Google are Data Sheiks and how to secure things without their budget

Ryan Carboni ryacko at gmail.com
Fri Sep 22 13:01:47 PDT 2017


In the Middle East, a few lucky families control the nation, and thus the
oil wealth, thus perpetuating their rule. The Middle East isn't known for
contributing much to the world's infrastructure or science.

The same goes for Google.

Mentioned in the past that Google doesn't ban having "noreply" in a username,
allowing for phishing accounts to be used on their service. You have to be
some kind of sociopath to see something terrible happening and not try
to at least think of something that could be done.

They have immense amounts of money, so their contributions to cybersecurity
rank from (in monetary value), SHA-1 collision search (a million GPU
hours), $200,000 for Android exploits, and $1,000 to fuzz browser DOMs for
only ten seconds per attempt.

They did discover numerous "security-related" crashes. Don't know if they
decided to check for memory bound errors that didn't cause a crash. That
might take more than ten seconds though. Twenty?

Will they offer $200,000 for Chromium OS exploits? If they can't do it,
shouldn't they cut back on Chromium OS and put everything behind Android?
Or rework Xen-ARM to replace Chrome OS and Android?

Corporations brag about smartphone resolution, but they should brag about
security. Maybe force them to?


Of course, McAfee got rich selling snake oil, by being alarmist.
Fortunately there are real reasons to be alarmist nowadays! Or just do what
puri.sm is doing and mumble... privacy... security... something. Does one
really lose that much privacy with a smartphone with the default apps and
settings? (you do have to set up the backup) But the EFF quit W3C after DRM
(surely there is a middle ground that makes DRM unviable on any slow
computer). What is anyone going to do about WebRTC?

Anyway, here's a spin on an old saying, demand a mile, get an inch, demand
it again, (and listen to them complain that they give you an inch and you
want a mile). Allegedly some people have complained of various leftist
nonprofits as being shake down organizations. Raise a fuss over insecurity,
demand proportionate funding from corporations, name and shame, etc etc.
Democracy is numerous people shouting over each other for what they want.

Ideally though, one would have a low performance computer with high
volatile memory, Qubes-style separation. AVOID COMPRESSING MEMORY. Local
attestation, hash the loaded instructions, and induce a fault if the
instructions change (thus causing any insecurity to be limited to
improperly coded APIs). Integrate ClamAV, and harden its sandbox?

Computers should be separated into hobbyist (for learning and
experimentation) and production computers (for anything actually
important). Motherboards with soldered chips, and integrated SSD for the
operating system. Shorting a fuse will disable updating the operating
system for those activists.
I mean...
https://en.wikipedia.org/wiki/Instructions_per_second#Timeline_of_instructions_per_second


Computers are fast. Transistors are small. Whatever you people think you're
doing, it is not happening. It is not going to happen.


What does it say that Zuckerberg owns a Macbook, and tapes over the speaker
jack?



Soghoian also criticises Google for failing to step up to the plate.
> "Google could pay for the development of Grsecurity using the money found
> between the cushions of their sofa," he insists. "This is not a big-ticket
> item in the grand scheme of Google's budget."


What is cheaper? A Pinebook with Android or a Librem 5? Probably unfair,
the pixels per inch for the pinebook is a lot lower.