Brief items

Nested on the servers' motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn't part of the boards' original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

Still, the issue here isn't that we can't trust technology products made in China. Indeed there are numerous examples of other countries — including the United States and its allies — slipping their own "backdoors" into hardware and software products.

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don't have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States.

Even if the U.S. government and Silicon Valley somehow mustered the funding and political will to do that, insisting that products sold to U.S. consumers or the U.S. government be made only with components made here in the U.S.A. would massively drive up the cost of all forms of technology. Consumers would almost certainly balk at buying these way more expensive devices. Years of experience has shown that consumers aren't interested in paying a huge premium for security when a comparable product with the features they want is available much more cheaply.

Beyond this issue, what I'm mostly concerned about these days is isolation between different apps. Our only solution on the desktop right now is Qubes and it seems rather overengineered for my needs. Compared with the security models of iOS or Android, we still have quite a lot of work to do to make sure (say) my IRC client cannot steal my bank credentials or (the horror!) vice-versa. ;)

In these five years, VyOS has been through highs and lows, up to speculation that the project is dead. Past year has been full of good focused work by the core team and community contributors, but the only way to make use of that work was to use nightly builds, and nightly builds are like a chocolate box a box of WWI era shells—you never know if it blows up when handled or not.

For too long, the Open Source world has been complicit with Google in undermining the privacy and freedom of Android users. It's understandable—Android has helped make Linux the most widely used operating system in the world, overthrowing Windows. Fighting against Google in the early days of smartphones, as it tried to establish Android as an alternative to completely proprietary offerings, would have been quixotic. But the time has come to assert free software's underlying ethical foundation and to move on from an Android world to something better—in all senses. Whether that will be Duval's eelo or something else is a matter for the Open Source community to debate. But it's a debate that we need to have now, as a choice, before it becomes a necessity.

If we designed the C [language] in 2018 and made it so we actually wanted to use it, then it would look very different. Probably a lot like Nim or Swift. I think that's still a niche that is currently unfilled; a modern, powerful language that doesn't try to provide the same guarantees as Rust and so can be much more minimalist. Minimalism can be very useful; it's easy to write and port compilers, easy to test them, etc. (Maybe C++ was invented because there were already really good C and Pascal compilers around, and compiler writers didn't want to go out of a job? :-P)