Update webpage "Blog - #0" from version "9.0.0-beta.1" to "9.0.1-beta.1"

inference 2024-03-18 02:39:49 +00:00
parent c2d38dd442
commit 8b840152d9
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc


@ -1,195 +1,175 @@
<!DOCTYPE html> <!DOCTYPE html>
<!-- Inferencium - Website - Blog - #0 --> <!-- Inferencium - Website - Blog - #0 -->
<!-- Version: 9.0.0-beta.1 --> <!-- Version: 9.0.1-beta.1 -->
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> <head>
<meta charset="utf-8"/> <meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/> <meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="../main.css"/> <link rel="stylesheet" href="../main.css"/>
<link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/> <link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/>
<title>Inferencium - Blog - FOSS is Working Against Itself</title> <title>Inferencium - Blog - FOSS is Working Against Itself</title>
</head> </head>
<body> <body>
<nav class="navbar"> <nav class="navbar">
<div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div> <div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
<div class="title"><a href="../index.xhtml">Inferencium</a></div> <div class="title"><a href="../index.xhtml">Inferencium</a></div>
<div><a href="../about.xhtml">About</a></div> <div><a href="../about.xhtml">About</a></div>
<div><a href="../news.xhtml">News</a></div> <div><a href="../news.xhtml">News</a></div>
<div><a href="../documentation.xhtml">Documentation</a></div> <div><a href="../documentation.xhtml">Documentation</a></div>
<div><a href="../source.xhtml">Source</a></div> <div><a href="../source.xhtml">Source</a></div>
<div><a href="../changelog.xhtml">Changelog</a></div> <div><a href="../changelog.xhtml">Changelog</a></div>
<div><a href="../blog.xhtml">Blog</a></div> <div><a href="../blog.xhtml">Blog</a></div>
<div><a href="../contact.xhtml">Contact</a></div> <div><a href="../contact.xhtml">Contact</a></div>
<div><a href="../directory.xhtml">Directory</a></div> <div><a href="../directory.xhtml">Directory</a></div>
<div><a href="../key.xhtml">Key</a></div> <div><a href="../key.xhtml">Key</a></div>
<div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div> <div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div>
</nav>
<h1>Blog - #0</h1>
<h2>FOSS is Working Against Itself</h2>
<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p>
<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>
<nav id="toc">
<h2><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#introduction">Introduction</a></li>
<li><a href="#examples">Examples</a></li>
<ul>
<li><a href="#examples-smartphones">Smartphones</a></li>
</ul>
<li><a href="#solution">Solution</a></li>
<li><a href="#conclusion">Conclusion</a></li>
</ul>
</nav> </nav>
<h1>Blog - #0</h1> <section id="introduction">
<h2>FOSS is Working Against Itself</h2> <h2><a href="#introduction">Introduction</a></h2>
<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p> <p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian
<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p> place; in order to combat this, people are joining a growing, and dangerous, trend, which I will
<nav id="toc"> refer to in this post as the "Free and Open Source (FOSS) movement". With that stated, I will
<h2><a href="#toc">Table of Contents</a></h2> now debunk the misinformation being spread inside of this extremely flawed movement.</p>
<ul> <p>The
<li><a href="#introduction">Introduction</a></li> <a href="https://en.wikipedia.org/wiki/Free_software">FOSS</a>
<li><a href="#examples">Examples</a></li> movement is an attempt to regain
<ul> <a href="https://en.wikipedia.org/wiki/Privacy">privacy</a>
<li><a href="#examples-smartphones">Smartphones</a></li> and
</ul> <a href="https://en.wikipedia.org/wiki/Control_(psychology)">control</a>
<li><a href="#solution">Solution</a></li> over our devices and data, but the entire concept of FOSS-only, at the current time, is
<li><a href="#conclusion">Conclusion</a></li> severely, and dangerously, flawed. What the FOSS community does not seem to understand is the
</ul> fact that most FOSS software cares not about
</nav> <a href="https://en.wikipedia.org/wiki/Security">security</a>.
<section id="introduction"> "Security"; keep that word in mind as you progress through this article. What is security?
<h2><a href="#introduction">Introduction</a></h2> Security is being safe and secure from adversaries and unwanted consequences; security protects
<p>The world has become a dangerous, privacy invading, human rights stripping, our rights and allows us to protect ourselves. Without security, we have no protection, and
totalitarian place; in order to combat this, people are joining a growing, and without protection, we have a lack of certainty of everything else, including privacy and
dangerous, trend, which I will refer to in this post as the "Free and Open control, which is what the FOSS movement is seeking.</p>
Source (FOSS) movement". With that stated, I will now debunk the misinformation <p>FOSS projects rarely take security into account; they simply look at the surface level,
being spread inside of this extremely flawed movement.</p> rather than the actual
<p>The <a href="https://en.wikipedia.org/wiki/Root_cause_analysis">root cause</a>
<a href="https://en.wikipedia.org/wiki/Free_software">FOSS</a> of the issues they are attempting to fight against. In this case, the focus is on privacy and
movement is an attempt to regain control. Without security mechanisms to protect the privacy features and the ability to control
<a href="https://en.wikipedia.org/wiki/Privacy">privacy</a> your devices and data, it can be stripped away as if it never existed in the first place, which,
and inevitably, leads us back to the beginning, and the cycle repeats. With this
<a href="https://en.wikipedia.org/wiki/Control_(psychology)">control</a> <a href="https://en.wikipedia.org/wiki/Ideology">ideology</a>,
over our devices and data, but the entire concept of FOSS-only, at the current privacy and control will <em>never</em> be achieved. There is no foundation to build privacy or
time, is severely, and dangerously, flawed. What the FOSS community does not control upon. It is impossible to build a solid, freedom respecting platform on this model.</p>
seem to understand is the fact that most FOSS software cares not about </section>
<a href="https://en.wikipedia.org/wiki/Security">security</a>. <section id="examples">
"Security"; keep that word in mind as you progress through this article. What is <h2><a href="#examples">Examples</a></h2>
security? Security is being safe and secure from adversaries and unwanted <section id="examples-smartphones">
consequences; security protects our rights and allows us to protect ourselves. <h3><a href="#examples-smartphones">Smartphones</a></h3>
Without security, we have no protection, and without protection, we have a lack <p>A FOSS phone, especially so-called
of certainty of everything else, including privacy and control, which is what "<a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones">Linux phones</a>"
the FOSS movement is seeking.</p> are completely detrimental to privacy and control, because they do not have the security
<p>FOSS projects rarely take security into account; they simply look at the necessary to enforce that privacy.
surface level, rather than the actual <a href="https://en.wikipedia.org/wiki/Bootloader_unlocking">Unlocked bootloaders</a>
<a href="https://en.wikipedia.org/wiki/Root_cause_analysis">root cause</a> prevent the device from
of the issues they are attempting to fight against. In this case, the focus is <a href="https://source.android.com/docs/security/features/verifiedboot/">verifying the integrity of the boot chain</a>,
on privacy and control. Without security mechanisms to protect the privacy including the OS, meaning any adversary, whether a stranger who happens to pick up the
features and the ability to control your devices and data, it can be stripped device, or a big tech or government entity, can simply inject malicious code into your
away as if it never existed in the first place, which, inevitably, leads us back software and you wouldn't have any idea it was there. If that's not enough of a backdoor
to the beginning, and the cycle repeats. With this for you to reconsider your position, how about the trivial
<a href="https://en.wikipedia.org/wiki/Ideology">ideology</a>, <a href="https://en.wikipedia.org/wiki/Evil_maid_attack">evil maid</a>
privacy and control will <em>never</em> be achieved. There is no foundation to and data extraction attacks which could be executed on your device, without coercion?
build privacy or control upon. It is impossible to build a solid, freedom With Android phones, this is bad enough to completely break the privacy and control the
respecting platform on this model.</p> FOSS movement seeks, but "Linux phones" take it a step further by implementing barely
any security, if any at all.
<a href="https://en.wikipedia.org/wiki/Privilege_escalation">Privilege escalation</a>
is trivial to achieve on any Linux system, which is the reason Linux
<a href="https://en.wikipedia.org/wiki/Hardening_(computing)">hardening</a>
strategies often include restricting access to the root account; if you
<a href="https://en.wikipedia.org/wiki/Rooting_(Android)">root your Android phone</a>,
or use a "Linux phone", you've already destroyed the security model, and thus privacy
and control model you were attempting to achieve. Not only are these side effects of
FOSS, so is the absolutely illogical restriction of not being able to, or making it
unnecessarily difficult to, install and update critical components of the system, such
as proprietary
<a href="https://en.wikipedia.org/wiki/Firmware">firmware</a>,
which just so happens to be almost all of them. "Linux phones" are not as free as they
proclaim to be.</p>
<p>You may ask "What's so bad about using
<a href="https://lineageos.org/">LineageOS</a>?",
to which I answer with "What's not bad about it?".</p>
<ul>
<li>LineageOS uses
<a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets">debug builds</a>,
not safe and secure release builds.</li>
<li>LineageOS requires an unlocked bootloader. Even when installed on devices
which support custom Android Verified Boot (AVB) keys, the bootloader cannot be
locked due to lack of the OS being signed.</li>
<li>LineageOS does not install critically important firmware without manual
flashing, requiring users to perform a second update to install this firmware;
this likely causes users to ignore the notification or miss firmware
updates.</li>
<li>LineageOS does not implement
<a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>,
meaning any adversary, from a stranger who physically picks up the device, to a
goverment entity remotely, can simply downgrade the OS to a previous version in
order to exploit known
<a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)">security vulnerabilities</a>.</li>
</ul>
<p>LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a
"ROM") with such issues, but it is one of the worst. The only things such insecure OSes
can provide you are customisation abilities, and a backdoor to your data. They are best
suited as a development OS, not a production OS.</p>
</section> </section>
<section id="examples"> </section>
<h2><a href="#examples">Examples</a></h2> <section id="solution">
<section id="examples-smartphones"> <h2><a href="#solution">Solution</a></h2>
<h3><a href="#examples-smartphones">Smartphones</a></h3> <p>What can you do about this? The answer is simple; however, it does require you to use logic,
<p>A FOSS phone, especially so-called fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
"<a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones">Linux phones</a>" adversaries' weapons against them. The only way to effectively combat the privacy invasion and
are completely detrimental to privacy and control, because they lack of control of our devices and data is to become a
do not have the security necessary to enforce that privacy. <a href="https://en.wikipedia.org/wiki/Turncoat">renegade</a>
<a href="https://en.wikipedia.org/wiki/Bootloader_unlocking">Unlocked bootloaders</a> and not take sides. Yes, that means not taking sides with the closed-source, proprietary, big
prevent the device from tech and government entities, but it also means not taking sides with any FOSS entities. The
<a href="https://source.android.com/docs/security/features/verifiedboot/">verifying the integrity of the boot chain</a>, only way to win this war is to take <em>whatever</em> hardware and software you can, and use it
including the OS, meaning any adversary, whether a stranger who tactically.</p>
happens to pick up the device, or a big tech or government <p>The best solution for device security, privacy, and control, is to use a Google Pixel
entity, can simply inject malicious code into your software and (currently, Pixel 5a or newer) running
you wouldn't have any idea it was there. If that's not enough of <a href="https://grapheneos.org/">GrapheneOS</a>.
a backdoor for you to reconsider your position, how about the Google Pixel devices allow you complete bootloader freedom, including the
trivial <a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">ability to lock the bootloader after flashing a custom OS</a>
<a href="https://en.wikipedia.org/wiki/Evil_maid_attack">evil maid</a> (GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling
and data extraction attacks which could be executed on your verified boot to prevent
device, without coercion? With Android phones, this is bad <a href="https://en.wikipedia.org/wiki/Malware">malware</a>
enough to completely break the privacy and control the FOSS persistence, evil maid attacks, and boot chain
movement seeks, but "Linux phones" take it a step further by <a href="https://en.wikipedia.org/wiki/Data_corruption">corruption</a>),
implementing barely any security, if any at all. <a href="https://support.google.com/nexus/answer/4457705">long device support lifecycles</a>
<a href="https://en.wikipedia.org/wiki/Privilege_escalation">Privilege escalation</a> (minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series, and minimum 7
is trivial to achieve on any Linux system, which is the reason years for Pixel 8-series and newer), and
Linux <a href="https://source.android.com/docs/security/bulletin/pixel/">guaranteed monthly security updates</a>
<a href="https://en.wikipedia.org/wiki/Hardening_(computing)">hardening</a> for the entire support timeframe of the devices.</p>
strategies often include restricting access to the root account; </section>
if you <section id="conclusion">
<a href="https://en.wikipedia.org/wiki/Rooting_(Android)">root your Android phone</a>, <h2><a href="#conclusion">Conclusion</a></h2>
or use a "Linux phone", you've already destroyed the security <p>Use what you can, and do what you can. By neglecting security, you are, even if
model, and thus privacy and control model you were attempting to unintentionally, neglecting exactly what you are trying to gain; privacy and control.</p>
achieve. Not only are these side effects of FOSS, so is the </section>
absolutely illogical restriction of not being able to, or making <div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
it unnecessarily difficult to, install and update critical </body>
components of the system, such as proprietary
<a href="https://en.wikipedia.org/wiki/Firmware">firmware</a>,
which just so happens to be almost all of them. "Linux phones"
are not as free as they proclaim to be.</p>
<p>You may ask "What's so bad about using
<a href="https://lineageos.org/">LineageOS</a>?",
to which I answer with "What's not bad about it?".
<ul>
<li>LineageOS uses
<a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets">debug builds</a>,
not safe and secure release builds.</li>
<li>LineageOS requires an unlocked bootloader.
Even when installed on devices which support
custom Android Verified Boot (AVB) keys, the
bootloader cannot be locked due to lack of the
OS being signed.</li>
<li>LineageOS does not install critically
important firmware without manual flashing,
requiring users to perform a second update to
install this firmware; this likely causes users
to ignore the notification or miss firmware
updates.</li>
<li>LineageOS does not implement
<a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>,
meaning any adversary, from a stranger who
physically picks up the device, to a goverment
entity remotely, can simply downgrade the OS to
a previous version in order to exploit known
<a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)">security vulnerabilities</a>.</li>
</ul>
</p>
<p>LineageOS is not the only Android OS (commonly, and
incorrectly, referred to as a "ROM") with such issues, but it is
one of the worst. The only things such insecure OSes can provide
you are customisation abilities, and a backdoor to your data.
They are best suited as a development OS, not a production
OS.</p>
</section>
</section>
<section id="solution">
<h2><a href="#solution">Solution</a></h2>
<p>What can you do about this? The answer is simple; however, it does require
you to use logic, fact, and evidence, not emotion, which is a difficult pill for
most people to swallow. Use your adversaries' weapons against them. The only way
to effectively combat the privacy invasion and lack of control of our devices
and data is to become a
<a href="https://en.wikipedia.org/wiki/Turncoat">renegade</a>
and not take sides. Yes, that means not taking sides with the closed-source,
proprietary, big tech and government entities, but it also means not taking
sides with any FOSS entities. The only way to win this war is to take
<em>whatever</em> hardware and software you can, and use it tactically.</p>
<p>The best solution for device security, privacy, and control, is to use a
Google Pixel (currently, Pixel 5a or newer) running
<a href="https://grapheneos.org/">GrapheneOS</a>.
Google Pixel devices allow you complete bootloader freedom, including the
<a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">ability to lock the bootloader after flashing a custom OS</a>
(GrapheneOS includes a custom OS signing key to allow locking the bootloader and
enabling verified boot to prevent
<a href="https://en.wikipedia.org/wiki/Malware">malware</a>
persistence, evil maid attacks, and boot chain
<a href="https://en.wikipedia.org/wiki/Data_corruption">corruption</a>),
<a href="https://support.google.com/nexus/answer/4457705">long device support lifecycles</a>
(minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series,
and minimum 7 years for Pixel 8-series and newer), and
<a href="https://source.android.com/docs/security/bulletin/pixel/">guaranteed monthly security updates</a>
for the entire support timeframe of the devices.</p>
</section>
<section id="conclusion">
<h2><a href="#conclusion">Conclusion</a></h2>
<p>Use what you can, and do what you can. By neglecting security, you are, even
if unintentionally, neglecting exactly what you are trying to gain; privacy and
control.</p>
</section>
<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
</body>
</html> </html>
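Review bot: the SPDX line in the file header changes from BSD-3-Clause to BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception, but the commit message only describes a version bump from 9.0.0-beta.1 to 9.0.1-beta.1; a licence change should be named in the commit message, or split into its own commit, so it can be found and audited later. Closing the paragraph before the LineageOS list is a good fix, since the old side had the ul inside the p element. Two things carried over from the old side are worth fixing in the same pass: in the table of contents the nested ul for Smartphones is still a direct child of the outer ul rather than sitting inside the Examples li, and "goverment" in the rollback protection item is still misspelled.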