Open Source Could Be a Casualty of the Trade War(bunniestudios.com) |
Open Source Could Be a Casualty of the Trade War(bunniestudios.com) |
[1] https://symbiflow.github.io/
[2] https://github.com/freechipsproject/chisel3
[3] https://github.com/freechipsproject/firrtl
The issue is that the executive order would make it unlawful to share technology with foreign adversaries. So it effectively forces open source projects to hard fork along geopolitical boundaries. For example, if (and these are still if's) Huawei were to be designated a foreign adversary; and, if Huawei were to develop a RISC-V implementation of interest; it would be unlawful for a US person to use that implementation, or otherwise "acquire" said technology from Huawei.
The underlying premise of the executive order, as I understand it, is that technology developed by, or under the influence of, foreign adversaries is potentially tainted. Thus to defend the US national security interest, US persons shall be penalized for using their technology.
Thus the concern is that US-based open source developers and users would be directly at risk by interacting with the very projects you cite, should they fall under the influence of a foreign adversary.
Or to put it more concretely: ARM might be very happy if Huawei were designated a foreign adversary, and Huawei invested heavily in RISC-V. Because then ARM could lobby US lawmakers to rule that RISC-V technology is tainted under the theories contained in the executive order, thus reducing competition from open source alternatives.
(editted to clean up grammar)
Apparently, Mr. Trump summoned Mr. Cook last week, and extended an offer of a tax break and other "relocation packages" on the size "not seen in human history" if Apple moves to USA.
Hearing things like that keeps reminding me that Taiwanese engineering fraternity is one of worlds best intelligence agencies :)
If we take no other lesson from the past 2.5 years...
Of course we have a lot of new judges so who knows.
I recall that happening in the 90's with a few different types of software due to U.S. software patents and corporate legal departments. VLC hasn't always been the go-to Linux multimedia application, for example.
[1] The infrastructure part is easy, the giving away access/bandwidth for free part is hard.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
The bulwark defending the bulwark is the population.
Boom! I told people they might do that back in the crypto discussions. Custom crypto and high-assurance security are still munitions with only a few things re-classified such as mass-market, one-size-fits-all software and use of ciphers in browser (https). This is what they might do to the rest with the leverage if it was ever truly threatening. They’re already doing it to companies over Huawei.
I also speculated they might have done this to get backdoors in products. A combo of offering payment and threats together. We know they do the payments. I don’t know if they do export threats, though.
“some independent security research would have already found and published a paper on this. Given the level of fame and notoriety such a researcher would gain for finding the “smoking gun””
Bunny is being really naive here or maybe doesn’t understand computer espionage. Most subversion must be done in a way that doesn’t look like subversion. The system just has to be remotely exploitable. The best route to that is to intentionally leave in memory safety bugs or a configuration that enables privilege escalation. Hackers find those all the time in all kinds of devices. They say, “Hey, they just made a common mistake.” Maybe it was there on purpose. We won’t know.
“It’s no secret that the US has outsourced most of its electronics supply chain overseas. From the fabrication of silicon chips, to the injection molding of plastic cases, to the assembly of smartphones, it happens overseas, with several essential links going through or influenced by China.”
And this is why what the U.S. government is doing is incredibly stupid. You could substitute other industries in here. It’s a smarter move to minimize one’s dependency on a country before pissing that country off in a way that can prevent them getting what they depend on.
By that logic everyone from Apple to Xerox could possibly be enabling computer espionage. You’d never be able to prove a bug wasn’t a deliberate back door.
Take Obama's: 'If you like your health care plan, you'll be able to keep your health care plan' as an example. He repeated this message for many many times: https://www.politifact.com/obama-like-health-care-keep/
How do you objectively decide:
1) Is this statement true?
2) Did he lie about it?
Also, how do you handle "if there is something I should not know, do not tell me"?
Eg. Follow human rights, No great firewall and you can use it.
Global trade has done a lot of good for the world, in general, there hasn't been any big war in the last 70 years.
Why: 996
Presenting non sequitur as evidence has become par for the course. Let's step back to one day before the heartbleed bug was discovered in ssl libs, when a similar argument could've been made regarding the ssl library's security. Only to be disproven a day later.
I have met Bunnie, and he has a bit of a warped view of the world. I think it caused him to gloss over things like https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversi... where Huawei did not give a single shit about security in their cellular basestation codebase.
Sure, Huawei will read CVEs and sometimes deal with them, but really basic things like updating OpenSSL libraries seem near impossible for Huawei. Their hardware is thus vulnerable to exploitation by any ill intentioned person wandering by :c
Part of this is the whole stolen codebase problem, where Huawei (as Nortel's Chinese manufacturing partner) took their designs and code, without fully understanding them. They've been able to tack on a lot of neat stuff, but the underlying architecture is still not understood by their engineers.
The Huawei ban is very clearly a political anti-China move, not one based on technical reasons.
I don't know Bunnie and I only follow his blog posts sometimes but he's a strong proponent of open source software and open source hardware [1]. Bunnie is helping to develop a fully open source hardware laptop, Novena [2], that requires companies providing components to not require non disclosure agreements [3]. Bunnie is also specifically interested in FPGAs and making them and their toolschains available [4].
Your post seems like it has a veiled nationalistic and anti-open source undercurrent. Is Bunnies silence on the matter of the Huawei security issue reason for you to have this view? If so, do others not mentioning Intel's vulnerabilities [5] the past years also mean they have the same "warped view of the world".
To be clear, I'm not trying to absolve Huawei or Intel of anything. I'm trying to address the claim that Bunnie turns a blind eye to proprietary chipset and hardware technology more than others.
[1] https://www.eff.org/press/releases/hardware-hacker-anti-acta...
[2] https://www.bunniestudios.com/blog/?cat=28
[3] https://en.wikipedia.org/wiki/Andrew_Huang_(hacker)#Novena
> Huawei (...) took their designs and code, without fully understanding them.
Do you want to say that there aren't people in China smart enough to "update OpenSSL" in their codebase? Whichever way the codebase started to be used by the company?
A lot of companies and developers inherit the products created in some other times in some other companies and generally are able to update them.
Hope that works out for you. :-(
(I'd wager there'll be a few more Snowden types asking for asylum outside the US before this is all over.)
The division of the open source world into the “US part” and the “Chinese part” would be a roughly 50% cut in the efficiency of the FOSS ecosystem, and is on the table given the developments he describes.
This [1] appears to be written from a more right-wing stance, although it could just be rightly critical of Wilson's legacy. Regardless, it's not inaccurate. Hopefully the dislike of Trump will help to shock the rest of the system back into seeing a worth in a strong separation of powers. It's not that Obama didn't also disregard them, it's just that he's far more likeable and suits the views of a lot of people. Not so great when there's an incumbent you don't like.
And that's the point.
[1] https://www.grassrootinstitute.org/2012/09/constitution-201-...
It is rotten corporate culture that is starving critical maintenance work at these companies, creating the internet of vulnerable shit.
So you're right, you can't pipe them out through fiber channel but you don't need to. You just need to fund them wherever you want them.
That's the thing, though. The physical location of the developers and the legal nexus of the companies are different things. Any sovereign government can exert power over the actions of companies that operate elsewhere, so long as they have anything in their own jurisdiction that can be gripped and squeezed -- a "nexus". Sometimes sovereign nations will even create laws that are "extra-territorial", laws they expect to be obeyed beyond their own borders, even if only enforceable once you are within those borders.
If all your developers live in Europe, but you sell to US companies too, guess what? The US can push you around. Do you want to do business with a bank with any US footprint whatsoever, guess what? The US can push you around. Do your executives travel to the US? Guess what? etc etc etc.
The US is not a special case here: the use of local and international legal and financial pressure to achieve policy goals outside one's own borders is common. However the US is a superpower, has far more levers to push on, far more heft to push them with and far lesser immediate consequences for doing so. The EU and China are probably its only rivals in this kind of economic realpolitik.
But if Bhutan tried to do this? We wouldn't even hear about it.
Crypto didn't die when it was export-restricted, and that stuff is really complicated.
> We emphasize the narrowness of our First Amendment holding. We do not hold that all software is expressive. Much of it surely is not ... We hold merely that because the prepublication licensing regime challenged here applies directly to scientific expression, vests boundless discretion in government officials, and lacks adequate procedural safeguards, it constitutes an impermissible prior restraint on speech.
This is an anti-China move, but we do know Huawei builds vulnerable LTE basestations and products, and refuses to do the bare minimum to secure them, despite promising $20 billion in investment in software security (see the article I linked to earlier).
Samsung was embroiled in a very bitter IP dispute with Apple, in which it was found to have violated Apple's patents, essentially copying the design of the iPhone, and ordered to pay over a half a billion dollars.
Yet American companies aren't banned from doing business with Samsung, nor should they be.