From fe8328e4f1f03379a2a86f1069f674ef67e978a1 Mon Sep 17 00:00:00 2001
From: inference Posted: 2022-01-27 (UTC+00:00) Updated: 2022-11-09 (UTC+00:00) The world has become a dangerous, privacy invading, human rights stripping, totalitarian place;
- in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to
- in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the
- misinformation being spread inside of this extremely flawed movement. The
- FOSS
- movement is an attempt to regain
- privacy
- and
- control
- over our devices and data, but the entire concept of FOSS-only, at the current time, is
- severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact
- that most FOSS software cares not about
- security.
- "Security"; keep that word in mind as you progress through this article. What is security? Security
- is being safe and secure from adversaries and unwanted consequences; security protects our rights
- and allows us to protect ourselves. Without security, we have no protection, and without protection,
- we have a lack of certainty of everything else, including privacy and control, which is what the
- FOSS movement is seeking. FOSS projects rarely take security into account; they simply look at the surface level, rather
- than the actual
- root cause
- of the issues they are attempting to fight against. In this case, the focus is on
- privacy and control. Without security mechanisms to protect the privacy features and the ability to
- control your devices and data, it can be stripped away as if it never existed in the first place,
- which, inevitably, leads us back to the beginning, and the cycle repeats. With this
- ideology,
- privacy and control will *never* be achieved. There is no foundation to build privacy
- or control upon. It is impossible to build a solid, freedom respecting platform on this model. A FOSS phone, especially so-called
- "Linux phones"
- are completely
- detrimental to privacy and control, because they do not have the security necessary to enforce that
- privacy.
- Unlocked bootloaders
- prevent the device from
- verifying the integrity of the boot chain,
- including the OS, meaning any adversary, whether a
- stranger who happens to pick up the device, or a big tech or government entity, can simply inject
- malicious code into your software and you wouldn't have any idea it was there. If that's not enough
- of a backdoor for you to reconsider your position, how about the trivial
- evil maid
- and data extraction attacks which could be executed on your device, without coercion?
- With Android phones, this is bad enough to completely break the privacy and control the FOSS
- movement seeks, but "Linux phones" take it a step further by implementing barely any security, if
- any at all.
- Privilege escalation
- is trivial to achieve on any Linux system, which is the reason Linux
- hardening
- strategies often include restricting access to the root account; if you
- root your Android phone,
- or use a "Linux phone", you've already destroyed the security model,
- and thus privacy and control model you were attempting to achieve. Not only are these side effects
- of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily
- difficult to, install and update critical components of the system, such as proprietary
- firmware,
- which just so happens to be almost all of them. "Linux phones" are not as free as
- they proclaim to be. You may ask "What's so bad about using
- LineageOS?",
- to which I answer with "What's not bad about it?". Posted: 2022-01-27 (UTC+00:00) Updated: 2022-11-09 (UTC+00:00) The world has become a dangerous, privacy invading, human rights stripping,
+ totalitarian place; in order to combat this, people are joining a growing, and
+ dangerous, trend, which I will refer to in this post as the "Free and Open
+ Source (FOSS) movement". With that stated, I will now debunk the misinformation
+ being spread inside of this extremely flawed movement. The
+ FOSS
+ movement is an attempt to regain
+ privacy
+ and
+ control
+ over our devices and data, but the entire concept of FOSS-only, at the current
+ time, is severely, and dangerously, flawed. What the FOSS community does not
+ seem to understand is the fact that most FOSS software cares not about
+ security.
+ "Security"; keep that word in mind as you progress through this article. What is
+ security? Security is being safe and secure from adversaries and unwanted
+ consequences; security protects our rights and allows us to protect ourselves.
+ Without security, we have no protection, and without protection, we have a lack
+ of certainty of everything else, including privacy and control, which is what
+ the FOSS movement is seeking. FOSS projects rarely take security into account; they simply look at the
+ surface level, rather than the actual
+ root cause
+ of the issues they are attempting to fight against. In this case, the focus is
+ on privacy and control. Without security mechanisms to protect the privacy
+ features and the ability to control your devices and data, it can be stripped
+ away as if it never existed in the first place, which, inevitably, leads us back
+ to the beginning, and the cycle repeats. With this
+ ideology,
+ privacy and control will never be achieved. There is no foundation to
+ build privacy or control upon. It is impossible to build a solid, freedom
+ respecting platform on this model. A FOSS phone, especially so-called
+ "Linux phones"
+ are completely detrimental to privacy and control, because they
+ do not have the security necessary to enforce that privacy.
+ Unlocked bootloaders
+ prevent the device from
+ verifying the integrity of the boot chain,
+ including the OS, meaning any adversary, whether a stranger who
+ happens to pick up the device, or a big tech or government
+ entity, can simply inject malicious code into your software and
+ you wouldn't have any idea it was there. If that's not enough of
+ a backdoor for you to reconsider your position, how about the
+ trivial
+ evil maid
+ and data extraction attacks which could be executed on your
+ device, without coercion? With Android phones, this is bad
+ enough to completely break the privacy and control the FOSS
+ movement seeks, but "Linux phones" take it a step further by
+ implementing barely any security, if any at all.
+ Privilege escalation
+ is trivial to achieve on any Linux system, which is the reason
+ Linux
+ hardening
+ strategies often include restricting access to the root account;
+ if you
+ root your Android phone,
+ or use a "Linux phone", you've already destroyed the security
+ model, and thus privacy and control model you were attempting to
+ achieve. Not only are these side effects of FOSS, so is the
+ absolutely illogical restriction of not being able to, or making
+ it unnecessarily difficult to, install and update critical
+ components of the system, such as proprietary
+ firmware,
+ which just so happens to be almost all of them. "Linux phones"
+ are not as free as they proclaim to be. You may ask "What's so bad about using
+ LineageOS?",
+ to which I answer with "What's not bad about it?".
LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such
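Review bot: this region rewraps the whole post to roughly 80 columns, so every line shows as changed and the one wording edit it carries is easy to miss: the emphasised `*never*` in "privacy and control will *never* be achieved" becomes plain `never` in the + text. Splitting the reflow into its own commit would leave the content change reviewable on its own; if dropping the emphasis was deliberate, say so in the commit message.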
- issues, but it is one of the worst. The only things such insecure OSes can provide you are
- customisation abilities, and a backdoor to your data. They are best suited as a development OS, not
- a production OS. What can you do about this? The answer is simple; however, it does require you to use logic,
- fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your
- adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack
- of control of our devices and data is to become a
- renegade
- and not take sides. Yes, that means not taking sides with the closed source,
- proprietary, big tech and government entities, but it also means not taking sides with any
- FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and
- use it tactically. The only solution for phone security, privacy, and control, is to use a Google Pixel (currently,
- Pixel 4a-series or newer) running
- GrapheneOS.
- Google Pixel phones allow you complete bootloader freedom, including the
- ability to lock the bootloader after flashing a custom OS
- (GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified
- boot to prevent
- malware
- persistence, evil maid attacks, and boot chain
- corruption),
- long device support lifecycles
- (minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5
- years for Pixel 6-series and newer), and
- guaranteed monthly security updates
- for the entire support timeframe of the devices. Use what you can, and do what you can. By neglecting security, you are, even if unintentionally,
- neglecting exactly what you are trying to gain; privacy and control.Blog - #0
- FOSS is Working Against Itself
- Table of Contents
-
-
-
-
- Introduction
- Examples
- Smartphones
- FOSS is Working Against Itself
+ Table of Contents
+
+
+
+
+ Introduction
+ Examples
+ Smartphones
+
- Solution
- Conclusion
-
LineageOS is not the only Android OS (commonly, and + incorrectly, referred to as a "ROM") with such issues, but it is + one of the worst. The only things such insecure OSes can provide + you are customisation abilities, and a backdoor to your data. + They are best suited as a development OS, not a production + OS.
+ + +What can you do about this? The answer is simple; however, it does require + you to use logic, fact, and evidence, not emotion, which is a difficult pill for + most people to swallow. Use your adversaries' weapons against them. The only way + to effectively combat the privacy invasion and lack of control of our devices + and data is to become a + renegade + and not take sides. Yes, that means not taking sides with the closed-source, + proprietary, big tech and government entities, but it also means not taking + sides with any FOSS entities. The only way to win this war is to take + whatever hardware and software you can, and use it tactically.
+The best solution for device security, privacy, and control, is to use a + Google Pixel (currently, Pixel 5a-series or newer) running + GrapheneOS. + Google Pixel devices allow you complete bootloader freedom, including the + ability to lock the bootloader after flashing a custom OS + (GrapheneOS includes a custom OS signing key to allow locking the bootloader and + enabling verified boot to prevent + malware + persistence, evil maid attacks, and boot chain + corruption), + long device support lifecycles + (minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series, + and minimum 7 years for Pixel 8-series and newer), and + guaranteed monthly security updates + for the entire support timeframe of the devices.
+Use what you can, and do what you can. By neglecting security, you are, even + if unintentionally, neglecting exactly what you are trying to gain; privacy and + control.
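Review bot: the + table of contents keeps Introduction, Examples and Smartphones but drops the Solution and Conclusion entries, while the solution paragraph (Google Pixel running GrapheneOS) and the closing "Use what you can, and do what you can" paragraph are still in the body; either restore the two entries or state in the commit message that those sections were merged. The substantive edits in this region are the minimum device moving from Pixel 4a-series to Pixel 5a-series, the support lifecycle list gaining a 7-year minimum for Pixel 8-series and newer, "The only solution for phone security" becoming "The best solution for device security", and "closed source" becoming "closed-source" with the `*whatever*` emphasis dropped; none of these is recorded in a commit message, and the "Updated: 2022-11-09 (UTC+00:00)" line at the top of the post is identical in the - and + text, so it should be bumped to match the new device and support claims.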