Most Security Assertions Dangerous [Re: YouTube via Onion Services]
- From: zen at freedbms.net (Zenaan Harkness)
- Date: Fri, 7 Dec 2018 02:26:16 +1100
- In-reply-to: <CAD2Ti2-7usMN-6sik6Ci3RwBjDyHFzwEnRtDJ_r7R7kXW=sBPw@mail.gmail.com>
- References: <CAD2Ti2-7usMN-6sik6Ci3RwBjDyHFzwEnRtDJ_r7R7kXW=sBPw@mail.gmail.com>
On Thu, Dec 06, 2018 at 03:25:05AM -0500, grarpamp wrote:
> [1] You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linux's, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.
Git style signed content hash chains and reproducible builds FTW
muffaluggerahs!
So Debian Buster is over 90%, yay!
From 2015 80%:
Lots of progress for Debian's reproducible builds
https://lwn.net/Articles/630074/
To Buster ~92.4%:
https://isdebianreproducibleyet.com/
“NO! … but buster on amd64 is 92.4% reproducible right now!”
To pretty dang gud bruh!:
Debian reproducible builds project update, 2017-07-23,
Stretch/amd64 reaching 94%
https://lwn.net/Articles/728599/
And some nice summary sheetskis and chartskis:
https://tests.reproducible-builds.org/debian/reproducible.html
https://wiki.debian.org/ReproducibleBuilds
> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
>
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism
Indeed.
> The list of requisites to even get close to improving
> the situation grows...
Improvement in problem definition is necessary, and is not an
"increase" in the requisites to e.g. security of personal
communications, simply a fuller understanding of the problem.
Alt: we are rising from ignorance. Painful but necessary awareness.
Let's add to the above list another obvious in hindsight:
#StackMinimization - including HW - i.e. trust boundaries (nee attack
surfaces) must be seriously minimized to reach something we can
collectively reason about in its elements (hw/ sw).
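
Added example, not part of the original message: a toy Python model of the chain discussed above, from a signed repository head, through a reproducible build, to the published image. The history, the build step, and the assumption that the head id was taken from an already verified signature are all constructed for illustration.

```python
import hashlib

def digest(*parts: bytes) -> str:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(8, "big") + p)
    return d.hexdigest()

def chain_ids(history):
    """Git-style chain: each id covers its own content AND its parent's id."""
    ids, parent = [], ""
    for tree, message in history:
        parent = digest(parent.encode(), tree, message.encode())
        ids.append(parent)
    return ids

def build_iso(tree: bytes, build_time=None) -> bytes:
    """Toy build step (assumption). An embedded build time breaks reproducibility."""
    stamp = b"" if build_time is None else str(build_time).encode()
    return b"ISO:" + tree + stamp

def verify_release(history, signed_head: str, published_iso: bytes):
    """Return the breaks found between the signed head and the published image."""
    problems = []
    if chain_ids(history)[-1] != signed_head:
        problems.append("history does not hash to the signed head")
    if digest(build_iso(history[-1][0])) != digest(published_iso):
        problems.append("independent rebuild differs from published image")
    return problems

# Constructed sample data, not taken from any real repository.
HISTORY = [(b"src v1", "initial import"), (b"src v2", "fix"), (b"src v3", "release")]
SIGNED_HEAD = chain_ids(HISTORY)[-1]  # assumed to come from a verified signature
GOOD_ISO = build_iso(HISTORY[-1][0])
STAMPED_ISO = build_iso(HISTORY[-1][0], build_time=1544109976)
TAMPERED = [(b"src v1 (altered)", "initial import")] + HISTORY[1:]

if __name__ == "__main__":
    print(verify_release(HISTORY, SIGNED_HEAD, GOOD_ISO))     # intact chain
    print(verify_release(TAMPERED, SIGNED_HEAD, GOOD_ISO))    # old commit altered
    print(verify_release(HISTORY, SIGNED_HEAD, STAMPED_ISO))  # unreproducible build
```

The altered first commit is caught even though the final tree is unchanged, because the head id covers every ancestor; the timestamped image is caught only because an independent rebuild is possible at all.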