gnu-misc-discuss
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Truth matters when writing software and selecting leaders


From: Jean Louis
Subject: Re: Truth matters when writing software and selecting leaders
Date: Wed, 31 Mar 2021 17:55:00 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Martin <smartin@disroot.org> [2021-03-31 17:00]:
> On 3/30/21 7:10 PM, Jean Louis wrote:
> > * Martin <smartin@disroot.org> [2021-03-30 19:58]:
> > You may, but we don't, as it is vague term. On GNU website, we never
> > use "open source" to refer to free software, as we have to promote
> > freedom.

> what's your definition of freedom then?

When I say freedom, it is used in the context of free software how it
is already well defined on the website, I gave you references. I am
glad to receive that freedom with GNU and other free software, and I
distribute to other people as well.

When I say "to promote freedom" on this mailing list, it refers to
free software as defined, and users' rights, which I say are basic
human rights to be in charge of any actions done on their behalf.

As a paralegal since almost 20 years, when a person wish to authorize
somebody else to do some actions on person's behalf, then there are 2
different powers of attorney:

- General Power of Attorney -- usually authorizes another person to do
  ANY kind of actions on person's behalf, for example to purchase
  house, website domain, open up bank accounts, demand money, and so
  on.

- Specific Power of Attorney -- authorizes attorney or representative
  to do some specific actions, for example, it could authorize
  attorney or assigned person to purchase vehicle on somebody's
  behalf.

Those legal documents have to be signed usually in front of a public
notary who makes sure that person is aware of all details written in
the document.

Normally, we do not legally authorize people to read, listen, hear,
record, process our data, and do other unauthorized actions with our
data, our information, so much related to life.

Software programs and authors conquered the legality and took their
right to claim that "by downloading this software" or "by using this
website" one receives some kind of a license and accept any kind of
otherwise unauthorized actions, like sending personal information,
tracking your behavior, researching your behavior, selling your face,
your habits, your situation of posession of your devices, like if you
are rich or poor, processing your information, doing actions on your
compute which actions you have never authorized, and repeating same
actions trillions of times.

Person was not technically capable to understand such authorization
given to proprietary software companies, and thus IMHO, all such
authorizations are invalid, and should be persectued by criminal law,
depending of the country.

But countries think that software is some kind of a written deed, and
treat is under copyrights, I would not.

I would treat it as set of actions executed on user's computer,
usually processing user's data, and conducted by author. As that is
what it is.

Unauthorized processing of actions with users' data is criminal.

I do not think that authorization by click or blind acceptance of
software is legally right. Neither I do not think that for free
software.

For any software, it has to be free software, as only so users can
verify if actions are actually authorized or not.

For any software, that is assumed to be free software in future, users
should or could trust developers who verify the software and designate
what such software does with users' data. If it only play files, it
would be easily accepted, but if it can do potential harm to user's
privacy, something like that would need to be looked from criminal
view point.

As if anybody ENTERS my room, and takes FEW papers from a table,
regardless what is on those papers, that is so much criminal that
deserves few years in prison.

Computer software is used in the same way, to automate computers to
send user's data, process, sell it, profit on it -- and people do not
recognize it as crime. But majority of people did not really
understand the impact of it, and did not consciously give their powers
to software authors.

> > I probably have more years than you, so I am aware of the movement
> > called "open source" and licking asses of corporations.

> "free software" movement is actively endorsing a lot of projects that are
> not bootstrappable for many years. This is like a gift for corporations who
> can freely exploit your resources.

You are free to contribute your knowledge and report issues where
appropriate. This list will not be read by them.

> > > Does the GNU "free software" definition is protected under some
> > > trademark laws? If not than why you blindly assume that everyone
> > > should use it as it only please you?

> > I don't. I said in this GNU environment, on mailing lists, in
> > contributions, in publishing, designations and similar, we strive to
> > use proper terminology to express the purposes of free software
> > philosophy better, it is voluntarily.

> And how you protect your self from internal manipulations?

I would not know what is internal manipulation. I have been eating
beans and polenta, and something is happening internally, what do you
mean?

> It's good that you mentioned that, because in the beginning actually
> everything was bootstrappable, and nowadays almost nothing - how
> bizarre is our evolution of freedom.

I understand your devotion, but technically I cannot help on
that. Guix does good job there, join there and file your issues.

> > You speak of developers, they are now many, but not proportionally
> > many as in early years of micro computing era, since about begin of
> > 1980. Number of developers is today so much less proportionally to
> > number of computers - we are under developed in 2021. Sorry, what you
> > mention is not what end users are. I meet end users every day, they
> > use computers for DVD, movies and music, sharing files by using USB,
> > some of them know how to write a letter, and some will even make a
> > presentation. That is largest majority of computer end users.

> What you are talking about? No one is using DVD anymore.

Judging on that statement, I can see you live in a small world. But
planet is big. You have got confinements and you do not know what is
planet. Travel around, go south wherever you are located, unless in NZ
or AU. Research and see what people are doing.

> DVD has died like floppy disks many years ago.

In the small world, maybe. Outside, there is another world.

> It should be related directly to the definition in order to protect
> your freedom. Reproducibility and bootstrappability can be also used
> from transparent scripts in run time. Moreover you can implement
> this concepts in many different ways.

I have already demonstrated that reproducibility will not mean
nothing to majority of users, as there is no established chain of
trust. Unless you wish to debunk me, but you have not made an
attempt. GNU/Linux distributions have already been compromised by
exact examples how I gave you.

When speaking of reproducibility you cannot just raise focus on one
single point in the chain, without verifying whole chain AND making
sure that it is safe. But nobody so far can do that. All what you can
do is get some final hash that build is same as how it was created at
some other point. Because there is no established chain of trust,
reproducibility is just one small very tiny, more or less unimportant
piece of security in computing.

Example for better understanding: what is the point of making sure
that you reproduced the software from server X in the same way how
server X has created it, if there were inclusions of malicious
backdoors by the server X? You would not be able to verify the huge
series of software not to have anything included as a backdoor. You
cannot possibly verify larger number of remote servers from where
upstream software have been obtained. In other words, it is not
practical.

As idea though is good, but we are late, and our society is corrupted
with proprietary software.

Bootstrappability will mean nothing to majority of end users. Same
problem is here. You can boostrap some software, but you cannot
possibly establish full chain of trust. So it is one small tiny piece
of computer security.

> Below I've just smashed your very naive and completely not realistic in
> practice example

Well let me see, forgive me, I comment on email as I read it. Old
habit.

> > > > Example of malicious intent easily to be placed online:
> > > > 
> > > > 1. Insert various malicious code into GCC, that is to place backdoor
> > > >      shells in all kinds of network services.

> Every user usually has it's own version of GCC from various distros that by
> default care about reproducibility so the malicious code doesn't affect
> them.

I never heard of GNU/Linux distribution that cares of reproducibility
by default. Can you give me some example?

I know Guix and Nix that promote it, but I do not know others.

> If the attacker decide to pollute the upstream source than most
> probably the code will be immediately rejected or disclosed by the
> global army of bounty hunters. Anyway the attacker, revisers,
> maintainers and core developers who just touch this malicious code
> are risking their reputation.

I did not speak of attackers polluting upstream source, but that did
happen in past and can happen any time. It happened to some major
GNU/Linux distributions.

Examples:

https://nakedsecurity.sophos.com/2018/06/29/linux-distro-hacked-on-github-all-code-considered-compromised/

https://securityaffairs.co/wordpress/88047/hacking/canonical-github-account-hacked.html

https://nakedsecurity.sophos.com/2016/02/22/worlds-biggest-linux-distro-infected-with-malware/

I have been speaking of creating new GNU/Linux distribution and
promoting it as genuine.

> > > > 2. Build GCC.

> usually you can do it in various different architectures and your
> bug could not be so portable or it could be also easily detected in
> this stage.

It would not be portable, nobody would know nothing about it. People
would download disk images and install operating system.

> > > > 3. Make new GNU/Linux distribution.

> what about Debian, RedHat, FreeBSD, MacOSX, Solaris, GNU/Hurd and
> other OSes?

Any free software distribution may be impacted maliciously. For MacOSX
and Solaris, I do not know if they are free.

> > > > 4. Publish it as fully free software, promote it as you wish.
> > > > 
> > > > 5. Provide hashes of binaries, packages, PGP signatures.
> > > > 
> > > > 6. Provide reproducibility for all binaries, except of few
> > > > compilers.

> Uff are you really planning to design your own compiler and linux
> distribution in this attack?

Thank you, but I do not feel smashed.

It is very easy to make GCC compiler that is malicious, it is created
by script kiddies, not even hackers. Instructions are
online. Including some of code from below links into all compiled
binaries that support networking would be one way to go, I did not
look into it, I am showing a model.

https://github.com/raunvk/stealthware-backdoor

https://github.com/droberson/icmp-backdoor

Sorry, I don't feel smashed, the example still stands. 

> > > > 8. After some time, ping on some servers, like ping the port 7801 and
> > > >      then 5 times 7802, knock on the door, and open up the root
> > > >      shell.

> Hehehe you don't need to be advanced user to see this kind of traffic on a
> wireshark  :)

Now - why you think it is so? It is because there are backdoors on
various ports, depending of devices.

As maintainer of many dedicated servers and VPS-es since about 20
years, I have seen that intruders do intrude. My experience is with
GNU/Linux, I did not keep BSD-variants online. 

> No you completely miss the concept. In a perfect world if everything is
> reproducible than all the compilations are deterministic. It means that for
> a given environment your source code will always produce the same
> binaries.

I understand the concept. Is it not obvious that I do understand.

But it is just a tiny tinnie-minnie part of computer security. For
majority of users, again, it means nothing in particular. It may mean
for those Bitcoin miners or corporations.

> > > officially endorsed by the GNU organization.
> > You are free to contribute and make it better.

> The problem in this particular case is that there was already contribution
> to create the usable version of GNAT that was bootstrappable. But some
> pseudo "free software" freedom fighters decided to remove that code and hide
> all the tracks of this crime. This binary seed can be full of malicious code
> just like any commercial binary blob you are so afraid of.

Could you please be specific with it and report it on a right mailing
list as a bug?

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns




reply via email to

[Prev in Thread] Current Thread [Next in Thread]