Reorder HTML link formatting.
parent e53261463c
commit 3e70c43aa9
@ -5,7 +5,7 @@
|
||||
<!-- Copyright 2022 Jake Winters -->
|
||||
<!-- SPDX-License-Identifier: BSD-3-Clause -->
|
||||
|
||||
<!-- Version: 4.1.0.26 -->
|
||||
<!-- Version: 4.1.0.27 -->
|
||||
|
||||
|
||||
<html>
|
||||
@ -52,15 +52,15 @@
|
||||
in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the
|
||||
misinformation being spread inside of this extremely flawed movement.</p>
|
||||
<p>The
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software">FOSS</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Free_software" class="body-link">FOSS</a>
|
||||
movement is an attempt to regain
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Privacy">privacy</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Privacy" class="body-link">privacy</a>
|
||||
and
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)">control</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Control_(psychology)" class="body-link">control</a>
|
||||
over our devices and data, but the entire concept of FOSS-only, at the current time, is
|
||||
severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact
|
||||
that most FOSS software cares not about
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Security">security</a>.
|
||||
<a href="https://en.wikipedia.org/wiki/Security" class="body-link">security</a>.
|
||||
"Security"; keep that word in mind as you progress through this article. What is security? Security
|
||||
is being safe and secure from adversaries and unwanted consequences; security protects our rights
|
||||
and allows us to protect ourselves. Without security, we have no protection, and without protection,
|
||||
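Review bot: The commit message does not say why `href` now precedes `class` on the body links changed in this hunk (the FOSS, privacy, control and security anchors). Attribute order does not change how the browser parses or renders an element, so this is a style-only change. State the convention in the commit message or a contributor note, and consider a formatter or lint rule that enforces it so the order does not drift again.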
@ -68,12 +68,12 @@
|
||||
FOSS movement is seeking.</p>
|
||||
<p>FOSS projects rarely take security into account; they simply look at the surface level, rather
|
||||
than the actual
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis">root cause</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Root_cause_analysis" class="body-link">root cause</a>
|
||||
of the issues they are attempting to fight against. In this case, the focus is on
|
||||
privacy and control. Without security mechanisms to protect the privacy features and the ability to
|
||||
control your devices and data, it can be stripped away as if it never existed in the first place,
|
||||
which, inevitably, leads us back to the beginning, and the cycle repeats. With this
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology">ideology</a>,
|
||||
<a href="https://en.wikipedia.org/wiki/Ideology" class="body-link">ideology</a>,
|
||||
privacy and control will *never* be achieved. There is no foundation to build privacy
|
||||
or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p>
|
||||
</section>
|
||||
@ -82,40 +82,40 @@
|
||||
<section id="examples-smartphones">
|
||||
<h3 id="examples-smartphones"><a href="#examples-smartphones" class="h3">Smartphones</a></h3>
|
||||
<p>A FOSS phone, especially so-called
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones">"Linux phones"</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones" class="body-link">"Linux phones"</a>
|
||||
are completely
|
||||
detrimental to privacy and control, because they do not have the security necessary to enforce that
|
||||
privacy.
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking">Unlocked bootloaders</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Bootloader_unlocking" class="body-link">Unlocked bootloaders</a>
|
||||
prevent the device from
|
||||
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/">verifying the integrity of the boot chain</a>,
|
||||
<a href="https://source.android.com/docs/security/features/verifiedboot/" class="body-link">verifying the integrity of the boot chain</a>,
|
||||
including the OS, meaning any adversary, whether a
|
||||
stranger who happens to pick up the device, or a big tech or government entity, can simply inject
|
||||
malicious code into your software and you wouldn't have any idea it was there. If that's not enough
|
||||
of a backdoor for you to reconsider your position, how about the trivial
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack">evil maid</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Evil_maid_attack" class="body-link">evil maid</a>
|
||||
and data extraction attacks which could be executed on your device, without coercion?
|
||||
With Android phones, this is bad enough to completely break the privacy and control the FOSS
|
||||
movement seeks, but "Linux phones" take it a step further by implementing barely any security, if
|
||||
any at all.
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation">Privilege escalation</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Privilege_escalation" class="body-link">Privilege escalation</a>
|
||||
is trivial to achieve on any Linux system, which is the reason Linux
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)">hardening</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Hardening_(computing)" class="body-link">hardening</a>
|
||||
strategies often include restricting access to the root account; if you
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)">root your Android phone</a>,
|
||||
<a href="https://en.wikipedia.org/wiki/Rooting_(Android)" class="body-link">root your Android phone</a>,
|
||||
or use a "Linux phone", you've already destroyed the security model,
|
||||
and thus privacy and control model you were attempting to achieve. Not only are these side effects
|
||||
of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily
|
||||
difficult to, install and update critical components of the system, such as proprietary
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Firmware">firmware</a>,
|
||||
<a href="https://en.wikipedia.org/wiki/Firmware" class="body-link">firmware</a>,
|
||||
which just so happens to be almost all of them. "Linux phones" are not as free as
|
||||
they proclaim to be.</p>
|
||||
<p>You may ask "What's so bad about using
|
||||
<a class="body-link" href="https://lineageos.org/">LineageOS</a>?",
|
||||
<a href="https://lineageos.org/" class="body-link">LineageOS</a>?",
|
||||
to which I answer with "What's not bad about it?".</p>
|
||||
<ul>
|
||||
<li>LineageOS uses
|
||||
<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets">debug builds</a>,
|
||||
<a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets" class="body-link">debug builds</a>,
|
||||
not safe and secure release builds.</li>
|
||||
<li>LineageOS requires an unlocked bootloader. Even when installed on devices which support custom
|
||||
Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being
|
||||
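Review bot: In the unchanged context at the top of this hunk, `<section id="examples-smartphones">` and the `<h3 id="examples-smartphones">` inside it share one id. Ids must be unique within a document, and the `#examples-smartphones` fragment link can only resolve to the first match, so drop the id from one of the two elements or rename it. The heading anchor there already puts `href` before `class`, so the reordered body links in this hunk now match it.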
@ -124,11 +124,11 @@
|
||||
to perform a second update to install this firmware; this likely causes users to ignore the
|
||||
notification or miss firmware updates.</li>
|
||||
<li>LineageOS does not implement
|
||||
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>,
|
||||
<a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection" class="body-link">rollback protection</a>,
|
||||
meaning any adversary, from a stranger who physically picks up the device,
|
||||
to a goverment entity remotely, can simply downgrade the OS to a previous version in order to
|
||||
exploit known
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)">security vulnerabilities</a>.</li>
|
||||
<a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)" class="body-link">security vulnerabilities</a>.</li>
|
||||
</ul>
|
||||
<p>LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such
|
||||
issues, but it is one of the worst. The only things such insecure OSes can provide you are
|
||||
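Review bot: The unchanged context line after the rollback protection link reads "to a goverment entity remotely"; "goverment" should be "government". This commit already edits the lines on either side of it, so the typo could be fixed in the same pass or in a follow-up.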
@ -142,25 +142,25 @@
|
||||
fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
|
||||
adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack
|
||||
of control of our devices and data is to become a
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat">renegade</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Turncoat" class="body-link">renegade</a>
|
||||
and not take sides. Yes, that means not taking sides with the closed source,
|
||||
proprietary, big tech and government entities, but it also means not taking sides with any
|
||||
FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
|
||||
use it tactically.</p>
|
||||
<p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
|
||||
Pixel 4a-series or newer) running
|
||||
<a class="body-link" href="https://grapheneos.org/">GrapheneOS</a>.
|
||||
<a href="https://grapheneos.org/" class="body-link">GrapheneOS</a>.
|
||||
Google Pixel phones allow you complete bootloader freedom, including the
|
||||
<a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">ability to lock the bootloader after flashing a custom OS</a>
|
||||
<a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later" class="body-link">ability to lock the bootloader after flashing a custom OS</a>
|
||||
(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
|
||||
boot to prevent
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Malware">malware</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Malware" class="body-link">malware</a>
|
||||
persistence, evil maid attacks, and boot chain
|
||||
<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption">corruption</a>),
|
||||
<a class="body-link" href="https://support.google.com/nexus/answer/4457705">long device support lifecycles</a>
|
||||
<a href="https://en.wikipedia.org/wiki/Data_corruption" class="body-link">corruption</a>),
|
||||
<a href="https://support.google.com/nexus/answer/4457705" class="body-link">long device support lifecycles</a>
|
||||
(minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
|
||||
years for Pixel 6-series and newer), and
|
||||
<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/">guaranteed monthly security updates</a>
|
||||
<a href="https://source.android.com/docs/security/bulletin/pixel/" class="body-link">guaranteed monthly security updates</a>
|
||||
for the entire support timeframe of the devices.</p>
|
||||
</section>
|
||||
<section id="conclusion">
|
||||