LWN: Comments on "Horn: Mitigations are attack surface, too"

Horn: Mitigations are attack surface, too

immibis — Tue, 18 Feb 2020 10:24:34 +0000

And then they can contribute that code upstream, to comply.

Horn: Mitigations are attack surface, too

immibis — Tue, 18 Feb 2020 10:23:54 +0000

Upstream from Samsung is Google.

Horn: Mitigations are attack surface, too

tuna — Sat, 15 Feb 2020 11:50:54 +0000

You can compare how much freedom end users had on Windows phones. On some of Android phones (like Sony XPeria Z3) it is possible to run a fully free operating system (with the need for some blobs for certain hardware enablement).

Horn: Mitigations are attack surface, too

oldtomas — Sat, 15 Feb 2020 10:23:17 +0000

" [...] freedom for manufacturers which makes it possible to have freedom for end users as well"

Now this is one bold claim.

Based on experience, I'd say the results are very mixed, in both directions?

Horn: Mitigations are attack surface, too

xophos — Sat, 15 Feb 2020 07:10:55 +0000

Researchers care about actual safety. The it security industry just sells snake oil to make money.

Horn: Mitigations are attack surface, too

dvdeug — Fri, 14 Feb 2020 09:24:24 +0000

I don't think there's any claim that Linux could have succeeded without being Free Software. I doubt going semi-free would have worked; a lot of early distribution was done on commercial CD-ROMs, that couldn't have been done with a NC license, and many commercial companies kicked in over the years. We can debate whether the BSD license would have worked; I think GPL is better, but the AT&T lawsuit made the legal status of BSD between 1992 and 1994 confusing, which gave Linux some time to grab market and mind share.

I think it's clear that Linux and the BSDs smoked commercial Unixes, and I think it's clear that's because they were open systems that both individual hackers and various companies could use and distribute. MacOS X is the major commercial Unix left, and they're playing a game that only Apple really successfully plays. The rest is legacy systems and possibly certain huge or specialized systems.

Horn: Mitigations are attack surface, too

tuna — Thu, 13 Feb 2020 13:32:55 +0000

What would happen if upstream would not accept the contributed code? It would be pretty crazy for Google to have their trademark policy depend on Linus Thorvalds and others.

Horn: Mitigations are attack surface, too

bangert — Thu, 13 Feb 2020 08:58:57 +0000

It is sad how obvious his conclusions are.

There is a huge disconnect between the top security researchers and the bulk of the IT Security industry - to the degree that they are actually saying the opposite of each other.

Horn: Mitigations are attack surface, too

tuna — Thu, 13 Feb 2020 08:06:43 +0000

If you want to do new unique hardware (like little.Big cores, double screens, other stuff) you will need to change the core system. It is actually about freedom for manufacturers which makes it possible to have freedom for end users as well.

Horn: Mitigations are attack surface, too

ILMostro — Thu, 13 Feb 2020 08:01:35 +0000

The question then becomes, did Linux succeed in-spite of GPL or because of it? And, where does it go through Google's vision?

Horn: Mitigations are attack surface, too

pj — Thu, 13 Feb 2020 04:30:18 +0000

> Allowing "fragmentation" (aka "proprietary value add") is the primary reason Android succeeded.

IMO "proprietary value add" belongs as apps or as a HAL with a standardized API (ala Project Treble), not in Android core. Requiring non-software companies to maintain their own fork of an OS is just insane.

Horn: Mitigations are attack surface, too

pizza — Thu, 13 Feb 2020 01:23:33 +0000

Allowing "fragmentation" (aka "proprietary value add") is the primary reason Android succeeded.

As for upstream contribution, remember this is the same Google that replaced every GPL userspace with a more permissively licensed one. Meanwhile, they're working on doing that for the Linux kernel too.

Meanwhile, when Google attempts to attach conditions to the use of its trademarks have them up on antitrust charges in multiple jurisdictions.

Horn: Mitigations are attack surface, too

Deleted user 129183 — Wed, 12 Feb 2020 23:39:31 +0000

> How so?

They encouraged, or at least didn’t try to prevent, the Android fragmentation. They had the tools to discourage it: for example, they could have not allowed to use Android trademark by vendors who tried to add ‘device-specific code’ without contributing it to the upstream. So we ended with completely dysfunctional “ecosystem” where there’s no one “Android” system: instead, we have millions of incompatible forks, with all its implications, including security implications, as described in the article.

Horn: Mitigations are attack surface, too

clugstj — Wed, 12 Feb 2020 20:12:08 +0000

Just generic Google bashing

Horn: Mitigations are attack surface, too

pkern — Wed, 12 Feb 2020 18:48:07 +0000

How so? After all this seems to have been an out of tree patch by Samsung?

Horn: Mitigations are attack surface, too

Deleted user 129183 — Wed, 12 Feb 2020 18:10:38 +0000

Google heroically solving problems that they caused themselves, I see.