[Cerowrt-devel] Huawei banned by US gov...

[Cerowrt-devel] Huawei banned by US gov...

[Dave Taht]

And we labor on...

https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear

To me, the only long term way to even start to get out of this
nightmare (as we cannot trust anyone else's gear either, and we have
other reminders of corruption like the volkswagon scandal) is to
mandate the release of source code, with reproducible builds[1], for
just about everything connected to the internet or used in safety
critical applications, like cars. Even that's not good enough, but it
would be a start. Even back when we took on the FCC on this issue, (
http://www.taht.net/~d/fcc_saner_software_practices.pdf )  I never
imagined it would get this bad.

'round here we did produce one really trustable router in the cerowrt
project, which was 100% open source top to bottom, which serves as an
existence proof - and certainly any piece of gear reflashed with
openwrt is vastly better and more secure  than what we get from the
manufacturer - but even then, I always worried that my build
infrastructure for cerowrt was or could be compromised and took as
many steps as I could to make sure it wasn't - cross checking builds,
attacking it with various attack tools, etc.

Friends don't let friends run factory firmware, we used to say. Being
able to build from sources yourself is a huge improvement in potential
trustability - (but even then the famous paper on reflections on
trusting trust applies). And so far, neither the open source or
reproducable builds concepts have entered the public debate.

Every piece of hardware nowadays is rife with binary blobs and there
are all sorts of insecurities in all the core cpus and co-processors
designed today.

And it isn't of course, just security in huawei's case - intel just
exited the business - they are way ahead of the US firms in general in
so many areas.

I have no idea where networked computing can go anymore, particularly
in the light of the latest MDS vulns revealed over the past few days (
https://lwn.net/Articles/788522/ ). I long ago turned off
hyperthreading on everything I cared about, moved my most critical
resources out of the cloud, but I doubt others can do that. I know
people that run a vm inside a vm. I keep hoping someone will invest
something major into the mill computing's cpu architecture - which
does no speculation and has some really robust memory and stack
smashing protection features (
http://millcomputing.com/wiki/Protection ), and certainly there's hope
that risc-v chips could be built with a higher layer of trust than any
arm or intel cpu today (but needs substancial investment into open
on-chip peripherals)

This really isn't a bloat list thing, but the slashdot discussion is
toxic. Is there a mailing list where these sorts of issues can be
rationally discussed?

Maybe if intel just released all their 5G IP into the public domain?

/me goes back to bed

[1] https://en.wikipedia.org/wiki/Reproducible_builds

-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740

Re: [Cerowrt-devel] Huawei banned by US gov...

[David P. Reed]

[-- Attachment #1: Type: text/plain, Size: 4634 bytes --]


In my personal view, the lack of any evidence that Huawei has any more government-controlled or classified compartmented Top Secret offensive Cyberwar exploits than Cisco, Qualcomm, Broadcom, Mellanox, F5, NSO group, etc. is quite a strong indication that there's no relevant "there" there.
 
Given the debunking of both the Supermicro and Huawei fraudulent claims (made by high level "government sources" in the intelligence community), this entire thing looks to me like an attempt to use a fake National Emergency to achieve Trade War goals desired by companies close to the US Government agencies (esp. now that the Secretary of Defense is a recent Boeing CEO who profits directly from such imaginary threats).
 
Now, I think that this "open up the sources" answer is a really good part of a solution. The other parts are having resiliency built in to our systems. The Internet is full of resiliency today. A balkanized and "sort of air-gapped" US transport network infrastructure is far more fragile and subject to both random failure and targeted disruption.
 
But who is asking me?  Fear is being stoked.
 
 
On Thursday, May 16, 2019 5:58am, "Dave Taht" <dave.taht@gmail.com> said:



> And we labor on...
> 
> https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear
> 
> To me, the only long term way to even start to get out of this
> nightmare (as we cannot trust anyone else's gear either, and we have
> other reminders of corruption like the volkswagon scandal) is to
> mandate the release of source code, with reproducible builds[1], for
> just about everything connected to the internet or used in safety
> critical applications, like cars. Even that's not good enough, but it
> would be a start. Even back when we took on the FCC on this issue, (
> http://www.taht.net/~d/fcc_saner_software_practices.pdf ) I never
> imagined it would get this bad.
> 
> 'round here we did produce one really trustable router in the cerowrt
> project, which was 100% open source top to bottom, which serves as an
> existence proof - and certainly any piece of gear reflashed with
> openwrt is vastly better and more secure than what we get from the
> manufacturer - but even then, I always worried that my build
> infrastructure for cerowrt was or could be compromised and took as
> many steps as I could to make sure it wasn't - cross checking builds,
> attacking it with various attack tools, etc.
> 
> Friends don't let friends run factory firmware, we used to say. Being
> able to build from sources yourself is a huge improvement in potential
> trustability - (but even then the famous paper on reflections on
> trusting trust applies). And so far, neither the open source or
> reproducable builds concepts have entered the public debate.
> 
> Every piece of hardware nowadays is rife with binary blobs and there
> are all sorts of insecurities in all the core cpus and co-processors
> designed today.
> 
> And it isn't of course, just security in huawei's case - intel just
> exited the business - they are way ahead of the US firms in general in
> so many areas.
> 
> I have no idea where networked computing can go anymore, particularly
> in the light of the latest MDS vulns revealed over the past few days (
> https://lwn.net/Articles/788522/ ). I long ago turned off
> hyperthreading on everything I cared about, moved my most critical
> resources out of the cloud, but I doubt others can do that. I know
> people that run a vm inside a vm. I keep hoping someone will invest
> something major into the mill computing's cpu architecture - which
> does no speculation and has some really robust memory and stack
> smashing protection features (
> http://millcomputing.com/wiki/Protection ), and certainly there's hope
> that risc-v chips could be built with a higher layer of trust than any
> arm or intel cpu today (but needs substancial investment into open
> on-chip peripherals)
> 
> This really isn't a bloat list thing, but the slashdot discussion is
> toxic. Is there a mailing list where these sorts of issues can be
> rationally discussed?
> 
> Maybe if intel just released all their 5G IP into the public domain?
> 
> /me goes back to bed
> 
> [1] https://en.wikipedia.org/wiki/Reproducible_builds
> 
> --
> 
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
> 

[-- Attachment #2: Type: text/html, Size: 6328 bytes --]

Re: [Cerowrt-devel] Huawei banned by US gov...

[Dave Taht]

One thing I've been trying to do (again) is more outreach outside our
direct circles, on various subjects, in various ways. Up until
recently I was pretty happy with the overall progress of the fq_codel
deployment, and it was things like this not bufferbloat-related that
were getting me down the most.

Jim, esr, and I wrote letters to the editor on this subject of the
washington post, guardian  and the economist, recently. This is an
ancient technique, but so long as we're persistent about having a (or
multiple) letters like that, at a low level of effort, perhaps that is
one "new" way to "get through". We need to keep trying various
avenues. The rules, though, of letters to the editor is that they have
to be unique, and well, give each one a week or three, then try
another pub, I figure is unique enough. After a while, perhaps an open
letter. I have no idea... but we have to try! More of us, have to try.
If someone(s) from here can merely get something on some subject they
care about into their local newspaper, it's a plus.

I've had quite a lot of solace in playing a ton of rock and roll of
late, notably an updated version of "working class hero" that I should
sit down and record. Playing the guitar is just about the only way I
feel even halfway connected to anything of late.  "It gpls me"
recently got the most hits of any song I've ever posted.

Buying a press release a we did before on the fcc fight, did work, but
it was expensive, and never crossed over into the business press.
Trying to create an environment when something suddenly becomes
"obvious" to a lot of people, requires a supersaturated solution. For
all I know the world (I certainly am) is at its breaking point
regarding all the security (and bufferbloat!) problems in the
computing world and ready to accept something new instead of business
as usual.

Recently I had one of the weirder things happen in a while. For about
a month, I've been using in various public and private conversations
an analogy "about me being a scared and scarred survivor of a poetry
slam between vogons and bokononists", and realizing how few had read
Vonnegut's "cat's cradle" to understand what I meant, fully.
Yesterday, or the day before, slashdot had a whole bunch of people
refer to that book and I felt a bit less mis-understood. Co-incidence?
no idea....

One of the things that cheers me up is that book was published in the
early 60s and civilization survived, after, admittedly, getting neck
deep in the big muddy.
So anyway, here's that song, that has a fascinating history:

https://www.youtube.com/watch?v=uXnJVkEX8O4

and to me applies to a lot of folk, currently in power. Perhaps the
times are a changin, too.

On Thu, May 16, 2019 at 4:12 PM David P. Reed <dpreed@deepplum.com> wrote:
>
> In my personal view, the lack of any evidence that Huawei has any more government-controlled or classified compartmented Top Secret offensive Cyberwar exploits than Cisco, Qualcomm, Broadcom, Mellanox, F5, NSO group, etc. is quite a strong indication that there's no relevant "there" there.
>
>
>
> Given the debunking of both the Supermicro and Huawei fraudulent claims (made by high level "government sources" in the intelligence community), this entire thing looks to me like an attempt to use a fake National Emergency to achieve Trade War goals desired by companies close to the US Government agencies (esp. now that the Secretary of Defense is a recent Boeing CEO who profits directly from such imaginary threats).
>
>
>
> Now, I think that this "open up the sources" answer is a really good part of a solution. The other parts are having resiliency built in to our systems. The Internet is full of resiliency today. A balkanized and "sort of air-gapped" US transport network infrastructure is far more fragile and subject to both random failure and targeted disruption.
>
>
>
> But who is asking me?  Fear is being stoked.

Answers outside the box need to be presented to the purveyors of power
and public manipulation... and the public.

>
>
>
>
> On Thursday, May 16, 2019 5:58am, "Dave Taht" <dave.taht@gmail.com> said:
>
> > And we labor on...
> >
> > https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear
> >
> > To me, the only long term way to even start to get out of this
> > nightmare (as we cannot trust anyone else's gear either, and we have
> > other reminders of corruption like the volkswagon scandal) is to
> > mandate the release of source code, with reproducible builds[1], for
> > just about everything connected to the internet or used in safety
> > critical applications, like cars. Even that's not good enough, but it
> > would be a start. Even back when we took on the FCC on this issue, (
> > http://www.taht.net/~d/fcc_saner_software_practices.pdf ) I never
> > imagined it would get this bad.
> >
> > 'round here we did produce one really trustable router in the cerowrt
> > project, which was 100% open source top to bottom, which serves as an
> > existence proof - and certainly any piece of gear reflashed with
> > openwrt is vastly better and more secure than what we get from the
> > manufacturer - but even then, I always worried that my build
> > infrastructure for cerowrt was or could be compromised and took as
> > many steps as I could to make sure it wasn't - cross checking builds,
> > attacking it with various attack tools, etc.
> >
> > Friends don't let friends run factory firmware, we used to say. Being
> > able to build from sources yourself is a huge improvement in potential
> > trustability - (but even then the famous paper on reflections on
> > trusting trust applies). And so far, neither the open source or
> > reproducable builds concepts have entered the public debate.
> >
> > Every piece of hardware nowadays is rife with binary blobs and there
> > are all sorts of insecurities in all the core cpus and co-processors
> > designed today.
> >
> > And it isn't of course, just security in huawei's case - intel just
> > exited the business - they are way ahead of the US firms in general in
> > so many areas.
> >
> > I have no idea where networked computing can go anymore, particularly
> > in the light of the latest MDS vulns revealed over the past few days (
> > https://lwn.net/Articles/788522/ ). I long ago turned off
> > hyperthreading on everything I cared about, moved my most critical
> > resources out of the cloud, but I doubt others can do that. I know
> > people that run a vm inside a vm. I keep hoping someone will invest
> > something major into the mill computing's cpu architecture - which
> > does no speculation and has some really robust memory and stack
> > smashing protection features (
> > http://millcomputing.com/wiki/Protection ), and certainly there's hope
> > that risc-v chips could be built with a higher layer of trust than any
> > arm or intel cpu today (but needs substancial investment into open
> > on-chip peripherals)
> >
> > This really isn't a bloat list thing, but the slashdot discussion is
> > toxic. Is there a mailing list where these sorts of issues can be
> > rationally discussed?
> >
> > Maybe if intel just released all their 5G IP into the public domain?
> >
> > /me goes back to bed
> >
> > [1] https://en.wikipedia.org/wiki/Reproducible_builds
> >
> > --
> >
> > Dave Täht
> > CTO, TekLibre, LLC
> > http://www.teklibre.com
> > Tel: 1-831-205-9740
> > _______________________________________________
> > Cerowrt-devel mailing list
> > Cerowrt-devel@lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-devel
> >



-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740

Re: [Cerowrt-devel] Huawei banned by US gov...

[David P. Reed]

[-- Attachment #1: Type: text/plain, Size: 9042 bytes --]


Thanks for the song share. It's timely. I've been recommending this to all my Democrat friends. [ https://youtu.be/bLqKXrlD1TU ]( https://youtu.be/bLqKXrlD1TU ) [ https://youtu.be/GqNxne97ubc ]( https://youtu.be/GqNxne97ubc ) (the two song versions together) (The Republicans are too far gone to bother). I think you had to be there, though. They mostly don't get the point. The song describes the Democratic Party leading us into the Big Muddy back then, and now they think that party gave us civil rights and progress, and saved us from disaster. It didn't, it wasn't the sargeant. We did, by being the sergeant ourselves, recognizing the Parties were both part of the problem.
 
By the way, can I see the letters to the editor? Did they get published?
 
 
On Thursday, May 16, 2019 10:44am, "Dave Taht" <dave.taht@gmail.com> said:



> One thing I've been trying to do (again) is more outreach outside our
> direct circles, on various subjects, in various ways. Up until
> recently I was pretty happy with the overall progress of the fq_codel
> deployment, and it was things like this not bufferbloat-related that
> were getting me down the most.
> 
> Jim, esr, and I wrote letters to the editor on this subject of the
> washington post, guardian and the economist, recently. This is an
> ancient technique, but so long as we're persistent about having a (or
> multiple) letters like that, at a low level of effort, perhaps that is
> one "new" way to "get through". We need to keep trying various
> avenues. The rules, though, of letters to the editor is that they have
> to be unique, and well, give each one a week or three, then try
> another pub, I figure is unique enough. After a while, perhaps an open
> letter. I have no idea... but we have to try! More of us, have to try.
> If someone(s) from here can merely get something on some subject they
> care about into their local newspaper, it's a plus.
> 
> I've had quite a lot of solace in playing a ton of rock and roll of
> late, notably an updated version of "working class hero" that I should
> sit down and record. Playing the guitar is just about the only way I
> feel even halfway connected to anything of late. "It gpls me"
> recently got the most hits of any song I've ever posted.
> 
> Buying a press release a we did before on the fcc fight, did work, but
> it was expensive, and never crossed over into the business press.
> Trying to create an environment when something suddenly becomes
> "obvious" to a lot of people, requires a supersaturated solution. For
> all I know the world (I certainly am) is at its breaking point
> regarding all the security (and bufferbloat!) problems in the
> computing world and ready to accept something new instead of business
> as usual.
> 
> Recently I had one of the weirder things happen in a while. For about
> a month, I've been using in various public and private conversations
> an analogy "about me being a scared and scarred survivor of a poetry
> slam between vogons and bokononists", and realizing how few had read
> Vonnegut's "cat's cradle" to understand what I meant, fully.
> Yesterday, or the day before, slashdot had a whole bunch of people
> refer to that book and I felt a bit less mis-understood. Co-incidence?
> no idea....
> 
> One of the things that cheers me up is that book was published in the
> early 60s and civilization survived, after, admittedly, getting neck
> deep in the big muddy.
> So anyway, here's that song, that has a fascinating history:
> 
> https://www.youtube.com/watch?v=uXnJVkEX8O4
> 
> and to me applies to a lot of folk, currently in power. Perhaps the
> times are a changin, too.
> 
> On Thu, May 16, 2019 at 4:12 PM David P. Reed <dpreed@deepplum.com> wrote:
> >
> > In my personal view, the lack of any evidence that Huawei has any more
> government-controlled or classified compartmented Top Secret offensive Cyberwar
> exploits than Cisco, Qualcomm, Broadcom, Mellanox, F5, NSO group, etc. is quite a
> strong indication that there's no relevant "there" there.
> >
> >
> >
> > Given the debunking of both the Supermicro and Huawei fraudulent claims (made
> by high level "government sources" in the intelligence community), this entire
> thing looks to me like an attempt to use a fake National Emergency to achieve
> Trade War goals desired by companies close to the US Government agencies (esp. now
> that the Secretary of Defense is a recent Boeing CEO who profits directly from
> such imaginary threats).
> >
> >
> >
> > Now, I think that this "open up the sources" answer is a really good part of
> a solution. The other parts are having resiliency built in to our systems. The
> Internet is full of resiliency today. A balkanized and "sort of air-gapped" US
> transport network infrastructure is far more fragile and subject to both random
> failure and targeted disruption.
> >
> >
> >
> > But who is asking me? Fear is being stoked.
> 
> Answers outside the box need to be presented to the purveyors of power
> and public manipulation... and the public.
> 
> >
> >
> >
> >
> > On Thursday, May 16, 2019 5:58am, "Dave Taht" <dave.taht@gmail.com>
> said:
> >
> > > And we labor on...
> > >
> > >
> https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear
> > >
> > > To me, the only long term way to even start to get out of this
> > > nightmare (as we cannot trust anyone else's gear either, and we have
> > > other reminders of corruption like the volkswagon scandal) is to
> > > mandate the release of source code, with reproducible builds[1], for
> > > just about everything connected to the internet or used in safety
> > > critical applications, like cars. Even that's not good enough, but it
> > > would be a start. Even back when we took on the FCC on this issue, (
> > > http://www.taht.net/~d/fcc_saner_software_practices.pdf ) I never
> > > imagined it would get this bad.
> > >
> > > 'round here we did produce one really trustable router in the cerowrt
> > > project, which was 100% open source top to bottom, which serves as an
> > > existence proof - and certainly any piece of gear reflashed with
> > > openwrt is vastly better and more secure than what we get from the
> > > manufacturer - but even then, I always worried that my build
> > > infrastructure for cerowrt was or could be compromised and took as
> > > many steps as I could to make sure it wasn't - cross checking builds,
> > > attacking it with various attack tools, etc.
> > >
> > > Friends don't let friends run factory firmware, we used to say. Being
> > > able to build from sources yourself is a huge improvement in potential
> > > trustability - (but even then the famous paper on reflections on
> > > trusting trust applies). And so far, neither the open source or
> > > reproducable builds concepts have entered the public debate.
> > >
> > > Every piece of hardware nowadays is rife with binary blobs and there
> > > are all sorts of insecurities in all the core cpus and co-processors
> > > designed today.
> > >
> > > And it isn't of course, just security in huawei's case - intel just
> > > exited the business - they are way ahead of the US firms in general in
> > > so many areas.
> > >
> > > I have no idea where networked computing can go anymore, particularly
> > > in the light of the latest MDS vulns revealed over the past few days (
> > > https://lwn.net/Articles/788522/ ). I long ago turned off
> > > hyperthreading on everything I cared about, moved my most critical
> > > resources out of the cloud, but I doubt others can do that. I know
> > > people that run a vm inside a vm. I keep hoping someone will invest
> > > something major into the mill computing's cpu architecture - which
> > > does no speculation and has some really robust memory and stack
> > > smashing protection features (
> > > http://millcomputing.com/wiki/Protection ), and certainly there's hope
> > > that risc-v chips could be built with a higher layer of trust than any
> > > arm or intel cpu today (but needs substancial investment into open
> > > on-chip peripherals)
> > >
> > > This really isn't a bloat list thing, but the slashdot discussion is
> > > toxic. Is there a mailing list where these sorts of issues can be
> > > rationally discussed?
> > >
> > > Maybe if intel just released all their 5G IP into the public domain?
> > >
> > > /me goes back to bed
> > >
> > > [1] https://en.wikipedia.org/wiki/Reproducible_builds
> > >
> > > --
> > >
> > > Dave Täht
> > > CTO, TekLibre, LLC
> > > http://www.teklibre.com
> > > Tel: 1-831-205-9740
> > > _______________________________________________
> > > Cerowrt-devel mailing list
> > > Cerowrt-devel@lists.bufferbloat.net
> > > https://lists.bufferbloat.net/listinfo/cerowrt-devel
> > >
> 
> 
> 
> --
> 
> Dave Täht
> CTO, TekLibre, LLC
> http://www.teklibre.com
> Tel: 1-831-205-9740
> 

[-- Attachment #2: Type: text/html, Size: 11564 bytes --]