On Fri, Jul 31, 2015 at 3:53 PM, jim bell <jdb10987@yahoo.com> wrote:
From: The Doctor <drwho@virtadpt.net>
I suppose what I'm bitching about (and I've probably just faceplanted by stepping into that particular pothole - it's my turn, I guess) is that there seems to be no part of the threat model where risk is acceptible. I mean, going all the way back to hand-wired electromechanical processors just to be able to bootstrap back to silicon and losing 20-30 years of technical advancement?
It's a fast rebuild using trusted principles, there are no tech discoveries needed, no loss of any tech. Yes you have to learn to apply trusted principles, that will take time. And keep up with whatever new tech comes after the time you start, which is normal. So for a while you just have to work harder, faster, better. That's standard practice and nothing new for a startup and people in them.
Somewhere, we went way off course. There is a saying: "Perfect is the enemy of working." I think that's where we as a group have lost our way.
The threats are known. The risks are known. Let's act.
I agree with that. I think it's better that we get 50% of the population to use encrypted phones, where the encryption isn't truly known to be perfect, than to get 1% of the population to use perfect encryption. Verifying the last little bit of doubt is going to cost a rather large amount of money. Raising the demand for crypto phones to 50% represents a huge market, which will be satisfied, and the profits for that market will pay for the next generation of closer-to-perfect phones.
Ok fine, let's say you don't care to trust your chip designing and printing hardware, and you opt to totally skip doing anything to rebuild or validate those parts of the trust chain [1]. But you still do want an open hardware crypto phone for yourself and the masses, which would you prefer to do: a) wait for some bigcorp like MS/Nokia Apple HTC to convincingly say and show an open hardware crypto design? b) send your own open hardware design to global foundries? c) send your own open hardware design to a comunity owned and operated open fab (still being subject to your choice in [1] above)? I suggest investing in (c) now will bring more and more community and other runs through it such that you can invest in [1] above later. You might even have to bank profit from (b) to get to (c). But anything involving (a) is not "Lets's act", unless you think your pleading and pressure (which is all you can do there) will be fruitful [2]. So at minimum you best start acting on (b) or (c). Right? [2] Still waiting on open video cards and drivers eh, how many decades of "raising the demand" has that been? Lol. Oh, but Apple did add some closed crypto'ey fingerprint'ey passphrase'ey thing to their phone, so maybe that was pressure, and trust'ey enough, and we can all "act" by throwing dollars at that instead of ever having our own (b/c/[1]), and just have faith instead. I'm tired of (a), and it's boring, and if not evil at least not really aligned to your interests. If you want something done, carry a big stick, or do it yourself until you have one.