siiky
2023/05/10
2023/05/10
2023/05/12
post,security,technology
it sucks to have nuanced views on the internet
“systemd has the right goals but also has poor architecture: I like operating it but I don’t like its underlying design” is so much harder to digest than “systemd good” or “systemd bad”.
“sandboxing is good when done in a way that gives users the ability to control how their programs run, and doesn’t have to make your computer locked down like iOS” is harder to digest than “sandboxing good” or “sandboxing bad”.
“verified boot that lets users control the signing key allows users to verify that the boot sequence is what they want it to be, ensuring that their FDE isn’t compromised; however, most existing implementations give vendors control that should belong to users” is harder to digest than “verified boot good” or “verified boot == DRM”.
it’s hard not to sound like a corporate shill, which is the opposite of what I’m trying to be whenever I start talking about security. Fossbros have given the entire FLOSS community these warped preconceived notions on what sandboxing, verified boot, and even Systemd are and aren’t.
Even more annoyingly nuanced security views:
“Google has too much control over the web platform, yet Chromium is head and shoulders above Firefox and WebKit2GTK from a security perspective (yes, I know about Fission and RLBox). I want Chromium alternatives to succeed and I don’t want Google to dominate the Web, but I see others who share my views recommend Firefox without understanding or explaining the trade-offs involved. This results in people making less informed decisions. I personally use both browsers for different use-cases.” is like 10000 times harder to digest than “chromium bad”. Like, I agree, but I also disagree. I love to hate it from an ideological POV, and hate to kind of like its technical approach to isolation and hardening.
I love OpenBSD; it’s such a simple, understandable, well-designed OS. It’s way too underappreciated. But people should use it for the right reasons. Don’t use it because your threat model calls for a more secure OS; use it because you love UNIX and simple operating systems. OBSD has some very well-designed components, like a secure malloc design and great userspace tools. It was one of the first distros to go full ASLR. But some of its most significant mitigations (e.g. W^X) are easily bypassable and it’s missing some modern mitigations (MAC, CFI, etc.). HardenedBSD and (imo) certain Linux distros are ahead on these fronts. Despite this it’s my favorite place to tinker and will be for the foreseeable future.
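To make the W^X property above concrete from the defender’s side, here is an added example (not code from the original post) that parses a process memory map and reports any mapping that is both writable and executable, which is exactly what W^X forbids. It assumes the Linux `/proc/<pid>/maps` format, so it illustrates the property rather than being an OpenBSD tool; the `SAMPLE_MAPS` listing is constructed, not a real capture.

```python
"""Check a process memory map for W^X violations.

Added example, not from the original post. W^X is the policy that no
mapping may be both writable and executable at the same time. This scans
a /proc/<pid>/maps listing (Linux format) and reports mappings that break
it. SAMPLE_MAPS below is a constructed listing, not a real capture.
"""
import re
from pathlib import Path

# Constructed /proc/<pid>/maps excerpt: range, perms, offset, dev, inode, path.
# The rwxp line is the kind of mapping a W^X-enforcing system refuses.
SAMPLE_MAPS = """\
55d0c0400000-55d0c0401000 r--p 00000000 fd:01 1234567 /usr/bin/example
55d0c0401000-55d0c0402000 r-xp 00001000 fd:01 1234567 /usr/bin/example
55d0c0402000-55d0c0403000 r--p 00002000 fd:01 1234567 /usr/bin/example
55d0c0403000-55d0c0404000 rw-p 00002000 fd:01 1234567 /usr/bin/example
55d0c1a00000-55d0c1a21000 rw-p 00000000 00:00 0 [heap]
7f3a10000000-7f3a10100000 rwxp 00000000 00:00 0
7f3a20000000-7f3a20010000 r-xp 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line; the path field is optional (anonymous mappings have none).
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Turn a maps listing into a list of {start, end, perms, path} dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # ignore anything that is not a maps line
        regions.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "path": m["path"].strip(),
        })
    return regions


def wx_violations(regions):
    """Mappings that are both writable and executable: the W^X violations."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def anonymous_exec(regions):
    """Executable mappings backed by no file (e.g. JIT output). Not a W^X
    violation by itself, but nothing on disk vouches for that code."""
    return [r for r in regions if "x" in r["perms"] and not r["path"]]


def scan_pid(pid):
    """Live check on Linux: needs permission to read /proc/<pid>/maps."""
    return wx_violations(parse_maps(Path(f"/proc/{pid}/maps").read_text()))


def describe(r):
    """One-line human-readable description of a region."""
    size = r["end"] - r["start"]
    return f"{r['start']:#x}-{r['end']:#x} {r['perms']} {r['path'] or '[anon]'} ({size} bytes)"


if __name__ == "__main__":
    regions = parse_maps(SAMPLE_MAPS)
    for r in wx_violations(regions):
        print("W^X violation:", describe(r))
    for r in anonymous_exec(regions):
        print("anonymous executable mapping:", describe(r))
```

Run it on a live process with `scan_pid(os.getpid())` or any pid you may read; a clean, W^X-respecting process returns an empty list from `wx_violations`, and the `anonymous_exec` list is the place a JIT (a browser, a JVM) would show up.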
The server, desktop, and mobile computing models are all quite different. The desktop involves giving programs the same user privileges and giving them free rein over all a user’s data; the server model splits programs into different unprivileged users isolated from each other, with one admin account configuring everything; the mobile model gives programs private storage and ensures that programs can’t read each other’s data and need permission to read shared storage. Each has unique benefits. I like the Pinephone because it gives me the desktop model in my pocket, which is optimized for some tasks that mobile isn’t good at. I don’t see it as an Android replacement because it doesn’t give me the security benefits of the mobile model. I’ll probably not use it for 2FA but I’d be happy to use it for tinkering, testing cross-platform programs, and cool use-cases like running a temporary web server on mobile data. Linux-phone devs should focus on being the best pocket Linux distros and doing things that the mobile computing model is bad at, not competing with Android.
Software freedom/FLOSS is a critical step for giving users autonomy over their computing; being able to understand a program’s high-level architecture/design, patch it, and share it are necessary to be able to own it. But FLOSS isn’t necessary to understand what a program does; binary analysis and run-time analysis (e.g. using strace) combine well to accomplish that. Nowadays, FLOSS projects like libcurl, OpenSSL, and Linux depend on black-box testers like fuzzers to find vulns, not source code analysis; this is ! FLOSS is necessary for control, not security; support it for the right reasons. Binary obfuscation and DRM are terrible, though; those actually do impede analysis.
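The run-time analysis mentioned above needs no source at all, only a syscall trace. As an added example that is not code from the original post, here is a small summariser for `strace` output: it lists the files a program read, wrote or executed, the accesses the system denied, and the network endpoints it tried to reach. It assumes the log came from something like `strace -f -e trace=file,network -o trace.log ./program`; the `SAMPLE_TRACE` lines are constructed, not a real capture, and the file names and addresses in them are made up.

```python
"""Summarise what a program touched at run time from an strace log.

Added example (not code from the original post). It assumes the log was
produced with something like `strace -f -e trace=file,network -o trace.log
./program`. SAMPLE_TRACE is constructed, not a real capture. Calls that
strace splits into `<unfinished ...>` / `<... resumed>` fragments are
skipped, so the result is a summary, not a complete record.
"""
import re
from collections import defaultdict

# Constructed sample in `strace -f -o` format: pid prefix, one call per line.
SAMPLE_TRACE = """\
12345 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
12345 openat(AT_FDCWD, "/home/user/.config/app/settings.toml", O_RDONLY) = 4
12345 openat(AT_FDCWD, "/home/user/.cache/app/state.db", O_RDWR|O_CREAT, 0644) = 5
12345 openat(AT_FDCWD, "/home/user/.ssh/id_ed25519", O_RDONLY) = -1 EACCES (Permission denied)
12345 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 6
12345 connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
12346 execve("/usr/bin/curl", ["curl", "https://example.com"], 0x7ffd00001000 /* 20 vars */) = 0
12346 connect(7, {sa_family=AF_INET6, sin6_port=htons(80), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 ECONNREFUSED (Connection refused)
"""

# One completed syscall line: optional pid prefix, name(args) = retval [ERRNO (text)].
LINE_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?"
    r"(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>0x[0-9a-f]+|-?\d+|\?)"
    r"(?:\s+(?P<err>E[A-Z0-9]+))?"
)
PATH_RE = re.compile(r'"([^"]*)"')                      # first quoted string is the path
PORT_RE = re.compile(r"sin6?_port=htons\((\d+)\)")
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6,\s*"([^"]+)"')
WRITE_FLAGS = re.compile(r"\bO_(?:WRONLY|RDWR|CREAT|TRUNC|APPEND)\b")

FILE_CALLS = {"open", "openat", "creat", "execve", "stat", "lstat", "newfstatat",
              "access", "faccessat", "readlink", "unlink", "unlinkat", "rename",
              "renameat", "mkdir", "mkdirat"}
WRITE_CALLS = {"creat", "unlink", "unlinkat", "rename", "renameat", "mkdir", "mkdirat"}


def access_kind(call, args):
    """Classify a file call as 'exec', 'write' or 'read' from its name and open flags."""
    if call == "execve":
        return "exec"
    if call in WRITE_CALLS or WRITE_FLAGS.search(args):
        return "write"
    return "read"


def summarize(trace_text):
    """Return {'files': {path: {kinds}}, 'denied': [(call, path, errno)],
    'connections': [(host, port, succeeded)]} for one strace log."""
    summary = {"files": defaultdict(set), "denied": [], "connections": []}
    for raw in trace_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unfinished/resumed fragments, signals, exit lines
        call, args, err = m["call"], m["args"], m["err"]
        ok = m["ret"] != "-1"
        if call in FILE_CALLS:
            pm = PATH_RE.search(args)
            if not pm:
                continue
            path = pm.group(1)
            summary["files"][path].add(access_kind(call, args))
            if not ok:
                summary["denied"].append((call, path, err))
        elif call == "connect":
            port, addr = PORT_RE.search(args), ADDR_RE.search(args)
            if port and addr:
                host = addr.group(1) or addr.group(2)
                summary["connections"].append((host, int(port.group(1)), ok))
    summary["files"] = dict(summary["files"])
    return summary


def report(summary):
    """Render the summary as text, one finding per line."""
    lines = [f"{path}: {', '.join(sorted(kinds))}" for path, kinds in sorted(summary["files"].items())]
    lines += [f"DENIED {call} {path} ({err})" for call, path, err in summary["denied"]]
    lines += [f"connect {host} port {port}: {'ok' if ok else 'failed'}"
              for host, port, ok in summary["connections"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_TRACE)))
```

Point it at a real log with `summarize(open("trace.log").read())`. The interesting rows are the ones you did not expect: a denied open of something the program has no business reading, or a connection to a host that is not in its documentation, which is the sort of fact a trace tells you whether or not you have the source.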
On verified boot: users are typically given the choice of locking away some control in favor of improved security (to varying degrees), or having full control but needing to be more vigilant because they're given fewer guarantees. I can't blame users for making either choice *as long as they do so for the right reasons*. Things get really fucking problematic when fossbros start saying "secure boot is evil, let's get rid of verified boot".
Secure boot is a problematic implementation of a good idea, and it sucks that people have to choose their poison. Don't campaign for eliminating secure boot, campaign for *a better implementation* of verified boot that gives users control.