b0600b375f14ccd3ba58f8f295ea75d0bd0b703d — Jakub Pastuszek 3 years ago f2fc62a + e61b9c6
Merge branch 'master' of git.entrophonic.net:user/brombek/blog
1 files changed, 132 insertions(+), 0 deletions(-)

A content/future.md
A content/future.md => content/future.md +132 -0
@@ 0,0 1,132 @@

* make this post less angry :D
* add links to other posts
 * there are good post about Rust "weaknesses" <- claiming them and also disproving them
 * lots of Plan 9 stuff out there
 * CVE stats
 * links to docs talking about ACLs vs ocaps

# Main problems we need to solve for the future

## Security

All stuff is connected. All stuff can be attacked by any other stuff.

### What?

We need to address main reasons for CVEs:

* Buffer over/under flow
* Free after use
* Double free
* Integer under/overflow errors
* Type confusion
* Code injection (XSS, SQLi etc.)
* Confused Deputy problems (Cross-site request forgery, privilege escalation)
* Race conditions
* Large attack surface
* Logic errors

DDoS due to crashes:

* Null pointers
* Concurrent access errors

## Spyware

All commercial software is already spayware or will become one thanks to "data is new oil" mentality - thanks ML people!
Advertisement is pushing humanity into consumerism and that will eventually end us due to resource depletion and environment destruction - this needs to stop.

### Why?

You cannot have democracy, freedom of expression, freedom of your own thought process while being constantly surveilled.
You cannot think for yourself if you are bombarded by highly targeted messages.

### What?

Windows is a spyware - "telemetry" cannot be turned off - it is illegal to do so!
MacOS now does the same as Windows, you cannot turn it off as it uses "hardware root of trust" chain to prevent tempering. iOS is being like that for many years now.
Anything Google is same, they became evil since they acquired Double Click (?).

# What future do we need

We need new free as in freedom OS that addresses security issues and is not spyware.

## Why?

Linux is based on Unix design. This design was created before networks were a thing. It's security model is broken (Access Control Lists) by design. Any attempt to fix it is a hack that adds to attack surface and complexity (Docker, Nix).

Plan 9 is still written in C (reason for the top CVEs) and is still using ACL security model (although lots of it is accidentally(?) based on object-capabilities thanks to P9 protocol).

## How?

### Programming language

To address top CVE classes we need to stop using programming languages that lead to them.
The "given enough eyeballs, all bugs are shallow" proved to be insufficient. Only mathematically verified models that verify your programs automatically can work for security.

There is only one language currently available that goes far enough to address most of this CVE classes and that is Rust.

So we need OS that is written in Rust and that if free as in freedom and that gets "enough eyeballs" to weed out logic errors that Rust only helps to avoid with it's type system.

### OS design

Linux has large attack surface (still tiny compared to Windows). To address this we need better abstractions on OS leve. Plan 9 protocol (P9) does provide an excellent example of such abstraction. Plan 9 has very small set of API primitives that were designed for the networking. This allows it to be much more secure than Linux.

Still Plan 9 will have buffer under/over flow issues, use after free, etc. due to use of C programming language - this is not avoidable!
Also Plan 9 uses ACLs that lead to Confused Deputy problems and in the end to privilege escalations. P9 protocol is object-capability based in practice so it does offer way more sophisticated security compared to Linux making such hacks like Docker and Nix not necessary.

So the new OS apart from being written in Rust needs to be using object-capability based security model from exclusively.

# The future

Free as in freedom, open source OS based on proofed ideas from Plan 9 (P9 protocol), with object-capability based security model and written in Rust is the way of the future.
We already live in the world where most population is surveilled in 1984 dystopia style where 20 successful ransomware attacks are performed weekly on companies that loose billions to get their data back or prevent them from being published (ex-filtration). Internet is a war zone with it's "background radiation" (all the scanning and attack traffic) going strong - just set up WordPress instance and wait few minutes, see what happens.

We must not fail!

# Please help this future to happen

## Rust complaints

### X is not as mature as C

Well, really? How did you figure it out. Nothing crated in last 50 years won't be as mature as C by definition, how brain dead are you!
Wow, so shocking that something created 10 years ago (version 1.0.0 released in 2015) is not as mature as something crated 1972 (48 years ago) and extremely successful and widely used since then.

Instead of complaining and discouraging people for using Rust, and this way delaying it becoming mature, why won't you help instead!

### But Rust has only one compiler implementations

First, see above!
Second this is false: https://github.com/thepowersgang/mrustc, and it is used in Guix to bootstrap Rust compiler written in Rust.
Also there exists original ML implementation.

Again stop being a moppet and help instead. This is not constructive!

### But Rust is slow!

"Rust is slowly compiling fast software" <- this. Again this is down to "X is not as mature as C" and also due to laws of physics - Rust compiler runs a complex correctness verification proof of your entire program so it will require more CPU cycles to do that.
Still there has been some impressive work done on Rust compiler to allow incremental compilation and to redesign the compiler using novel architecture that will speed it up further.

### But Rust programs have 300+ dependencies

Also true for C programs that:
* depend on many pre installed libraries
* often contain one file libraries "vendored" in there source code (XML parsers, gzip, base64, hash maps etc. are often included in) - this is due to lack of proper package manager like cargo.
* often use plugin/module system that hides dependencies (VLC, httpd, etc.)

Rust does statically link binaries to address broken OS design as described above. It is a compromise between having to manage all dependencies externally on OS level leading to conflicts and dependency hell and finally to Docker as a hack workaround to bad OS design and vendoring by hand buggy and unfixable impls in your program on rewriting everything from scratch every fucking time like C developers love to do (how many "growing vector" implementations are out there? how mayn of them has been fuzzed!?!).

Having well tested and secure implementations of basic things used everywhere is critical for security - stop writing Vec, HashMap and XML parsers just because it is easier than using existing libraries! Stop vendoring source code as no admin will ever know about it and it may contain critical issues!

# Want to help?

If you don't like Rust for some reason (e.g. because of the hype train that Mozilla crated at some sage) than at leas stop misleading people with false or logically dubious messages.
Ditch proprietary spyware - use Linux, learn Plan 9.
Ditch the Web, Facebook, Twitter, Google and all the other broken spyware - use Gropher, Geminin, Mastodon (I know it is a Web standard but still), XMPP, etc. as much as feasible.

Help projects like Redox and other new OS designs.
And for god sake stop deploying WordPress - this is literary destroying the internet due to being so popular and such a security disaster.
Don't use JS as it lock the Web in Google and enables all the tracking.