Securing Open-Source Software

Good essay arguing that open-source software is a critical national-security asset and needs to be treated as such:

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards. It bears the qualities of a public good and is as indispensable as national highways. Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.

This is not a novel idea. Open-source code has been called the “roads and bridges” of the current digital infrastructure that warrants the same “focus and funding.” Eric Brewer of Google explicitly called open-source software “critical infrastructure” in a recent keynote at the Open Source Summit in Austin, Texas. Several nations have adopted regulations that recognize open-source projects as significant public assets and central to their most important systems and services. Germany wants to treat open-source software as a public good and launched a sovereign tech fund to support open-source projects “just as much as bridges and roads,” and not just when a bridge collapses. The European Union adopted a formal open-source strategy that encourages it to “explore opportunities for dedicated support services for open source solutions [it] considers critical.”

Designing an institutional framework that would secure open source requires addressing adverse incentives, ensuring efficient resource allocation, and imposing minimum standards. But not all open-source projects are made equal. The first step is to identify which projects warrant this heightened level of scrutiny—projects that are critical to society. CISA defines critical infrastructure as industry sectors “so vital to the United States that [its] incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Efforts should target the open-source projects that share those features.

Posted on July 27, 2022 at 7:03 AM31 Comments


Mike D. July 27, 2022 8:04 AM

I’m still having to sit through briefings that say “minimize use of open source and other software from untrusted sources” for my government job. It gets on my nerves, especially when the threat model they’re most scared of now is “insider threat.” The developer being someone you know isn’t a root of trust.

Clive Robinson July 27, 2022 8:36 AM

@ Mike D, ALL,

Re : Camels Noses.

“It gets on my nerves, especially when the threat model they’re most scared of now is “insider threat.””

Government is a game by committee, where the aim is not to score an own goal. So all players agree to keep the ball away from all goals as far as possible. Now you would think that would be the middle of the pitch… Well no, because some want someone else to score an own goal. So as you’ve nodoubt heard been said on more than one occasion,

“They keep moving the bl@@dy goal posts”.

Obviously the more players on the pitch, the more goal posts, thus the greater the opportunity to score an own goal. So various players form secret aliances to stop the ball coming close to each others goals… So the ball in play moves very eratically, travels great distance and achieves next to nothing…

Clive Robinson July 27, 2022 9:45 AM


That first paragraph does not bode well,

“Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.”

Whilst the first part of that statment is as true as it is for commercial “proprietary” or closed source code, the second part is at best an incorrect assumption.

When you aquire closed source code which proprietary code mainly is, you have nothing to verify the standards to which it was developed or the safeguards that it may have.

The bureaucratic way of doing this is “To big to fail” thinking, where by they “assume” certain major players will be able to back their play. Well the evidence has always been they are not and use lawyers as stratigic or all out weapons even against governments.

So what viewpoint are we getting,

“It bears the qualities of a public good and is as indispensable as national highways.

Anyone driven on “national highways” recently?, they could easily be named after my third favourit ice cream,

“Rocky Road”.

In the US especially infrastructure is often “Private Corps” supplying what is supposed to be a “Public Good” and in return they get a “licence” which in effect makes them part of a cartel or outright monopoly. Poor oversight means that the abuse that position in the name of “shareholder benifit”.

Thus the US finds it’s self with very short lived poorly maintained infrastructure compared to many other first world and quite a few second world nations as well. Getting 50years out of US infrastructure is a surprise, getting less than 50years in Europe would be a shock[1]…

Part of that abuse is to kill off competition not just in their own specific market sector but anything related as well. One way has been by “patents” another by “raised drawbridge legislation” and the old favourite of “load them down with regulation”…

Which brings us to,

“Given open source’s value as a public asset, an institutional structure must be built that sustains and secures it.”

Any “institutional structure” will be heirarchical, with power, control and thus coruption at the top.

But as inportabtly if funded from the public purse in a democracy, then the “institutions” main preoccupation will be “to grow” not protect of a “public asset” –which Open Source actually is not– or those that produce it.

The result will be “membership fees” or other “paid for” accreditation used as a weapon against individuals and small organisations…

So true “Open Source” will be “killed off” or end up “owned” by vested interests and “friends of politicians”…

[1] In the UK and other European Nations infrastructure built by the Roman’s two millennia ago is still in use in some places. In the UK there is one heck of a lot of Victorian infrastructure in sub surface works going back a century and a half. Mostly it still works as designed, the problems we are now having with it is realy societal changes of four to twenty times the capacity needed, and changes in the way we live. One such is “fat-bergs”,

Something many are also doing to their bodies in the form of arterial atheroma…

Winter July 27, 2022 10:05 AM

Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.

I think this is wrong.

First, the whole digital economy runs completely on FLOSS.

Second, the security standards of proprietary code are “mixed” down to “disastrous”. Many, very many, companies publish/sell out proprietary code but have no bug report procedure. Many are also actively hostile towards everyone who dares to report on bugs or security vulnerabilities.

More compete argumentation in Open Source Security Podcast:

You have to use Open Source

Open Source Supply Chains

TimH July 27, 2022 10:13 AM

Came to here to endorse what Clive and Winter put…”as proprietary code, but it lacks the same standards and safeguards.”

Tmobile has allowed customer sensitive data to be breached for the 5th time with their software, proprietary or not. They even lied about it by concealment, explicitly breaking the law, but no custodial consequences.

Until there are real penalties for web-facing code to be secure, there’s no incentive for any ‘standards and safeguards’ to be followed.

John tillotson July 27, 2022 10:19 AM

@ Clive

“Open source is at least as important to the economy, public services, and national security as proprietary code, but it lacks the same standards and safeguards.”

You’re absolutely right to be concerned with this statement.

Let’s call out to “proprietary software vendors” the following question: What “standards and safeguards” do you follow? And no, “using your customers as alpha testers” doesn’t count.

Frank B. July 27, 2022 11:57 AM

The U.S. is wringing it’s hands in worry over corporations who aren’t following up with available security patches from open source communities and projects after decades and decades of freeloading?

This is while corporations like Facebook, Google, Twitter and Reddit, who benefit immensely from open source projects, allow their users to spread medical mis-information and hatemongering propaganda across the globe eroding the democracy the U.S. and world supposedly hold dear face zero regulation or consequences?

We’re officially at peak stupid.

Clive Robinson July 27, 2022 12:30 PM

@ Frank B.,

“We’re officially at peak stupid.”

Sadly not even close yet.

The “fiddler” is just tuning up, you wait untill he plays the first reel… There will be way more than just feet flying…

@ ALL,

Having read the whole piece, on thing realy annoys me about the author. Despite legal training she claims not just that Open Source is a “public good” but effectively it’s not owned and therefore up for grabs…

As @Winter notes,

“the whole digital economy runs completely on FLOSS.”

And it brings in billions of dollars of revenue almost every day, yet pays back nothing to either the creators of the Open Source, or the Citizens the Corps also free load off by not paying taxes… Worse if the Governmebt does “pay developers” you can be assured those Corporates will get most of it in one way or another. Because that is the name of the game as we’ve seen with the “Walled Gardens” etc.

Arclight July 27, 2022 1:58 PM

I’m still puzzled by the fact that basically nobody ever offers to just pay the author of a critical open source project real money to fix vulnerabilities. I constantly hear about these teams pushing back on fixing something critical because they have day jobs and bills to pay, followed by discussions of how much $$$ it will cost to migrate thousands of servers to an alternative. Does nobody ever just send them a check to get it done?

Ted July 27, 2022 2:10 PM

The Lawfare podcast has a really good episode on the inaugural report of the CSRB, the Cyber Safety Review Board.

Their first report, as the original essay mentions, is on Log4j – the ubiquitous piece of open source software that contained a critical vulnerability discovered in late 2021. This vuln had a CVSS score of 10.0, the highest score possible.

The CSRB is proximately based on the NTSB, the National Transportation Safety Board that investigates civil transportation accidents.

Adkins and Alperovitch report that the CSRB actually had a lot of cooperation in their discovery process, both internationally and across a wide range of groups. The report contains 19 actionable recommendations, including recommendations for building a better software ecosystem.

Although this board is still in its infancy and only had 90 some days to produce this report, I think their work is valuable and will be impactful.

lurker July 27, 2022 4:25 PM

Random points:

an April 2022 expert security report found that 60 percent of the nearly 3 billion devices affected by the Log4Shell vulnerability remain unpatched, -Lawfare


Fingerpoint: whose fault are these?

Fix: wringing hands? No.
Institutionalising OSS as Lawfare suggests sounds like a one size fits all box. Paying OSS devs (from public funds?) introduces more problems than it might solve.

Some have said AI should audit code, but we know where AI comes from. It’s an interesting problem . .

Clive Robinson July 27, 2022 5:28 PM

@ Arclight,

“Does nobody ever just send them a check to get it done?”

If only it were legally that easy…

Over the years since WWII and the past three or four decades most Western Governments have made it extrodinarily difficult for companies to pay individuals. Supposedly to stop fraud and tax, evasion by both sides.

So this in effect requires the Open Source developer to set themselves up as a business or company. Which requires no end of paperwork (think about one day a week if you do it yourself).

But they may not be able to be, due to what is called “tax avoidence” via the likes of “off payrole earning”. Where the tax authority assumes you are acting in what they see as an unlawful manner.

Look up the history of the UK IR35 rules[1] to see just how bad it is.

The sick joke of it is large companies are now via the “gig economy” forcing minimum wage earners into “off payrole status” and people like “care assistants” who get payed less than minimum wages because of travel time and not getting anything like the correct amount of travel expenses have been faced with revenue investigations where they could loose everything they own and be made bankrupt so not be able to actually work for several years…

So no “just sending a check” could cause the developer to loose everything they own and be forced into destitution.

[1] UK Inland Revenue press release 35 back in 1999 was in part as a result of “Y2K contractors driving Ferraris at the tax payers expense” nonsense in the Daily Mail and similar “useful idiot” press. Put simply a press campaign had been run against IT Contractors because allegedly they were all charging £2000/hour for a minimum of a day to change eight lines of Cobol or similar, and had flashy cars on expenses parked in their drive ways causing resentment and envy in other British Workers…

The real issue was however was the unfair disparity between companies and their employees in their duties to HM Treasury via the Inland Revenue. Which gave rise to what is called “Off Pay Role Earning” which was seen politically as a major loss to the UK Treasury (it was not, and never realy was). Back then small companies could easily pay less than 20% of gross income in tax, in fact it was not that difficult to end up being owed money by the Inland Revenue via quite reasonable accounting practices. However for an emoloyee on “the pay role” back then if I remember correctly UK National insurance was 20% of an Employee’s annual pay as well as 30% of the same figure for tax upto £27,000 then 40% and so on, so a minimum of 60% of a professional level wage. Along with no ability to have reasonable expenses that small companies and even partnerships got. So IT Consultants were quite sensibly setting themselves up as “small companies” to get equitable treatment with their competitors such as consultants from the “Big Four” accountancy firms, Cap Gemini, Excenture etc, who had been taking the UK government for thousands of millions in ICT contracts and the like (the real drain on HM Treasury, but as they all gave kick-backs to Party Political funds, expeditures as well as lucrative speaking fees etc to individual politicians they were obviously “friends”).

SpaceLifeForm July 27, 2022 5:44 PM

Car Analogy Time

User = car
FLOSS = Freeway
Proprietary = Tollway
Secure working system = Destination

You have two allegedly fast routes. The on-ramps to either appear smooth. The Tollway promises no Toll to enter. The Tollway has lots of convienent on-ramps.

The on-ramp to the Freeway is not convienent, so one may think the Tollway will save time, so you think about the cost-time tradeoff.

But, while both routes may have potholes, there are more accidents on the Tollway impeding movement, and the Tollway has exit ramps closed due to construction. It becomes difficult to exit the Tollway.

There is always a Toll Booth before each exit.

The Tollway is built on poorly graded grounds, whereby flooding can become an issue. You may end up stuck for a long time.

After you enter the Tollway, the Clouds start building.

The FLOSS side roads may be best. You can find alternate routes, and if needed you can turn around.

May not be as fast, but slow and steady may actually get you to your destination sooner than you think. And safer.

You are driving a station wagon full of 9-track tapes.

Clive Robinson July 27, 2022 7:23 PM

@ Bruce, ALL,

Re : Coincidence or causality

Yesterday, I posted[1] to the thread on “Apple Lockdown Mode” and picked up on,

“Most message attachment types other than images are blocked.”

And said,

“Anyone else remember when “images” were a major attack vector?

For various reasons some image formats need a “Turing Complete Engine” that interprets the image file…”

Well one such case was the use of the near universally used image file manipulation package “ImageMagic” half a decade ago,

You will find at the bottom of that article,

“The threat at least in part stems from ImageMagick supporting more than 200 different formats, including nroff (man pages) and postscript.”

Both “nroff” and “postscript” files need a “Turing Complete Engine”(TCE) to process then, as do PDFs and quite a few more other image formats. As you usuallt have little no control over these embeded TCEs they are an ever present security threat in Closed Source “proprietary” code, and a very real pain in Open Source even to “Code Security Experts” because of,

1, Unbounded state “state”.
2, Unconstrained control path / chain loopback.
3, Uncontroled / Unchecked / Unverified file input causing control path change.

All three being security “no no’s” but all most always found with TCE usage.

TCEs are a very powerfull way to do a great deal with very little, in that you can write a quite powerfull interpreter in as little as a hundred lines of C code (ie turn a simple calculator into a Forth like interpreter). Or just import one like the “Tool Control Language”(TCL) of “WiSh Tk/TCL” fame. Or if you are mean and embittered –and who’s not these days– the equivalent of the DDS BASIC interpreter from the “International Obfuscated C Code Contest”(IOCCC) back in 1990. This link,

Provides both the original “obfuscated” DDS BASIC and an unscrambled and readable –by as near ordinary mortal as programers get– version.

Which should let anyone reading who is shall we say a managment type, who has heard of the supposed wonders of “code review” but never actually experienced the futility of them[2] get a feeling for the problems.

My advice as always in this respect is,

“Security is a Quality Process”

Every bit as much as Quality Assurance, in fact way more so. So if you do not treat it as such from the highest organisational levels downwards, then you are going to fail and fail horribly. Usually as you build up a “Tsunami of Technical Debt” you can never ever get out from underneath, and to use the surfing term you will suffer a “wipeout”.

[1] My post of yesterday,

[2] I’ve posted about the futility of “code reviews” in commercial organisations before several times on this blog. But this is the short version,

1, Marketing thus Managment want the best or Star Programers to code new features.
2, For the sake of “check list” testing QA paperwork, Managment need to have “Code Reviews”.
3, Managment want the cost and time and other resource impact of “Code Reviews” to be minimized.
4, Star Programers can be both inventive and “Prima-Donnas”.
5, Star Programers often resent or hate “Code Reviews”.
6, Programers asgined to “Code Reviews” are usually not Star programers and often have an entirely different mind set.
7, Code reviewers and Star Programers unfortunately often have poor relationships boardering on antagonistic.

All of which can result in some Star programers being “too inventive” for their own good, and deliberately writing code that is either to difficult to understand clearly or to hide things “to get one over” on Managment or Code Reviewers.

If you think you might have such an issue in your organisation, it often shows up in “bug track” systems where bugs get closed but not fixed with no, or very terse comment.

Clive Robinson July 27, 2022 9:57 PM

@ Arclight, ALL,

Re : “send them a check”

I’m sorry it looks like I’m picking on you I’m not.

But you could say it is your own fault 😉

By raising a very serious point, that has vexed many for quite some time, with neither easy or obvious solution. With vested interests and Governments not wanting it solved for many reasons some of which are far from obvious and from a personal privacy point of view of ordinary citizens quite scary.

Behind it is the deliberately pushed notion that people who are driven to “make a better world for others” are some how “communists” or “mentaly abnormal” or as once described by a saliva ejectulating MicroSoft No2 as “a cancer”.

Their hard work and basic ultruism to make what others glibly describe as a “public good” has due to that pushed notion some quite serious down sides, even for those who have some degree of fame in the broader community.

For instance in the US you have Eric S. Raymond writing,

It shows another facet of the problem, Open Source developers who do infrustructure or core work are often virtualy unknown and for various reasons sometimes not even employed and thus effectively living a “non existance”. Thus in the US do not get Health Care, Pension, or even a real bricks and morter roof over their head. Or even at the end of the day any certainty of even getting food on the table if they even have one…

In short some live a third world existance in a first world economy.

As such these people would not be able to “cash a cheque” because they do not meet the minimum requirement for a US Bank account.

Yet what they do with meager often non existant support or resources often supports the online world for hundreds of millions of people daily. With those who most abuse them profiting greatly.

But what happens when one has had enough of such abuse and says enough, and quite lawfully withdraws their “Intellectual Property”(IP), from an abusers grasp?

They get vilified abd treated like criminals for asserting their legal abd moral rights… As the left-pad writer found when he withdrew his IP from the now known to be highly dubuous NPM registry run by Isaac Schlueter as a personal fiefdom not what it he pretends it to be which is a “public infrastructure utility”.

No doubt the Node.js community will eventually wake up to the fact that Isaac Schlueter “has form”[1] and as such is not a fit and propper person to run such a registry. Thus consign NPM to the scrapheap along with the not immediately obvious plans of his venture capital backers to seize control of all the Node.js developers IP as well as turn Node.js into their private and thus profitable “walled garden” where they can control and dictate Node.js future…


anon July 27, 2022 10:32 PM


That first paragraph does not bode well,

“Open source is at least as important to the economy, public services, and national >security as proprietary code, but it lacks the same standards and safeguards.”

Whilst the first part of that statment is as true as it is for commercial >“proprietary” or closed source code, the second part is at best an incorrect >assumption.

When you aquire closed source code which proprietary code mainly is, you have nothing >to verify the standards to which it was developed or the safeguards that it may have.

This is untrue. If I pick Microsoft Windows software as an example, I’ve seen the box of microfische that was the Microsoft Windows source code while employed at a company that was only a customer of Microsoft (not a partner or dev shop). That wasn’t the only box of OS source code in our data center. We had source code for several versions of AT&T Unix and other OSes.

If anyone in the IT department, and we had about 100 staff, needed to know how Windows or Unix or another OS behaved, they could look it up and examine the code themselves.

I don’t know how much that box of code cost the company, but it had NDAs attached and whilte it was probably quite expensive it was likely only worth about 5 minutes of production downtime.

JonKnowsNothing July 28, 2022 1:26 AM

@Clive, @Arclight

re: To set themselves up as a business or company

In the USA, each state has it’s own business rules and there are Federal Government business rules too. Additionally, local counties and cities may have business rules too.

Years past in the rear view mirror, setting up a “computer business” wasn’t too difficult provided you earned enough business income to cover the extra costs.

Generically: You can be “self employed” or a “corporation”.

It’s now rare for companies to hire a direct self-employed person, even in the gig economy were workers are classified as such. There are legal reasons being fought out within the definition of “gig workers” vs “temp workers” vs “contract workers” vs “employees full time, part time, seasonal, on call”.

The other side is to build a small corporations, although if you are so inclined to become the next tech behemoth you can plan for The Big Corp. The Federal Tax code allows some small corporate businesses to use tax definitions as if they were just “self employed”. This is a simplification and it’s more complicated that that. It does impact the types of tax reports you have to file and the legal status of the corporation (see Delaware, Nevada, as Tax Avoidance States).

Example: In California a minimum of $800/year is due. Other states might be $400-$500.

There are City Business License fees from $25-$1,000 or more. And restrictions such as not storing inventory in your garage. Not having more than n-deliveries or n-package pickups per day .

County restrictions may not allow any business in a zone. Ag-Exclusive zones can have Ag Business but not Hi-Tech anything (no store, no tech mfg, no workshop).

There maybe restrictions on the number of vehicles: unlimited tractors but no parking for more than 2 cars + 1 handicap spot.

It ain’t easy to run a one person shop and still complete with the staffing agencies. You may get protection and acceptance from a legal engagement contract but lots of potential clients won’t give you to the time of day.

You can pay out thousands of dollars to earn a basic living. You have no security or appearance of security in work. You have to fund your own healthcare and pension. You have to pay lots of taxes and file monthly, quarterly, semi-annual and annual reports to various Local State and Federal Agencies. And any further education or keeping up with the technology courses, comes out of your pocket and costs more in lost work time.

Lots of people still do it.

The average attempts last (iirc badly) 2yrs, 5yrs, 10yrs, 15yrs. Most die before the 5yr mark and often have pledged their homes to get the SBA loan to fund the company so they rejoin the ranks of renters when things crash out. They have also maxed out their credit cards playing the musical chairs credit card game and the which checkbook has a positive balance today quiz.

Mike S July 28, 2022 3:54 AM


blockquote> to support open-source projects “just as much as bridges and roads,”

Given the state of US infrastructure, this doesn’t exactly bode well.

Who? July 28, 2022 5:35 AM

Hopefully FOSS lacks the same standards and safeguards as proprietary code. See, for example, How a management technology forced into billions of computers allows remotely taking control of them by sending an empty authentication string for more than a decade?

Security is a process, not a seal.

Clive Robinson July 28, 2022 5:52 AM

@ JonKnowsNothing, Arclight, ALL,

Re : “send them a check” and “business setup”

With regards,

“… often have pledged their homes to get the SBA loan to fund the company so they rejoin the ranks of renters …”

There are also,

1, The court records
2, The bankruptcy
3, The “forever” debt collectors

To haunt them beyond death.

There used to be a sick one-liner in the UK,

“To poor to die…”

Where the unsaid finish was,

“… can’t aford to be buried.”

But there is another side of course being bankrupt means not only do you have no money, that’s been taken away from you, but also and importantly any assets you had have become the property of others at “fire sale” prices or less.

Many years ago I went out on my own, after I had saved up what I had called,

“Two years drop dead money”.

That is I had enough money to survive for two years paying all my bills etc before I started.

I sent things up in a way such that I protected myself and my assets should things go wrong… So no falling into “loans or leases” or other financial snares and certainly no “business banking”. Part of the making safe had to be changed when later I had to become a part time employee of a company where I did just enough company hours to cover the new Government requirments and so on.

But I decided enough was enough, even though I was “making bank then some”. The Government changes were forcing me to go places I did not want to go. Not least of which but effectively “the final nail” was the rapidly increasing “bovine scat” paperwork being inflicted, took up more and more time. When it got to more than half a weekend every week and then some I realised I had to get others involved to “share the load”. But found that they would add significantly more paperwork, in exchange for only taking some of the paperwork away, and I would have to pay them as well… Then news came of changes to “emoloyee pensions” and it took only a few minutes to work out the enforced liabilities there…

So I shut up shop and “divested” the bits of the business off, ensuring I had paperwork to show the transfers of ownership had not only happened but were legal thus no come back on me, and I walked away into being a full time employee again.

I do however know of people trying to go it alone… One young couple one of whom is the daughter of a veey long time friend live in a van.

With “solar on the roof” an electric bike and trailer for shoping etc, a smokeless “wood burner stove” and gym membership to get clean in and a “Wifi Yagi” antenna on the roof and heavy duty blackout curtains all around and IR cctv and motion sensors covering all sides for security. During the day one has a full time employed job the other is building up a business and working out of “coffee shops”, Pubs/Bars, and Fast Food places even public libraries, university student fascilities and even hospital emergancy waiting rooms. Something that has since Covid lockdown become a lot more, acceptable, and easier.

Why do they do this? Simple to save enough money to build up sufficient money to make a sizable deposit –pay down– to get their own property… They would rather save a few thousand a month rather than “waste it on rent, council tax, utilities”. Plus as one wryly notes,

“If our relationship can survive this nomad existance…”

One thing that did surprise me is that they can get their van to the top floor in multi-story car parks where the use of a couple of traffic cones and yellow tape alows them to lay out extra solar pannels out of sight of CCTV etc[1]. Oh and visits to certain cemeteries, alows discreet connection to a mains water supply and drains so they can flush out foul tanks and fill clean tanks and even do some laundry[2].

Whilst living that way is not common in the UK yet, I gather it is becoming increasingly so in the US.

[1] One thing they have got that made me smile as it took me back to my days of “technical van squatting” on “contractor jobs” was you can get signs made up that use magnets to stick to not just the sides but top of the vehicle (the ones at the sides usefully covering windows but let some light in). Also bright orange and yellow work over clothes that are water proof and several “over vests” with logos etc. As the lassy notes “We do have some strange things under the bed, but it’s cosy”…

[2] Laundry takes a lot of water… 4UK/5US gallons –15-20 liters– will do about a weeks socks and underware for one or two people, the same again for tee/golf shirts night ware, and the same again for casual trousers. So even with using one loads “first&second rinse” as the next loads “pre&wash” you are still looking at 40-80 liters of water per person per week. One way to do this is from clean river / stream water which you then filter which can also help with reusing water for toilet flushing etc. You can easily filter with the multiple bag filter technique, starting with a loose weave you filter out crud in successive steps each taking out finer and finer particles getting down to “millbank bag” style makes it almost clean enough to drink safely… However a two step active charcoal and then hollow fiber, reverse osmotic, or ceramic, makes it as safely drinkable as tap water. I’m told that pump and filter systems used by exotic fish keepers can turn dark urine into safe drinking water likewise dish/laundry/washup water… I’ve never tried it and for some strange reason don’t ever envisage me doing so… 😉

Winter July 28, 2022 9:45 AM


There is always a certain amount of drudge in any job but “golden handcuffs” apply when there is some perk of the job for which you cannot leave (continuing healthcare)

Company health care are the cuffs. But then they vote out universal healthcare because they do not want to be free^h^h^h^h^h^h^h^h “Keep your government hands off my Medicare”.


Henrik Holst August 24, 2022 11:57 AM

@anon: “This is untrue. If I pick Microsoft Windows software as an example, I’ve seen the box of microfische that was the Microsoft Windows source code while employed at a company that was only a customer of Microsoft (not a partner or dev shop).”

— What you had access to there was the Microsoft Shared Source Program which was the source of some parts of some versions of Windows. It was mostly drivers and not enough to even build a single version of the Windows Kernel.

Petre Peter June 23, 2023 2:46 PM

You expressly acknowledge that if failure or damage to Apple hardware results from modification of the Open Source Components of the Apple Software, such failure or damage is excluded from the terms of the Apple hardware warranty.

Leon Theremin June 26, 2023 1:36 AM

There will be no computing freedom until the silicon trojans embedded in all US designed CPUs are removed. Open Source software won’t matter for security and safety if it is running on insecure hardware.

If you want freedom, you will have to ensure that no unseen radiation is enabling remote control of your devices.

Ask me anything about BadBIOS and hardware trojans.

Winter June 26, 2023 2:14 AM


There will be no computing freedom until the silicon trojans embedded in all US designed CPUs are removed.

Which will leave us with the trojans embedded by/in other countries. Why limit this to the US?

Btw, the trojans are embedded in the compilers that generate the layout. This is likely a Trusted Trust attack on the hardware.



Clive Robinson June 26, 2023 6:21 AM

@ Winter, Leon Theremin, ALL,

Re : Trust Chain.

“Which will leave us with the trojans embedded by/in other countries. Why limit this to the US?”

Remember that it’s not countries or the companies/corporates that work in them but individuals who betray the trust chain.

It’s why Ken Thompson was able to come up with his speach on the “Trusting Trust Attack” and how it was implemented.

But the attack was just one of thousands that could have been implemented at any and all levels of the computing stack. From the lowest level physics of a “bubbling up attack” to the highest legislational level of international treaties.

Years ago on this blog I pointed out that the order of technical attacks I would follow if I was the likes of one of the Five Eyes SigInt agencies was,

1, Systems
2, Protocols
3, Standards

I also noted that I would attack sources of entropy by which the “Roots of Trust” were selected.

In time all these were shown to be targeted by the NSA, GCHQ etc, and we assume by every other SigInt Agency that has or will obtain access to people who work with the trust chain.

I also pointed out in conversations with @Nick P how defective “code signing” was –and by the way still is– and how it could be attacked, again by people acting allegedly for a Chinese / Iranian / North Korean / Russian / etc agency.

On initially hearing about security researcher Dragos Ruiu’s problem back shortly after the Ed Snowden Revelations it took me about thirty seconds to work out how I would go about it. As a hardware engineer I knew all about the hole in the design of IBM PC’s that they had copied from the Apple ][ design that I’d “used and abused” since the 1970’s and had tried to implement audio networking. I was not the only one you can see the conversation between @RobertT and myself on this blog detailing it in some depth and Identifing AC97 as the most likely hardware candidate. I also described an experiment I carried out over “the weekend” to prove it worked. You will see quite a few people saying it was not possible… Then two students published their experiment in a corridor paper, and suddenly the whole world and his dog were BadBIOS experts… Did any of those who said it was not possible appologise, of course not, some however did became those instant experts getting in on the “Twilight Barking gigs”.

Also from inovative work I’d carried out in the 1980’s was “Active EmSec” attacks where the use of EM carriers both CW and modulated are used to cause data to be not just taken out from systems, but the flow of programs in systems changed. I pointed out this attack method worked quite well against the likes of Smart Cards, Electronic Wallets, and Pocket Gambling devices back in the 1990’s when the world started getting upset over Smart Cards and power supply related attacks.

The point is not that I’m one of those our host @Bruce pointed out “Think Hinky” but that “Thinking Hinky” is possible because of people and their behaviours and that as things stand you can not stop thrm betraying the trust chain. @RobertT upset one or two here when he pointed out you could hide things in the design of a chip that could not be seen by examining the chip. @Nick P went to some lengths on talking it over as did @figureitout. What @Nick P also noted was the US DoD did some open calls for ways to combat such chip tampering, and then just as it started getting interesting it all went quiet, as did those who had been involved… @Nick P concluded that it was likely that the DoD had hit “pay dirt” in some way and in effect classified it all…

Any way I applied my hinky thinking to the problem in a more general way and finally realised that with the way the computer industry worked due to all the assumptions it was built on there was no way you could stop humans betraying it’s trust chain…

Yes that’s right I’m saying that with the way the fundementals of computers work they can not be trusted. On doing a little research it turns out this was actually known in the early 1930’s before Turing wrote his now famous paper. A very original “thinking hinky” person had written a couple of what to most are incomprehensible papers that shook the assumptions at the foundations of mathmatics. His name Kurt Gödel, and if you have the right sort of mind you can see why the fundementals of computing systems as we currently design and use them can not be trusted.

So I sat on it and thought about the nature of “shifting sands” problems, from the saying about,

“You can not build a castle on shifting sands”

And realised that since Tudor King Henry VIII, and the founding of the first Navy, we had done way better than build castles on treatcherous sand, we had built mobile fortresses on water. It made me realise that you don’t have to trust the foundations you build on, only mitigate the effects of them acting against you.

It was then I remembered an old riddle about two doors and their guards, to walk through one door was death, the other life and freedom. You were alowed to ask just one question to either of the guards, knowing that one only told the truth and the other only lied but you had no idea which was which.

The answer is to ask one guard what the other guard would indicate was the door of life, knowing that which ever guard you asked you would be given the death door, so you should walk through the other.

It’s the basis of binary sequential logic and a variation of it to non binary systems gave rise to voting protocols used in high reliability and intrinsically safe, and fail safe systems. Importantly it’s sufficiently fundemental it can be applied to all computer security and those pesky human problems of betraying trust chains.

Importantly I realised that humans had come up with ways to get usefull work out of untrusted people whilst also preventing them attacking the trust chain. We call them prisons and the original work was picking tared hemp rope in their cells to make the fibers used for caulking the seams of wooden ships to make then water tight.

Further the work of Jeremy Bentham on prisons, and how to make them efficient as the “Panoptican”.

Throw in a little more thinking and the idea behind “Castle’s v Prisons” or as @Wael ended up calling it C-v-P then just CvP came into being and from there “Probabilistic Security”.

In effect you split any computing function down into very small “picking hemp” tasks and put each one in a very resource limited prison cell monitored by a guard that is only a fully quantified “state machine” and not a “Turing Machine” thus side steping the issue that Kurt Gödel had pointed out.

But each task is done multiple times in parallel by different cells independent of each other and you use voting protocols to look for any sign of betrayal.

Whilst it’s not impossible to attack such a system, you can make the probability it will be detected arbitarily high. Thus catch it before real damage can be done.

I’ve described the ideas in some depth towards the ends of many threads of this blog. As @Toth pointed out one day, some academics in the UK (call out to George Danezis at UCL[1]) have taken the ideas without acknowledgment and started building a business around them using ironically “smart cards”…

[1] George Danezis has a taste for “taking ideas” and in effect claiming them and then turning them into “start-ups” to get rich. Not an original idea but people do spot it going on and tell the originators of the ideas… It’s just further proof that “trusting trust systems” will always be not just abused but with good probability be detected…

Winter June 26, 2023 6:55 AM


Did any of those who said it was not possible appologise, of course not,

On the internet, who ever does apologize for being wrong? [1]

[1] My position is, that if you never can be wrong, you will never be right.
A broken clock is not right twice a day. A broken clock will never tell you the right time, because you will never know the right time from it.

Clive Robinson June 26, 2023 8:33 AM

@ Winter,

“On the internet, who ever does apologize for being wrong?”

Some do, you can find evidence to that in this blogs pages.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.