On 31/12/12 14:53, Ludovic V Meyer wrote: > 2012/12/30 AL13N <[email protected]> > >> Op zondag 30 december 2012 21:17:38 schreef Ludovic V Meyer: >>> Except it does let 3rd parties OS boot, at least on X86, since the norm >>> mandate it. >>> And for arm tablet, no one reacted when Apple, Acer, Samsung, Archos and >>> lots of others locked down their devices, so trying to argue that we now >>> expect them to be open would not work. >> >> actually, they didn't. you can root each of those iinm. >> > > Using 3rd exploit is not really what I call open, they are not supported, > likely against DMCA most of the time, and IMHO not reliable. > Not to mention that it requires a manual intervention on each device. If we > take the example of Apple, they closed every hole after a while when it was > practical to do,and used the existing leagal way to prevent them ( see in > 2009, > the update of the developper agreement ). And since I know you will surely > talk of if, the DCMA ruling for jailbreaking is just for phone, because > unlike France, telcos in USA do not have to unlock your phone after a few > months. > > Not to mention that afaik, despites them being "not closed" by your > definition, stuff like Iphonelinux are all dead in the water. > Cyanogenmod only exist because from time to time, Google do a code drop, > and they still suffer from needing a custom fork of the kernel. > > So if the goal is "to be able to run what I want on my device", that's > something that can already be done for applications. What people should say > is "running what I want provided no money directly leave my pocket, but I > do not mind spending days figuring how to do it, cause I prefer spend 1 > week than giving 100 bucks". > > this is about having a secure key hardcoded "burned" in the device, which is >> both stupid and annoying. because since apps need to be secured too, too >> many >> people have access to the root key. which means the chance of leak is >> higher. >> which means that your devices need to be thrown out when the rootkey is >> compromised or when it's deemed obsolete and a new key will be in place. >> > > The key is handled by Verisign, and since that's their jobs since around 18 > years, I think they are qualified to do it. > How many time in 18 years was the root cert of Verisign be compromised ? > > Also, you are totally wrong about throwing the device if the key is leaked. > This happened to the PS3 due to the world-record breaking ignorance of Sony > ( or one sub contractor ), and AFAIK, the PS3 all around the world still > work ( and also, no one formally complained about gaming consoles being > closed, despite some of them just being powerful PCs ). The same goes for > various phones/tablet who have been broken this way ( like the Asus > transformer, AFAIK ). > > Burning a key in silicium is what Apple have been doing since a long time. > That's also the modus operandi of TPM modules. They are used by several > banking institutions as a way to make sure the harddrive is protected with > bitlocker ( cause you do not want your highest executive laptops to be > stolen and that this cause privacy and security issues ). IE, that is > viewed as sufficient for FIPS certification and usage for military grade or > banking grade security. And I am pretty sure the private key is stored in > some HSM like the nShield solo or similar device. > > Not everybody work like your client ( the one we talked about yesterday on > IRC, if I am not wrong ). Some people take security seriously, and check > what happens. But that's not security of the root key that matter, since no > one ever asked for public scrutiny or a independent audit. > > the thing here is that since you buy a device, it's yours and you can do >> what >> you want with it. why would you give other parties control over your >> device? >> it's stupid. there needs to be a way as an owner to decide which root keys >> you >> trust or not. >> > > You do not give control to another party, you delegate trust handling to > another party. > That's exactly what you do with a browser. Or your bank, or anything in > life. > > Again, the norm mandate to be able to disable secureboot on x86 and to > choose the key. The whole petition is about those that do not follow the > norm, and for those, the incentive was to not being Windows 8 certified. So > as annoying this will be, that's the best way to find something that let > you run Linux. > > >>> And regarding using consumer protection channels, no one did anything to >>> make anything move since one year despite being widely publicized on >>> various blogs, so how is your proposal different ? >>> >>> Talk is cheap, if every people who proposed that ( for example, on >> slashdot >>> or various foras where nerds are discussing ), someone would have started >>> the work by the time. No one did, and that's because everybody that would >>> be serious enough know this is built on wrong assumptions. >> >> in the end talk is cheap and noone does anything about it. or rather >> instead >> of working together, all the companies who back the major linuxes decide >> to go >> down the easy route. (like subscribing into the microsoft program and using >> their root key...) >> > > All plans that requires someone else to do anything is just a way to blame > failure to someone else. If you delegate all your action to someone else, > you lose the right to complain about this group not doing what you want. > Only delusional fools would believe otherwise. > > In fact, hardware not working on Linux is a decades old problem. We all > have seen how boycott worked so well to have more hardware supported on > linux, and how people happily trade freedom for convenience ( like nvidia > drivers, printers, etc, etc ). People should just do a reality check from > time to time before proposing the same plan again and again. Last time I > checked, humans didn't evolve from goldfish, so maybe we could stop acting > like them. >
Apathy is not the answer. Claire
