[Cerowrt-devel] Huawei banned by US gov...

Dave Taht dave.taht at gmail.com
Thu May 16 05:58:28 EDT 2019


And we labor on...

https://tech.slashdot.org/story/19/05/15/2136242/trump-signs-executive-order-barring-us-companies-from-using-huawei-gear

To me, the only long term way to even start to get out of this
nightmare (as we cannot trust anyone else's gear either, and we have
other reminders of corruption like the volkswagon scandal) is to
mandate the release of source code, with reproducible builds[1], for
just about everything connected to the internet or used in safety
critical applications, like cars. Even that's not good enough, but it
would be a start. Even back when we took on the FCC on this issue, (
http://www.taht.net/~d/fcc_saner_software_practices.pdf )  I never
imagined it would get this bad.

'round here we did produce one really trustable router in the cerowrt
project, which was 100% open source top to bottom, which serves as an
existence proof - and certainly any piece of gear reflashed with
openwrt is vastly better and more secure  than what we get from the
manufacturer - but even then, I always worried that my build
infrastructure for cerowrt was or could be compromised and took as
many steps as I could to make sure it wasn't - cross checking builds,
attacking it with various attack tools, etc.

Friends don't let friends run factory firmware, we used to say. Being
able to build from sources yourself is a huge improvement in potential
trustability - (but even then the famous paper on reflections on
trusting trust applies). And so far, neither the open source or
reproducable builds concepts have entered the public debate.

Every piece of hardware nowadays is rife with binary blobs and there
are all sorts of insecurities in all the core cpus and co-processors
designed today.

And it isn't of course, just security in huawei's case - intel just
exited the business - they are way ahead of the US firms in general in
so many areas.

I have no idea where networked computing can go anymore, particularly
in the light of the latest MDS vulns revealed over the past few days (
https://lwn.net/Articles/788522/ ). I long ago turned off
hyperthreading on everything I cared about, moved my most critical
resources out of the cloud, but I doubt others can do that. I know
people that run a vm inside a vm. I keep hoping someone will invest
something major into the mill computing's cpu architecture - which
does no speculation and has some really robust memory and stack
smashing protection features (
http://millcomputing.com/wiki/Protection ), and certainly there's hope
that risc-v chips could be built with a higher layer of trust than any
arm or intel cpu today (but needs substancial investment into open
on-chip peripherals)

This really isn't a bloat list thing, but the slashdot discussion is
toxic. Is there a mailing list where these sorts of issues can be
rationally discussed?

Maybe if intel just released all their 5G IP into the public domain?

/me goes back to bed

[1] https://en.wikipedia.org/wiki/Reproducible_builds

-- 

Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740


More information about the Cerowrt-devel mailing list