Inferencium/website
1
0
Fork 0
Code Issues Activity

Add references. Improve text.

Browse Source
This commit is contained in:
inference 2022-11-09 12:28:28 +00:00
parent ddf3186282
commit 77ff669c82
1 changed files with 82 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
blog/foss-is-working-against-itself.html
View File

@ -19,65 +19,96 @@
<h2>FOSS is Working Against Itself</h2> <h2>FOSS is Working Against Itself</h2>
<br> <br>
<p>Posted: 2022-01-27 (UTC+00:00)</p> <p>Posted: 2022-01-27 (UTC+00:00)</p>
<p>Updated: 2022-10-29 (UTC+00:00)</p> <p>Updated: 2022-11-09 (UTC+00:00)</p>
<br> <br>
<h4>Introduction</h4> <h4>Introduction</h4>
<p>The world has become a dangerous, privacy invading, human rights stripping, <p>The world has become a dangerous, privacy invading, human rights stripping,
totalitarian place; in order to combat this, people are joining a growing, totalitarian place; in order to combat this, people are joining a growing,
and dangerous, trend, which I will refer to in this post as the "FOSS and dangerous, trend, which I will refer to in this post as the "Free and
movement". Open Source (FOSS) movement".
With that stated, I will now debunk the misinformation being spread inside With that stated, I will now debunk the misinformation being spread inside
of this extremely flawed movement.</p> of this extremely flawed movement.</p>
<br> <br>
<p>The FOSS movement is an attempt to regain privacy and control over our <p>The
<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software"
>FOSS</a> movement is an attempt to regain privacy and control over our
devices and data, but the entire concept of FOSS-only, at the current time, devices and data, but the entire concept of FOSS-only, at the current time,
is severely, and dangerously, flawed. What the FOSS community does not seem is severely, and dangerously, flawed. What the FOSS community does not seem
to understand is the fact that most FOSS software cares not about security. to understand is the fact that most FOSS software cares not about
<a class="body-link" href="https://en.wikipedia.org/wiki/Security"
>security</a>.
"Security"; keep that word in mind as you progress through this article. "Security"; keep that word in mind as you progress through this article.
What is security? Security is being safe and secure from adversaries and What is security? Security is being safe and secure from adversaries and
unwanted consequences; security protects our rights and allows us to unwanted consequences; security protects our rights and allows us to
protect ourselves. Without security, we have no protection, and without protect ourselves. Without security, we have no protection, and without
protection, we have a lack of certainty of everything else, including protection, we have a lack of certainty of everything else, including
privacy and control, which is what the FOSS movement is seeking.</p> <a class="body-link" href="https://en.wikipedia.org/wiki/Privacy"
>privacy</a> and
<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)"
>control</a>, which is what the FOSS movement is seeking.</p>
<br> <br>
<p>FOSS projects rarely take security into account; they simply look at the <p>FOSS projects rarely take security into account; they simply look at the
surface level, rather than the actual root cause of the issues they are surface level, rather than the actual
<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis"
>root cause</a> of the issues they are
attempting to fight against. In this case, the focus is on privacy and attempting to fight against. In this case, the focus is on privacy and
control. Without security mechanisms to protect the privacy features and control. Without security mechanisms to protect the privacy features and
the ability to control your devices and data, it can be stripped away as the ability to control your devices and data, it can be stripped away as
if it never existed in the first place, which, inevitably, leads us back to if it never existed in the first place, which, inevitably, leads us back to
the beginning, and the cycle repeats. With this ideology, privacy and the beginning, and the cycle repeats. With this
<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology"
>ideology</a>, privacy and
control will *never* be achieved. There is no foundation to build privacy control will *never* be achieved. There is no foundation to build privacy
or control upon. It is impossible to build a solid, freedom respecting or control upon. It is impossible to build a solid, freedom respecting
platform on this model.</p> platform on this model.</p>
<br> <br>
<h4>Example: Smartphones</h4> <h4>Example: Smartphones</h4>
<p>A FOSS phone, especially so-called "Linux phones" are completely <p>A FOSS phone, especially so-called
<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones"
>"Linux phones"</a> are completely
detrimental to privacy and control, because they do not have the security detrimental to privacy and control, because they do not have the security
necessary to enforce that privacy. Unlocked bootloaders prevent the device necessary to enforce that privacy.
from verifying the integrity of the boot chain, including the OS, meaning <a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking"
any big tech or government entity can simply inject malicious code into >Unlocked bootloaders</a> prevent the device
from
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/"
>verifying the integrity of the boot chain</a>, including the OS, meaning
any adversary, whether a stranger who happens to pick up the device, or
a big tech or government entity, can simply inject malicious code into
your software and you wouldn't have any idea it was there. If that's not your software and you wouldn't have any idea it was there. If that's not
enough of a backdoor for you to reconsider your position, how about the enough of a backdoor for you to reconsider your position, how about the
trivial evil maid and data extraction attacks which could be executed on trivial
your device, whether with coercion or not? With Android phones, this is <a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack"
>evil maid</a> and data extraction attacks which could be executed on
your device, without coercion? With Android phones, this is
bad enough to completely break the privacy and control the FOSS movement bad enough to completely break the privacy and control the FOSS movement
seeks, but "Linux phones" take it a step further by implementing barely any seeks, but "Linux phones" take it a step further by implementing barely any
security, if any at all. Privilege escalation is trivial to achieve on any security, if any at all.
Linux system, which is the reason Linux hardening strategies often include <a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation"
restricting access to the root account; if you root your Android phone, or >Privilege escalation</a> is trivial to achieve on any
Linux system, which is the reason Linux
<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)"
>hardening</a> strategies often include
restricting access to the root account; if you
<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)"
>root your Android phone</a>, or
use a "Linux phone", you've already destroyed the security model, and thus use a "Linux phone", you've already destroyed the security model, and thus
privacy and control model you were attempting to achieve. Not only are privacy and control model you were attempting to achieve. Not only are
these side effects of FOSS, so is the absolutely illogical restriction of these side effects of FOSS, so is the absolutely illogical restriction of
not being able to, or making it unnecessarily difficult to, install and not being able to, or making it unnecessarily difficult to, install and
update critical components of the system, such as proprietary firmware, update critical components of the system, such as proprietary
which just so happens to be almost all of them. "Linux phones" are not as <a class="body-link" href="https://en.wikipedia.org/wiki/Firmware"
free as they proclaim to be.</p> >firmware</a>, which just so happens to be almost all of them.
"Linux phones" are not as free as they proclaim to be.</p>
<br> <br>
<p>You may ask "What's so bad about using LineageOS?", to which I answer with <p>You may ask "What's so bad about using
<a class="body-link" href="https://lineageos.org/"
>LineageOS</a>?", to which I answer with
"What's not bad about it?".<br> "What's not bad about it?".<br>
<br> <br>
- LineageOS uses debug builds, not safe and secure release builds.<br> - LineageOS uses
<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets"
>debug builds</a>, not safe and secure release builds.<br>
- LineageOS requires an unlocked bootloader. Even when installed on devices - LineageOS requires an unlocked bootloader. Even when installed on devices
which support custom Android Verified Boot (AVB) keys, the bootloader cannot which support custom Android Verified Boot (AVB) keys, the bootloader cannot
be locked due to lack of the OS being signed.<br> be locked due to lack of the OS being signed.<br>
@ -85,10 +116,14 @@ be locked due to lack of the OS being signed.<br>
flashing, requiring users to perform a second update to install this firmware; flashing, requiring users to perform a second update to install this firmware;
this likely causes users to ignore the notification or miss firmware this likely causes users to ignore the notification or miss firmware
updates.<br> updates.<br>
- LineageOS does not implement rollback protection, meaning any adversary, - LineageOS does not implement
from a stranger who picks up the device, to a goverment entity remotely, can <a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection"
simply downgrade the OS to a previous version in order to exploit known >rollback protection</a>, meaning any adversary,
security vulnerabilities.<br> from a stranger who physically picks up the device, to a goverment entity
remotely, can simply downgrade the OS to a previous version in order to exploit
known
<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)"
>security vulnerabilities</a>.<br>
<br> <br>
LineageOS is not the only Android OS (commonly, and incorrectly, referred LineageOS is not the only Android OS (commonly, and incorrectly, referred
to as a "ROM") with such issues, but it is one of the worst. The only to as a "ROM") with such issues, but it is one of the worst. The only
@ -101,21 +136,33 @@ production OS.</p>
you to use logic, fact, and evidence, not emotion, which is a difficult you to use logic, fact, and evidence, not emotion, which is a difficult
pill for most people to swallow. Use your adversaries' weapons against pill for most people to swallow. Use your adversaries' weapons against
them. The only way to effectively combat the privacy invasion and lack of them. The only way to effectively combat the privacy invasion and lack of
control of our devices and data is to become a renegade and not take sides. control of our devices and data is to become a
<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat"
>renegade</a> and not take sides.
Yes, that means not taking sides with the closed source, proprietary, big Yes, that means not taking sides with the closed source, proprietary, big
tech and government entities, but it also means not taking sides with any tech and government entities, but it also means not taking sides with any
FOSS entities. The only way to win this war is to take *whatever* hardware FOSS entities. The only way to win this war is to take *whatever* hardware
and software you can, and use it tactically.</p> and software you can, and use it tactically.</p>
<br> <br>
<p>The only solution for phone security, privacy, and control, is to use <p>The only solution for phone security, privacy, and control, is to use
a Google Pixel (currently, Pixel 4-series or newer) running GrapheneOS. Google a Google Pixel (currently, Pixel 4a-series or newer) running
Pixel phones allow you complete bootloader freedom, including the ability <a class="body-link" href="https://grapheneos.org/"
to lock the bootloader after flashing a custom OS (GrapheneOS includes a >GrapheneOS</a>. Google Pixel phones allow you complete bootloader freedom,
custom OS signing key to allow locking the bootloader and enabling verified including the
boot to prevent malware persistence, evil maid attacks, and boot chain <a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
corruption), long device support lifecycles (minimum 3 years for Pixel 3a >ability to lock the bootloader after flashing a custom OS</a>
series to Pixel 5a, minimum 5 years for Pixel 6 series), and fast, (GrapheneOS includes a custom OS signing key to allow locking the bootloader
guaranteed security updates for the entire support timeframe of the and enabling verified boot to prevent
<a class="body-link" href="https://en.wikipedia.org/wiki/Malware"
>malware</a> persistence, evil maid attacks,
and boot chain
<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption"
>corruption</a>),
<a class="body-link" href="https://support.google.com/nexus/answer/4457705"
>long device support lifecycles</a> (minimum 3 years for
Pixel 4a-series to Pixel 5a, minimum 5 years for Pixel 6-series and newer), and
<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/"
>guaranteed monthly security updates</a> for the entire support timeframe of the
devices.</p> devices.</p>
<br> <br>
<h4>Conclusion</h4> <h4>Conclusion</h4>