And we labor on... https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear
To me, the only long term way to even start to get out of this nightmare (as we cannot trust anyone else's gear either, and we have other reminders of corruption like the Volkswagen scandal) is to mandate the release of source code, with reproducible builds[1], for just about everything connected to the internet or used in safety critical applications, like cars. Even that's not good enough, but it would be a start.

Even back when we took on the FCC on this issue ( http://www.taht.net/~d/fcc_saner_software_practices.pdf ), I never imagined it would get this bad.

'round here we did produce one really trustable router in the cerowrt project, which was 100% open source top to bottom, which serves as an existence proof - and certainly any piece of gear reflashed with openwrt is vastly better and more secure than what we get from the manufacturer - but even then, I always worried that my build infrastructure for cerowrt was or could be compromised and took as many steps as I could to make sure it wasn't - cross checking builds, attacking it with various attack tools, etc. Friends don't let friends run factory firmware, we used to say.

Being able to build from sources yourself is a huge improvement in potential trustability - (but even then the famous paper on reflections on trusting trust applies). And so far, neither the open source nor reproducible builds concepts have entered the public debate.

Every piece of hardware nowadays is rife with binary blobs and there are all sorts of insecurities in all the core cpus and co-processors designed today. And it isn't, of course, just security in Huawei's case - Intel just exited the business - they are way ahead of the US firms in general in so many areas.

I have no idea where networked computing can go anymore, particularly in the light of the latest MDS vulns revealed over the past few days ( https://lwn.net/Articles/788522/ ).
I long ago turned off hyperthreading on everything I cared about, moved my most critical resources out of the cloud, but I doubt others can do that. I know people that run a vm inside a vm.

I keep hoping someone will invest something major into the mill computing's cpu architecture - which does no speculation and has some really robust memory and stack smashing protection features ( http://millcomputing.com/wiki/Protection ), and certainly there's hope that RISC-V chips could be built with a higher layer of trust than any ARM or Intel cpu today (but needs substantial investment into open on-chip peripherals).

This really isn't a bloat list thing, but the Slashdot discussion is toxic. Is there a mailing list where these sorts of issues can be rationally discussed?

Maybe if Intel just released all their 5G IP into the public domain?

/me goes back to bed

[1] https://en.wikipedia.org/wiki/Reproducible_builds

--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740

_______________________________________________
Cerowrt-devel mailing list
Cerowrt-devel@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cerowrt-devel