192 lines
8.9 KiB
HTML
192 lines
8.9 KiB
HTML
<!DOCTYPE html>
|
|
|
|
<!-- Inferencium - Website - Blog - #0 -->
|
|
|
|
<!-- Copyright 2022 Inference -->
|
|
<!-- License: BSD 3-Clause Clear (with personal content exception) -->
|
|
|
|
<!-- 0.1.0.1 -->
|
|
|
|
|
|
<html>
|
|
|
|
<head>
|
|
<title>Inferencium - Blog - FOSS is Working Against Itself</title>
|
|
<link rel="stylesheet" href="../infnet.css">
|
|
</head>
|
|
|
|
<!-- Navigation bar. -->
|
|
<div class="sidebar">
|
|
<img src="../img/logo-inferencium-no_text.png" width="110px" height="110px">
|
|
<a class="title">Inferencium</a><br>
|
|
<br>
|
|
<br>
|
|
<div><a href="../about.html">About</a></div>
|
|
<div><a href="../contact.html">Contact</a></div>
|
|
<div><a href="../blog.html">Blog</a></div>
|
|
<div><a href="../source.html">Source</a></div>
|
|
</div>
|
|
|
|
<body>
|
|
<h1>Blog - #0</h1>
|
|
<br>
|
|
<h2>FOSS is Working Against Itself</h2>
|
|
<br>
|
|
<p>Posted: 2022-01-27 (UTC+00:00)</p>
|
|
<p>Updated: 2022-11-09 (UTC+00:00)</p>
|
|
<br>
|
|
|
|
<h4>Introduction</h4>
|
|
<p>The world has become a dangerous, privacy invading, human rights stripping,
|
|
totalitarian place; in order to combat this, people are joining a growing,
|
|
and dangerous, trend, which I will refer to in this post as the "Free and
|
|
Open Source (FOSS) movement".
|
|
With that stated, I will now debunk the misinformation being spread inside
|
|
of this extremely flawed movement.</p>
|
|
<br>
|
|
<p>The
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Free_software"
|
|
>FOSS</a> movement is an attempt to regain
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Privacy"
|
|
>privacy</a> and
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Control_(psychology)"
|
|
>control</a> over our devices and data, but the entire concept of FOSS-only, at
|
|
the current time, is severely, and dangerously, flawed. What the FOSS community
|
|
does not seem to understand is the fact that most FOSS software cares not about
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Security"
|
|
>security</a>.
|
|
"Security"; keep that word in mind as you progress through this article.
|
|
What is security? Security is being safe and secure from adversaries and
|
|
unwanted consequences; security protects our rights and allows us to
|
|
protect ourselves. Without security, we have no protection, and without
|
|
protection, we have a lack of certainty of everything else, including
|
|
privacy and control, which is what the FOSS movement is seeking.</p>
|
|
<br>
|
|
<p>FOSS projects rarely take security into account; they simply look at the
|
|
surface level, rather than the actual
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Root_cause_analysis"
|
|
>root cause</a> of the issues they are
|
|
attempting to fight against. In this case, the focus is on privacy and
|
|
control. Without security mechanisms to protect the privacy features and
|
|
the ability to control your devices and data, it can be stripped away as
|
|
if it never existed in the first place, which, inevitably, leads us back to
|
|
the beginning, and the cycle repeats. With this
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Ideology"
|
|
>ideology</a>, privacy and
|
|
control will *never* be achieved. There is no foundation to build privacy
|
|
or control upon. It is impossible to build a solid, freedom respecting
|
|
platform on this model.</p>
|
|
<br>
|
|
<h4>Example: Smartphones</h4>
|
|
<p>A FOSS phone, especially so-called
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Linux_for_mobile_devices#Smartphones"
|
|
>"Linux phones"</a> are completely
|
|
detrimental to privacy and control, because they do not have the security
|
|
necessary to enforce that privacy.
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Bootloader_unlocking"
|
|
>Unlocked bootloaders</a> prevent the device
|
|
from
|
|
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/"
|
|
>verifying the integrity of the boot chain</a>, including the OS, meaning
|
|
any adversary, whether a stranger who happens to pick up the device, or
|
|
a big tech or government entity, can simply inject malicious code into
|
|
your software and you wouldn't have any idea it was there. If that's not
|
|
enough of a backdoor for you to reconsider your position, how about the
|
|
trivial
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Evil_maid_attack"
|
|
>evil maid</a> and data extraction attacks which could be executed on
|
|
your device, without coercion? With Android phones, this is
|
|
bad enough to completely break the privacy and control the FOSS movement
|
|
seeks, but "Linux phones" take it a step further by implementing barely any
|
|
security, if any at all.
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Privilege_escalation"
|
|
>Privilege escalation</a> is trivial to achieve on any
|
|
Linux system, which is the reason Linux
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Hardening_(computing)"
|
|
>hardening</a> strategies often include
|
|
restricting access to the root account; if you
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Rooting_(Android)"
|
|
>root your Android phone</a>, or
|
|
use a "Linux phone", you've already destroyed the security model, and thus
|
|
privacy and control model you were attempting to achieve. Not only are
|
|
these side effects of FOSS, so is the absolutely illogical restriction of
|
|
not being able to, or making it unnecessarily difficult to, install and
|
|
update critical components of the system, such as proprietary
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Firmware"
|
|
>firmware</a>, which just so happens to be almost all of them.
|
|
"Linux phones" are not as free as they proclaim to be.</p>
|
|
<br>
|
|
<p>You may ask "What's so bad about using
|
|
<a class="body-link" href="https://lineageos.org/"
|
|
>LineageOS</a>?", to which I answer with
|
|
"What's not bad about it?".<br>
|
|
<br>
|
|
- LineageOS uses
|
|
<a class="body-link" href="https://github.com/LineageOS/hudson/blob/master/lineage-build-targets"
|
|
>debug builds</a>, not safe and secure release builds.<br>
|
|
- LineageOS requires an unlocked bootloader. Even when installed on devices
|
|
which support custom Android Verified Boot (AVB) keys, the bootloader cannot
|
|
be locked due to lack of the OS being signed.<br>
|
|
- LineageOS does not install critically important firmware without manual
|
|
flashing, requiring users to perform a second update to install this firmware;
|
|
this likely causes users to ignore the notification or miss firmware
|
|
updates.<br>
|
|
- LineageOS does not implement
|
|
<a class="body-link" href="https://source.android.com/docs/security/features/verifiedboot/verified-boot#rollback-protection"
|
|
>rollback protection</a>, meaning any adversary,
|
|
from a stranger who physically picks up the device, to a goverment entity
|
|
remotely, can simply downgrade the OS to a previous version in order to exploit
|
|
known
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Vulnerability_(computing)"
|
|
>security vulnerabilities</a>.<br>
|
|
<br>
|
|
LineageOS is not the only Android OS (commonly, and incorrectly, referred
|
|
to as a "ROM") with such issues, but it is one of the worst. The only
|
|
things such insecure OSes can provide you are customisation abilities, and
|
|
a backdoor to your data. They are best suited as a development OS, not a
|
|
production OS.</p>
|
|
<br>
|
|
<h4>Solution</h4>
|
|
<p>What can you do about this? The answer is simple; however, it does require
|
|
you to use logic, fact, and evidence, not emotion, which is a difficult
|
|
pill for most people to swallow. Use your adversaries' weapons against
|
|
them. The only way to effectively combat the privacy invasion and lack of
|
|
control of our devices and data is to become a
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Turncoat"
|
|
>renegade</a> and not take sides.
|
|
Yes, that means not taking sides with the closed source, proprietary, big
|
|
tech and government entities, but it also means not taking sides with any
|
|
FOSS entities. The only way to win this war is to take *whatever* hardware
|
|
and software you can, and use it tactically.</p>
|
|
<br>
|
|
<p>The only solution for phone security, privacy, and control, is to use
|
|
a Google Pixel (currently, Pixel 4a-series or newer) running
|
|
<a class="body-link" href="https://grapheneos.org/"
|
|
>GrapheneOS</a>. Google Pixel phones allow you complete bootloader freedom,
|
|
including the
|
|
<a class="body-link" href="https://android.googlesource.com/platform/external/avb/+/master/README.md#pixel-2-and-later"
|
|
>ability to lock the bootloader after flashing a custom OS</a>
|
|
(GrapheneOS includes a custom OS signing key to allow locking the bootloader
|
|
and enabling verified boot to prevent
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Malware"
|
|
>malware</a> persistence, evil maid attacks,
|
|
and boot chain
|
|
<a class="body-link" href="https://en.wikipedia.org/wiki/Data_corruption"
|
|
>corruption</a>),
|
|
<a class="body-link" href="https://support.google.com/nexus/answer/4457705"
|
|
>long device support lifecycles</a> (minimum 3 years for
|
|
Pixel 4a-series to Pixel 5a, minimum 5 years for Pixel 6-series and newer), and
|
|
<a class="body-link" href="https://source.android.com/docs/security/bulletin/pixel/"
|
|
>guaranteed monthly security updates</a> for the entire support timeframe of the
|
|
devices.</p>
|
|
<br>
|
|
<h4>Conclusion</h4>
|
|
<p>Use what you can, and do what you can. By neglecting security, you are,
|
|
even if unintentionally, neglecting exactly what you are trying to gain;
|
|
privacy and control.</p>
|
|
<br>
|
|
<br>
|
|
</body>
|
|
|
|
</html>
|