Update Blog #0 webpage from version 4.0.0.18 to 4.1.0.27.

inference 2023-06-22 19:46:06 +01:00
parent 31ef015027
commit b80bcfa7f0
Signed by: inference
SSH Key Fingerprint: SHA256:9Pl0nZ2UJacgm+IeEtLSZ4FOESgP1eKCtRflfPfdX9M


@ -5,202 +5,169 @@
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 4.0.0.18 --> <!-- Version: 4.1.0.27 -->
<html> <html>
<head>
<head> <title>Inferencium - Blog - FOSS is Working Against Itself</title>
<title>Inferencium - Blog - FOSS is Working Against Itself</title> <link rel="stylesheet" href="../inf.css">
<link rel="stylesheet" href="../inf.css"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="viewport" content="width=device-width, initial-scale=1"> </head>
</head> <!-- Navigation bar -->
<div class="sidebar">
<!-- Navigation bar. --> <a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"></a>
<div class="sidebar"> <a href="../index.html" class="title">Inferencium</a><br>
<img src="../asset/img/logo-inferencium-no_text.png" <br>
width="110px" height="110px"> <br>
<a class="title">Inferencium</a><br> <div><a href="../about.html">About</a></div>
<br> <div><a href="../contact.html">Contact</a></div>
<br> <div><a href="../blog.html">Blog</a></div>
<div><a href="../about.html">About</a></div> <div><a href="../source.html">Source</a></div>
<div><a href="../contact.html">Contact</a></div> <div><a href="../key.html">Key</a></div>
<div><a href="../blog.html">Blog</a></div> </div>
<div><a href="../source.html">Source</a></div> <body>
<div><a href="../key.html">Key</a></div> <h1>Blog - #0</h1>
</div> <section id="blog">
<h2>FOSS is Working Against Itself</h2>
<body> <p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p>
<h1>Blog - #0</h1> <p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p>
<br> <!-- Table of contents -->
<br> <section id="toc">
<br> <h2 id="toc"><a href="#toc" class="h2">Table of Contents<a/></h2>
<ul>
<h2>FOSS is Working Against Itself</h2> <li><a href="#introduction" class="body-link">Introduction</a></li>
<br> <li><a href="#examples" class="body-link">Examples</a></li>
<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p> <ul>
<p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p> <li><a href="#examples-smartphones" class="body-link">Smartphones</a></li>
<br> </ul>
<br> <li><a href="#solution" class="body-link">Solution</a></li>
<li><a href="#conclusion" class="body-link">Conclusion</a></li>
<!-- Table of contents. --> </ul>
<h2 id="toc"><a href="#toc" class="h2" </section>
>Table of Contents<a/></h2> <section id="introduction">
<ul> <h2 id=introduction"><a href="#introduction" class="h2">Introduction</a></h2>
<li><a href="#introduction" class="body-link" <p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian place;
>Introduction</a></li> in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to
<li><a href="#examples" class="body-link" in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the
>Examples</a></li> misinformation being spread inside of this extremely flawed movement.</p>
<ul> <p>The
<li><a href="#examples-smartphones" class="body-link" <a href="https://en.wikipedia.org/wiki/Free_software" class="body-link">FOSS</a>
>Smartphones</a></li> movement is an attempt to regain
</ul> <a href="https://en.wikipedia.org/wiki/Privacy" class="body-link">privacy</a>
<li><a href="#solution" class="body-link" and
>Solution</a></li> <a href="https://en.wikipedia.org/wiki/Control_(psychology)" class="body-link">control</a>
<li><a href="#conclusion" class="body-link" over our devices and data, but the entire concept of FOSS-only, at the current time, is
>Conclusion</a></li> severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact
</ul> that most FOSS software cares not about
<br> <a href="https://en.wikipedia.org/wiki/Security" class="body-link">security</a>.
<br> "Security"; keep that word in mind as you progress through this article. What is security? Security
is being safe and secure from adversaries and unwanted consequences; security protects our rights
<h2 id=introduction"><a href="#introduction" class="h2" and allows us to protect ourselves. Without security, we have no protection, and without protection,
>Introduction</a></h2> we have a lack of certainty of everything else, including privacy and control, which is what the
<p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian place; FOSS movement is seeking.</p>
in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to <p>FOSS projects rarely take security into account; they simply look at the surface level, rather
in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the than the actual
misinformation being spread inside of this extremely flawed movement.</p> <a href="https://en.wikipedia.org/wiki/Root_cause_analysis" class="body-link">root cause</a>
<br> of the issues they are attempting to fight against. In this case, the focus is on
<p>The privacy and control. Without security mechanisms to protect the privacy features and the ability to
<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software" control your devices and data, it can be stripped away as if it never existed in the first place,
>FOSS</a> movement is an attempt to regain which, inevitably, leads us back to the beginning, and the cycle repeats. With this
<a class="body-link" href="https://en.wikipedia.org/wiki/Privacy" <a href="https://en.wikipedia.org/wiki/Ideology" class="body-link">ideology</a>,
>privacy</a> and privacy and control will *never* be achieved. There is no foundation to build privacy
<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)" or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p>
>control</a> over our devices and data, but the entire concept of FOSS-only, at the current time, is </section>
severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact <section id="examples">
that most FOSS software cares not about <h2 id="examples"><a href="#examples" class="h2">Examples</a></h2>
<a class="body-link" href="https://en.wikipedia.org/wiki/Security" <section id="examples-smartphones">
>security</a>. <h3 id="examples-smartphones"><a href="#examples-smartphones" class="h3">Smartphones</a></h3>
"Security"; keep that word in mind as you progress through this article. What is security? Security <p>A FOSS phone, especially so-called
is being safe and secure from adversaries and unwanted consequences; security protects our rights <a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones" class="body-link">"Linux phones"</a>
and allows us to protect ourselves. Without security, we have no protection, and without protection, are completely
we have a lack of certainty of everything else, including privacy and control, which is what the detrimental to privacy and control, because they do not have the security necessary to enforce that
FOSS movement is seeking.</p> privacy.
<br> <a href="https://en.wikipedia.org/wiki/Bootloader_unlocking" class="body-link">Unlocked bootloaders</a>
<p>FOSS projects rarely take security into account; they simply look at the surface level, rather prevent the device from
than the actual <a href="https://source.android.com/docs/security/features/verifiedboot/" class="body-link">verifying the integrity of the boot chain</a>,
<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis" including the OS, meaning any adversary, whether a
>root cause</a> of the issues they are attempting to fight against. In this case, the focus is on stranger who happens to pick up the device, or a big tech or government entity, can simply inject
privacy and control. Without security mechanisms to protect the privacy features and the ability to malicious code into your software and you wouldn't have any idea it was there. If that's not enough
control your devices and data, it can be stripped away as if it never existed in the first place, of a backdoor for you to reconsider your position, how about the trivial
which, inevitably, leads us back to the beginning, and the cycle repeats. With this <a href="https://en.wikipedia.org/wiki/Evil_maid_attack" class="body-link">evil maid</a>
<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology" and data extraction attacks which could be executed on your device, without coercion?
>ideology</a>, privacy and control will *never* be achieved. There is no foundation to build privacy With Android phones, this is bad enough to completely break the privacy and control the FOSS
or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p> movement seeks, but "Linux phones" take it a step further by implementing barely any security, if
<br> any at all.
<br> <a href="https://en.wikipedia.org/wiki/Privilege_escalation" class="body-link">Privilege escalation</a>
is trivial to achieve on any Linux system, which is the reason Linux
<h2 id="examples"><a href="#examples" class="h2" <a href="https://en.wikipedia.org/wiki/Hardening_(computing)" class="body-link">hardening</a>
>Examples</a></h2> strategies often include restricting access to the root account; if you
<h3 id="examples-smartphones"><a href="#examples-smartphones" class="h3" <a href="https://en.wikipedia.org/wiki/Rooting_(Android)" class="body-link">root your Android phone</a>,
>Smartphones</a></h3> or use a "Linux phone", you've already destroyed the security model,
<p>A FOSS phone, especially so-called and thus privacy and control model you were attempting to achieve. Not only are these side effects
<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones" of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily
>"Linux phones"</a> are completely difficult to, install and update critical components of the system, such as proprietary
detrimental to privacy and control, because they do not have the security necessary to enforce that <a href="https://en.wikipedia.org/wiki/Firmware" class="body-link">firmware</a>,
privacy. which just so happens to be almost all of them. "Linux phones" are not as free as
<a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking" they proclaim to be.</p>
>Unlocked bootloaders</a> prevent the device from <p>You may ask "What's so bad about using
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/" <a href="https://lineageos.org/" class="body-link">LineageOS</a>?",
>verifying the integrity of the boot chain</a>, including the OS, meaning any adversary, whether a to which I answer with "What's not bad about it?".</p>
stranger who happens to pick up the device, or a big tech or government entity, can simply inject <ul>
malicious code into your software and you wouldn't have any idea it was there. If that's not enough <li>LineageOS uses
of a backdoor for you to reconsider your position, how about the trivial <a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets" class="body-link">debug builds</a>,
<a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack" not safe and secure release builds.</li>
>evil maid</a> and data extraction attacks which could be executed on your device, without coercion? <li>LineageOS requires an unlocked bootloader. Even when installed on devices which support custom
With Android phones, this is bad enough to completely break the privacy and control the FOSS Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being
movement seeks, but "Linux phones" take it a step further by implementing barely any security, if signed.</li>
any at all. <li>LineageOS does not install critically important firmware without manual flashing, requiring users
<a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation" to perform a second update to install this firmware; this likely causes users to ignore the
>Privilege escalation</a> is trivial to achieve on any Linux system, which is the reason Linux notification or miss firmware updates.</li>
<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)" <li>LineageOS does not implement
>hardening</a> strategies often include restricting access to the root account; if you <a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection" class="body-link">rollback protection</a>,
<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)" meaning any adversary, from a stranger who physically picks up the device,
>root your Android phone</a>, or use a "Linux phone", you've already destroyed the security model, to a goverment entity remotely, can simply downgrade the OS to a previous version in order to
and thus privacy and control model you were attempting to achieve. Not only are these side effects exploit known
of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily <a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)" class="body-link">security vulnerabilities</a>.</li>
difficult to, install and update critical components of the system, such as proprietary </ul>
<a class="body-link" href="https://en.wikipedia.org/wiki/Firmware" <p>LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such
>firmware</a>, which just so happens to be almost all of them. "Linux phones" are not as free as issues, but it is one of the worst. The only things such insecure OSes can provide you are
they proclaim to be.</p> customisation abilities, and a backdoor to your data. They are best suited as a development OS, not
<br> a production OS.</p>
<p>You may ask "What's so bad about using </section>
<a class="body-link" href="https://lineageos.org/" </section>
>LineageOS</a>?", to which I answer with "What's not bad about it?".<br> <section id="solution">
<br> <h2 id="solution"><a href="#solution" class="h2">Solution</a></h2>
<ul> <p>What can you do about this? The answer is simple; however, it does require you to use logic,
<li>LineageOS uses fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets" adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack
>debug builds</a>, not safe and secure release builds.</li> of control of our devices and data is to become a
<li>LineageOS requires an unlocked bootloader. Even when installed on devices which support custom <a href="https://en.wikipedia.org/wiki/Turncoat" class="body-link">renegade</a>
Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being and not take sides. Yes, that means not taking sides with the closed source,
signed.</li> proprietary, big tech and government entities, but it also means not taking sides with any
<li>LineageOS does not install critically important firmware without manual flashing, requiring users FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
to perform a second update to install this firmware; this likely causes users to ignore the use it tactically.</p>
notification or miss firmware updates.</li> <p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
<li>LineageOS does not implement Pixel 4a-series or newer) running
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/ <a href="https://grapheneos.org/" class="body-link">GrapheneOS</a>.
verified-boot#rollback-protection" Google Pixel phones allow you complete bootloader freedom, including the
>rollback protection</a>, meaning any adversary, from a stranger who physically picks up the device, <a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later" class="body-link">ability to lock the bootloader after flashing a custom OS</a>
to a goverment entity remotely, can simply downgrade the OS to a previous version in order to (GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
exploit known boot to prevent
<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)" <a href="https://en.wikipedia.org/wiki/Malware" class="body-link">malware</a>
>security vulnerabilities</a>.</li> persistence, evil maid attacks, and boot chain
</ul> <a href="https://en.wikipedia.org/wiki/Data_corruption" class="body-link">corruption</a>),
<br> <a href="https://support.google.com/nexus/answer/4457705" class="body-link">long device support lifecycles</a>
<p>LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
issues, but it is one of the worst. The only things such insecure OSes can provide you are years for Pixel 6-series and newer), and
customisation abilities, and a backdoor to your data. They are best suited as a development OS, not <a href="https://source.android.com/docs/security/bulletin/pixel/" class="body-link">guaranteed monthly security updates</a>
a production OS.</p> for the entire support timeframe of the devices.</p>
<br> </section>
<br> <section id="conclusion">
<h2 id="conclusion"><a href="#conclusion" class="h2">Conclusion</a></h2>
<h2 id="solution"><a href="#solution" class="h2">Solution</a></h2> <p>Use what you can, and do what you can. By neglecting security, you are, even if unintentionally,
<p>What can you do about this? The answer is simple; however, it does require you to use logic, neglecting exactly what you are trying to gain; privacy and control.</p>
fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your </section>
adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack </section>
of control of our devices and data is to become a </body>
<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat"
>renegade</a> and not take sides. Yes, that means not taking sides with the closed source,
proprietary, big tech and government entities, but it also means not taking sides with any
FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
use it tactically.</p>
<br>
<p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
Pixel 4a-series or newer) running
<a class="body-link" href="https://grapheneos.org/"
>GrapheneOS</a>. Google Pixel phones allow you complete bootloader freedom, including the
<a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
>ability to lock the bootloader after flashing a custom OS</a>
(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
boot to prevent
<a class="body-link" href="https://en.wikipedia.org/wiki/Malware"
>malware</a> persistence, evil maid attacks, and boot chain
<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption"
>corruption</a>),
<a class="body-link" href="https://support.google.com/nexus/answer/4457705"
>long device support lifecycles</a> (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
years for Pixel 6-series and newer), and
<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/"
>guaranteed monthly security updates</a> for the entire support timeframe of the devices.</p>
<br>
<br>
<h2 id="conclusion"><a href="#conclusion" class="h2">Conclusion</a></h2>
<p>Use what you can, and do what you can. By neglecting security, you are, even if unintentionally,
neglecting exactly what you are trying to gain; privacy and control.</p>
<br>
<br>
</body>
</html> </html>
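Review bot: The new `<section>` wrappers reuse the ids already set on the headings inside them (`<section id="toc">` around `<h2 id="toc">`, and the same for `examples`, `examples-smartphones`, `solution` and `conclusion`), so each of those ids now appears twice in the document and the `#...` fragment links in the table of contents are ambiguous. Keep the id on one element only, for instance on the section, and drop it from the heading. Two defects carried over unchanged from the old side are worth fixing in the same pass: `<h2 id=introduction">` is missing the opening quote on its id value, and `Table of Contents<a/></h2>` closes the link with `<a/>` instead of `</a>`. Smaller points: the sidebar `<div class="sidebar">` still sits between `</head>` and `<body>` rather than inside the body, the nested `<ul>` for "Smartphones" is a direct child of the outer `<ul>` instead of sitting inside an `<li>`, the logo `<img>` has no `alt` text, and "goverment" in the rollback protection item is misspelled.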