From 6b85ffa35cdd3ec707c08fc35fbd474641aa13fa Mon Sep 17 00:00:00 2001 From: inference Date: Fri, 9 Dec 2022 14:19:55 +0000 Subject: [PATCH] Update back-end code to new 100-120 column coding style. --- blog/foss-is-working-against-itself.html | 174 ++++++++++------------- 1 file changed, 75 insertions(+), 99 deletions(-) diff --git a/blog/foss-is-working-against-itself.html b/blog/foss-is-working-against-itself.html index d643d09..6835e43 100644 --- a/blog/foss-is-working-against-itself.html +++ b/blog/foss-is-working-against-itself.html @@ -5,7 +5,7 @@ - + @@ -38,12 +38,10 @@

Introduction

-

The world has become a dangerous, privacy invading, human rights stripping, -totalitarian place; in order to combat this, people are joining a growing, -and dangerous, trend, which I will refer to in this post as the "Free and -Open Source (FOSS) movement". -With that stated, I will now debunk the misinformation being spread inside -of this extremely flawed movement.

+

The world has become a dangerous, privacy invading, human rights stripping, totalitarian place; +in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to +in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the +misinformation being spread inside of this extremely flawed movement.


The privacy and control over our devices and data, but the entire concept of FOSS-only, at -the current time, is severely, and dangerously, flawed. What the FOSS community -does not seem to understand is the fact that most FOSS software cares not about +>control over our devices and data, but the entire concept of FOSS-only, at the current time, is +severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact +that most FOSS software cares not about security. -"Security"; keep that word in mind as you progress through this article. -What is security? Security is being safe and secure from adversaries and -unwanted consequences; security protects our rights and allows us to -protect ourselves. Without security, we have no protection, and without -protection, we have a lack of certainty of everything else, including -privacy and control, which is what the FOSS movement is seeking.

+"Security"; keep that word in mind as you progress through this article. What is security? Security +is being safe and secure from adversaries and unwanted consequences; security protects our rights +and allows us to protect ourselves. Without security, we have no protection, and without protection, +we have a lack of certainty of everything else, including privacy and control, which is what the +FOSS movement is seeking.


-

FOSS projects rarely take security into account; they simply look at the -surface level, rather than the actual +

FOSS projects rarely take security into account; they simply look at the surface level, rather +than the actual root cause of the issues they are -attempting to fight against. In this case, the focus is on privacy and -control. Without security mechanisms to protect the privacy features and -the ability to control your devices and data, it can be stripped away as -if it never existed in the first place, which, inevitably, leads us back to -the beginning, and the cycle repeats. With this +>root cause of the issues they are attempting to fight against. In this case, the focus is on +privacy and control. Without security mechanisms to protect the privacy features and the ability to +control your devices and data, it can be stripped away as if it never existed in the first place, +which, inevitably, leads us back to the beginning, and the cycle repeats. With this ideology, privacy and -control will *never* be achieved. There is no foundation to build privacy -or control upon. It is impossible to build a solid, freedom respecting -platform on this model.

+>ideology, privacy and control will *never* be achieved. There is no foundation to build privacy +or control upon. It is impossible to build a solid, freedom respecting platform on this model.


Example: Smartphones

A FOSS phone, especially so-called "Linux phones" are completely -detrimental to privacy and control, because they do not have the security -necessary to enforce that privacy. +detrimental to privacy and control, because they do not have the security necessary to enforce that +privacy. Unlocked bootloaders prevent the device -from +>Unlocked bootloaders prevent the device from verifying the integrity of the boot chain, including the OS, meaning -any adversary, whether a stranger who happens to pick up the device, or -a big tech or government entity, can simply inject malicious code into -your software and you wouldn't have any idea it was there. If that's not -enough of a backdoor for you to reconsider your position, how about the -trivial +>verifying the integrity of the boot chain, including the OS, meaning any adversary, whether a +stranger who happens to pick up the device, or a big tech or government entity, can simply inject +malicious code into your software and you wouldn't have any idea it was there. If that's not enough +of a backdoor for you to reconsider your position, how about the trivial evil maid and data extraction attacks which could be executed on -your device, without coercion? With Android phones, this is -bad enough to completely break the privacy and control the FOSS movement -seeks, but "Linux phones" take it a step further by implementing barely any -security, if any at all. +>evil maid and data extraction attacks which could be executed on your device, without coercion? +With Android phones, this is bad enough to completely break the privacy and control the FOSS +movement seeks, but "Linux phones" take it a step further by implementing barely any security, if +any at all. Privilege escalation is trivial to achieve on any -Linux system, which is the reason Linux +>Privilege escalation is trivial to achieve on any Linux system, which is the reason Linux hardening strategies often include -restricting access to the root account; if you +>hardening strategies often include restricting access to the root account; if you root your Android phone, or -use a "Linux phone", you've already destroyed the security model, and thus -privacy and control model you were attempting to achieve. Not only are -these side effects of FOSS, so is the absolutely illogical restriction of -not being able to, or making it unnecessarily difficult to, install and -update critical components of the system, such as proprietary +>root your Android phone, or use a "Linux phone", you've already destroyed the security model, +and thus privacy and control model you were attempting to achieve. Not only are these side effects +of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily +difficult to, install and update critical components of the system, such as proprietary firmware, which just so happens to be almost all of them. -"Linux phones" are not as free as they proclaim to be.

+>firmware, which just so happens to be almost all of them. "Linux phones" are not as free as +they proclaim to be.


You may ask "What's so bad about using LineageOS?", to which I answer with -"What's not bad about it?".
+>LineageOS?", to which I answer with "What's not bad about it?".

- LineageOS uses debug builds, not safe and secure release builds.
-- LineageOS requires an unlocked bootloader. Even when installed on devices -which support custom Android Verified Boot (AVB) keys, the bootloader cannot -be locked due to lack of the OS being signed.
-- LineageOS does not install critically important firmware without manual -flashing, requiring users to perform a second update to install this firmware; -this likely causes users to ignore the notification or miss firmware -updates.
+- LineageOS requires an unlocked bootloader. Even when installed on devices which support custom +Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being +signed.
+- LineageOS does not install critically important firmware without manual flashing, requiring users +to perform a second update to install this firmware; this likely causes users to ignore the +notification or miss firmware updates.
- LineageOS does not implement -rollback protection, meaning any adversary, -from a stranger who physically picks up the device, to a goverment entity -remotely, can simply downgrade the OS to a previous version in order to exploit -known +rollback protection, meaning any adversary, from a stranger who physically picks up the device, +to a goverment entity remotely, can simply downgrade the OS to a previous version in order to +exploit known security vulnerabilities.

-LineageOS is not the only Android OS (commonly, and incorrectly, referred -to as a "ROM") with such issues, but it is one of the worst. The only -things such insecure OSes can provide you are customisation abilities, and -a backdoor to your data. They are best suited as a development OS, not a -production OS.

+LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such +issues, but it is one of the worst. The only things such insecure OSes can provide you are +customisation abilities, and a backdoor to your data. They are best suited as a development OS, not +a production OS.


Solution

-

What can you do about this? The answer is simple; however, it does require -you to use logic, fact, and evidence, not emotion, which is a difficult -pill for most people to swallow. Use your adversaries' weapons against -them. The only way to effectively combat the privacy invasion and lack of -control of our devices and data is to become a +

What can you do about this? The answer is simple; however, it does require you to use logic, +fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your +adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack +of control of our devices and data is to become a renegade and not take sides. -Yes, that means not taking sides with the closed source, proprietary, big -tech and government entities, but it also means not taking sides with any -FOSS entities. The only way to win this war is to take *whatever* hardware -and software you can, and use it tactically.

+>renegade and not take sides. Yes, that means not taking sides with the closed source, +proprietary, big tech and government entities, but it also means not taking sides with any +FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and +use it tactically.


-

The only solution for phone security, privacy, and control, is to use -a Google Pixel (currently, Pixel 4a-series or newer) running +

The only solution for phone security, privacy, and control, is to use a Google Pixel (currently, +Pixel 4a-series or newer) running GrapheneOS. Google Pixel phones allow you complete bootloader freedom, -including the +>GrapheneOS. Google Pixel phones allow you complete bootloader freedom, including the ability to lock the bootloader after flashing a custom OS -(GrapheneOS includes a custom OS signing key to allow locking the bootloader -and enabling verified boot to prevent +(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified +boot to prevent malware persistence, evil maid attacks, -and boot chain +>malware persistence, evil maid attacks, and boot chain corruption), long device support lifecycles (minimum 3 years for -Pixel 4a-series to Pixel 5a, minimum 5 years for Pixel 6-series and newer), and +>long device support lifecycles (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5 +years for Pixel 6-series and newer), and guaranteed monthly security updates for the entire support timeframe of the -devices.

+>guaranteed monthly security updates for the entire support timeframe of the devices.


Conclusion

-

Use what you can, and do what you can. By neglecting security, you are, -even if unintentionally, neglecting exactly what you are trying to gain; -privacy and control.

+

Use what you can, and do what you can. By neglecting security, you are, even if unintentionally, +neglecting exactly what you are trying to gain; privacy and control.