Message-ID: <Pine.LNX.4.64.0609290940480.3952@g5.osdl.org>
Date:	Fri, 29 Sep 2006 09:51:40 -0700 (PDT)
From:	Linus Torvalds <torvalds@...l.org>
To:	Helge Hafting <helge.hafting@...el.hist.no>
cc:	tglx@...utronix.de, Alan Cox <alan@...rguk.ukuu.org.uk>,
	Neil Brown <neilb@...e.de>,
	Michiel de Boer <x@...elhomicide.demon.nl>,
	James Bottomley <James.Bottomley@...elEye.com>,
	linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: GPLv3 Position Statement



On Fri, 29 Sep 2006, Helge Hafting wrote:
>   
> This seems silly to me.  Sure, lasers and medical equipment are
> dangerous if used wrong.  When such equipment is
> controlled by software, then changing that software brings
> huge responsibility.  But it shouldn't be made impossible.

It may be "silly", but hey, it's often a law. 

Also, even if it wasn't about laws, there is a very valid argument that 
you should be able to be silly. There's a reason people don't get locked 
up in prisons just for being silly or crazy - sometimes something that 
seems silly may turn out to be a great idea. 

And people seem to totally ignore that there is no correct answer to "who 
may do software updates?". People rant and rave about companies that stop 
_you_ from making software updates, but then they ignore the fact that 
this also stops truly bad people from doing it behind your back.

Quite frankly, in many situations, I'd sure as hell be sure that any 
random person with physical access to a machine (even if it was mine, and 
even if I'm _one_ of them) could not just upgrade a piece of software.

Sometimes you can make those protections yourself (ie you add passwords, 
and lock down the hardware - think of any University student computer 
center or a library or something), but what a lot of people seem to 
totally ignore is that often it's a hell of a lot more convenient for 
_everybody_ if the vendor just does it.

And no, the answer is not "just give the password to people who buy the 
hardware". That requires individualized passwords, probably on a 
per-machine basis. That's often simply not _practical_, or is just much 
more expensive. It's quite natural for a vendor in this kind of situation 
to just have one very secret private key per model or something like that.

In other words, these secret keys that people rant against JUST MAKE 
SENSE. Trying to outlaw the technology is idiotic, and shortsighted.

If you don't want a machine that is locked down, just don't buy it. It's 
that simple. But don't try to take the right away from others to buy that 
kind of convenience.

And yes, Tivo is exactly such a situation. It's damn convenient. I've got 
two Tivos myself (and yes - I actually paid full price for them. I was 
given one of the original ones, but that's long since scrapped, and even 
that one I paid the subscription fee myself). But you don't have to buy 
them. You can build your own at any time, and it will probably be more 
powerful.

So people are trying to claim that something is "wrong", even though it 
clearly is. The people arguing for "freedom" are totally ignoring my 
freedom to buy stuff that is convenient, and ignore real concerns where 
things like TPM etc actually can make a lot of sense.

Can it be used for bad things? Sure. Knives are dangerous too, but that 
doesn't make them "wrong" or something you shouldn't allow.

			Linus