Conversation
Notices
-
Embed this notice
Alexandre Oliva (lxo@gnusocial.net)'s status on Monday, 12-Dec-2022 23:25:40 JST 
Alexandre Oliva
security is a very frequently misused term.
lots of people speak of security against certain threats, but don't worry at all about threats from the (proprietary) software vendor, that GNU's transparency guards from better than any proprietary malware.
what are the threat models in your mind?- 翠星石 likes this.
-
Embed this notice
Alexandre Oliva (lxo@gnusocial.net)'s status on Tuesday, 13-Dec-2022 23:51:43 JST
Alexandre Oliva
u realize we can check compilers too, right?
and that even someone other than the supplier can check both the compiler and the software, right?
one can check and test blackbox, but it's never quite as thorough as whitebox can be.
so you're right that being blackbox doesn't prevent finding (some) problems, but the only thing this proves is that security is not an excuse to deny users freedom. your example of ME is not proprietary for security, it's proprietary for control, which is the usual reason.
as for GNU, it's a *lot* of software, with several very significant differences. plenty of it is run locally, without setuid or network access, so its security exposure is very low, but there's enough network-connected software in there nowadays that the audits by several commercial suppliers of GNU/Linux have surely been welcome. surely the low-hanging fruit is long gone, but... it's software, it's constantly evolving, so it's likely that there are bugs, some of which could even amount to security threats. but even if I knew about any, there are more responsible ways to publish 0-days than posting about them on social media ;-)翠星石 likes this. -
Embed this notice
Lestat (lestat@ieji.de)'s status on Tuesday, 13-Dec-2022 23:51:44 JST 
Lestat
@lxo Exploits, vulnerabilities
Also on ur proprietary take...u do realise proprietary software can also be checked same as open source..infact even better because the compiler also gets checked..thats how they get audited and its called reverse engineering
翠星石 repeated this. -
Embed this notice
Alexandre Oliva (lxo@gnusocial.net)'s status on Wednesday, 14-Dec-2022 03:20:49 JST
Alexandre Oliva
erhm... you're now talking about linux, but you'd first about GNU. I expected you to know the difference between userland and kernel. you know GNU has its own kernel, and it's not Linux, right? it's not used much, so probably of limited interest WRT security, though.
I wouldn't ever advise counting on reverse engineering to find security issues if you have source code to apply all sorts of code analysis tools all the way from sources to the binary, aided by debug info and whatnot to trace findings from the binaries all the way back to the binaries. having only the binaries doesn't bring you any advantage, it rather makes the whole effort more difficult. anything you can do with the binaries of a proprietary program, you can also do with the binaries of a freedom-respecting program. but there's plenty you can do with a freedom-respecting program that is just not possible if all you have are the binaries. arguing otherwise strikes me as almost as absurd as suggesting that programming with blinds on your eyes is better because it's better not to see the source code :-)翠星石 likes this. -
Embed this notice
Lestat (lestat@ieji.de)'s status on Wednesday, 14-Dec-2022 03:20:50 JST
Lestat
@lxo @lxo well ofc u can check compilers but reverse engineering allows to see what it did to the code it compiled. Also youre very wrong to say low hanging fruit in standard linux are gone...(Chromeos and Android are different) Unless u put lots of effort into it it lacks sandboxing...Linux also lacks the now legacy and everywhere used W^X exploit mitigation (incase it isnt clear not having W^X is ridiculously idiotic),Linux also has NO protection for uninitialized memory outside of-
翠星石 repeated this. -
Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Wednesday, 14-Dec-2022 15:50:52 JST 
翠星石
@lestat >i also believe all frontend software should be open source.
I personally fight hard against the proprietary trick known as "open source".
The Intel ME isn't a backdoor, it's a frontdoor.
Sure you can disable AMT (by damn you need to so people can't login to ring -2 with a blank password), but with Intel being Intel, I reckon there's plenty of exploits even with AMT disabled. -
Embed this notice
Lestat (lestat@ieji.de)'s status on Wednesday, 14-Dec-2022 15:50:54 JST
Lestat
@lxo also just incase i give the wrong impression i also believe all frontend software should be open source.
All GNU social JP content and data are available under the