The world seems to be an unfortunate situation in terms of cybersecurity

Ryan Carboni ryacko at gmail.com
Wed Jul 12 13:56:20 PDT 2017


Grsec has been removed from many projects because of trademark dilution or
something. Maybe grsec should revoke the license for using outdated grsec
when compiled in future operating systems.

More open source projects would be more likely to receive money if right
after the EULA page in the installer, it listed the amount paid to each
open source project (to paraphrase The Simpsons, zero is an amount).
(although the EULA text for many installers includes a portion that people
are supposed to remove)

Despite that, projects backed by large groups aren't that secure. According
to Zerodium's price chart, the manpower cost to create a remote jailbreak
exploit for Android and Windows is less than one man-year, which should be
severely humiliating. Or at least there should be humiliating memes
circulating.

Google makes billions. Apple makes billions. Microsoft makes billions.
Black Lives Matter receives a hundred million. There might be a
psychological factor in paying someone to work for you who you can't
actually boss around. This has impaired the global economy.

Those billions, it goes without saying, come from somewhere. Celebrities promoted
Tor, but there hasn't been much done to improve internet security,
particularly since they are popular victims (actually many were wiretapped
by Anthony Pellicano). Sure, there was the Trustworthy Computing
Initiative, and the Core Infrastructure Initiative, but somehow the Open
Handset Alliance didn't produce a secure operating system. There exists the
concept of consumer cooperatives, but most nonprofits are nearly as
democratically run, and somehow we ended up with the great reform of moving
metadata collection to the telephone companies in a democracy. Many
nonprofits could stand to explain their large allowances for travel.

Subgraph OS exists, but it doesn't aim to be amnesiac or allow for non-Tor
use. Very few other operating systems seem to achieve that degree of
hardening.

Let's consider the math for this. You can include strong security features,
but it would cost 50% more time or something. According to the Pareto
principle, 80% of time is spent on 20% of problems, although I wouldn't
know the applicability to software. Some time ago, Cloudflare didn't
realize an HTML parser was crashing, and when they improved the performance
of it, it resulted in Cloudbleed. Just-in-time compilation in browsers has
been shown to have problems.

Personally I think a hybrid kernel based on KVM would be best, but I don't
know anything. At least it would allow the user to set certain applications
as amnesiac. Obviously any application that can make arbitrary connections
is untrustworthy.


https://en.wikipedia.org/wiki/List_of_open-source_hardware_projects