From 323bd6e94742923c4766635847c86426707bb582 Mon Sep 17 00:00:00 2001
From: Paul Duncan <pabs@pablotron.org>
Date: Fri, 26 Jul 2024 10:23:57 -0400
Subject: TODO.md: add post ideas: firefox nonsense, cloudstrike, and secure
 boot

---
 TODO.md | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)

diff --git a/TODO.md b/TODO.md
index df56504..a001c94 100644
--- a/TODO.md
+++ b/TODO.md
@@ -297,6 +297,89 @@
   - xchacha (larger nonce)
 - language:
   https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/
+- remove firefox crap:
+  <https://support.mozilla.org/en-US/questions/1292122>
+- firefox privacy-preserving nonsense
+- problems w/ tracking apis:
+  - orwellian name (does not preserve privacy)
+  - analogies for folks to understand correlation: clue, sudoku, wordle
+  - eff article (in lwn comment) talks about 3 pieces of info to
+    uniquely identify someone
+  - commenter on lwn: history shows tracking apis are additive (it
+    accretes)
+  - <https://arstechnica.com/gadgets/2024/07/google-will-not-disable-tracking-cookies-in-chrome-after-years-of-trying/>
+  - nonsense might be in good faith: upton sinclair "it's difficult to
+    get a man to understand something when his job depends on him not
+    understanding it"; both google and mozilla depend on advertising
+  - false premise about advertising being the sole or even optimal
+    method of supporting sites, that the onus is on users to support
+    a particular method, or that there are only two options.
+  - orwell, politics and the english language:
+    <https://www.orwellfoundation.com/the-orwell-foundation/orwell/essays-and-other-works/politics-and-the-english-language/>
+  - carl sagan, baloney detection kit:
+    <https://www.themarginalian.org/2014/01/03/baloney-detection-kit-carl-sagan/>
+    <https://en.wikipedia.org/wiki/The_Demon-Haunted_World#Baloney_detection_kit>
+  - good quotes and general sentiment: "creeping dark pattern" and "we
+    take your privacy and security... seriously":
+    <https://www.jwz.org/blog/2024/07/your-personal-information-is-very-important-to-us-part-two/>
+- commentary on crowdstrike
+  - lots of ideas floating around, all with tradeoffs.  no perfect
+    solution (engineering problem, all have tradeoffs)
+  - me: homogeneous systems (panama disease for bananas)
+    - monoculture: overspecialize and you breed in weakness
+    - attempt to simplify workload for IT administrators has
+      created a monoculture
+    - IT policies should be descriptive, not prescriptive
+  - "needs more testing", "testing can only demonstrate the presense of
+    bugs, not the absense of them"
+    combinatorial explosion can make it impossible to test all inputs
+    for even seemingly simple functions.  example:
+      `u64 f(u64 n) { return 1/(rand_val-n); }`
+    - "beware of this code, i have only proven it correct, not tested
+      it"
+    - "testing can only demonstrate the presense of bugs, not the
+      absense of them"
+  - needs a/b boot (what android does)
+    <https://www.phoronix.com/news/systemd-Auto-Boot-Assessment>
+    problem (in comments of phoronix article): crowdstrike deliberately
+    bypassing
+  - needs verification on signed drivers: driver is signed and verified,
+    reads invalid config file
+  - should be impossible to end up in invalid state ("halting problem",
+    also limits the expressive power of configuration; e.g. "accidental
+    interpreters")
+  - code should execute in a trusted environment (already done with ebpf
+    in linux and that still causes crashes, relies on a "sufficient
+    smart compiler/validator")
+    (bpf verifier <https://lwn.net/Articles/982077/>)
+  - phased deploys (e.g., like chrome.  relies on sysadmins to set this
+    up properly)
+  - <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/>
+    (preliminary post-incident report.  not doing staggered rollouts,
+    only doing partial testing)
+  - summary of problems: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014397>
+  - crowdstrike tos: <https://arstechnica.com/information-technology/2024/07/crowdstrike-blames-testing-bugs-for-security-update-that-took-down-8-5m-windows-pcs/?comments=1&post=43014524>
+  - NULL bytes caused by crash with unflushed write(): <https://www.crowdstrike.com/blog/tech-analysis-channel-file-may-contain-null-bytes/>
+- "open source model" coopting language (also orwell, yeesh):
+  <https://lwn.net/Articles/982954/>
+  - humpty dumpty in through the looking glass "when i use a word
+    it means precisely what i intend it to mean.  nothing more and
+    nothing less"
+  (license isn't open, source -- e.g., training material -- isn't open
+  it's not "AI", just co-opting language to mean the opposite of what
+  the words actually mean)
+- ocsp: good riddance to bad rubbish: <https://lwn.net/Articles/982965/>
+- secureboot broken:
+  <https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/>
+  - modern security too hard to use.
+  - imperial violet "have one joint and keep it well-oiled"
+  - comment thread on reddit about unsafe rsa/aes-cbc combo:
+    <https://old.reddit.com/r/programming/comments/1e4ugqm/public_key_cryptography_to_share_secrets_easily/>
+  - log of goochat w/ alonzo on 2024-07-26 with summary of this stuff
+  - busted full disk encryption implementations
+  - cryptopals introduction (most crypto fatally broken)
+  - etc
+  - lots of older stuff is "knives up in dishwasher"
 
 ## linkdump (2022-08-10):
 - css bg fade:
-- 
cgit v1.2.3