Hi all,
glad my glamorous title obtained your attention :-D
I'm joking about Black Friday, I'm _not_ joking about "CPU as a service"
since the issue I recently labeled in this ML as the "MINIX on ring -3 discovery" is not clear to at least one of my FSFE-pen-friends, I have be more specific
also, please I would like to know if and eventually how FSFE will address this kind of issues when talking with EU or local representatives about the "Consumer rights and device sovereignty" policy goal for 2019 https://fsfe.org/activities/policy/eu/policy-goals/consumer-rights.en.html
considering what I'm going to show here, we should definitely extend the device sovereignty to **all users**: public and private companies, governments and all other institutions too, not only consumers (ouch!) :-O
...so please also remind EU and local representative that **(part of) their (sorry: our) IT systems are also affected** by this serious issue
Executive summary ------------------
«One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them»
on all Intel processors sold after 2008 there's a running *proprietary* variation of the not copyleft free software MINIX 3 (unknown version), MINIX is running in "ring -3" [1]
now we have the proofs that:
1. **no** "user facing OS" operating system have final control of the x86 platform 2. between the "user facing OS" and the hardware there are at least 2 ½ OS kernels (MINIX and UEFI) 3. these are proprietary and very likely exploit-friendly 4. the exploits can persist, i.e. be written to FLASH, and you can't fix that 5. the user have _no access_ to the MINIX running in ring -3
MINIX is running on three separate x86 cores on modern chips, on that OS are running:
1. TCP/IP networking stacks (4 and 6) 2. File systems 3. Drivers (disk, net, USB, mouse) 4. Web servers
please **do not** consider this kind of issues specific to a single brand of CPUs, since we still do not have proofs but the development path is the very same
*** Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared. *** (Ronald Minnich)
The not so short story -----------------------
the fact: on Wednesday, October 25 2017 Ronald Minnich from Google told the world about this: «With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.»
this article presents a short version of the story: http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/ I used this for my executive summary ;-)
the issue is **not** new (known since 2016, at least) and presented many times also in FSF/FSFE "circles", eg. here https://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me and here https://lists.fsfe.org/pipermail/discussion/2016-April/010912.html
EFF and Matthew Garrett where more specific about the nature of the issue on May 8 2017 here https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-haza... and here https://mjg59.dreamwidth.org/48429.html
so: what's new now?!?
since October 25 (save the date!) what **is** new is that we have a scientific proof of the real nature of this _mess_
...and we know that Google *is* _desperately_ trying to get rid of this issue from their systems *but* they are failing to fully do this
please enjoy the full Garrett's talk in this video https://www.youtube.com/watch?v=iffTJ1vPCSo
he said: "always use coreboot if you can, but if you are stuck with a situation..." (29:21 of the video) ... libreboot is maybe better, IMHO
so, ladies and gentlemen I'll introduce you "CPU as a service"
do we have to accept an EULA?!?
ciao Giovanni
[1] https://en.wikipedia.org/wiki/Protection_ring what the hell is ring -3 ?!?! who "invented" it? where is it documented? should we expect to see "ring -9" in the future? how we could even allow anyone in the world to implement such a perverted environment?
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Sadly, I'm not sure that this massive leak matters much with e.g. local governments moving to Windows 10 that is already known to exfiltrate data. The entire premise of using "<hardware|software>-as-a-Service" with minimal control and/or privacy seems to be already well established in the EU, even though it would also seem to directly contradict the GDPR. I'd love to hear someone from the EU weigh in on how this is possible from a legal perspective; I don't fully understand it from the other side of the pond.
Also, if this sort of CPU-as-a-Service is concerning, why not use an ARM [0] or OpenPOWER [1] system that gives you full control? Especially for those already using libre software the switch is pretty painless. Going forward one relatively easy way to deal with the problem is to put the data-slurping proprietary applications on a dedicated x86 machine that's isolated from the wider Internet as much as possible, and use rdesktop or similar to connect from a secure machine. Might also be a good idea to start researching how to make data diodes more accessible to the "average" libre software user, so that data from the x86 machine can flow to the non-x86 machines but not vice-versa.
Just my $0.02!
[0] https://www.nxp.com/support/developer-resources/software-development-tools/q...
[1] https://raptorcs.com/TALOSII/
On 11/24/2017 10:19 AM, Giovanni Biscuolo wrote:
Hi all,
glad my glamorous title obtained your attention :-D
I'm joking about Black Friday, I'm _not_ joking about "CPU as a service"
since the issue I recently labeled in this ML as the "MINIX on ring -3 discovery" is not clear to at least one of my FSFE-pen-friends, I have be more specific
also, please I would like to know if and eventually how FSFE will address this kind of issues when talking with EU or local representatives about the "Consumer rights and device sovereignty" policy goal for 2019 https://fsfe.org/activities/policy/eu/policy-goals/consumer-rights.en.html
considering what I'm going to show here, we should definitely extend the device sovereignty to **all users**: public and private companies, governments and all other institutions too, not only consumers (ouch!) :-O
...so please also remind EU and local representative that **(part of) their (sorry: our) IT systems are also affected** by this serious issue Executive summary
«One Ring to rule them all, One Ring to find them, One Ring to bring them all and in the darkness bind them»
on all Intel processors sold after 2008 there's a running *proprietary* variation of the not copyleft free software MINIX 3 (unknown version), MINIX is running in "ring -3" [1]
now we have the proofs that:
- **no** "user facing OS" operating system have final control of the x86
platform 2. between the "user facing OS" and the hardware there are at least 2 ½ OS kernels (MINIX and UEFI) 3. these are proprietary and very likely exploit-friendly 4. the exploits can persist, i.e. be written to FLASH, and you can't fix that 5. the user have _no access_ to the MINIX running in ring -3
MINIX is running on three separate x86 cores on modern chips, on that OS are running:
- TCP/IP networking stacks (4 and 6)
- File systems
- Drivers (disk, net, USB, mouse)
- Web servers
please **do not** consider this kind of issues specific to a single brand of CPUs, since we still do not have proofs but the development path is the very same
*** Are you scared yet? If you're not scared yet, maybe I didn't explain it very well, because I sure am scared. *** (Ronald Minnich)
The not so short story
the fact: on Wednesday, October 25 2017 Ronald Minnich from Google told the world about this: «With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor"). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.»
this article presents a short version of the story: http://www.zdnet.com/article/minix-intels-hidden-in-chip-operating-system/ I used this for my executive summary ;-)
the issue is **not** new (known since 2016, at least) and presented many times also in FSF/FSFE "circles", eg. here https://www.fsf.org/blogs/licensing/intel-me-and-why-we-should-get-rid-of-me
and here https://lists.fsfe.org/pipermail/discussion/2016-April/010912.html
EFF and Matthew Garrett where more specific about the nature of the issue on May 8 2017 here https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-haza...
and here https://mjg59.dreamwidth.org/48429.html
so: what's new now?!?
since October 25 (save the date!) what **is** new is that we have a scientific proof of the real nature of this _mess_
...and we know that Google *is* _desperately_ trying to get rid of this issue from their systems *but* they are failing to fully do this
please enjoy the full Garrett's talk in this video https://www.youtube.com/watch?v=iffTJ1vPCSo
he said: "always use coreboot if you can, but if you are stuck with a situation..." (29:21 of the video) ... libreboot is maybe better, IMHO
so, ladies and gentlemen I'll introduce you "CPU as a service"
do we have to accept an EULA?!?
ciao Giovanni
[1] https://en.wikipedia.org/wiki/Protection_ring what the hell is ring -3 ?!?! who "invented" it? where is it documented? should we expect to see "ring -9" in the future? how we could even allow anyone in the world to implement such a perverted environment?
Discussion mailing list Discussion@lists.fsfe.org https://lists.fsfe.org/mailman/listinfo/discussion
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Hi Timothy,
first of all please smile thinking of the Great Irony of History that lead MINIX to be probably the most installed OS on the market (I don't have the figures but _strong_ suspicion)
so now "we" have won the free software OS battle just to start the next one? :-)
«We are the Borg. Lower your shields and surrender your ships. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service us. Resistance is futile.» (Star Trek - First Contact, 1996)
* Timothy Pearson [2017-11-24 14:56:21 -0600]:
Sadly, I'm not sure that this massive leak matters much with e.g. local governments moving to Windows 10 that is already known to exfiltrate data.
please consider that the majority of local and EU policy-makers are not doing this because they are despicable, simply they are sure **they can manage** this kind of problems signing "special case EULAs" and alike, trying to fix those issues by "de jure patches"
we should convince them that is a _losing_ path: given the scientific evidences we are witnessing time after time, legal contracts cannot fix those huge security and privacy (government security and privacy!) problems
[...]
GDPR. I'd love to hear someone from the EU weigh in on how this is possible from a legal perspective; I don't fully understand it from the other side of the pond.
me too, I love the principles stated in GDPR but I fear they will be "useless de jure patches" given how much **the computing devices and Internet _are_ broken by design**
this is why I appreciate (draft!) legislative proposals like those from #youbroketheinternet [1]: they *may* be questionable but an interesting starting point (and I'm still studying them)
please also consider that many respectable free software supporters are proposing solutions that are **useless tech workarounds**; e.g. looking at https://privacylab.yale.edu/ , in the "What we do" box, I read: "Hosting Tor", "providing TAILS OS", "hardened GNU/Linux", privacy-respecting tools such as PGP/GPG e-mail and E2EE messaging...
Also, if this sort of CPU-as-a-Service is concerning, why not use an ARM [0] or OpenPOWER [1] system that gives you full control?
please _do not_ concentrate on the "phenomenology of x386 brokenness" since it' **not** the only one example; e.g. also some (all?) smartphones are broken by design
so while I **love** all the projects you mentioned (there are many you already listed in other messages AFAIK), I want to stress that **the market alone cannot fix it**: is it clear enough?!? :-)
the very fact that **is** possible to sell **broken by design** computing devices should be considered _unconstitutional_, this brings to the consequence that selling **broken by design** computing devices should be (severely) illegal [2]; the really good "side effect" of this would be that selling broken devices is also considered _unfair competition_ versus constitutional respectful vendors ;-)
Especially for those already using libre software the switch is pretty painless.
ehrm: sorry if it sounds bold but please consider all the properties of relationships coming from complex system theory such as nonlinearity, emergence, spontaneous order, adaptation, and feedback loops (/me hacking :-) )
in this complex system we **have to** consider that _few_ of us can "easily" set up an entire free software **infrastructure** starting from _the devices_ and ending with JS programs running in their browsers: that is my job and I know I _cannot_ "sell" such a solution to my customers yet, OK?
_soon_ my customers will have to be GDPR compliant: how can I support them in order to give reasonable confidence that their infrastructures will not leak sensitive data they collect _even_ if they are using free software "infrastructure wide"?
...I cannot even use an entire free infrastructure for "myself", partly because I _already have_ a running infrastructure and would be quite expensive (in monetary and time terms) to replace it... in case of smartphones *almost* impossible (I'm still not convinced Replicant resolves the **broken by design computing devices** problem, and the very fact that Replicant is supported on too few smartphones *is* very limiting)
when talking about infrastructure please also consider that **all** of us needs _some_ "external computing device", usually rented from a vendor: why should I be "obliged by the market" to use a broken by design "bare metal" host?!? why the _burden_ to verify the level of brokenness should be contractually transferred to "me" and I cannot **pretend** that the host _is_ secure **by design**?!?
I'm not alone in this _inability_ to free my devices, given that there is a research group in Google (read: great resources) that has been struggling for almost two years *just* to get rid of the most toxic "features" deeply buried in their servers
we *need* the constitutional right to buy a device or sign an hosting contract and trust the vendor will not use his physical access power to break the security of such devices *by design*
OK, I've stressed this enough :-D
Going forward one relatively easy way to deal with the problem is to put the data-slurping proprietary applications on a dedicated x86 machine that's isolated from the wider Internet as much as possible, and use rdesktop or similar to connect from a secure machine.
I respect this proposed solution *but* this is just a temporary (and costly) workaround... and I'm not willing to follow you on this path :-)
considering we are going towards an even increasing **broken Internet of broken computing Things**™ the "final consequence" of this _could_ likely be that one day those who wants to be free will be forced to opt-out from _every_ "form" of their digital life and choose to be "analog only" [3] :-O
concluding: I want that my right to use interconnected digital devices _remaining a free human being_ will be treated as a **constitutional** fundamental right, all other policies and market regulation decisions should be consequent
[...]
Ciao Giovanni
[1] http://youbroketheinternet.org/legislation/ObCrypto-law-proposal.pdf
[2] in Italy we are used to read messages like "è _severamente_ vietato" ("it's severely forbidden"): it always sound very funny to many of us :-)
[3] the infamous "blue or red phial" dilemma from Douglas Hofstadter's 1979 book Gödel, Escher, Bach https://en.wikipedia.org/wiki/Red_pill_and_blue_pill#G.C3.B6del.2C_Escher.2C... still inspiring many fictions
On Monday 27. November 2017 13.52.55 Giovanni Biscuolo wrote:
please also consider that many respectable free software supporters are proposing solutions that are **useless tech workarounds**; e.g. looking at https://privacylab.yale.edu/ , in the "What we do" box, I read: "Hosting Tor", "providing TAILS OS", "hardened GNU/Linux", privacy-respecting tools such as PGP/GPG e-mail and E2EE messaging...
I know that you're trying to communicate that control of the hardware is essential, but those other things still complement efforts to maintain overall control of our computing environments, uphold privacy, and so on. As such, they are not useless.
Only if they are being proposed as complete solutions can they be considered as useless, ineffective or giving a false sense of security (workarounds, as you note). But at the same time, you wouldn't advocate controlling the hardware and then openly wonder why anyone would bother encrypting things or running secure operating systems.
So we need to consider all of these things, or at least many of them. These days, I constantly find myself reminding people to beware of the zero-sum game, as they promote their favourite things at the expense of other, equally worthwhile things. This is no different.
Paul
Hi Paul,
* Paul Boddie [2017-11-28 23:06:24 +0100]:
On Monday 27. November 2017 13.52.55 Giovanni Biscuolo wrote:
please also consider that many respectable free software supporters are proposing solutions that are **useless tech workarounds**; e.g. looking at https://privacylab.yale.edu/ , in the "What we do" box, I read: "Hosting Tor", "providing TAILS OS", "hardened GNU/Linux", privacy-respecting tools such as PGP/GPG e-mail and E2EE messaging...
I know that you're trying to communicate that control of the hardware is essential,
yes, and since I know that **useless* sounds harsh, I must comment about this
I seriously *love* and use each of the above mentioned projects _and_ have a profound sense of gratitude for the people behind them; I also know that using that software is *much* better than not to use them (I'd be not here ;-) )
that said, please consider I used the term **useless** as an analogy in this context: «The summer of 2013 will remain the moment we finally realized how broken the Internet was [1], and how much this had been abused.» (http://youbroketheinternet.org/)
[1] http://secushare.org/broken-internet this page presents a serious analysis of the inherent problems of Internet design and currently proposed solutions, unfortunately just tech workarounds (useless in the context of __documented__ abuses, we still do not know nothing about the _undocumented_ ones)
so, as long as the statement "Internet is broken by design" should _not_ be discarded just because it's harsh **and** it does not mean people should not use privacy and anonymity enhancing measures provided by the workarounds when using Internet, please consider not to trash away my **useless tech workarounds** "label" :-)
in other words (sorry if I'm stressing on this), some computing devices have become **virtual machines** running in a stealth host with a complete OS running on it; you have not root access to the host, just to the virtual machine (NIBM - aka not invented by me)
everyone relying on virtual machines must know what it means from a privacy and anonymity POV
I'm fine using virtual machines, I'm using a lot of them for my business and for my customers... so to paraphrase the #youbroketheinternet statement above: «The autumn of 2018 will remain the moment Giovanni Biscuolo finally realized how broken *his* computing devices was, and how much this could be abused; anyway he absolutely trusts his vendors, providers, local government and all other governments around the world and he is confident his broken devices will **never** be abused by the unknown root user»
but those other things still complement efforts to maintain overall control of our computing environments, uphold privacy, and so on. As such, they are not useless.
sorry but I disagree with you :-)
they are very useful for a broad spectrum of attack vectors, but useless on virtual machines for *narrow* but potentially destructive attack vectors
[...]
then openly wonder why anyone would bother encrypting things or running secure operating systems.
never said that: I bother encryption and all other security, privacy and anonymity tech... but they are limited and I use it for a plenty of _other_ reasons (e.g. I use LUKS on all my hosts in case of theft)
So we need to consider all of these things, or at least many of them. These days, I constantly find myself reminding people to beware of the zero-sum game, as they promote their favourite things at the expense of other, equally worthwhile things. This is no different.
I'm not promoting anything, I'm just questioning the proposed solutions in the light of this new "discovery"
...not true, I'm _promoting_ a serious question: can the market alone fix the "CPU as a service" issue?
I've no solution
Ciao Giovanni
On Wednesday 29. November 2017 10.01.25 Giovanni Biscuolo wrote:
in other words (sorry if I'm stressing on this), some computing devices have become **virtual machines** running in a stealth host with a complete OS running on it; you have not root access to the host, just to the virtual machine (NIBM - aka not invented by me)
Right. For example, it is important that people question whether their smartphone's "root" mode, generously allowed by the vendor, is actually giving them "device root" privileges or whether it just lets them install something they like into a virtual machine.
[...]
So we need to consider all of these things, or at least many of them. These days, I constantly find myself reminding people to beware of the zero-sum game, as they promote their favourite things at the expense of other, equally worthwhile things. This is no different.
I'm not promoting anything, I'm just questioning the proposed solutions in the light of this new "discovery"
But it is irresponsible to categorise various kinds of technology as "useless" when they are only insufficient under certain circumstances, such as those where people can access your device and read your keychain as if they were you, for example. People may think that they and others are focusing on the wrong things when we can surely agree that these are also the right things to use and to work on.
I would formulate this as a matter of the hardware *undermining* the successful use of these other technologies, which may make the *application* of those technologies appear "useless" if the hardware's undesirable characteristics are exploited, but do not make the technologies themselves useless. With a remedy for the hardware problem, these technologies do not suddenly become inherently useful, because they were useful all along.
...not true, I'm _promoting_ a serious question: can the market alone fix the "CPU as a service" issue?
It depends on what measures are in place to prevent people "corrupting" the hardware without some kind of strong, independent regulation. It has been noted that adopting other CPU architectures doesn't solve this problem ("what about the foundries?" and so on), but that doesn't make things like RISC-V (which may ultimately be part of Google's way out of this) "useless" and not worth pursuing. The solution involves pursuing many things at once and recognising that they are all worthwhile.
Paul
* Giovanni Biscuolo [2017-11-24 17:19:23 +0100]:
glad my glamorous title obtained your attention :-D
sorry I'm an idiot since I did not realized that my joke on "Black Friday" *almost surely* means that someone deleted my message as SPAM, in this case you can find it in the archives:
https://lists.fsfe.org/pipermail/discussion/2017-November/012060.html
[...]
ciao Giovanni
On 24 November 2017 18:19:23 EET, Giovanni Biscuolo g@xelera.eu wrote:
[...]
- between the "user facing OS" and the hardware there are at least 2 ½
OS kernels (MINIX and UEFI) 3. these are proprietary and very likely exploit-friendly
Update: Have been exploited... (And you wouldn't even realize it!) https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-...
- the exploits can persist, i.e. be written to FLASH, and you can't
fix that [...]
In short: We are essentially being forced, without even being told, to run buggy proprietary code in a very powerful and very capable hyper-hyper-visor of our OS, which can (benign or maliciously) control both the (free) software we run and the hardware we "own", without our knowledge. (See also in-line comment below..)
Greetings, Jann PGP 0xE7A47A578A30148A
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/28/2017 03:23 PM, Jann KRUSE wrote:
In short: We are essentially being forced, without even being told, to run buggy proprietary code in a very powerful and very capable hyper-hyper-visor of our OS, which can (benign or maliciously) control both the (free) software we run and the hardware we "own", without our knowledge. (See also in-line comment below..)
Greetings, Jann PGP 0xE7A47A578A30148A
As before, though, you're only forced into this you need to stay on x86.
IMHO part of the reasoning for this lockdown is that the majority of x86 sales by volume are still to consumers. Therefore, there is strong call to prevent the machine lessee (hesitate to call anyone bound by an EULA an "owner") from doing anything that might be considered unacceptable (e.g. breaking DRM, posting restricted content, using unlicensed software like Linux, possibly even depending on region criticising the authorities). We're already seeing some of this in the wild in that the 4k streaming services require the ME and its DRM in order to run.
It's still early enough to at least forcibly split "production", owner-controlled hardware from the "consumption" leased hardware. However this only happens if people support the vendors that are still making owner controlled hardware by selecting their products over the competing leased x86 systems.
Anecdotally, I have personally seen way too many people supposedly interested in libre software that are literally locking themselves into the x86 walled garden over games. Think about that: *games*. Giving up privacy and control to waste time in front of a *game*. This is the mentality that needs to be fixed, that somehow consuming content is more important than being able to create it. No idea how to do that right now.
As always, just my $0.02.
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Jost to note that not all copies of Linux are unlicensed.
The unlicensed ones are those shipped or provided by non-free system distributions that happen to break the terms of the license (currently: 99%).
Besides, the Linux project itself seems to currently put non-free parts inside it so, one always has to do some cleanup even if getting a copy from Linux project itself.
2017-11-28T15:33:06-0600 Timothy Pearson wrote:
On 11/28/2017 03:23 PM, Jann KRUSE wrote:
In short: We are essentially being forced, without even being told, to run buggy proprietary code in a very powerful and very capable hyper-hyper-visor of our OS, which can (benign or maliciously) control both the (free) software we run and the hardware we "own", without our knowledge. (See also in-line comment below..)
Greetings, Jann PGP 0xE7A47A578A30148A
As before, though, you're only forced into this you need to stay on x86.
IMHO part of the reasoning for this lockdown is that the majority of x86 sales by volume are still to consumers. Therefore, there is strong call to prevent the machine lessee (hesitate to call anyone bound by an EULA an "owner") from doing anything that might be considered unacceptable (e.g. breaking DRM, posting restricted content, using unlicensed software like Linux, possibly even depending on region criticising the authorities). We're already seeing some of this in the wild in that the 4k streaming services require the ME and its DRM in order to run.
It's still early enough to at least forcibly split "production", owner-controlled hardware from the "consumption" leased hardware. However this only happens if people support the vendors that are still making owner controlled hardware by selecting their products over the competing leased x86 systems.
Anecdotally, I have personally seen way too many people supposedly interested in libre software that are literally locking themselves into the x86 walled garden over games. Think about that: *games*. Giving up privacy and control to waste time in front of a *game*. This is the mentality that needs to be fixed, that somehow consuming content is more important than being able to create it. No idea how to do that right now.
As always, just my $0.02.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I was using "unlicensed" somewhat facetiously from a large content provider perspective; specifically, in the common usage of "not paying a license fee back to the vendor on a continuous basis". The general idea was that the machine vendor wants to see a financial kickback after sale in return for leasing the hardware to the end user at or near cost -- this is what motivates the preinstalled bloatware and things like SuperFish.
Sorry for the confusion!
On 11/28/2017 03:45 PM, Adonay Felipe Nogueira wrote:
Jost to note that not all copies of Linux are unlicensed.
The unlicensed ones are those shipped or provided by non-free system distributions that happen to break the terms of the license (currently: 99%).
Besides, the Linux project itself seems to currently put non-free parts inside it so, one always has to do some cleanup even if getting a copy from Linux project itself.
2017-11-28T15:33:06-0600 Timothy Pearson wrote:
On 11/28/2017 03:23 PM, Jann KRUSE wrote:
In short: We are essentially being forced, without even being told, to run buggy proprietary code in a very powerful and very capable hyper-hyper-visor of our OS, which can (benign or maliciously) control both the (free) software we run and the hardware we "own", without our knowledge. (See also in-line comment below..)
Greetings, Jann PGP 0xE7A47A578A30148A
As before, though, you're only forced into this you need to stay on x86.
IMHO part of the reasoning for this lockdown is that the majority of x86 sales by volume are still to consumers. Therefore, there is strong call to prevent the machine lessee (hesitate to call anyone bound by an EULA an "owner") from doing anything that might be considered unacceptable (e.g. breaking DRM, posting restricted content, using unlicensed software like Linux, possibly even depending on region criticising the authorities). We're already seeing some of this in the wild in that the 4k streaming services require the ME and its DRM in order to run.
It's still early enough to at least forcibly split "production", owner-controlled hardware from the "consumption" leased hardware. However this only happens if people support the vendors that are still making owner controlled hardware by selecting their products over the competing leased x86 systems.
Anecdotally, I have personally seen way too many people supposedly interested in libre software that are literally locking themselves into the x86 walled garden over games. Think about that: *games*. Giving up privacy and control to waste time in front of a *game*. This is the mentality that needs to be fixed, that somehow consuming content is more important than being able to create it. No idea how to do that right now.
As always, just my $0.02.
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Il 28 novembre 2017 22:33:06 CET, Timothy Pearson tpearson@raptorengineering.com ha scritto:
[…] Think about that: *games*. Giving up privacy and control to waste time in front of a *game*. […]
(I'm sorry, I know this is not a reasonable use of the list) You've never played "Metal Gear Solid", have you? I might have drunk the koolaid, but I really believe videogames can be a revolutionary medium of expression, much like books, paintings, sculptures, movies, comics... To dismiss them like you did, if it's not hyperbole, is wrong. I value freedom more than videogames, but they can be much more than you make them sound.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/28/2017 04:47 PM, White_Rabbit wrote:
Il 28 novembre 2017 22:33:06 CET, Timothy Pearson tpearson@raptorengineering.com ha scritto:
[…] Think about that: *games*. Giving up privacy and control to waste time in front of a *game*. […]
(I'm sorry, I know this is not a reasonable use of the list) You've never played "Metal Gear Solid", have you? I might have drunk the koolaid, but I really believe videogames can be a revolutionary medium of expression, much like books, paintings, sculptures, movies, comics... To dismiss them like you did, if it's not hyperbole, is wrong. I value freedom more than videogames, but they can be much more than you make them sound.
Oh, I agree they are a valuable artistic medium, and I have a few myself that I greatly enjoy. However, not only do I disagree with the onerous EULA for many of the larger titles, but I strongly object to the game copyright extending beyond 20 years or so, especially when the manufacturer won't update or sell the game any more after only a year or two post release.
I only object to people giving up their privacy, control, etc. over other aspects of their life because the game is considered more important. That is the wrong attitude; the game may be valuable, but is it really more valuable than anything the individual might ever create (or want to create) using a computer?
Locked-down x86 boxes are practically a dime a dozen; gaming can be easily done on one of those while real work is done elsewhere. But trying to get people to understand this has yielded unexpected resistance, largely due to the costs of then having to maintain two separate computers. I really don't know what to do to fix this, as I don't think it *can* be fixed given the issues of the x86 platform.
Personally, I keep all of the DRM boxes separate and isolated. Amazon streaming goes through a dedicated "garbage" PC that never sees any personal data, etc. No idea if others are willing adopt this model or will just surrender the last shreds of their personal life to keep up with games and streaming video...
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Hi,
Timothy Pearson tpearson@raptorengineering.com writes:
Giving up privacy and control to waste time in front of a *game*.
I agree with you that freedom is more important than games. But in the long run, we need to find other solutions than telling people not to use things. Phones are bad because they all come with proprietary blobs, so don't use them. New technology: Often bad, better wait till it's old and better understood. Online services that you don't host yourself: Bad, dont' use them. Games: Usually bad, don't use them. I understand that freedom is important but to most people, giving up games they really enjoy is also giving up some of their freedom and people who use services other people host also feel increased freedom because they can spend their time doing something other than managing a server. So what I'm saying is that we need to be careful not to tell people we want them to lead a live of deprivation.
Happy hacking! Florian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 11/29/2017 11:16 AM, Florian Snow wrote:
Hi,
Timothy Pearson tpearson@raptorengineering.com writes:
Giving up privacy and control to waste time in front of a *game*.
I agree with you that freedom is more important than games. But in the long run, we need to find other solutions than telling people not to use things. Phones are bad because they all come with proprietary blobs, so don't use them. New technology: Often bad, better wait till it's old and better understood. Online services that you don't host yourself: Bad, dont' use them. Games: Usually bad, don't use them. I understand that freedom is important but to most people, giving up games they really enjoy is also giving up some of their freedom and people who use services other people host also feel increased freedom because they can spend their time doing something other than managing a server. So what I'm saying is that we need to be careful not to tell people we want them to lead a live of deprivation.
Happy hacking! Florian
Yes, I agree. The question is, in a society where any new features / ways of doing things are expected at no cost or well below the real cost of creating things, how does society as a whole move away from the resultant need to "monetise" the resulting products in unethical ways?
I guess this is really a variation on the age-old practice of "loss leaders", but taken to such an extreme that it's now expected of every tech product. Combined with 120+ year copyright it's rather hard to come up with a solution other than to just not use the unethical products in the first place, sadly.
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Hi Timothy,
# Timothy Pearson [2017-11-29 20:25 +0100]:
Yes, I agree. The question is, in a society where any new features / ways of doing things are expected at no cost or well below the real cost of creating things, how does society as a whole move away from the resultant need to "monetise" the resulting products in unethical ways?
No answer to your question but some additional thoughts:
If you were talking only about web services, I'd understand. But in other areas technical products sometimes are obviously overpriced and people seem to tolerate, understand and/or even respect that. Examples: Apple products or some popular proprietary software like MS Office or Adobe stuff.
The only difference to the "no-cost" web services like social networks is that they are paid by the users' data and privacy – hard to quantify but I'd say this is overpriced, too.
Best, Max
Hi,
Timothy Pearson tpearson@raptorengineering.com writes:
I guess this is really a variation on the age-old practice of "loss leaders", but taken to such an extreme that it's now expected of every tech product. Combined with 120+ year copyright it's rather hard to come up with a solution other than to just not use the unethical products in the first place, sadly.
I tend to agree. However, I always hope I'm simply not creative enough to come up with other solutions. That's why I keep trying.
Happy hacking! Florian
Dear Jann,
* Jann KRUSE [2017-11-28 21:23:54 +0000]:
Update: Have been exploited... (And you wouldn't even realize it!) https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-...
as you correctly pointed out below, the real problem is not unintentional occurrence of exploitable bugs: this is normal on all OSs and can be addressed (with various level of difficulty, **very** hardly in this case)
«To root, or not to root, that is the question:» who have root access to the hyper-hyper-visor?
this soon leads to the following questions:
1 is root access documented anywhere on earth? 2 how can I manage the root password in order to be compliant with national mandatory security regulations? [1]
mumble, mumble...
[...]
In short: We are essentially being forced, without even being told, to run buggy proprietary code in a very powerful and very capable hyper-hyper-visori
very nice executive ultra-summary thanks! :-)
Ciao Giovanni
[1] https://en.m.wikipedia.org/wiki/Cyber-security_regulation there are a **lot** of mandatory regulations considering password management _vital_ to the security of IT infrastructure
(a latere, semi-serious)
May I propose an amendment to the first freedom (as in https://www.gnu.org/philosophy/free-sw.html)?
"The freedom to run the program as you wish, for any purpose (freedom 0)."
should become
"The freedom to run (or NOT to run) the program as you wish, for any purpose (freedom 0)."
Of course it's redundant, but it emphasizes the liberty to opt-out.
If I'm not mistaken, this is already there.
They are freedoms, not obligations against the user. They must be possoble of course, but the user isn't obligated to make use of all of the freedoms, the same applies to freedom 0, see [1].
[1] http://dcc.ufmg.br/~lcerf/rms.webm. This is multi-audio-track file. First is with speech in English and commentaries unchanged (either in English or in Brazilian Portuguese); second is with speech translated to Brazilian Portuguese (it has some minor errors and cuts but it's OK for the majority of the speech).
2017-11-29T12:21:54+0100 Andrea Trentini wrote:
(a latere, semi-serious)
May I propose an amendment to the first freedom (as in https://www.gnu.org/philosophy/free-sw.html)?
"The freedom to run the program as you wish, for any purpose (freedom 0)."
should become
"The freedom to run (or NOT to run) the program as you wish, for any purpose (freedom 0)."
Of course it's redundant, but it emphasizes the liberty to opt-out.