FOSS is Working Against Itself


2022-01-27 (UTC+00:00)


Author: Inference


The world has become a dangerous, privacy invading, human rights stripping,
totalitarian place; in order to combat this, people are joining a growing,
and dangerous, trend, which I will refer to in this post as the "FOSS
movement".
With that stated, I will now debunk the misinformation being spread inside
of this extremely flawed movement.

The FOSS movement is an attempt to regain privacy and control over our
devices and data, but the entire concept of FOSS-only, at the current time,
is severely, and dangerously, flawed. What the FOSS community does not seem
to understand is the fact that most FOSS software cares not about security.
"Security"; keep that word in mind as you progress through this article.
What is security? Security is being safe and secure from adversaries and
unwanted consequences; security protects our rights and allows us to
protect ourselves. Without security, we have no protection, and without
protection, we have a lack of certainty of everything else, including
privacy and control, which is what the FOSS movement is seeking.

FOSS projects rarely take security into account; they simply look at the
surface level, rather than the actual root cause of the issues they are
attempting to fight against. In this case, the focus is on privacy and
control. Without security mechanisms to protect the privacy features and
the ability to control your devices and data, it can be stripped away as
if it never existed in the first place, which, inevitably, leads us back to
the beginning, and the cycle repeats. With this ideology, privacy and
control will *never* be achieved. There is no foundation to build privacy
or control upon. It is impossible to build a solid, freedom respecting
platform on this model.

The only way to effectively combat the privacy invasion and lack of control
of our devices and data is to become a renegade and not take sides.
Yes, that means not taking sides with the closed source, proprietary, big
tech and government entities, but it also means not taking sides with any
FOSS entities. The only way to win this war is to take *whatever* hardware
and software you can, and use it tactically. A FOSS phone, especially a
so-called "Linux phone", is completely detrimental to privacy and control,
because it does not have the security necessary to enforce that privacy.
Unlocked bootloaders prevent the device from verifying the integrity of the
boot chain, including the OS, meaning any big tech or government entity can
simply inject malicious code into your software and you wouldn't have any
idea it was there. If that's not enough of a backdoor for you to reconsider
your position, how about the trivial evil maid and data extraction attacks
which could be executed on your device, whether with coercion or not?
With Android phones, this is bad enough to completely break the privacy
and control the FOSS movement seeks, but "Linux phones" take it a step
further by implementing barely any security, if any at all. Privilege
escalation is trivial to achieve on any Linux system, which is the reason
Linux hardening strategies often include restricting access to the root
account; if you root your Android phone, or use a "Linux phone", you've
already destroyed the security model, and thus the privacy and control
model you were attempting to achieve. These are not the only side effects
of FOSS; there is also the absolutely illogical restriction of not being
able to, or it being made unnecessarily difficult to, install and update
critical components of the system, such as proprietary firmware, which
just so happens to be almost all of them. "Linux phones" are not as free
as they proclaim to be.

You may ask "What's so bad about using LineageOS?", to which I answer with
"What's not bad about it?".
- LineageOS uses debug builds, not safe and secure release builds.
- LineageOS requires an unlocked bootloader.
- LineageOS does not install critically important firmware without manual
flashing.
- LineageOS does not implement rollback protection, meaning any adversary,
including a government entity, can simply downgrade the OS to a previous
version in order to exploit known security vulnerabilities.
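To make the two boot-chain properties discussed above concrete (an unlocked bootloader verifying nothing, and a locked bootloader with or without rollback protection), here is a toy model added for this post; it is not GrapheneOS, LineageOS or Android Verified Boot code. It assumes a hypothetical vendor key and uses an HMAC in place of the real asymmetric signature purely to stay self-contained.

```python
"""Toy model of a bootloader checking an OS image: signature verification
only happens when the bootloader is locked, and rollback protection refuses
images whose rollback index is lower than the value in tamper-resistant
storage. Constructed example; not real verified-boot code."""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical vendor signing key. Real verified boot uses asymmetric
# signatures; HMAC is used here only to keep the example self-contained.
VENDOR_KEY = b"constructed-vendor-key"


@dataclass(frozen=True)
class OsImage:
    version: str
    rollback_index: int  # vendor increases this with each security release
    payload: bytes
    signature: bytes


def _message(version: str, rollback_index: int, payload: bytes) -> bytes:
    # Version and rollback index are bound into the signed data, so an
    # attacker cannot relabel an old image as a newer one.
    return f"{version}|{rollback_index}|".encode() + payload


def sign_image(version: str, rollback_index: int, payload: bytes) -> OsImage:
    sig = hmac.new(VENDOR_KEY, _message(version, rollback_index, payload),
                   hashlib.sha256).digest()
    return OsImage(version, rollback_index, payload, sig)


class Bootloader:
    def __init__(self, locked: bool, rollback_protection: bool):
        self.locked = locked
        self.rollback_protection = rollback_protection
        self.stored_index = 0  # models tamper-resistant rollback storage

    def boot(self, image: OsImage) -> str:
        """Return 'booted' or the reason the image was refused."""
        if not self.locked:
            return "booted"  # unlocked: nothing is verified, anything runs
        expected = hmac.new(VENDOR_KEY, _message(image.version,
                            image.rollback_index, image.payload),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, image.signature):
            return "refused: bad signature"
        if self.rollback_protection:
            if image.rollback_index < self.stored_index:
                return "refused: rollback"  # older release is not accepted
            self.stored_index = image.rollback_index
        return "booted"
```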

LineageOS is not the only Android OS (commonly, and incorrectly, referred
to as a "ROM") with such issues, but it is one of the worst. The only
things such insecure OSes can provide you are customisation abilities, and
a backdoor to your data.

What can you do about this? The answer is simple; however, it does require
you to use logic, fact, and evidence, not emotion, which is a difficult
pill for most people to swallow. Use your adversaries' weapons against
them. The only solution for phone security, privacy, and control, is to use
a Google Pixel (currently, 3a series or newer) running GrapheneOS. Google
Pixel phones allow you complete bootloader freedom, including the ability
to lock the bootloader after flashing a custom OS (GrapheneOS includes a
custom OS signing key to allow locking the bootloader and enabling verified
boot to prevent malware persistence, evil maid attacks, and boot chain
corruption), long device support lifecycles (minimum 3 years for Pixel 3a
series to Pixel 5a, minimum 5 years for Pixel 6 series), and fast,
guaranteed security updates for the entire support timeframe of the
devices.

Use what you can, and do what you can. By neglecting security, you are,
even if unintentionally, neglecting exactly what you are trying to gain:
privacy and control.
