Profile picture
CopperheadOS @CopperheadOS
, 7 tweets, 2 min read Read on Twitter
These are completely conflicting opinions:

1) Closed source software with no obfuscation and all compiled code accessible in a controlled environment is substantially harder to audit
2) Publishing sources doesn't make it substantially easier for attackers to find vulnerabilities
It's extremely hard to make the case that publishing sources makes it easier to find vulnerabilities when you're talking about simply stripping out comments and internal naming from Java / JavaScript code...

Take a look at underhanded-c.org/_page_id_25.ht… if you think sources are magic.
If you're trying to find an intentional backdoor, the developers are your adversaries. If you're looking at the sources they choose to publish, you're looking at the code in the format where they cleverly hid a vulnerability in a deniable way if they aren't total idiots.
Assuming your adversaries are idiots is always a bad move. It is not necessarily a good idea to even bother looking at the source code if you're looking for a backdoor. Imagine trying to find a backdoor in C sources by someone like @johnregehr with undefined behavior as a hobby.
Oh, and don't be so sure that reproducible builds where you're *highly* encouraged to use exactly the same (out-of-date!) toolchain as the adversaries is a great idea.

AOSP/CopperheadOS/Chromium builds are reproducible. Is it a security feature? We wouldn't claim it to be one...
Anyone that isn't a complete idiot isn't going to make a backdoor that isn't 100% deniable by being a completely plausible vulnerability.

The best way to do it is leveraging a library or toolchain bug where it's not even a bug in the code written by the adversary...
How often do you run into library / toolchain bugs? Just pick one, trigger the same bug you triggered by accident and there's your backdoor. It's not even a bug in your code. It's not just completely deniable that you added a backdoor, it won't even appear to be your mistake.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to CopperheadOS
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @CopperheadOS see all

Profile picture
By cloud-based assistance they mean their OS code downloads GPS almanacs. GNSS information is indeed available to carriers to improve location accuracy but they have a coarse location without that. It's part of 911 support and is likely required by law in many regions.
en.wikipedia.org/wiki/Enhanced_… and probably other things require this. Qualcomm doesn't appear to harvest any information like this themselves, but don't know about Huawei, MediaTek, Samsung, etc.

Need Airplane mode to stop broadcasting location anyway so E911 etc. isn't that scary.
We document the GPS almanac downloads as one of the default connections:

copperhead.co/android/docs/u…

It can be disabled but then the GPS takes a ridiculously long time to lock on which is particularly important for us without a network-based location service like Apple and Google.
Read 7 tweets
Profile picture
Stable kernel changes applied:

linux-hardened (4.14-lts) 4.14.35 -> 4.14.36 (git.kernel.org/stable/linux-s…)

github.com/copperhead/lin…
4.15 is end-of-life so there's no 4.15.19 release and it's time to move on to 4.16.

However, we failed at community collaboration with this project so we're going to be approaching it differently. We'll be switching to maintaining only what we need and funding development work.
We'll rebase onto each mainline tag (v4.16, v4.17, v4.18) with stable tags ignored and without our own releases for those. Not going to be developing or maintaining changes outside the scope of what we need like x86 support. It'll become actively developed soon (it hasn't been).
Read 5 tweets
Profile picture
They generally just use the OS location and compass APIs but some apps definitely do go above and beyond by using the movement sensors. Pretty sure that Google Maps uses it.
OS APIs for location on Android and iOS both have support for supplementing GPS usage with their network-based location services. They send data like nearby cell towers to Apple / Google services and get back coarse location information.
Android supports implementing other supplementary location services but they need to be bundled with the OS and added to a whitelist so there isn't really much of an ecosystem of those because they would need to be done partnered with device vendors in their fork of the OS.
Read 4 tweets

Related threads

Profile picture
Someone on github referring to a minor bug reported 18 days ago that I explained was not trivial to fix, writes "People say that redbull gives wings ;) Is there a way to speed up this endless process?" and I already want to give up open-source software, 1 hour into my work week.
To be honest at this point I find as a society we are failing to deserve open-source. Maintenance is a tedious job. Countless companies using software with zero intent to help paying decently for its quality and maintenance (and thus their _own_ safety) even when directly asked.
Feature-wise, people don't realize that submitting a PR is often doing 20% of the job, I have to evaluate it with the lens of everyone's interest, rework it and then maintain it forever. In a fair system studios should pay to post their PR! Logic has been turned upside down.
Read 10 tweets
Profile picture
Time to jump in the pulp time machine and head back to: 1992!

Come with me on a trombone odyssey...
In 1992 rap music taught us right from wrong...

Don't Copy That Floppy! A 1992 VHS from the #Software Publishers Association.
In 1992 we had the New #DoctorWho Adventures. Don't judge us!*

(*only @Markgatiss can do that)
Read 20 tweets
Profile picture
@jennycohn1 @BrennanCenter @jorie_graham @LuluFriesdat @lizlhoward 💡”Steps you can take as a voter to walk into the polls with more confidence”:

1. Does our jurisdiction use DRE (Direct-Recording Electronic) voting machines?
@jennycohn1 @BrennanCenter @jorie_graham @LuluFriesdat @lizlhoward 💡”Steps you can take as a voter to walk into the polls with more confidence”:

2. Ask: Is there a paper backup of electronic pollbooks?
@jennycohn1 @BrennanCenter @jorie_graham @LuluFriesdat @lizlhoward 💡”Steps you can take as a voter to walk into the polls with more confidence”:

3. Ask: does our jurisdiction use machines with a paper trail?
Read 7 tweets
Profile picture
@aditimukherji @ReisingerAndy @IPCC_CH @climate_haiku #Accessible (text) version, original (picture) version found above:

We wrote this report

at your request, and with care.

Will you listen, please?

(1/9)
@aditimukherji @ReisingerAndy @IPCC_CH @climate_haiku We're at 1 degree

now and it will hit 1.5

within three decades

(2/19, 17 more tweets to go)
@aditimukherji @ReisingerAndy @IPCC_CH @climate_haiku Past emissions will

warm the Earth for centuries –

but there's still a choice
Read 19 tweets
Profile picture
A thread for the "#software is not political" crowd. Whether you like it or not, all software is political because technology AFFECTS PEOPLE. If you came to #tech thinking you'd escape having to think about people, #politics, and society - you were mistaken. I'll show you why...
Before we start, remember this as you read. Just because YOU think the answer to any of these issues is clear-cut, it doesn't mean that issue is not political.

There are people who take the OPPOSITE position with just as much conviction, and they think it's clear-cut too.
Also - as an engineer, a developer or designer - if you choose to ignore the political and societal implications of your #technology, YOU HAVE MADE A POLITICAL CHOICE.
Read 12 tweets
Profile picture
0s and 1s commonly create speech that courts use -- that means precedence is set. #Code is speech -- they're languages made of bits! Point being, ISPs shouldn't be allowed to deny computer speech from being seen by others. #NetNeutrality

Evidence in thread:
#NetNeutrality Evidence case 1: Bradley v. State: @Facebook evidence used to ID assailants and other witnesses. Its compelling because translated bits were used to ID people. It proves third party intermediary bits translated into media are used by courts. scholar.google.com/scholar_case?c…
#SaveNetNeutrality Evidence case 2: Homeland Security v. Twitter: @DHSgov seized data that was digitized and sent to intermediary @Twitter. Twitter sued its an ongoing investigation. Regardless, It appears consumer's translated bits were treated as speech? clearinghouse.net/detail.php?id=…
Read 11 tweets

Trending hashtags

#engine #submissive #EU27 #Spectre #corpus #UX #software #SIEM #cheese #QAnons #OpenSource #environment #EU #ProjectProsperity #economists #supply #jeans #powerlessness #Cult45 #authoritarian #assembly #movement #ChequersPlan #discrimination #quote

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!