Re: [Arm-netbook] Questioning The Holy War

2018-12-09 Thread Pablo Rath
On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:
> 
> > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > >
> > > > How do you know if the source is closed? :)
> > >
> > > Let's assume this is a real question.
> >
> > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > poorly. What I meant and should have written is more like: "How can you
> > know if a software behaves well and doesn't shoot the cat when you can't
> > audit the source code?"
> >
> 
> I must point out an error here: Ken Thompson proved that auditing source
> code (of software and the toolchain used to build it) is meaningless in his
> paper "Reflections on Trusting Trust". 

Chris, I have to admit that I find your reply a bit unfair as we were
not (yet) discussing such sophisticated details. Especially as the
initial question was more in the direction of a comparison of
proprietary, open source (with blobs) and completely libre systems and
why everyone on this list is so focussed on "libre".

I did some reading on the "trusting trust" topic and want to share
what I found:
I have never heard of that paper before so I had to look that up. A
blogpost by Bruce Schneier led me to David A. Wheeler's 2009 PhD
dissertation "Fully Countering Trusting Trust through Diverse
Double-Compiling". The dissertation and a lot of additional information
can be found at [1]. 
The dissertation explains how to fully counter the "trusting trust" attack
by using the “Diverse Double-Compiling” (DDC) technique. 
"DDC, in contrast, uses additional compilers as a check on the first.
This fundamentally changes things, because now an attacker must
simultaneously subvert both the original compiler, and all of the
compilers used in DDC. Subverting multiple compilers is much harder than
subverting one, especially since the defender can choose which compilers
to use in DDC and can choose the compilers used in DDC after the attack
has been performed." ([1], section "DDC’s use of trusted compiler(s)
fundamentally increases trustworthiness")

I also recommend the section "Reproducible (deterministic) builds" in [1]: 
"Deterministic builds aren’t enough if the compiler executable is
subverted, but thankfully, DDC enables multi-party verification of
compiler executables (you still have to check the source, but that is a
much easier problem)." 

So according to David A. Wheeler the "trusting trust" attack can be
fully countered and we are back in a state where auditing source is not
meaningless. 

Source:
[1] https://dwheeler.com/trusting-trust/


> (That said, I still prefer to be able to read the source -- just saying we
> shouldn't attribute disproven benefits to source reading!).

There are many attack vectors that make checking the source look
ridiculous (compromised hardware, evil maid attack, ...). 
We can also question if the auditing process is working well enough but I think
that is not the point of this thread as it doesn't help to answer the
initial questions.

kind regards
Pablo

___
arm-netbook mailing list arm-netbook@lists.phcomp.co.uk
http://lists.phcomp.co.uk/mailman/listinfo/arm-netbook
Send large attachments to arm-netb...@files.phcomp.co.uk
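
The diverse double-compiling check described in the message above, as an added toy model in Python that is not part of the original thread or of Wheeler's dissertation. Executables are modelled as small records rather than real binaries, builds are assumed deterministic, and every name (`Exe`, `compile_with`, `ddc_check`, the sample compilers) is constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Toy model (all names constructed): an executable is a record, not real
# machine code, so the logic of the check can be followed end to end.

@dataclass(frozen=True)
class Source:
    name: str      # which program this source describes
    codegen: str   # code generator it implements if it is a compiler, else ""

@dataclass(frozen=True)
class Exe:
    built_by: str  # code generator that emitted these "bytes"
    program: str   # source the executable was built from
    codegen: str   # code generator it implements when run as a compiler
    hidden: bool   # behaviour present in the binary but in no source

    def digest(self) -> str:
        blob = f"{self.built_by}|{self.program}|{self.codegen}|{int(self.hidden)}"
        return hashlib.sha256(blob.encode()).hexdigest()

S_A = Source(name="compiler-A", codegen="A")   # the audited compiler source

def compile_with(compiler: Exe, src: Source) -> Exe:
    """Deterministic build of src by the given compiler executable."""
    if not compiler.codegen:
        raise ValueError(f"{compiler.program} is not a compiler")
    # The "trusting trust" property: hidden behaviour survives a rebuild only
    # when the subverted binary recognises the compiler source it targets.
    carried = compiler.hidden and src.name == S_A.name
    return Exe(compiler.codegen, src.name, src.codegen, carried)

def self_regeneration_check(c_a: Exe, s_a: Source) -> bool:
    """Rebuild the compiler with itself and compare; a subverted one passes too."""
    return compile_with(c_a, s_a).digest() == c_a.digest()

def ddc_stages(s_a: Source, c_t: Exe):
    stage1 = compile_with(c_t, s_a)      # S_A built by the second compiler
    stage2 = compile_with(stage1, s_a)   # S_A built by that result
    return stage1, stage2

def ddc_check(c_a: Exe, s_a: Source, c_t: Exe) -> bool:
    """DDC: stage2 must be bit-for-bit identical to the compiler under test."""
    _, stage2 = ddc_stages(s_a, c_t)
    return stage2.digest() == c_a.digest()

# Constructed sample executables.
HONEST_A = Exe("A", "compiler-A", "A", hidden=False)
SUBVERTED_A = Exe("A", "compiler-A", "A", hidden=True)
CHECKER_T = Exe("T", "compiler-T", "T", hidden=False)
SUBVERTED_T = Exe("T", "compiler-T", "T", hidden=True)  # same subversion in both

if __name__ == "__main__":
    cases = [
        ("honest A, clean T", HONEST_A, CHECKER_T),
        ("subverted A, clean T", SUBVERTED_A, CHECKER_T),
        ("subverted A, subverted T", SUBVERTED_A, SUBVERTED_T),
    ]
    for label, c_a, c_t in cases:
        print(f"{label:26} self-rebuild={self_regeneration_check(c_a, S_A)} "
              f"ddc={ddc_check(c_a, S_A, c_t)}")
```

The self-rebuild comparison passes for both the honest and the subverted compiler, while DDC with an independent compiler separates them. The last case is the one the quoted passage refers to: the check is only defeated when the second compiler carries the same subversion.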

Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Ricardo Wurmus

Chris Tyler  writes:

> I must point out an error here: Ken Thompson proved that auditing source
> code (of software and the toolchain used to build it) is meaningless in his
> paper "Reflections on Trusting Trust".

That’s why it’s important to have trustable tools and reproducible
builds.  For trustable tools there’s ongoing work on a complete source
bootstrap from an auditable source/binary hybrid all the way to a modern
GNU system.  See [1] and [2].

Reproducible builds guarantee that a given binary actually corresponds
to source code.  Having both of these properties does allow us to reason
about the properties of our binaries.

[1] https://savannah.nongnu.org/projects/stage0/
[2] https://www.gnu.org/software/mes/

--
Ricardo



Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Chris Tyler
On Sat, Dec 8, 2018 at 11:20 AM Hendrik Boom  wrote:

> On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> > On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:
> >
> > > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > > >
> > > > > How do you know if the source is closed? :)
> > > >
> > > > Let's assume this is a real question.
> > >
> > > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > > poorly. What I meant and should have written is more like: "How can you
> > > know if a software behaves well and doesn't shoot the cat when you can't
> > > audit the source code?"
> > >
> >
> > I must point out an error here: Ken Thompson proved that auditing source
> > code (of software and the toolchain used to build it) is meaningless in his
> > paper "Reflections on Trusting Trust". That paper/talk was released 34
> > years ago, and it wasn't theoretical -- it was based on malware that he'd
> > successfully released into the wild many years before.
>
> I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't
> recall him saying he actually did release that malware -- he just explained
> what he *could* have done.  But he didn't deny it either.
>

From text of the talk: "The actual bug that I planted in the compiler..."
and discussion at the time indicated that this... feature... had been
present for years. I think it was safe for him to mention in '84 because
many (though not all) were migrating off the original toolchain by that
point.

-Chris

Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread pelzflorian (Florian Pelz)
On Sat, Dec 08, 2018 at 11:19:43AM -0500, Hendrik Boom wrote:
> On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> > On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:
> > 
> > > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > > >
> > > > > How do you know if the source is closed? :)
> > > >
> > > > Let's assume this is a real question.
> > >
> > > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > > poorly. What I meant and should have written is more like: "How can you
> > > know if a software behaves well and doesn't shoot the cat when you can't
> > > audit the source code?"
> > >
> > 
> > I must point out an error here: Ken Thompson proved that auditing source
> > code (of software and the toolchain used to build it) is meaningless in his
> > paper "Reflections on Trusting Trust". That paper/talk was released 34
> > years ago, and it wasn't theoretical -- it was based on malware that he'd
> > successfully released into the wild many years before.
> 
> I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't 
> recall him saying he actually did release that malware -- he just explained 
> what he *could* have done.  But he didn't deny it either.
> 
> Or do you have further information on this?  If so I'd like to hear it.
> 
> Let me be pleased there is more than one C compiler in existence.  And that 
> it is undecidable whether an arbitrary piece of code actually compiles C, so 
> that his malware, should it exist, is limited in scope.
> 

This problem is one of the reasons why bootstrappable.org, GNU Mes and
such things exist so it is easier to detect when object code does not
correspond to source code.

Regards,
Florian


Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Adam Van Ymeren


On December 8, 2018 10:28:18 AM EST, Chris Tyler  wrote:
>On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:
>
>> On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
>> > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
>> > >
>> > > How do you know if the source is closed? :)
>> >
>> > Let's assume this is a real question.
>>
>> Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
>> poorly. What I meant and should have written is more like: "How can you
>> know if a software behaves well and doesn't shoot the cat when you can't
>> audit the source code?"
>>
>
>I must point out an error here: Ken Thompson proved that auditing source
>code (of software and the toolchain used to build it) is meaningless in his
>paper "Reflections on Trusting Trust".

His talk didn't show that it's meaningless but that it's not always sufficient.

>That paper/talk was released 34
>years ago, and it wasn't theoretical -- it was based on malware that he'd
>successfully released into the wild many years before.
>
>(That said, I still prefer to be able to read the source -- just saying we
>shouldn't attribute disproven benefits to source reading!).
>
>-Chris

Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Hendrik Boom
On Sat, Dec 08, 2018 at 10:28:18AM -0500, Chris Tyler wrote:
> On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:
> 
> > On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > > >
> > > > How do you know if the source is closed? :)
> > >
> > > Let's assume this is a real question.
> >
> > Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> > poorly. What I meant and should have written is more like: "How can you
> > know if a software behaves well and doesn't shoot the cat when you can't
> > audit the source code?"
> >
> 
> I must point out an error here: Ken Thompson proved that auditing source
> code (of software and the toolchain used to build it) is meaningless in his
> paper "Reflections on Trusting Trust". That paper/talk was released 34
> years ago, and it wasn't theoretical -- it was based on malware that he'd
> successfully released into the wild many years before.

I remember reading that talk -- Wasn't it a Turing lecture? -- and I don't 
recall him saying he actually did release that malware -- he just explained 
what he *could* have done.  But he didn't deny it either.

Or do you have further information on this?  If so I'd like to hear it.

Let me be pleased there is more than one C compiler in existence.  And that 
it is undecidable whether an arbitrary piece of code actually compiles C, so 
that his malware, should it exist, is limited in scope.

What I've heard on this topic is a mere rumour about the IBM Fortran H 
compiler -- that there was a bug in the optimisation of bitwise logic 
operations that was present in the object code but not in the source code.
Apparently those bitwise logic operations were used in the optimiser, and 
there was, unfortunately, a fixed point other than the intended one.

And I think we are getting close (but we're not there yet) to the general
philosophical question whether we can actually know anything at all.

-- hendrik
> 
> (That said, I still prefer to be able to read the source -- just saying we
> shouldn't attribute disproven benefits to source reading!).
> 
> -Chris

Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Chris Tyler
On Sat, Dec 8, 2018 at 7:07 AM Pablo Rath  wrote:

> On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> > On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > >
> > > How do you know if the source is closed? :)
> >
> > Let's assume this is a real question.
>
> Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
> poorly. What I meant and should have written is more like: "How can you
> know if a software behaves well and doesn't shoot the cat when you can't
> audit the source code?"
>

I must point out an error here: Ken Thompson proved that auditing source
code (of software and the toolchain used to build it) is meaningless in his
paper "Reflections on Trusting Trust". That paper/talk was released 34
years ago, and it wasn't theoretical -- it was based on malware that he'd
successfully released into the wild many years before.

(That said, I still prefer to be able to read the source -- just saying we
shouldn't attribute disproven benefits to source reading!).

-Chris

Re: [Arm-netbook] Questioning The Holy War

2018-12-08 Thread Pablo Rath
On Fri, Dec 07, 2018 at 04:52:22PM -0500, Hendrik Boom wrote:
> On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> > 
> > How do you know if the source is closed? :)
> 
> Let's assume this is a real question.

Hendrik, I am sorry. I see, I have phrased my (rhetorical) question
poorly. What I meant and should have written is more like: "How can you
know if a software behaves well and doesn't shoot the cat when you can't
audit the source code?"

> If you try to get a copy of the source and are refused without signing 
> a nondisclosure agreement, there's a good chance that it's closed.

Software should be distributed with a license and the source or with
instructions where the source is publicly available. If a file or
program lacks a license we have to assume it is proprietary. Of course
asking helps in case of doubt. 

kind regards
Pablo


Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread David Niklas
On Fri, 7 Dec 2018 13:25:31 +
Luke Kenneth Casson Leighton  wrote:
> On Fri, 07 Dec 2018 08:19:50 -0500
> Stefan Monnier  wrote:
> > > Yet, almost every message on this list seems to carry with it the
> > > implication -- if not express statement -- that if a given
> > > application can't be openly audited on a remarkably low level by a
> > > random layperson at a random time and place -- ... -- it must
> > > therefore be evil and untrustworthy.

There are actually 3 arguments to favor this view point:
1. You learn by experience. Picture young children. They break things to
learn how they work. No introspection means severely limited
understanding.
2. If schools and libraries would *actually* teach programming, as
opposed to MS-word Macros which enslave the person to a product (yes,
here in the US), then there would be less people who would be incompetent
when it comes to CS. The source being readily accessible lends itself to
this goal.
3. "Many eyes make all bugs shallow." -- Linus Torvalds (Never said they
were all geniuses or something.)

> > If a president refuses to show his tax records, I consider it as
> > evidence that I can't trust him/her.
> >
> > Same goes for software.
> >
> 
>  and yet... people still vote for them... :)
>

And buy the software.
"Who is the more foolish, the fool or the fool who [buys stuff from]
[votes for] him?" -- Obi-wan Kenobi (Star Wars) purposefully misquoted.

David


Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread Hendrik Boom
On Fri, Dec 07, 2018 at 12:59:44PM +0100, Pablo Rath wrote:
> 
> How do you know if the source is closed? :)

Let's assume this is a real question.

If you try to get a copy of the source and are refused without signing 
a nondisclosure agreement, there's a good chance that it's closed.

-- hendrik


Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread Luke Kenneth Casson Leighton
On Fri, Dec 7, 2018 at 1:20 PM Stefan Monnier  wrote:

> If a president refuses to show his tax records, I consider it as
> evidence that I can't trust him/her.

 and yet... people still vote for them... :)


Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread Stefan Monnier
> Yet, almost every message on this list seems to carry with it the
> implication -- if not express statement -- that if a given application
> can't be openly audited on a remarkably low level by a random
> layperson at a random time and place -- ... -- it must therefore be
> evil and untrustworthy

If a president refuses to show his tax records, I consider it as
evidence that I can't trust him/her.

Same goes for software.


Stefan



Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread Pablo Rath
On Thu, Dec 06, 2018 at 11:22:33PM -0500, Christopher Havel wrote:
> Okay. Forgive me, Luke, for inciting what will inevitably be a
> stake-burning that will be of such grand proportion as to be visible in
> space...
> 
> ...but...
> 
> ...I have to admit that I just don't "get it".

Let us try to stay civil :)

> 
> And not having access to Flash is always an annoyance when it
> occurs. 

Isn't flash already dead? I am quite happy that it gets less and less
relevant each day as it appeared to be such a pain in the neck and caused a
lot of troubles when switching to Linux years ago. 

> Even my phone is a Samsung Galaxy S7 - not exactly flying the flag
> of happy freedom-ness.
> 

Although I type this reply from a Libreboot T400 (RYF certified) running
Debian stable with only the main repo enabled I also own and use a
smartphone and a tablet running android.

> ...and that's kind of where I usually draw the line. If a given application
> doesn't 'shoot the cat' -- cause obvious system instability or exhibit
> other overtly malicious activity during use -- and it performs the task(s)
> it was designed for, it seems to me it ought to be considered just fine, at
> least for the most part.

How do you know if the source is closed? :)

There are many (valid) reasons to reject closed source software ranging
from "because I can", "I am just curious", "scientific and research",
"security", "bad past experience with closed source", "forced upgrades"
and so on.
I believe that the FLOSS-model is better but it is not the holy grail
either. 
Apparently FLOSS has bugs, security holes and unexpected problems.
Errors are a part of our human existence.  
The internet is full of discussions, essays, blogposts and free books on
this topic so I think there is no need to repeat these sources.
In the end you have to make this decision for yourself based on your
knowledge and critical evaluation of your sources.

> Yet, almost every message on this list seems to carry with it the
> implication -- if not express statement -- that if a given application
> can't be openly audited on a remarkably low level by a random layperson at
> a random time and place -- leaving alone the fact that most ordinary
> individuals severely lack the knowledge and education required for that
> task -- it must therefore be evil and untrustworthy and oh god we can't
> have any of that sort of thing around here, shoo shoo...

Well, this is a libre centered mailing list and in my opinion a quite
friendly one. I have been burned by projects that were "open source" and
turned out to require blobs. It can be so hard to find out if certain
hardware will require blobs so I find the strict libre approach of
eoma68 and this mailing list quite liberating.

kind regards
Pablo


Re: [Arm-netbook] Questioning The Holy War

2018-12-07 Thread pelzflorian (Florian Pelz)
On Thu, Dec 06, 2018 at 11:22:33PM -0500, Christopher Havel wrote:
> Yet, almost every message on this list seems to carry with it the
> implication -- if not express statement -- that if a given application
> can't be openly audited on a remarkably low level by a random layperson at
> a random time and place -- leaving alone the fact that most ordinary
> individuals severely lack the knowledge and education required for that
> task -- it must therefore be evil and untrustworthy and oh god we can't
> have any of that sort of thing around here, shoo shoo...
>

There are many independent developers laypeople can pay to port,
inspect and change free software.

Regards,
Florian


Re: [Arm-netbook] Questioning The Holy War

2018-12-06 Thread Lauri Kasanen
Hi,

There's lots of ways for your current uses to "shoot the cat"; perhaps
you've been lucky so far. Or perhaps you accept what they do behind the
scenes.

First, MS Office. They deliberately add incompatibilities, forcing you
to upgrade (ie. pay them again) so you can open that Word 20xx file
from your client/employer/tax man/whatever. Nowadays they're moving to
a subscription model, so you'll have to pay monthly to be able to edit
and view documents.

Having Flash installed may lead to compromising your bank details, your
system, or any other data you care for.

Your phone will likely stop getting updates, or it will get an update
making it slower that you cannot remove. All cases leading to planned
obsolescence -> buy a new phone. The OS and apps you run spy on you,
selling all data they can gather to the highest bidder. If you're
lucky, this only results in more ads for you.

We have plenty of examples of closed software being malicious, but not
in an overt way. Perhaps they call home. Perhaps they spy on your
activities, to make sure you're not trying to cheat or do anything they
won't approve of. Perhaps that so chic note-taking app is trying to
steal your bank credentials in the background.

If you haven't yet been bitten by anything, you won't be as careful or
think of what might happen. Had you had a book of yours removed off
your Kindle, your Steam account blocked because you had a debugger
installed, your battle.net account blocked because you ran a game in
Wine, an important piece of software stop working and demand an
upgrade, or numerous other examples of closed sw being
not-so-friendly...

All this is just the negative aspects too. How will you fix a bug or
add a feature to closed sw? What if the company making it has gone
bankrupt, and you cannot even get them to do so?

- Lauri


[Arm-netbook] Questioning The Holy War

2018-12-06 Thread Christopher Havel
Okay. Forgive me, Luke, for inciting what will inevitably be a
stake-burning that will be of such grand proportion as to be visible in
space...

...but...

...I have to admit that I just don't "get it".

When I write, I save my documents in Word 97-2003 *.doc format. Sometimes I
even make a PDF copy. When I listen to music, it's inevitably an MP3. When
I go shopping, I like to sit in the Subway at the local Walmart and mooch
off the wifi- to the point that, specifically because it has no wifi, I
won't go to the Wendy's across the parking lot even though I like their
food better. And not having access to Flash is always an annoyance when it
occurs. Even my phone is a Samsung Galaxy S7 - not exactly flying the flag
of happy freedom-ness.

All the stuff I do and rely on daily in my computer is closed-source. I
prefer Linux as an operating system primarily because (a) it is a
standalone setup which does not require third-party applications for
ordinary daily operation, the way Windows does, (b) it's incredibly
modular, (c) it doesn't think I'm stupid (much), and (d) I can't beat the
price.

In using both Linux and Windows (and, to a somewhat lesser extent, DOS and
whatever's in a Commodore 64) over the roughly two-and-a-half decades of my
life in which I've had my own computer, the only applications I've ever had
that actually shot the cat (metaphorically) were applications designed for
that purpose, i.e. malware - and in all instances, that was on Windows.
(There is one exception that was me being a dummy and turning off a vital
system component and then rebooting, the result of which was an unavoidable
reinstall -- but that was quite early on and something far more along the
lines of a moderately entertaining learning experience than anything else.)

...and that's kind of where I usually draw the line. If a given application
doesn't 'shoot the cat' -- cause obvious system instability or exhibit
other overtly malicious activity during use -- and it performs the task(s)
it was designed for, it seems to me it ought to be considered just fine, at
least for the most part.

Yet, almost every message on this list seems to carry with it the
implication -- if not express statement -- that if a given application
can't be openly audited on a remarkably low level by a random layperson at
a random time and place -- leaving alone the fact that most ordinary
individuals severely lack the knowledge and education required for that
task -- it must therefore be evil and untrustworthy and oh god we can't
have any of that sort of thing around here, shoo shoo...

Maybe I'm just too ordinary (although that's one thing I've never been
accused of!) but I just don't understand. If a program demonstrably does
its job, keeps its pants up, and doesn't 'shoot the cat', at least in
everyday use, it's got to be, at worst -- as Douglas Adams would say --
"mostly harmless"... right...?