CPU as a service has come!

Giovanni Biscuolo g at xelera.eu
Mon Nov 27 12:52:55 UTC 2017

Hi Timothy,

first of all please smile thinking of the Great Irony of History that lead
MINIX to be probably the most installed OS on the market (I don't have the
figures but _strong_ suspicion) 

so now "we" have won the free software OS battle just to start the next one?

  «We are the Borg. Lower your shields and surrender your ships. We will add
  your biological and technological distinctiveness to our own. Your culture
  will adapt to service us. Resistance is futile.» (Star Trek - First
  Contact, 1996)

* Timothy Pearson [2017-11-24 14:56:21 -0600]:

>Sadly, I'm not sure that this massive leak matters much with e.g. local
>governments moving to Windows 10 that is already known to exfiltrate

please consider that the majority of local and EU policy-makers are not
doing this because they are despicable, simply they are sure **they can
manage** this kind of problems signing "special case EULAs" and alike,
trying to fix those issues by "de jure patches"

we should convince them that is a _losing_ path: given the scientific
evidences we are witnessing time after time, legal contracts cannot
fix those huge security and privacy (government security and privacy!)


>GDPR.  I'd love to hear someone from the EU weigh in on how this is
>possible from a legal perspective; I don't fully understand it from the
>other side of the pond.

me too, I love the principles stated in GDPR but I fear they will be
"useless de jure patches" given how much **the computing devices and
Internet _are_ broken by design**

this is why I appreciate (draft!) legislative proposals like those from
#youbroketheinternet [1]: they *may* be questionable but an interesting
starting point (and I'm still studying them)

please also consider that many respectable free software supporters are
proposing solutions that are **useless tech workarounds**; e.g. looking at
https://privacylab.yale.edu/ , in the "What we do" box, I read: "Hosting
Tor", "providing TAILS OS", "hardened GNU/Linux", privacy-respecting tools
such as PGP/GPG e-mail and E2EE messaging... 

>Also, if this sort of CPU-as-a-Service is concerning, why not use an ARM
>[0] or OpenPOWER [1] system that gives you full control?

please _do not_ concentrate on the "phenomenology of x386 brokenness" since
it' **not** the only one example; e.g. also some (all?) smartphones are
broken by design

so while I **love** all the projects you mentioned (there are many you
already listed in other messages AFAIK), I want to stress that **the market
alone cannot fix it**: is it clear enough?!? :-)

the very fact that **is** possible to sell **broken by design** computing
devices should be considered _unconstitutional_, this brings to the
consequence that selling **broken by design** computing devices should be
(severely) illegal [2]; the really good "side effect" of this would be that
selling broken devices is also considered _unfair competition_ versus
constitutional respectful vendors ;-)

>Especially for
>those already using libre software the switch is pretty painless.

ehrm: sorry if it sounds bold but please consider all the properties of
relationships coming from complex system theory such as nonlinearity,
emergence, spontaneous order, adaptation, and feedback loops (/me hacking
:-) )

in this complex system we **have to** consider that _few_ of us can
"easily" set up an entire free software **infrastructure** starting from
_the devices_ and ending with JS programs running in their browsers: that is
my job and I know I _cannot_ "sell" such a solution to my customers yet, OK?

_soon_ my customers will have to be GDPR compliant: how can I support them
in order to give reasonable confidence that their infrastructures will
not leak sensitive data they collect _even_ if they are using free software
"infrastructure wide"?

...I cannot even use an entire free infrastructure for "myself", partly
because I _already have_ a running infrastructure and would be quite
expensive (in monetary and time terms) to replace it... in case of
smartphones *almost* impossible (I'm still not convinced Replicant resolves
the **broken by design computing devices** problem, and the very fact that
Replicant is supported on too few smartphones *is* very limiting)

when talking about infrastructure please also consider that **all** of us
needs _some_ "external computing device", usually rented from a vendor: why
should I be "obliged by the market" to use a broken by design "bare metal"
host?!? why the _burden_ to verify the level of brokenness should be
contractually transferred to "me" and I cannot **pretend** that the host
_is_ secure **by design**?!?

I'm not alone in this _inability_ to free my devices, given that there is a
research group in Google (read: great resources) that has been struggling
for almost two years *just* to get rid of the most toxic "features" deeply
buried in their servers

we *need* the constitutional right to buy a device or sign an hosting
contract and trust the vendor will not use his physical access power to
break the security of such devices *by design*

OK, I've stressed this enough :-D

>forward one relatively easy way to deal with the problem is to put the
>data-slurping proprietary applications on a dedicated x86 machine that's
>isolated from the wider Internet as much as possible, and use rdesktop
>or similar to connect from a secure machine.

I respect this proposed solution *but* this is just a temporary (and costly)
workaround... and I'm not willing to follow you on this path :-) 

considering we are going towards an even increasing **broken Internet of
broken computing Things**™ the "final consequence" of this _could_ likely be
that one day those who wants to be free will be forced to opt-out from
_every_ "form" of their digital life and choose to be "analog only" [3] :-O

concluding: I want that my right to use interconnected digital devices
_remaining a free human being_ will be treated as a **constitutional**
fundamental right, all other policies and market regulation decisions
should be consequent



[1] http://youbroketheinternet.org/legislation/ObCrypto-law-proposal.pdf

[2] in Italy we are used to read messages like "è _severamente_ vietato"
("it's severely forbidden"): it always sound very funny to many of us :-)

[3] the infamous "blue or red phial" dilemma from Douglas Hofstadter's 1979 book Gödel, Escher, Bach
still inspiring many fictions 

Giovanni Biscuolo
Xelera - IT infrastructures

**per favore** Quota Bene: http://wiki.news.nic.it/QuotarBene
**please** use Inline Reply: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.fsfe.org/pipermail/discussion/attachments/20171127/c4bef98d/attachment.sig>

More information about the Discussion mailing list