Enough time has passed that I feel like I can share my (possibly controversial) perspective on software supply chain security without it seeming reactive or opportunistic: puri.sm/posts/the-future-of-so

Have you ever noticed how many security experts speak out against encryption backdoors, but design systems that anchor all trust in their company's signing key?

Michigan police solved a murder with recordings of the suspect's voice stored on the victim's truck infotainment system. Michigan police pull data from cars "sometimes two to three times a week." nbcnews.com/tech/tech-news/sni

Imagine if your ISP kicked your laptop off the Internet because Microsoft stopped providing it security updates. Imagine having to buy a new laptop every 2-3 years just so you could get updates. Phones are just small computers, they shouldn't have special rules.

T-Mobile is kicking old Android phones off their network in January because vendors have abandoned the hardware and they no longer get security updates. Android's model of forcing you to buy new hardware every few years to get security updates is broken. tmonews.com/2020/12/t-mobile-w

I don't want a lot for Christmas
There is just one thing I need
I would like to download software
With a license that is freed

I just want code for my own
More than you could ever know
Make my wish come true
All I want for Christmas is GNU

Hot off the presses! @doc and @katherined talk to @kyle and Petros Koutoupis about the SolarWinds hack, and Facebook's reaction to Apple privacy initiatives.
reality2cast.com/53

#solarwinds #privacy #technology #podcast #newepisode

I have opinions on the current supply chain attacks and software supply chain security but given my employer, I feel like sharing them now would seem like ambulance chasing so I'm waiting until the dust settles.

I also would never have guessed that SkyNet would be powered by Kubernetes...

Here's a fun pull quote: "The AI system was deliberately designed without a manual override to "provoke thought and learning in the test environment""

My big fat Greek reading list. (Actually almost finished with Durant, and this will be my second time reading The Iliad, but first time with Fagles translation.)

Want to take a COVID test at home? You must install an app to get the results: "Ellume’s test requires users to download an app on their smartphone to learn their test result. That app automatically sends data by Zip code to the cloud"

washingtonpost.com/health/2020

It's also because tight control w/ trust rooted in the vendor is "easy mode" for lazy security engineers. It's much harder to design security measures that treat end users like adults.

It's because most vendors think of customers as children that must be protected from themselves by removing as much agency and control as possible. This also makes customers completely dependent on them.

Have you noticed that a parent's default way to protect a child's security w/ tech (lock the device, tightly restrict what they can do, spy on everything) is exactly the same approach most vendors use to protect an adult customer's security?

With latest updates, GNOME Web (Epiphany) can play YouTube videos on the Librem 5, so you won't have to switch to Firefox to do that anymore. And you won't believe where the bug was located[1]! ;) Call `sudo apt install gstreamer1.0-libav` or wait a few days until it's installed by default with the next update and enjoy. @purism

[1] it was in glibc...

Apple always uses security and privacy as a cover for more control: "Apple says it must tightly control the way software is installed ... to protect its customers from ... viruses and other security threats and ... apps that invade its customers’ privacy." washingtonpost.com/technology/

When it's particularly cold in my office, either my desk or my Model M keyboard contract unevenly such that the keyboard is no longer flat on the desk and wobbles until the office warms up.

Librem Social

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.
