Update webpage "Blog - #0" from version 5.0.0-beta.1+32 to 5.0.1-beta.1

inference 2023-10-31 00:15:27 +00:00
parent ba2c10b5ac
commit fe8328e4f1
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc

@ -5,7 +5,7 @@
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 5.0.0-beta.1+32 --> <!-- Version: 5.0.1-beta.1 -->
<html> <html>
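Review bot: The copyright comment stays at `2022` on both sides while the version line moves to `5.0.1-beta.1` in a commit dated 2023-10-31. If the project records the years in which a file was modified, extend the notice to cover 2023 in the same change that bumps the version.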
@ -14,162 +14,179 @@
<link rel="stylesheet" href="../main.css"> <link rel="stylesheet" href="../main.css">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
</head> </head>
<!-- Navigation bar -->
<div class="sidebar">
<a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"></a>
<a href="../index.html" class="title">Inferencium</a><br>
<br>
<br>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
</div>
<body> <body>
<div class="sidebar">
<a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"></a>
<a href="../index.html" class="title">Inferencium</a><br>
<br>
<br>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
</div>
<h1>Blog - #0</h1> <h1>Blog - #0</h1>
<section id="blog"> <h2>FOSS is Working Against Itself</h2>
<h2>FOSS is Working Against Itself</h2> <p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p>
<p class="update_date">Posted: 2022-01-27 (UTC+00:00)</p> <p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p>
<p class="update_date">Updated: 2022-11-09 (UTC+00:00)</p> <section id="toc">
<!-- Table of contents --> <h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<section id="toc"> <ul>
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2> <li><a href="#introduction">Introduction</a></li>
<ul> <li><a href="#examples">Examples</a></li>
<li><a href="#introduction">Introduction</a></li> <ul>
<li><a href="#examples">Examples</a></li> <li><a href="#examples-smartphones">Smartphones</a></li>
<ul> </ul>
<li><a href="#examples-smartphones">Smartphones</a></li> <li><a href="#solution">Solution</a></li>
</ul> <li><a href="#conclusion">Conclusion</a></li>
<li><a href="#solution">Solution</a></li> </ul>
<li><a href="#conclusion">Conclusion</a></li> </section>
</ul> <section id="introduction">
</section> <h2 id=introduction"><a href="#introduction">Introduction</a></h2>
<section id="introduction"> <p>The world has become a dangerous, privacy invading, human rights stripping,
<h2 id=introduction"><a href="#introduction">Introduction</a></h2> totalitarian place; in order to combat this, people are joining a growing, and
<p>The world has become a dangerous, privacy invading, human rights stripping, totalitarian place; dangerous, trend, which I will refer to in this post as the "Free and Open
in order to combat this, people are joining a growing, and dangerous, trend, which I will refer to Source (FOSS) movement". With that stated, I will now debunk the misinformation
in this post as the "Free and Open Source (FOSS) movement". With that stated, I will now debunk the being spread inside of this extremely flawed movement.</p>
misinformation being spread inside of this extremely flawed movement.</p> <p>The
<p>The <a href="https://en.wikipedia.org/wiki/Free_software">FOSS</a>
<a href="https://en.wikipedia.org/wiki/Free_software">FOSS</a> movement is an attempt to regain
movement is an attempt to regain <a href="https://en.wikipedia.org/wiki/Privacy">privacy</a>
<a href="https://en.wikipedia.org/wiki/Privacy">privacy</a> and
and <a href="https://en.wikipedia.org/wiki/Control_(psychology)">control</a>
<a href="https://en.wikipedia.org/wiki/Control_(psychology)">control</a> over our devices and data, but the entire concept of FOSS-only, at the current
over our devices and data, but the entire concept of FOSS-only, at the current time, is time, is severely, and dangerously, flawed. What the FOSS community does not
severely, and dangerously, flawed. What the FOSS community does not seem to understand is the fact seem to understand is the fact that most FOSS software cares not about
that most FOSS software cares not about <a href="https://en.wikipedia.org/wiki/Security">security</a>.
<a href="https://en.wikipedia.org/wiki/Security">security</a>. "Security"; keep that word in mind as you progress through this article. What is
"Security"; keep that word in mind as you progress through this article. What is security? Security security? Security is being safe and secure from adversaries and unwanted
is being safe and secure from adversaries and unwanted consequences; security protects our rights consequences; security protects our rights and allows us to protect ourselves.
and allows us to protect ourselves. Without security, we have no protection, and without protection, Without security, we have no protection, and without protection, we have a lack
we have a lack of certainty of everything else, including privacy and control, which is what the of certainty of everything else, including privacy and control, which is what
FOSS movement is seeking.</p> the FOSS movement is seeking.</p>
<p>FOSS projects rarely take security into account; they simply look at the surface level, rather <p>FOSS projects rarely take security into account; they simply look at the
than the actual surface level, rather than the actual
<a href="https://en.wikipedia.org/wiki/Root_cause_analysis">root cause</a> <a href="https://en.wikipedia.org/wiki/Root_cause_analysis">root cause</a>
of the issues they are attempting to fight against. In this case, the focus is on of the issues they are attempting to fight against. In this case, the focus is
privacy and control. Without security mechanisms to protect the privacy features and the ability to on privacy and control. Without security mechanisms to protect the privacy
control your devices and data, it can be stripped away as if it never existed in the first place, features and the ability to control your devices and data, it can be stripped
which, inevitably, leads us back to the beginning, and the cycle repeats. With this away as if it never existed in the first place, which, inevitably, leads us back
<a href="https://en.wikipedia.org/wiki/Ideology">ideology</a>, to the beginning, and the cycle repeats. With this
privacy and control will *never* be achieved. There is no foundation to build privacy <a href="https://en.wikipedia.org/wiki/Ideology">ideology</a>,
or control upon. It is impossible to build a solid, freedom respecting platform on this model.</p> privacy and control will <em>never</em> be achieved. There is no foundation to
</section> build privacy or control upon. It is impossible to build a solid, freedom
<section id="examples"> respecting platform on this model.</p>
<h2 id="examples"><a href="#examples">Examples</a></h2> </section>
<section id="examples-smartphones"> <section id="examples">
<h3 id="examples-smartphones"><a href="#examples-smartphones">Smartphones</a></h3> <h2 id="examples"><a href="#examples">Examples</a></h2>
<p>A FOSS phone, especially so-called <section id="examples-smartphones">
<a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones">"Linux phones"</a> <h3 id="examples-smartphones"><a href="#examples-smartphones">Smartphones</a></h3>
are completely <p>A FOSS phone, especially so-called
detrimental to privacy and control, because they do not have the security necessary to enforce that "<a href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones">Linux phones</a>"
privacy. are completely detrimental to privacy and control, because they
<a href="https://en.wikipedia.org/wiki/Bootloader_unlocking">Unlocked bootloaders</a> do not have the security necessary to enforce that privacy.
prevent the device from <a href="https://en.wikipedia.org/wiki/Bootloader_unlocking">Unlocked bootloaders</a>
<a href="https://source.android.com/docs/security/features/verifiedboot/">verifying the integrity of the boot chain</a>, prevent the device from
including the OS, meaning any adversary, whether a <a href="https://source.android.com/docs/security/features/verifiedboot/">verifying the integrity of the boot chain</a>,
stranger who happens to pick up the device, or a big tech or government entity, can simply inject including the OS, meaning any adversary, whether a stranger who
malicious code into your software and you wouldn't have any idea it was there. If that's not enough happens to pick up the device, or a big tech or government
of a backdoor for you to reconsider your position, how about the trivial entity, can simply inject malicious code into your software and
<a href="https://en.wikipedia.org/wiki/Evil_maid_attack">evil maid</a> you wouldn't have any idea it was there. If that's not enough of
and data extraction attacks which could be executed on your device, without coercion? a backdoor for you to reconsider your position, how about the
With Android phones, this is bad enough to completely break the privacy and control the FOSS trivial
movement seeks, but "Linux phones" take it a step further by implementing barely any security, if <a href="https://en.wikipedia.org/wiki/Evil_maid_attack">evil maid</a>
any at all. and data extraction attacks which could be executed on your
<a href="https://en.wikipedia.org/wiki/Privilege_escalation">Privilege escalation</a> device, without coercion? With Android phones, this is bad
is trivial to achieve on any Linux system, which is the reason Linux enough to completely break the privacy and control the FOSS
<a href="https://en.wikipedia.org/wiki/Hardening_(computing)">hardening</a> movement seeks, but "Linux phones" take it a step further by
strategies often include restricting access to the root account; if you implementing barely any security, if any at all.
<a href="https://en.wikipedia.org/wiki/Rooting_(Android)">root your Android phone</a>, <a href="https://en.wikipedia.org/wiki/Privilege_escalation">Privilege escalation</a>
or use a "Linux phone", you've already destroyed the security model, is trivial to achieve on any Linux system, which is the reason
and thus privacy and control model you were attempting to achieve. Not only are these side effects Linux
of FOSS, so is the absolutely illogical restriction of not being able to, or making it unnecessarily <a href="https://en.wikipedia.org/wiki/Hardening_(computing)">hardening</a>
difficult to, install and update critical components of the system, such as proprietary strategies often include restricting access to the root account;
<a href="https://en.wikipedia.org/wiki/Firmware">firmware</a>, if you
which just so happens to be almost all of them. "Linux phones" are not as free as <a href="https://en.wikipedia.org/wiki/Rooting_(Android)">root your Android phone</a>,
they proclaim to be.</p> or use a "Linux phone", you've already destroyed the security
<p>You may ask "What's so bad about using model, and thus privacy and control model you were attempting to
<a href="https://lineageos.org/">LineageOS</a>?", achieve. Not only are these side effects of FOSS, so is the
to which I answer with "What's not bad about it?".</p> absolutely illogical restriction of not being able to, or making
it unnecessarily difficult to, install and update critical
components of the system, such as proprietary
<a href="https://en.wikipedia.org/wiki/Firmware">firmware</a>,
which just so happens to be almost all of them. "Linux phones"
are not as free as they proclaim to be.</p>
<p>You may ask "What's so bad about using
<a href="https://lineageos.org/">LineageOS</a>?",
to which I answer with "What's not bad about it?".
<ul> <ul>
<li>LineageOS uses <li>LineageOS uses
<a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets">debug builds</a>, <a href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets">debug builds</a>,
not safe and secure release builds.</li> not safe and secure release builds.</li>
<li>LineageOS requires an unlocked bootloader. Even when installed on devices which support custom <li>LineageOS requires an unlocked bootloader.
Android Verified Boot (AVB) keys, the bootloader cannot be locked due to lack of the OS being Even when installed on devices which support
signed.</li> custom Android Verified Boot (AVB) keys, the
<li>LineageOS does not install critically important firmware without manual flashing, requiring users bootloader cannot be locked due to lack of the
to perform a second update to install this firmware; this likely causes users to ignore the OS being signed.</li>
notification or miss firmware updates.</li> <li>LineageOS does not install critically
important firmware without manual flashing,
requiring users to perform a second update to
install this firmware; this likely causes users
to ignore the notification or miss firmware
updates.</li>
<li>LineageOS does not implement <li>LineageOS does not implement
<a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>, <a href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection">rollback protection</a>,
meaning any adversary, from a stranger who physically picks up the device, meaning any adversary, from a stranger who
to a goverment entity remotely, can simply downgrade the OS to a previous version in order to physically picks up the device, to a goverment
exploit known entity remotely, can simply downgrade the OS to
a previous version in order to exploit known
<a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)">security vulnerabilities</a>.</li> <a href="https://en.wikipedia.org/wiki/Vulnerability_(computing)">security vulnerabilities</a>.</li>
</ul> </ul>
<p>LineageOS is not the only Android OS (commonly, and incorrectly, referred to as a "ROM") with such </p>
issues, but it is one of the worst. The only things such insecure OSes can provide you are <p>LineageOS is not the only Android OS (commonly, and
customisation abilities, and a backdoor to your data. They are best suited as a development OS, not incorrectly, referred to as a "ROM") with such issues, but it is
a production OS.</p> one of the worst. The only things such insecure OSes can provide
</section> you are customisation abilities, and a backdoor to your data.
</section> They are best suited as a development OS, not a production
<section id="solution"> OS.</p>
<h2 id="solution"><a href="#solution">Solution</a></h2> </section>
<p>What can you do about this? The answer is simple; however, it does require you to use logic, </section>
fact, and evidence, not emotion, which is a difficult pill for most people to swallow. Use your <section id="solution">
adversaries' weapons against them. The only way to effectively combat the privacy invasion and lack <h2 id="solution"><a href="#solution">Solution</a></h2>
of control of our devices and data is to become a <p>What can you do about this? The answer is simple; however, it does require
<a href="https://en.wikipedia.org/wiki/Turncoat">renegade</a> you to use logic, fact, and evidence, not emotion, which is a difficult pill for
and not take sides. Yes, that means not taking sides with the closed source, most people to swallow. Use your adversaries' weapons against them. The only way
proprietary, big tech and government entities, but it also means not taking sides with any to effectively combat the privacy invasion and lack of control of our devices
FOSS entities. The only way to win this war is to take *whatever* hardware and software you can, and and data is to become a
use it tactically.</p> <a href="https://en.wikipedia.org/wiki/Turncoat">renegade</a>
<p>The only solution for phone security, privacy, and control, is to use a Google Pixel (currently, and not take sides. Yes, that means not taking sides with the closed-source,
Pixel 4a-series or newer) running proprietary, big tech and government entities, but it also means not taking
<a href="https://grapheneos.org/">GrapheneOS</a>. sides with any FOSS entities. The only way to win this war is to take
Google Pixel phones allow you complete bootloader freedom, including the <em>whatever</em> hardware and software you can, and use it tactically.</p>
<a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">ability to lock the bootloader after flashing a custom OS</a> <p>The best solution for device security, privacy, and control, is to use a
(GrapheneOS includes a custom OS signing key to allow locking the bootloader and enabling verified Google Pixel (currently, Pixel 5a-series or newer) running
boot to prevent <a href="https://grapheneos.org/">GrapheneOS</a>.
<a href="https://en.wikipedia.org/wiki/Malware">malware</a> Google Pixel devices allow you complete bootloader freedom, including the
persistence, evil maid attacks, and boot chain <a href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later">ability to lock the bootloader after flashing a custom OS</a>
<a href="https://en.wikipedia.org/wiki/Data_corruption">corruption</a>), (GrapheneOS includes a custom OS signing key to allow locking the bootloader and
<a href="https://support.google.com/nexus/answer/4457705">long device support lifecycles</a> enabling verified boot to prevent
(minimum 3 years for Pixel 4a-series to Pixel 5a, minimum 5 <a href="https://en.wikipedia.org/wiki/Malware">malware</a>
years for Pixel 6-series and newer), and persistence, evil maid attacks, and boot chain
<a href="https://source.android.com/docs/security/bulletin/pixel/">guaranteed monthly security updates</a> <a href="https://en.wikipedia.org/wiki/Data_corruption">corruption</a>),
for the entire support timeframe of the devices.</p> <a href="https://support.google.com/nexus/answer/4457705">long device support lifecycles</a>
</section> (minimum 3 years for Pixel 5a, minimum 5 years for Pixel 6-series and 7-series,
<section id="conclusion"> and minimum 7 years for Pixel 8-series and newer), and
<h2 id="conclusion"><a href="#conclusion">Conclusion</a></h2> <a href="https://source.android.com/docs/security/bulletin/pixel/">guaranteed monthly security updates</a>
<p>Use what you can, and do what you can. By neglecting security, you are, even if unintentionally, for the entire support timeframe of the devices.</p>
neglecting exactly what you are trying to gain; privacy and control.</p> </section>
</section> <section id="conclusion">
<h2 id="conclusion"><a href="#conclusion">Conclusion</a></h2>
<p>Use what you can, and do what you can. By neglecting security, you are, even
if unintentionally, neglecting exactly what you are trying to gain; privacy and
control.</p>
</section> </section>
</body> </body>
</html> </html>
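Review bot: In the Smartphones section the new side no longer closes the LineageOS paragraph before the list. It opens `<p>You may ask "What's so bad about using`, runs through `<ul>` ... `</ul>`, and only then emits a lone `</p>`, whereas the old side ended the paragraph with `"What's not bad about it?".</p>` ahead of the `<ul>`. A `<p>` cannot contain a `<ul>`, so the parser ends the paragraph at the list and the trailing `</p>` becomes an empty paragraph. Restore the `</p>` before `<ul>` and drop the one after `</ul>`. Since the file is being re-indented anyway, three defects that pass through unchanged on both sides could be fixed here too. First, `<h2 id=introduction">` is missing its opening quote. Second, the table-of-contents heading ends its link with `<a/>` instead of `</a>`. Third, every heading repeats the `id` of its enclosing `<section>` (for example `toc` and `introduction`), so fragment links point at duplicated ids. The hunk also changes the recommendation text (Pixel 4a-series to Pixel 5a-series, the support lifetimes, "only solution" to "best solution") but keeps `Updated: 2022-11-09`. Bump that date if it is meant to track content changes. Finally, "goverment" in the rollback-protection item is still misspelled.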