Inferencium/website
1
0
Fork 0
Code Issues Activity
website/blog/foss-is-working-against-itself.html
inference 71ddae85aa Update link locations.
2022-08-03 23:22:26 +01:00

116 lines
6.2 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html>
<head>
<title>Inferencium Network - Blog - FOSS is Working Against Itself</title>
<link rel="stylesheet" href="../infnet.css">
</head>
<body>
<h1>Blog - #0</h1>
<br>
<h2>FOSS is Working Against Itself</h2>
<br>
<h3>2022-01-27 (UTC+00:00)</h3>
<br>
<h4>Introduction</h4>
<p>The world has become a dangerous, privacy invading, human rights stripping,<br>
totalitarian place; in order to combat this, people are joining a growing,<br>
and dangerous, trend, which I will refer to in this post as the "FOSS<br>
movement".<br>
With that stated, I will now debunk the misinformation being spread inside<br>
of this extremely flawed movement.</p>
<br>
<p>The FOSS movement is an attempt to regain privacy and control over our<br>
devices and data, but the entire concept of FOSS-only, at the current time,<br>
is severely, and dangerously, flawed. What the FOSS community does not seem<br>
to understand is the fact that most FOSS software cares not about security.<br>
"Security"; keep that word in mind as you progress through this article.<br>
What is security? Security is being safe and secure from adversaries and<br>
unwanted consequences; security protects our rights and allows us to<br>
protect ourselves. Without security, we have no protection, and without<br>
protection, we have a lack of certainty of everything else, including<br>
privacy and control, which is what the FOSS movement is seeking.</p>
<br>
<p>FOSS projects rarely take security into account; they simply look at the<br>
surface level, rather than the actual root cause of the issues they are<br>
attempting to fight against. In this case, the focus is on privacy and<br>
control. Without security mechanisms to protect the privacy features and<br>
the ability to control your devices and data, it can be stripped away as<br>
if it never existed in the first place, which, inevitably, leads us back to<br>
the beginning, and the cycle repeats. With this ideology, privacy and<br>
control will *never* be achieved. There is no foundation to build privacy<br>
or control upon. It is impossible to build a solid, freedom respecting<br>
platform on this model.</p>
<br>
<h4>Example: Smartphones</h4>
<p>A FOSS phone, especially so-called "Linux phones" are completely<br>
detrimental to privacy and control, because they do not have the security<br>
necessary to enforce that privacy. Unlocked bootloaders prevent the device<br>
from verifying the integrity of the boot chain, including the OS, meaning<br>
any big tech or government entity can simply inject malicious code into<br>
your software and you wouldn't have any idea it was there. If that's not<br>
enough of a backdoor for you to reconsider your position, how about the<br>
trivial evil maid and data extraction attacks which could be executed on<br>
your device, whether with coercion or not? With Android phones, this is<br>
bad enough to completely break the privacy and control the FOSS movement<br>
seeks, but "Linux phones" take it a step further by implementing barely any<br>
security, if any at all. Privilege escalation is trivial to achieve on any<br>
Linux system, which is the reason Linux hardening strategies often include<br>
restricting access to the root account; if you root your Android phone, or<br>
use a "Linux phone", you've already destroyed the security model, and thus<br>
privacy and control model you were attempting to achieve. Not only are<br>
these side effects of FOSS, so is the absolutely illogical restriction of<br>
not being able to, or making it unnecessarily difficult to, install and<br>
update critical components of the system, such as proprietary firmware,<br>
which just so happens to be almost all of them. "Linux phones" are not as<br>
free as they proclaim to be.</p>
<br>
<p>You may ask "What's so bad about using LineageOS?", to which I answer with<br>
"What's not bad about it?".<br>
<br>
- LineageOS uses debug builds, not safe and secure release builds.<br>
- LineageOS requires an unlocked bootloader.<br>
- LineageOS does not install critically important firmware without manual<br>
flashing.<br>
- LineageOS does not implement rollback protection, meaning any adversary,<br>
including a goverment entity, can simply downgrade the OS to a previous<br>
version in order to exploit known security vulnerabilities.<br>
<br>
LineageOS is not the only Android OS (commonly, and incorrectly, referred<br>
to as a "ROM") with such issues, but it is one of the worst. The only<br>
things such insecure OSes can provide you are customisation abilities, and<br>
a backdoor to your data. They are best suited as a development OS, not a<br>
production OS.</p>
<br>
<h4>Solution</h4>
<p>What can you do about this? The answer is simple; however, it does require<br>
you to use logic, fact, and evidence, not emotion, which is a difficult<br>
pill for most people to swallow. Use your adversaries' weapons against<br>
them. The only way to effectively combat the privacy invasion and lack of<br>
control of our devices and data is to become a renegade and not take sides.<br>
Yes, that means not taking sides with the closed source, proprietary, big<br>
tech and government entities, but it also means not taking sides with any<br>
FOSS entities. The only way to win this war is to take *whatever* hardware<br>
and software you can, and use it tactically.</p>
<br>
<p>The only solution for phone security, privacy, and control, is to use<br>
a Google Pixel (currently, 4 series or newer) running GrapheneOS. Google<br>
Pixel phones allow you complete bootloader freedom, including the ability<br>
to lock the bootloader after flashing a custom OS (GrapheneOS includes a<br>
custom OS signing key to allow locking the bootloader and enabling verified<br>
boot to prevent malware persistence, evil maid attacks, and boot chain<br>
corruption), long device support lifecycles (minimum 3 years for Pixel 3a<br>
series to Pixel 5a, minimum 5 years for Pixel 6 series), and fast,<br>
guaranteed security updates for the entire support timeframe of the<br>
devices.</p>
<br>
<h4>Conclusion</h4>
<p>Use what you can, and do what you can. By neglecting security, you are,<br>
even if unintentionally, neglecting exactly what you are trying to gain;<br>
privacy and control.</p>
<br>
<br>
<br>
<a href="../blog.html">Back</a>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink