Re: Have I been hacked?

To: debian-user@lists.debian.org
Subject: Re: Have I been hacked?
From: Darac Marjal <mailinglist@darac.org.uk>
Date: Mon, 12 Jan 2015 11:37:09 +0000
Message-id: <[🔎] 20150112113709.GB27374@darac.org.uk>
In-reply-to: <[🔎] 20150112091810.40d30fe6@jresid.jretrading.com>
References: <[🔎] 20150106180456.GA8657@fever.havannah.local> <[🔎] 7851846.GjTCVcmPuo@merkaba> <[🔎] 09012015001632.a7c9236b8b1d@desktop.copernicus.demon.co.uk> <[🔎] 3714920.DLpo8KHxcl@merkaba> <[🔎] CAAr43iMgLrUtSiitri17xOTaZ0Qvwip5eYMc1Z-Q+vSd_SSteg@mail.gmail.com> <[🔎] 54B08C3D.4090404@gmail.com> <[🔎] 10012015194257.e68f933cee76@desktop.copernicus.demon.co.uk> <[🔎] 54B2FA07.80001@thargoid.co.uk> <[🔎] CAAr43iOV07N20EFsd2qQbXa_t_-uTaVaBbbXg4fkYrEw7C_-hg@mail.gmail.com> <[🔎] 20150112091810.40d30fe6@jresid.jretrading.com>

On Mon, Jan 12, 2015 at 09:18:10AM +0000, Joe wrote:
> On Mon, 12 Jan 2015 17:24:41 +0900
> Joel Rees <joel.rees@gmail.com> wrote:
> 
> 
> > The only truly secure computer is the one that you wrote all the OS
> > and application code for.
> 
> *And* the compiler(s) and the rest of the build toolchain... *and* the
> BIOS, *and* the code for any network hardware you use...*and* the
> firmware of all of your hardware...

Actually, I disagree with this.

If I were to write all the OS and application code for my computer, and
all that other stuff, I would actually expect it to be LESS secure than
it currently is. Mostly because I don't know what I'm doing. And I
*REALLY* don't want to have to sit my parents down at a completely dead
computer and say "Happy Christmas. You'll have to start writing code to
boot strap this computer I got you. You might need to start with writing
an editor... somehow." Actually, where DO you start with that task?

OK, I could get people to review it, apply fixes but if the reason I'm
writing this all myself is because I don't trust other people, when why
would I trust their judgement?

No, the better solution is what we already have. The OS, the application
code, the build toolchain, the BIOS, the hardware firmware etc etc,
should be written by the people who know about these things. The code
should then be made available for peer review along with methods to
confirm that what's loaded onto the computer is what was reviewed.

Personally, I don't mind if a company says "the BIOS will only accept a
firmware update signed by our key" if they also timely update that
firmware with community patches. Open source doesn't really *have* to
mean "anyone can modify the code". "Anyone can suggest modifications,
which the original developers will approve/deny" should be an acceptable
step.

> 
> -- 
> Joe
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: [🔎] 20150112091810.40d30fe6@jresid.jretrading.com">https://lists.debian.org/[🔎] 20150112091810.40d30fe6@jresid.jretrading.com
>

Attachment: signature.asc
Description: Digital signature

Reply to:

References:
- Have I been hacked?
  - From: Danny <mynixmail@gmail.com>
- Re: Have I been hacked?
  - From: Martin Steigerwald <Martin@lichtvoll.de>
- Re: Have I been hacked?
  - From: Brian <ad44@cityscape.co.uk>
- Re: Have I been hacked?
  - From: Martin Steigerwald <Martin@lichtvoll.de>
- Re: Have I been hacked?
  - From: Joel Rees <joel.rees@gmail.com>
- Re: Have I been hacked?
  - From: Jerry Stuckle <stucklejerry@gmail.com>
- Re: Have I been hacked?
  - From: Brian <ad44@cityscape.co.uk>
- Re: Have I been hacked?
  - From: Iain M Conochie <iain@thargoid.co.uk>
- Re: Have I been hacked?
  - From: Joel Rees <joel.rees@gmail.com>
- Re: Have I been hacked?
  - From: Joe <joe@jretrading.com>

Prev by Date: Re: Have I been hacked?
Next by Date: Re: Choosing/Rotating screen for greeter
Previous by thread: Re: Have I been hacked?
Next by thread: Re: Have I been hacked?
Index(es):
- Date
- Thread