Add table of contents. Indent code to match coding style.

2023-03-13 13:22:35 +00:00 · 2023-03-13 13:22:35 +00:00 · baecc51f96
commit baecc51f96
parent 29c9dc7613
1 changed files with 156 additions and 132 deletions
--- a/blog/foss_is_working_against_itself.html
+++ b/blog/foss_is_working_against_itself.html
@ -5,7 +5,7 @@
 <!-- Copyright 2022-2023 Jake Winters -->
 <!-- SPDX-License-Identifier: BSD-3-Clause-Clear -->
-<!-- Version: 3.0.0.12 -->
+<!-- Version: 3.1.0.13 -->
 <html>
@ -36,138 +36,162 @@
 		<br>
 		<br>
-<h2>FOSS is Working Against Itself</h2>
+		<h2>FOSS is Working Against Itself</h2>
-<br>
+		<br>
-<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p>
+		<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p>
-<p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p>
+		<p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p>
-<br>
+		<br>
-<h4>Introduction</h4>
+				<!-- Table of contents. -->
-<p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian place;
+		<h2 id="toc"><a href="#toc" class="h2"
-in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to
+		>Table of Contents<a/></h2>
-in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the
+		<ul>
-misinformation being spread inside of this extremely flawed movement.</p>
+				<li><a href="#introduction" class="body-link"
-<br>
+				>Introduction</a></li>
-<p>The
+				<li><a href="#examples" class="body-link"
-<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software"
+				>Examples</a></li>
->FOSS</a> movement is an attempt to regain
+				<ul>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Privacy"
+						<li><a href="#example-smartphones" class="body-link"
->privacy</a> and
+						>Smartphones</a></li>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)"
+				</ul>
->control</a> over our devices and data, but the entire concept of FOSS-only, at the current time, is
+				<li><a href="#solution" class="body-link"
-severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact
+				>Solution</a></li>
-that most FOSS software cares not about
+				<li><a href="#conclusion" class="body-link"
-<a class="body-link" href="https://en.wikipedia.org/wiki/Security"
+				>Conclusion</a></li>
->security</a>.
+		</ul>
-"Security"; keep that word in mind as you progress through this article. What is security? Security
+
-is being safe and secure from adversaries and unwanted consequences; security protects our rights
+		<h4 id=introduction"><a href="#introduction" class="h4"
-and allows us to protect ourselves. Without security, we have no protection, and without protection,
+		>Introduction</a></h4>
-we have a lack of certainty of everything else, including privacy and control, which is what the
+		<p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian place;
-FOSS movement is seeking.</p>
+		in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to
-<br>
+		in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the
-<p>FOSS projects rarely take security into account; they simply look at the surface level, rather
+		misinformation being spread inside of this extremely flawed movement.</p>
-than the actual
+		<br>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis"
+		<p>The
->root cause</a> of the issues they are attempting to fight against. In this case, the focus is on
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software"
-privacy and control. Without security mechanisms to protect the privacy features and the ability to
+		>FOSS</a> movement is an attempt to regain
-control your devices and data, it can be stripped away as if it never existed in the first place,
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Privacy"
-which, inevitably, leads us back to the beginning, and the cycle repeats. With this
+		>privacy</a> and
-<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology"
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)"
->ideology</a>, privacy and control will *never* be achieved. There is no foundation to build privacy
+		>control</a> over our devices and data, but the entire concept of FOSS-only, at the current time, is
-or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p>
+		severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact
-<br>
+		that most FOSS software cares not about
-<h4>Example: Smartphones</h4>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Security"
-<p>A FOSS phone, especially so-called
+		>security</a>.
-<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones"
+		"Security"; keep that word in mind as you progress through this article. What is security? Security
->"Linux phones"</a> are completely
+		is being safe and secure from adversaries and unwanted consequences; security protects our rights
-detrimental to privacy and control, because they do not have the security necessary to enforce that
+		and allows us to protect ourselves. Without security, we have no protection, and without protection,
-privacy.
+		we have a lack of certainty of everything else, including privacy and control, which is what the
-<a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking"
+		FOSS movement is seeking.</p>
->Unlocked bootloaders</a> prevent the device from
+		<br>
-<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/"
+		<p>FOSS projects rarely take security into account; they simply look at the surface level, rather
->verifying the integrity of the boot chain</a>, including the OS, meaning any adversary, whether a
+		than the actual
-stranger who happens to pick up the device, or a big tech or government entity, can simply inject
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis"
-malicious code into your software and you wouldn't have any idea it was there. If that's not enough
+		>root cause</a> of the issues they are attempting to fight against. In this case, the focus is on
-of a backdoor for you to reconsider your position, how about the trivial
+		privacy and control. Without security mechanisms to protect the privacy features and the ability to
-<a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack"
+		control your devices and data, it can be stripped away as if it never existed in the first place,
->evil maid</a> and data extraction attacks which could be executed on your device, without coercion?
+		which, inevitably, leads us back to the beginning, and the cycle repeats. With this
-With Android phones, this is bad enough to completely break the privacy and control the FOSS
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology"
-movement seeks, but "Linux phones" take it a step further by implementing barely any security, if
+		>ideology</a>, privacy and control will *never* be achieved. There is no foundation to build privacy
-any at all.
+		or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation"
+		<br>
->Privilege escalation</a> is trivial to achieve on any Linux system, which is the reason Linux
+
-<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)"
+		<h4 id="examples"><a href="#examples" class="h4"
->hardening</a> strategies often include restricting access to the root account; if you
+		>Examples</a></h4>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)"
+		<br>
->root your Android phone</a>, or use a "Linux phone", you've already destroyed the security model,
+		<h5 id="example-smartphones"><a href="#example-smartphones"
-and thus privacy and control model you were attempting to achieve. Not only are these side effects
+		>Smartphones</a></h5>
-of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily
+		<p>A FOSS phone, especially so-called
-difficult to, install and update critical components of the system, such as proprietary
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones"
-<a class="body-link" href="https://en.wikipedia.org/wiki/Firmware"
+		>"Linux phones"</a> are completely
->firmware</a>, which just so happens to be almost all of them. "Linux phones" are not as free as
+		detrimental to privacy and control, because they do not have the security necessary to enforce that
-they proclaim to be.</p>
+		privacy.
-<br>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking"
-<p>You may ask "What's so bad about using
+		>Unlocked bootloaders</a> prevent the device from
-<a class="body-link" href="https://lineageos.org/"
+		<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/"
->LineageOS</a>?", to which I answer with "What's not bad about it?".<br>
+		>verifying the integrity of the boot chain</a>, including the OS, meaning any adversary, whether a
-<br>
+		stranger who happens to pick up the device, or a big tech or government entity, can simply inject
- LineageOS uses
+		malicious code into your software and you wouldn't have any idea it was there. If that's not enough
-<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets"
+		of a backdoor for you to reconsider your position, how about the trivial
->debug builds</a>, not safe and secure release builds.<br>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack"
- LineageOS requires an unlocked bootloader. Even when installed on devices which support custom
+		>evil maid</a> and data extraction attacks which could be executed on your device, without coercion?
-Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being
+		With Android phones, this is bad enough to completely break the privacy and control the FOSS
-signed.<br>
+		movement seeks, but "Linux phones" take it a step further by implementing barely any security, if
- LineageOS does not install critically important firmware without manual flashing, requiring users
+		any at all.
-to perform a second update to install this firmware; this likely causes users to ignore the
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation"
-notification or miss firmware updates.<br>
+		>Privilege escalation</a> is trivial to achieve on any Linux system, which is the reason Linux
- LineageOS does not implement
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)"
-<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/
+		>hardening</a> strategies often include restricting access to the root account; if you
-verified-boot#rollback-protection"
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)"
->rollback protection</a>, meaning any adversary, from a stranger who physically picks up the device,
+		>root your Android phone</a>, or use a "Linux phone", you've already destroyed the security model,
-to a goverment entity remotely, can simply downgrade the OS to a previous version in order to
+		and thus privacy and control model you were attempting to achieve. Not only are these side effects
-exploit known
+		of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily
-<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)"
+		difficult to, install and update critical components of the system, such as proprietary
->security vulnerabilities</a>.<br>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Firmware"
-<br>
+		>firmware</a>, which just so happens to be almost all of them. "Linux phones" are not as free as
-LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such
+		they proclaim to be.</p>
-issues, but it is one of the worst. The only things such insecure OSes can provide you are
+		<br>
-customisation abilities, and a backdoor to your data. They are best suited as a development OS, not
+		<p>You may ask "What's so bad about using
-a production OS.</p>
+		<a class="body-link" href="https://lineageos.org/"
-<br>
+		>LineageOS</a>?", to which I answer with "What's not bad about it?".<br>
-<h4>Solution</h4>
+		<br>
-<p>What can you do about this? The answer is simple; however, it does require you to use logic,
+		- LineageOS uses
-fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
+		<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets"
-adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack
+		>debug builds</a>, not safe and secure release builds.<br>
-of control of our devices and data is to become a
+		- LineageOS requires an unlocked bootloader. Even when installed on devices which support custom
-<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat"
+		Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being
->renegade</a> and not take sides. Yes, that means not taking sides with the closed source,
+		signed.<br>
-proprietary, big tech and government entities, but it also means not taking sides with any
+		- LineageOS does not install critically important firmware without manual flashing, requiring users
-FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
+		to perform a second update to install this firmware; this likely causes users to ignore the
-use it tactically.</p>
+		notification or miss firmware updates.<br>
-<br>
+		- LineageOS does not implement
-<p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
+		<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/
-Pixel 4a-series or newer) running
+		verified-boot#rollback-protection"
-<a class="body-link" href="https://grapheneos.org/"
+		>rollback protection</a>, meaning any adversary, from a stranger who physically picks up the device,
->GrapheneOS</a>. Google Pixel phones allow you complete bootloader freedom, including the
+		to a goverment entity remotely, can simply downgrade the OS to a previous version in order to
-<a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
+		exploit known
->ability to lock the bootloader after flashing a custom OS</a>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)"
-(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
+		>security vulnerabilities</a>.<br>
-boot to prevent
+		<br>
-<a class="body-link" href="https://en.wikipedia.org/wiki/Malware"
+		LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such
->malware</a> persistence, evil maid attacks, and boot chain
+		issues, but it is one of the worst. The only things such insecure OSes can provide you are
-<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption"
+		customisation abilities, and a backdoor to your data. They are best suited as a development OS, not
->corruption</a>),
+		a production OS.</p>
-<a class="body-link" href="https://support.google.com/nexus/answer/4457705"
+		<br>
->long device support lifecycles</a> (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
+		<h4 id="solution"><a href="#solution" class="h4">Solution</a></h4>
-years for Pixel 6-series and newer), and
+		<p>What can you do about this? The answer is simple; however, it does require you to use logic,
-<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/"
+		fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
->guaranteed monthly security updates</a> for the entire support timeframe of the devices.</p>
+		adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack
-<br>
+		of control of our devices and data is to become a
-<h4>Conclusion</h4>
+		<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat"
-<p>Use what you can, and do what you can. By neglecting security, you are, even if unintentionally,
+		>renegade</a> and not take sides. Yes, that means not taking sides with the closed source,
-neglecting exactly what you are trying to gain; privacy and control.</p>
+		proprietary, big tech and government entities, but it also means not taking sides with any
-<br>
+		FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
-<br>
+		use it tactically.</p>
 		<br>
 		<p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
 		Pixel 4a-series or newer) running
 		<a class="body-link" href="https://grapheneos.org/"
 		>GrapheneOS</a>. Google Pixel phones allow you complete bootloader freedom, including the
 		<a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
 		>ability to lock the bootloader after flashing a custom OS</a>
 		(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
 		boot to prevent
 		<a class="body-link" href="https://en.wikipedia.org/wiki/Malware"
 		>malware</a> persistence, evil maid attacks, and boot chain
 		<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption"
 		>corruption</a>),
 		<a class="body-link" href="https://support.google.com/nexus/answer/4457705"
 		>long device support lifecycles</a> (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
 		years for Pixel 6-series and newer), and
 		<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/"
 		>guaranteed monthly security updates</a> for the entire support timeframe of the devices.</p>
 		<br>
 		<h4 id="conclusion"><a href="#conclusion" class="h4">Conclusion</a></h4>
 		<p>Use what you can, and do what you can. By neglecting security, you are, even if unintentionally,
 		neglecting exactly what you are trying to gain; privacy and control.</p>
 		<br>
 		<br>
 </body>
 </html>