to buy?

—Ray Foulkes, 72-year-old British electronics/computing retired techie

Doc Searls replies:

Thanks, Ray.

In this column I should have made clear that there are two kinds of advertising at issue here. One is advertising and the other is adtech. I explain the differences in "An easy fix for a broken advertising system":

In the old advertising world, advertising wasn't personal. It was aimed at populations defined by the media people read, watched or listened to. Advertisers sponsored those media directly, because they wanted to reach the kinds of readers, viewers and listeners who liked particular papers, magazines, radio and TV stations, networks and programs....

With programmatic adtech, ads follow eyeballs. Those eyeballs are tracked like animals by beacons placed in people's apps and browsers. In the online print world, readers are tagged with spyware in their browsers or apps and tracked like animals. Personal data and metadata about those readers are harvested by the spyware and munched by machines, which place ads against profiles of reader types, no matter where they show up.

The result on the receiving end looks like old-fashioned advertising, but it's really direct response marketing (née direct mail, aka junk mail), which has always wanted to get personal, has always looked for an immediate personal response, and has always excused massive negative externalities, such as the simple fact that people hate it.

But nearly everybody covering the industry falls for it. So does the industry itself. As I wrote in Separating Advertising's Wheat and Chaff, "Madison Avenue fell asleep, direct response marketing ate its brain, and it woke up as an alien replica of itself."

That alien replica is the vampire I talk about. That isn't our business, and we're not interested in making it our business. If we do bring back advertising, it will be the sponsoring kind. That's what the #DoNotByte agreement is meant to welcome.

Advertising

I agree that tracking by advertisers is vile, but so is tracking by anyone. I think you miss the point that advertising (at least as I understand it) is also vile. I don't need advertising to help me make purchasing decisions. If I'm in any doubt, I'll go poll my peers for their observations. More to the point: publications that carry advertising are more beholden to those advertisers than to their subscribers. A subscriber is going to be a $35 peanut, and the management that decides what content to carry is going to care a lot more about the $35000 advertising goober than the peanut. If a publication carries advertising, it will probably lose me as a subscriber. I might buy a copy from the magazine rack to read while I'm waiting at the airport or something, but advertising seriously degrades the credibility of any publication.

—jimduba

Doc Searls replies: Two things here.

First, good magazine journalism has what's called a "Chinese wall" between the editorial and publishing side of the house. (Look it up.) I can also tell you our Chinese wall has always been intact. I've been involved with Linux Journal since before it was born in 1994, and writing for it since 1996, and I cannot think of a single instance when an advertiser had any influence over anything any of us have written, or even cared about. Advertisers supported us because they liked sponsoring us and speaking to our readers. Since we were essentially a trade magazine, advertising here functioned almost as a breed of editorial copy: entries in our catalog. As writers, we might sometimes notice those ads, but never when we were writing anything. We just didn't care.

Second, take away advertising, and most magazines disappear. Ones that persist have a hard time making enough money off subscriptions alone, but some do. Consumer Reports, for example, has never taken ad money and seems to prosper. Right now we're not taking tracking-based advertising, but we aren't throwing out the whole advertising baby with the adtech bathwater.

We want to make Linux Journal follow our readers rather than vice versa and to model that approach for other magazines. That's why we want to be the first agreeing to terms of engagement our readers proffer, rather than vice versa. And we'd love to have your help in making that new hack work.

Comment on "Security: 17 Things"

First, welcome back.

I'm going through the March 2018 issue (the re-launch issue) and reading Susan Sons' article "Security: 17 Things", and two things stuck out.

"Number 8: Use Your Credit Card": While the debate over paying interest or having money come from your checking account is not what this is about, there is the mis-information that debit liability is higher.

This used to be true. Regulation E of the Electronic Funds Transfer Act also caps liability at $50.00, if the debit card owner notifies the bank in a timely manner (usually two days). Failure to notify leaves the card holder with a larger liability.

Section 205.6 Liability of consumer for unauthorized transfers: "before limits a consumer's liability for unauthorized electronic fund transfers, such as those arising from loss or theft of an access device, to $50; if the consumer fails to notify the depository institution in a timely fashion, the amount may be $500 or unlimited."

Going beyond this, there are other ways to pay that will protect the card for online purchases. Mobile payment (Apple Pay, Google Pay, Samsung Pay), for example, uses tokenization instead of actual card data when making purchases. For online purchases, there are tools to create one-time/one-vendor cards, such as Privacy Card or Abine's Blur.

The second issue was under the heading "9. Freeze Your Credit". There are two more places that people should put security freezes in place. While the three listed in the article are the biggest three, the other two are Innovis (the fourth largest) and ChexSystems.

—Chris Jenks

Susan Sons replies:

Thanks for writing, Chris.

The debit card regulations have changed somewhat, as you noticed, but because of that short two-day notification period, debit card use still bites people so much more than credit cards.

There are so many other security measures in the world worth considering that didn't quite make the cut for the article. We had to make tough choices! When the list gets too long, many people feel they can't accomplish any meaningful amount and give up. I'd never advise against looking beyond this list for more useful security measures; it's meant as a starting place for those who are overwhelmed by the sheer amount of advice out there.

Matthew Garrett Responds to "diff -u: Detainting the Kernel"

Regarding "Detainting the Kernel" from the March 2018 issue: the kernel has the ability to "taint" itself—i.e., to set a flag that tells you something about the kernel state. Most of these flags indicate that something has happened that means the upstream kernel developers are less interested in bug reports in the kernel (because you've loaded a proprietary driver, for instance), but others are more interesting for the local admin.

If a user builds an out-of-tree module and loads it, the kernel will be tainted with the O flag. If that out-of-tree module contains proprietary code, the kernel will also be tainted with the P flag. So, loading the nvidia kernel module will cause the kernel to be tainted with both O and P.

If your kernel supports module signatures, then attempting to load an unsigned module will either fail (if the kernel is configured to enforce module signatures) or taint the kernel with the E flag. It's important to note that this isn't a security feature—if you load an unsigned module, then that module is able to modify the kernel to clear the taint flag. The only reason to taint the kernel is to inform the admin that they loaded an unsigned module. Loading the nvidia driver on this kernel would result in the E, O and P taint flags.

Unfortunately some users see the additional E taint and are unhappy, either because they didn't expect it (because it didn't happen with previous kernels) or because they have objections to the kernel wanting them to sign modules. I wrote a patch that allowed distributions to build kernels that could be configured to enforce module signatures, but wouldn't taint if an unsigned module was allowed to load.

With this patch applied and the option enabled, loading the nvidia driver would still result in the O and P flags being set, and upstream kernel developers would still be able to tell that a proprietary driver had been loaded and ask the user to reproduce the bug without that code. However, the kernel would also be usable in cases where you want to require signed drivers.

Distributions and kernel developers don't really care if you've loaded an unsigned module, so the removal of the E taint flag doesn't change anything. But it does mean that distributions can enable support for module signatures without causing confusion for users, which makes it easier for distributions to continue doing development work on new security features that make everyone safer.

—Matthew Garrett
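The following is an added example, not part of the letter above or of the kernel source: it decodes the P, O and E bits of a `/proc/sys/kernel/tainted` value and attributes each flag to modules using the per-module taint letters shown in `/proc/modules`. The mask and module lines are constructed samples, and `example_oot` is a hypothetical module name; as the letter notes, these flags inform the admin and are not a security control.

```python
"""Decode kernel taint state (constructed sample data; added example)."""
import re

# Bit positions from the kernel's tainted-kernels documentation,
# limited to the three flags the letter discusses.
TAINT_BITS = {0: "P", 12: "O", 13: "E"}
MEANING = {
    "P": "proprietary module loaded",
    "O": "out-of-tree module loaded",
    "E": "unsigned module loaded",
}

def decode_taint(mask):
    """Return the P/O/E letters set in a /proc/sys/kernel/tainted value."""
    return [flag for bit, flag in sorted(TAINT_BITS.items()) if mask & (1 << bit)]

def modules_with_taint(proc_modules_text):
    """Map module name -> taint letters from /proc/modules-style text."""
    tainted = {}
    for line in proc_modules_text.splitlines():
        # Tainting modules end with their flags in parentheses, e.g. "(POE)".
        m = re.match(r"^(\S+) .*\(([A-Z+]+)\)\s*$", line)
        if m:
            tainted[m.group(1)] = set(m.group(2)) & set(MEANING)
    return tainted

def report(mask, proc_modules_text):
    """Attribute each global flag to the modules that carry it."""
    per_module = modules_with_taint(proc_modules_text)
    return {
        flag: sorted(n for n, f in per_module.items() if flag in f)
        for flag in decode_taint(mask)
    }

# Constructed sample: P (1) + O (4096) + E (8192) = 12289
SAMPLE_MASK = 12289
SAMPLE_MODULES = """\
nvidia 35000000 120 nvidia_modeset, Live 0xffffffffc1000000 (POE)
e1000e 286720 0 - Live 0xffffffffc0500000
example_oot 16384 0 - Live 0xffffffffc0a00000 (OE)
"""

if __name__ == "__main__":
    for flag, mods in report(SAMPLE_MASK, SAMPLE_MODULES).items():
        print(flag, MEANING[flag], "<-", ", ".join(mods) or "no module listed")
```
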

Bravo! What a Refreshing New Look and Approach

Incredible—one could focus on all the great articles due to the stunning sleek look of the new LJ. You've managed to completely reinvent yourself, the Linux news scene and the world of journalism all in one fantastic issue. This is a watershed moment—returning control to readers and defining a whole new world of vendor respect for customers. Magnificent! I am so glad that I decided to re-subscribe; it was worth the wait. And to vendors who may have doubts—I look forward to signing up with those that decide to provide products with value.

—John

We are so glad to hear you like the new issue and the new concept! Thank you for taking the time to let us know.—Ed.

Send LJ a Letter

We'd love to hear your feedback on the magazine and specific articles. Please write us here or send email to ljeditor@linuxjournal.com.

Photos

Send your Linux-related photos to ljeditor@linuxjournal.com, and we'll publish the best ones here.
