Re: Verifying Toolchain Semantics

[Ian Grant]

On Sun, Oct 5, 2014 at 2:58 AM, Mike Gerwitz <address@hidden> wrote:
> On Sat, Oct 04, 2014 at 09:35:09PM -0400, Ian Grant wrote:
>> Well, if I do succeed in distributing malware, it will be a good
>> demonstration of what I have been arguing for months now, which is
>> that your "core infrastructure" is _very,_ _very_ flaky, and that far
>> from being "the most important developers," you are in fact just
>> part-time amateur hackers playing at your 'hobbies'.
>>
>> What I am trying to do here is wake you people up from what will
>> otherwise prove to be terminal sleep. This is not a hobby, you are
>> combatants in a global information war, and it will cost some of you
>> your lives,
>
> As has been stated---your concerns are substantiated and understood,

I wasn't aware that my concerns _have_ been substantiated. How? I am
not sure they have been understood, either.

> and you clearly have much experience and information to contribute,
> but your unnecessary and unsubstantiated insults and holier-than-thou
> attitude prevent meaningful discussion, especially from those who are
> spectating and unwilling to participate in a discussion that is
> consequently destined to yield little more than childish banter and
> silence, albeit sprinkled with bits of very interesting information
> and resources.

I have not insulted anyone, as I explained in the other thread. I am
"holier than though" And I wish that wasn't the case. So if someone
can prove me wrong, then please do so, the sooner the better!

> The additional drama you infuse into the conversation---an example
> being the latter paragraph above---also works against you. There are
> many things that may cost us our lives, and I'm fairly certain that
> this does not make the top million or so for most of us. I'm killing
> myself sitting here typing this message.[0] From my understanding,
> you're allowing your body to degenerate as we speak.

Well my body is getting on for 50 years old, so it doesn't matter so
much. Here's a "better" example:

   http://en.wikipedia.org/wiki/Aaron_Swartz

>> I don't distribute plain text because it is too easy to alter. Once I
>> send one of these "essays" out I have no control over what happens to
>> it. So I try to make it as hard as I reasonably can for people to edit
>> what I have written.
>
> This argument is not valid---why is it hard to alter a PDF? In fact,
> PDF manipulation is a dark (and probably cancer-causing) art that's
> automated by countless businesses worldwide; it is a topic that eats
> up a significant portion of development time at my employer's office.

It is valid. If you want to see why, then try to alter one of the PDFs
I've sent out.
What will you do when I later send out a series of checksums using a
checksum algorithm that neither you or anyone else ever heard of
before?

> Have you considered just distributing a GPG/PGP signature with your
> works, or even signing the work itself? After all, this whole
> discussion is about proving the unlikelihood of and preventing the
> modification of data.

Of course I have thought of that, and rejected it as a pointless waste
of time! If you read what I've written, on this list and also in that
blog article Mark pointed up, you will see why I think this. And even
if public key crypto was positively secure, it is worthless when I
have no rational basis for confidence in the security of the system
which holds the private keys. PK crypto, in this state we're in, has
negative value: it just creates a false sense oif security, and
_discourages_ people from actually thinking about the real problem
because they "know" their comms. are secure. They don't know that at
all.

> ... Unlike the topic of complex binaries, your works
> are trivially verifiable even by hand---take advantage of that. If in ASCII,
> verification is a simple matter of diffing, even without cryptographic
> assurances, provided that your original work is archived in a number of
> reputable places (though I'd still sign my works);

I could ship them as low-res PNG files. But really, it would be much
better just to get good working PDF viewers. There are _millions_ of
important documents which are in PDF form. We need to be able to
reliably verify and reference text within them. These include things
like the Intel architecture reference manuals.

> [...] however, PDFs introduce
> an infinite number of display modifications that can be produce a document
> yielding a text isomorphic to the original---just because two PDFs of your
> work are 99% different when binary-compared doesn't mean that the visual
> meaning of text it renders is not 100% the same.

I am well aware of this, and it is one reason why we need to be able
to read PDFs reliably. We can then vary the concrete representation
and defeat attempts at mass-surveillance and also prevent people from
using automated methods to edit the files in transit. This was
implicit in the very first message I sent Stallman, Torvalds, deRaadt
etc. and which I later cc'ed to this list:

  http://lists.gnu.org/archive/html/guile-devel/2014-09/msg00021.html

And before some smart-ass says "Oh yeah, and how are you going to
verify the contents with cryptographic checksums?" I warn you to
_think_ first, because I will metaphorically tear you into fifty thin,
bloody little strips before you can say "Doh!"!

You do all know were making a movie about this whole affair, don't you?

   http://livelogic.blogspot.com/2014/04/what-is-sixth-estate.html

Ian