aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Duncan <pabs@pablotron.org>2024-07-26 10:23:57 -0400
committerPaul Duncan <pabs@pablotron.org>2024-07-26 10:23:57 -0400
commit323bd6e94742923c4766635847c86426707bb582 (patch)
treed4d94e595165839484e637b4457e4bdd9271dd78
parent2a3a3db3ba7011470d55a0c8d5ea3cc73a5ec965 (diff)
downloadpablotron.org-323bd6e94742923c4766635847c86426707bb582.tar.bz2
pablotron.org-323bd6e94742923c4766635847c86426707bb582.zip
TODO.md: add post ideas: firefox nonsense, cloudstrike, and secure boot
-rw-r--r--TODO.md83
1 files changed, 83 insertions, 0 deletions
diff --git a/TODO.md b/TODO.md
index df56504..a001c94 100644
--- a/TODO.md
+++ b/TODO.md
@@ -297,6 +297,89 @@
- xchacha (larger nonce)
- language:
https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/
+- remove firefox crap:
+ <https://support.mozilla.org/en-US/questions/1292122>
+- firefox privacy-preserving nonsense
+- problems w/ tracking apis:
+ - orwellian name (does not preserve privacy)
+ - analogies for folks to understand correlation: clue, sudoku, wordle
+ - eff article (in lwn comment) talks about 3 pieces of info to
+ uniquely identify someone
+ - commenter on lwn: history shows tracking apis are additive (it
+ accretes)
+ - <https://arstechnica.com/gadgets/2024/07/google-will-not-disable-tracking-cookies-in-chrome-after-years-of-trying/>
+ - nonsense might be in good faith: upton sinclair "it's difficult to
+ get a man to understand something when his job depends on him not
+ understanding it"; both google and mozilla depend on advertising
+ - false premise about advertising being the sole or even optimal
+ method of supporting sites, that the onus is on users to support
+ a particular method, or that there are only two options.
+ - orwell, politics and the english language:
+ <https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/>
+ - carl sagan, baloney detection kit:
+ <https://www.themarginalian.org/2014/01/03/baloney-detection-kit-carl-sagan/>
+ <https://en.wikipedia.org/wiki/The_Demon-Haunted_World#Baloney_detection_kit>
+ - good quotes and general sentiment: "creeping dark pattern" and "we
+ take your privacy and security... seriously":
+ <https://www.jwz.org/blog/2024/07/your-personal-information-is-very-important-to-us-part-two/>
+- commentary on crowdstrike
+ - lots of ideas floating around, all with tradeoffs. no perfect
+ solution (engineering problem, all have tradeoffs)
+ - me: homogeneous systems (panama disease for bananas)
+ - monoculture: overspecialize and you breed in weakness
+ - attempt to simplify workload for IT administrators has
+ created a monoculture
+ - IT policies should be descriptive, not prescriptive
+ - "needs more testing", "testing can only demonstrate the presense of
+ bugs, not the absense of them"
+ combinatorial explosion can make it impossible to test all inputs
+ for even seemingly simple functions. example:
+ `u64 f(u64 n) { return 1/(rand_val-n); }`
+ - "beware of this code, i have only proven it correct, not tested
+ it"
+ - "testing can only demonstrate the presense of bugs, not the
+ absense of them"
+ - needs a/b boot (what android does)
+ <https://www.phoronix.com/news/systemd-Auto-Boot-Assessment>
+ problem (in comments of phoronix article): crowdstrike deliberately
+ bypassing
+ - needs verification on signed drivers: driver is signed and verified,
+ reads invalid config file
+ - should be impossible to end up in invalid state ("halting problem",
+ also limits the expressive power of configuration; e.g. "accidental
+ interpreters")
+ - code should execute in a trusted environment (already done with ebpf
+ in linux and that still causes crashes, relies on a "sufficient
+ smart compiler/validator")
+ (bpf verifier <https://lwn.net/Articles/982077/>)
+ - phased deploys (e.g., like chrome. relies on sysadmins to set this
+ up properly)
+ - <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/>
+ (preliminary post-incident report. not doing staggered rollouts,
+ only doing partial testing)
+ - summary of problems: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014397>
+ - crowdstrike tos: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014524>
+ - NULL bytes caused by crash with unflushed write(): <https://www.crowdstrike.com/blog/tech-analysis-channel-file-may-contain-null-bytes/>
+- "open source model" coopting language (also orwell, yeesh):
+ <https://lwn.net/Articles/982954/>
+ - humpty dumpty in through the looking glass "when i use a word
+ it means precisely what i intend it to mean. nothing more and
+ nothing less"
+ (license isn't open, source -- e.g., training material -- isn't open
+ it's not "AI", just co-opting language to mean the opposite of what
+ the words actually mean)
+- ocsp: good riddance to bad rubbish: <https://lwn.net/Articles/982965/>
+- secureboot broken:
+ <https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/>
+ - modern security too hard to use.
+ - imperial violet "have one joint and keep it well-oiled"
+ - comment thread on reddit about unsafe rsa/aes-cbc combo:
+ <https://old.reddit.com/r/programming/comments/1e4ugqm/public_key_cryptography_to_share_secrets_easily/>
+ - log of goochat w/ alonzo on 2024-07-26 with summary of this stuff
+ - busted full disk encryption implementations
+ - cryptopals introduction (most crypto fatally broken)
+ - etc
+ - lots of older stuff is "knives up in dishwasher"
## linkdump (2022-08-10):
- css bg fade: