←back to thread

We should have the ability to run any code we want on hardware we own

(hugotunius.se)
2071 points K0nserv | 6 comments | 31 Aug 25 21:46 UTC | HN request time: 1.413s | source | bottom
Show context
zmmmmm ◴[01 Sep 25 02:51 UTC] No.45088995[source]
> In this context this would mean having the ability and documentation to build or install alternative operating systems on this hardware

It doesn't work. Everything from banks to Netflix and others are slowly edging out anything where they can't fully verify the chain of control to an entity they can have a legal or contractual relationship with. To be clear, this is fundamental, not incidental. You can't run your own operating system because it's not in Netflix's financial interest for you to do so. Or your banks, or your government. They all benefit from you not having control, so you can't.

This is why it's so important to defend the real principles here not just the technical artefacts of them. Netflix shouldn't be able to insist on a particular type of DRM for me to receive their service. Governments shouldn't be able to prevent me from end to end encrypting things. I should be able to opt into all this if I want more security, but it can't be mandatory. However all of these things are not technical, they are principles and rights that we have to argue for.

replies(38): >>45089166 #>>45089202 #>>45089284 #>>45089333 #>>45089427 #>>45089429 #>>45089435 #>>45089489 #>>45089510 #>>45089540 #>>45089671 #>>45089713 #>>45089774 #>>45089807 #>>45089822 #>>45089863 #>>45089898 #>>45089923 #>>45089969 #>>45090089 #>>45090324 #>>45090433 #>>45090512 #>>45090536 #>>45090578 #>>45090671 #>>45090714 #>>45090902 #>>45090919 #>>45091186 #>>45091432 #>>45091515 #>>45091629 #>>45091710 #>>45092238 #>>45092325 #>>45092412 #>>45092773 #
josephg ◴[01 Sep 25 04:34 UTC] No.45089489[source]
My parents are getting old and they aren't tech savvy. The missing piece here is that I want my parents to have a computer they can safely do their banking on, without leaving them vulnerable to scams and viruses and the like. I like that they have iphones. Doing internet banking on their phone is safer than doing it on their desktop computer. Why is that?

The reason is that the desktop PC security model is deeply flawed. In modern desktop operating systems, we protect user A from user B. But any program running on my computer is - for some reason - completely trusted with my data. Any program I run is allowed to silently edit, delete or steal anything I own. Unless you install special software, you can't even tell if any of this is happening. This makes every transitive dependency of every program on your computer a potential attack vector.

I want computers to be hackable. But I don't also want my computer to be able to be hacked so easily. Right now, I have to choose between doing banking on my (maybe - hopefully - safe) computer. Or doing banking on my definitely safe iphone. What a horrible choice.

Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.

I think the argument against locked down computers (like iphones and androids) would be a lot stronger if linux & friends provided a real alternative that was both safe and secure. If big companies are the only ones which provide a safe computing experience, we're asking for trouble.

replies(21): >>45089546 #>>45089576 #>>45089598 #>>45089602 #>>45089643 #>>45089690 #>>45089745 #>>45089884 #>>45090077 #>>45090112 #>>45090128 #>>45090605 #>>45090660 #>>45091074 #>>45091275 #>>45091454 #>>45091793 #>>45092007 #>>45092495 #>>45092746 #>>45114735 #
raxxorraxor ◴[01 Sep 25 13:19 UTC] No.45092495[source]
It is the other way around. The security model of mobile devices seriously inhibits innovation and we end up with ever the same crappy apps we don't really need.

I also don't believe more people get scammed on PC compared to mobile platforms. Scammers go where the most naive people congregate.

A sensibly configured Linux system is very secure compared to your mobile device. No security model can really shield against user stupidity. The people would need completely different devices as they simply aren't fit to use a computer. My parents are the same, but I won't accept a bad compromise of an OS just because they essentially need other devices.

At some point a user will be asked to allow execution of code they got through some fishy mail. There is no defense against that other than for the user sticking to books.

replies(1): >>45092547 #
1. hollerith ◴[01 Sep 25 13:28 UTC] No.45092547[source]
>A sensibly configured [desktop, i.e., not just a headless server] Linux system is very secure compared to your mobile device.

That is not true. It is understandable that you believe it because it gets repeated a lot, but those repeaters are doing what you are, namely repeating what they heard (and sometimes what they want to be true) without sufficient actual knowledge of what they are talking about.

replies(1): >>45092727 #
2. raxxorraxor ◴[01 Sep 25 13:59 UTC] No.45092727[source]
It is fairly true, what is your definition here? The main attack vector today is malicious mails being opened. These usually don't target linux systems and fail to execute.

Sure, it is circumstancial security, but exploits exist for mobile devices as well.

replies(1): >>45092850 #
3. hollerith ◴[01 Sep 25 14:16 UTC] No.45092850[source]
Media decoders are an important attack vector. Examples include PDF viewers and the library that produces thumbnails for display by the file browser. (One way to attack a media decoder is to get the user to open a malicious email, but there are other ways.)

The web browser is an important attack vector, and there are no Linux distros that sandboxes the browser anywhere near as effectively as Android and ChromeOS do except maybe Qubes, but Qubes is stuck using X for the display server and using Zen, both of which have been abandoned by their maintainers and aren't receiving enough maintenance attention to fix security vulnerabilities. I.e., Qubes's reputation for security probably comes from the fact that it was relatively secure many years ago.

Android and ChromeOS use selinux to sandbox the browser. Fedora uses selinux, too, but it only sandboxes server software: any program including a web browser started by the user is unconstrained (unaffected) by Fedora's selinux implementation.

The kernel is another important attack vector (and Linus has always been bored by and impatient with security considerations.)

Ditto the C library. Note that GrapheneOS uses a special, hardened C libary (which in the last few years has migrated to at least one security-focused Linux distro, namely, secureblue, but of course none of the people that show up here on HN proudly proclaiming that Linux is more secure than iOS or Android use secureblue, and the lead of the secureblue project freely admits that MacOS iOS Android and ChromeOS are more secure than secureblue is).

You know how one of the arguments for Wayland is the fact that there is no way to prevent any process from reading the contents of any X window? Well, to actually achieve this "window privacy" inherent in Wayland requires active support from the compositor, and Gnome has the only Wayland compositor that actually provides this support.

Till the vulnerability started getting exploited some time last year, anyone could upload a theme to KDE's theme store that could run arbitrary code when the user chose to install it. No one was reviewing uploaded themes for malware or warning users of the danger.

Hyprland uses a trampoline (files at a known location in the file system that are occasionally executed by Hyprland) for reasons that are hard to explain if we assume that Hyprland's maintainers care anything about security.

replies(1): >>45094326 #
4. raxxorraxor ◴[01 Sep 25 16:48 UTC] No.45094326{3}[source]
Of course the browser still is an attack vector but the relevancy of that vector is lower today. Same goes for these examples. These are exploits and they will always exist, sandbox or not. A few years ago you could log in to MacOS as root without a password. Meta just released a memo two days ago that Whatsapp exploits compromised Android and iOS devices. Guess it was sandboxed, but all users allowed the app to access files and contacts anyway.

Today the main problem is social engineering and scams. The disadvantage of mobile OS are too great to justify bad approaches to desktop systems or security in general. And for browsers that means the security threat isn't some arcane media decoder, it is the well made phishing site.

But my argument is more that perhaps I don't want window privacy because it doesn't fit my security needs and reduces functionality and access. And one assumption in that is that one compromised app can compromise the whole system in the worst case and believe risks must be mitigated elsewhere. In case of doubt, I can reasonably sandbox something I execute myself, if the need is warranted.

I would love a good file explorer for my mobile device. But file access is restricted. How many hours wasted to bad security...

replies(1): >>45094658 #
5. seba_dos1 ◴[01 Sep 25 17:21 UTC] No.45094658{4}[source]
It's always entertaining to see security people struggling to understand what security is there for. They just consider "security" as the goal in itself, because being more secure is obviously good, right? Yo dawg, I've put a sandbox into your sandbox so you can be secure while you are secure.

If you insist that using software with trampolines means not "caring anything about security", I'm afraid it's a you problem. I'll still be happy to hug my partner when she comes home regardless of what germs might have been on a tram's seat she was sitting on on the way there, regardless of whether someone thinks that this means I don't care anything about health (I'm sure someone does).

In case someone needs it spelled out: I do care, but there are other things I care about too and I won't let some minuscule threats ruin them.

replies(1): >>45095863 #
6. josephg ◴[01 Sep 25 19:34 UTC] No.45095863{5}[source]
The threat model I think about a lot is supply chain attacks.

We’ve found out about a handful of such attacks over the last few years - like xz. And I’ve seen the number of random dependencies which get pulled in by most nodejs, cargo or python projects. The dependencies just scroll on by. There is no vetting process for putting code in npm or cargo. Nobody signs off on anything. Nobody reads the source code. There are no checks, and you can put anything in there.

If malicious code slipped in, would you even notice? I probably wouldn’t. How terrifying.

Linux’s security model means that any malicious code in a crate can run as me and access all of my files. Or delete them or whatever it wants to do. To me this is crazy. There’s no reason to give arbitrary untrusted code full permissions to all of my files and data - but there we have it.

I worry that it’s only a matter of time before we see more attacks like this. It’s such an obvious attack. And our lax endpoint security makes the vulnerability a way bigger problem than it needs to be. It would be trivial for a remote attacker to install C&C software on my computer. They could grab my SSH certificates and install backdoors in any of my projects on github. Read my email. Impersonate me. Crypto locker my stuff. Install malicious extensions into my web browser. And on and on.

None of this would be possible with proper isolation. There’s no reason a build.rs file needs write access to my whole filesystem. It’s crazy.