Market Forces and Open Hardware
#1
Let's not forget how the OSI Model lost out to TCP/IP model, because market forces went gnu linux -- cheaper to pay a geek to configure the license-free software than to pay for proprietary licensing.  The market forces ruled the day.

Today, Risc-V has different licensing model than NVidia... how do we know which horse to back?  I read the thread where avid pine64 supporters make a few valid criticisms of risc-v:  just cause cpu is open, doesn't mean manufacturer will have all open components (but that's true of arm too), or that a downstream manufacturer can modify it, and then sell the modified version without open sourcing (well NVidia is already selling arm licenses, so this isn't any worse); or that it's riding the wave of open source popularity (That really isn't technical criticism at all, and sounds like something to say when you don't have any criticism).

Perhaps, in addition to being open, the Risc-V ISA may be better from assembly programmers' pov, if it is more elegantly organized and therefore simpler.
I see that pine64 has a risc-v soldering pinecil already using RiscV (but out-of-stock, of course--this "of course" is a bad rep to have in a market driven world.

I think that finding open hardware, installing linux, creating safe firewall, connecting to openvpn, etc,  is too complicated for the average family.  So I want to do it for them.  My end game is provisioning my local home school community with open-hardware devices running slackware ported to the architecture of said devices, connecting to openvpn, and running services that help the community collaborate safely, and which protect the students from inappropriate content.  And I'm getting older and don't want to wait.  The students are not adequately protected with what they are currently using, and they're getting older too quickly.  (I overheard a five year old talking to his mom's android phone:  "Is the tooth fairy real?"  -- that child needs safe results, or s/he's gonna grow up too fast)

Market forces do play  a factor, such that whichever open hardware  provider gets a product widely available (and not just for developers, and sneak previews) first will get the market share, from developers like me waiting to do stuff with it.  Pine64's "out of stock" thing is admirable from the point of view of keeping pinebook pros affordable--but if last year changed the law of supply and demand, I would prefer that pine64 outbid the competition on lots of 1080 pixel lcds, and keep production going, even if it meant raising the price.  That way, the community can survive.  I've heard lots of demands here for empathy for the developers and the non-profit nature of pine64 -- and I have it, and will be feeling for them if my dollar goes another way because that other way meets my end game first. 

But there's also a certain level of professionalism expected of any organization:  why have this contact page, if emails to sales@pine64.org won't receive responses (not even an auto-response)?  Lack of responses, even during shortages of lcds, will turn developers and prospective assets to the pine64 community away.  

Thus, let's not repeat OSI Model's quest for perfection, because, as they learned, the market doesn't wait.  I'm pretty sensitive.  I think pine64 needs a wakeup call , and this is it.
  Reply
#2
> I think that finding open hardware, installing linux, creating safe firewall, connecting to openvpn, etc, is too complicated for the average family. So I want to do it for them. My end game is provisioning my local home school community with open-hardware devices running slackware ported to the architecture of said devices, connecting to openvpn, and running services that help the community collaborate safely, and which protect the students from inappropriate content.

Go with what currently suites your needs then, rather than waiting out for something that may or may not be there in the future.

Honestly it doesn't sound like you local home school community need ARM/RISC-V and could make do with almost any system running Linux? The problems you describe are purely software. In which case I would suggest the second-hand computer market is the place to go for performance per currency. If for some reason they do need an SBC for example (say for twiddling a GPIO pin), then go with something like the Pine64 A64 which will have decent LTS and already is pretty well supported.

> Lack of responses, even during shortages of lcds, will turn developers and prospective assets to the pine64 community away.

When a resource has been depleted, an old company I used to work with would just take their phones off the hooks. Dealing with a million "when will it be ready" questions helps nobody, especially when you don't have a good answer to give.

> Thus, let's not repeat OSI Model's quest for perfection, because, as they learned, the market doesn't wait.

I think Pine are not trying to achieve perfection - they would be forever trying to chase this. They get as close as they can with reasonable effort. The first version of the PinePhone for example required lots of mods to get the functionality working correctly.

The problem they currently have is in sourcing a large number of cheap LCD panels to deliver the devices at the prices people expect. Even if they were willing to pay more, manufacturers are going to favour larger customers with larger orders. The reason there isn't many cheap LCD panels is because the more expensive panels are also in short supply. Changing the type of panel could require changing the driver and increases risk of DOA devices without extensive testing. There is no easy way out of this.

This components shortage is only going to get worse too - they were only just about keeping up with demand before the pandemic (I think it increases something like 20% year on year), it's actually not yet clear they can even recover by the end of the year. You're competing with industries that are willing to pay whatever it takes to get their product out the door (automotive, mobile, etc).
  Reply
#3
I want to do everything I can with hardware that is acquirable to protect the community's privacy as best as I can keep up with:  and risc-v cpus are not vulnerable to meltdown or spectre, which received enough media attention that some of our parents are aware of these vulnerabilities.  I've read that the linux kernel mitigations are inadequate.  I think the parents would feel more assured using and supporting open hardware on cpus that weren't susceptible to these manufacture oversights, or whatever they were that caused the vulnerabilities; it's not like cpu manufacturers earned the public's trust by disclosing the exploits:  they had to be warned by independent researchers, making the public wonder if they knew they were there the entire time. 

So 20% increase was last year -- the demand for open hardware is growing exponentially.  Unless pine64 was designed for scalability, so it can grow exponentially too, there's no way it can keep up with the demand for open hardware.  That's why I think it should raise its prices.  Low Supply High Demand = supplier raises price. 

It's common sense that simpler equations are easier to work with: if Risc-V ISA is is a simpler equation, then there's less complexity for exploits to hide in.  Risc-v sneak previews are in june, and mass production in september  .

I had some neo freerunners before android, and was sickened to see how money backed android left neomoko in the dust... and now I'm excited about pinephones and hope history doesn't repeat itself. 

An automatic email response when someone sends an email to sales@pine64.com, and mailing list to notify interested parties when devices are back in stock  -- together that solution is kinder than taking the phone off the hook.  (I've taken my phone off its hook plenty though, and understand:  it's pressure; stress; and I've got a deadline to meet, and don't need the phone distracting me from my work...)  And I like the work coming from pine64:  I have pinebook pro and pinephone usbports--pine64 stepped up to the plate to try and fill this demand for open hardware...

But the market will follow availability.  Some company will poor money into open hardware phone and get it into high production; their new phone will get the market share, because it could keep up with the exponential demand; and then pinephones can join the museum alongside the freerunners.  I hope that doesn't happen.
  Reply
#4
> I think the parents would feel more assured using and supporting open hardware on cpus that weren't susceptible to these manufacture oversights, or whatever they were that caused the vulnerabilities; it's not like cpu manufacturers earned the public's trust by disclosing the exploits: they had to be warned by independent researchers, making the public wonder if they knew they were there the entire time.

These are some ultra security concerned parents! I suggest that the security mitigations for AMD64 are pretty good, given the amount of eyes over them and automated testing for checking for their existence. There are still attacks like rowhammer that essentially don't really have any mitigation techniques.

> That's why I think it should raise its prices. Low Supply High Demand = supplier raises price.

Raise the prices and lose the hacker community. The low-price is exactly what puts these devices into the hands of hackers.

> But the market will follow availability. Some company will poor money into open hardware phone and get it into high production; their new phone will get the market share, because it could keep up with the exponential demand; and then pinephones can join the museum alongside the freerunners. I hope that doesn't happen.

I think generally the devices are available to those who wish to develop them. Bare in mind most of these devices are still far from a finished product. The PinePhone for example is still really lacking any daily-usable OS (although it gets close). These devices are simply not yet ready for mainstream adoption and might not ever be.
  Reply
#5
(03-07-2021, 11:30 PM)barray Wrote: These are some ultra security concerned parents!

Yes Indeed: our home school group is located in Eugene Oregon, the heart of utlra security concerned parents.   And rightly so, because the following is a philosophical fact: 

Privacy is essential; privacy provides a checks-and-balance to authoritarians, autocrats, and tyrants; anytime a political climate becomes too hostile for humanity, insurrection was made possible because the insurrectionists had private spaces to plot; privacy is essential for human dignity, because nobody is dignified all the time, and we need private bubbles where we can rant and rave like lunatics.

If I am driving around in my car, and I hear some news on the radio about a policy decision I disagree with, I would like to be able to cuss and curse, and say I'm gonna blow stuff up, and assassinate my leaders, in my own harmless undignified rage that I don't think anybody will ever see or hear. Private bubbles are healthy.

We are moving towards a direction where I have to be politically perfect around all my devices, less some national security algorithm detect threatening key words in my harmless maniacal rage, and agents disguised as health officials declare I have whichever virus is going around at the time, and I disappear in quarantined isolation from which I never return:  I don't know how many other concerned parents noticed that the lockdown protocols that were just established around the world in the name of public health, could also be used to quietly eliminate political targets!

I think these parents are correct to be concerned.  I want to create nation-state-proof level of private communication devices simply to defend privacy as a basic human right and need.  

> "The low-price is exactly what puts these devices into the hands of hackers. "

That should read in the past tense, as it is not putting any devices into any hands this year--which is my point.  What if the prices on lcds never return to what they once were?  $300 is still a low price.  You can always lower the price back to what it was, if the market returns to what it was.

>"These devices are simply not yet ready for mainstream adoption and might not ever be"

That's why I have to provision them first for my home-school community.  And, our parents would feel insulted if I ever called them "mainsteam" -- they would be happy to use devices I hacked together.  Unfortunately I was a late bloomer to linux and didn't make it my primary OS until 2006, however, even at that late stage, there were still quirks to work out on most installs:  something wouldn't work --sound, x11, printing, etc., and each install was like a little puzzle that I enjoyed solving.  Now linux installs easier than windows, and everything works (on x86).  But when we get to these pine64 devices, it's like the old days again:  fun puzzles.  My ten-year-old son loves his pinebook, and has no trouble using it, after I set it up for him.  It would be the same for the homeschool families.

These devices, after configured by developer, are ready for alternative adoption -- or at least they could be, if there were being produced...   I represent a unique set of alternative parents who are not infected with consumerism:  however, I agree that these devices might not ever be ready for your average consumer who will want a refund for every glitch, of which this world has too many. 

> "I think generally the devices are available to those who wish to develop them"

I want to develop them:  and they've been "out of stock" for months, which is why I'm bickering here... (sorry about that...) I have other puzzles to go and solve.  Peace.
  Reply
#6
> "I suggest that the security mitigations for AMD64 are pretty good, given the amount of eyes over them and automated testing for checking for their existence. There are still attacks like rowhammer that essentially don't really have any mitigation techniques"

Row Hammer was a good one to mention: I don't think risc-v has anything to do with it, as it targets the dram, and I suppose the risc-v beagle will have dram too... maybe risc-v with sram would be super secure--but sram chips seem to be measured in KB, and a MB chip is a huge one; 500 hundred of those would sure take up space and dinero...

You're right about low price -- I go through laptops like boots: lucky to get a couple of years out of em; I stopped using expensive laptops as soon as I was old enough to have to buy my own -- currently on $200 boxstore lenovo ideapad with amd hybrid cpu/gpu -- Don't need expensive laptops, because if I need to compile a linux kernel, or qt5, I can rent cloud resources by the minute: provision a linode with 64cpus, do the work, save the binary, and then delete the linode only having paid a few cents per minute--and when I do that, I have more processing cores than any expensive laptop... cloud virtualization really changed the game Smile
  Reply
#7
I understand your want for privacy and security, support it even, but it's unclear what your threat model is. If it's to simply stop state actors spying on you using some commercial device (think Amazon Ring sending data to the police) - then it should be enough to run an open source device.

The thing about these processor bugs you see with Intel and AMD is that they have been tested thoroughly - I would argue that ARM and RISC-V is yet to be put through the same level of testing. For example, has anybody done even basic instruction fuzzing on these platforms? I've not seen the work done... I would suggest security researchers checkout big-little cores specifically, there is some really crazy memory sharing going on there that could be abused.

> That should read in the past tense, as it is not putting any devices into any hands this year--which is my point. What if the prices on lcds never return to what they once were? $300 is still a low price. You can always lower the price back to what it was, if the market returns to what it was.

There is still an availability problem at any price at the moment. The low-volume orders Pine have are also a problem. Some factories won't even entertain them.

> Now linux installs easier than windows, and everything works (on x86).

After screwing around trying to get Windows 10 to install on a new laptop, I have to agree. I even installed Linux onto it in about 15 minutes to test the hardware was actually working correctly.

> I represent a unique set of alternative parents who are not infected with consumerism: however, I agree that these devices might not ever be ready for your average consumer who will want a refund for every glitch, of which this world has too many.

I think you find yourself in an even more fringe group than the hacker community then.

> Row Hammer was a good one to mention: I don't think risc-v has anything to do with it, as it targets the dram, and I suppose the risc-v beagle will have dram too... maybe risc-v with sram would be super secure--but sram chips seem to be measured in KB, and a MB chip is a huge one; 500 hundred of those would sure take up space and dinero...

If the memory is tightly packed, you're going to get electron leakage - only way out is ECC. It's really memory sharing that caused all this Spectre and Meltdown issues anyway. I expect before the end of the year somebody discovers a flaw in AMD's infini-fabric. I was reading something yesterday about how it's theoretically possible to bypass CPU ring protection too.

> currently on $200 boxstore lenovo ideapad with amd hybrid cpu/gpu

Not so sure about your threat model, Lenovo laptops have been caught shipping with Malware: https://www.makeuseof.com/tag/now-three-...o-laptops/
  Reply
#8
Lenovo too... yikes.

Threat Model :  Within the VPN, on homeschool group's intranet (just inward facing httpd accessible from vpn ips, but not from public ips), we want to host custom software for our group that lets us vote on our group's policies.  This software is just postgesql backing https.  I use lisp, so the application server is actually hunchentoot, using postmodern to connect to postgres...  There's a windows guy that knows some java in our group:  we don't get along that well; but his device would have a tunnel to the openvpn intranet, and so I have to consider internal threats as well as external.  Externally, I think our parents are more worried about creeps spying on their daughters than amazon ringing law enforcement; other than protecting our "election app,"  I mainly want to protect privacy on principle.  When I hear of a threat, I want to mitigate it to the best of my ability.  I guess there isn't a way to completely harden any app; I just want to do my best, and know that it's more protection than we had before, using our lenovos, and apples, androids, and the full gambit of what they've got now. 

As far as my lenovo:  I ran windows on it for a couple of hours when I first got it, to give it the most recent bios update before wiping it (with dd if=/urandom) and installing luks+lvm and then linux.  Here's what it's neofetch says: 

Code:
:::::::                      papa@papaz.example.com
            :::::::::::::::::::                -------------------------
        :::::::::::::::::::::::::            OS: Slackware 14.2 x86_64 (post 14.2 -current) x86_64
      ::::::::cllcccccllllllll::::::          Host: 80ST Lenovo ideapad 310-15ABR
    :::::::::lc              dc:::::::        Kernel: 5.10.20
  ::::::::cl  clllccllll    oc:::::::::      Uptime: 3 days, 1 hour, 20 mins
  :::::::::o  lc::::::::co  oc::::::::::    Packages: 1825 (pkgtool)
::::::::::o    cccclc:::::clcc::::::::::::    Shell: zsh 5.8
:::::::::::lc        cclccclc:::::::::::::    Resolution: 1366x768, 1920x1080
::::::::::::::lcclcc          lc::::::::::::  WM: stumpwm
::::::::::cclcc:::::lccclc    oc:::::::::::  Theme: Breeze [GTK2/3]
::::::::::o    l::::::::::l    lc:::::::::::  Icons: breeze [GTK2/3]
:::::cll:o    clcllcccll    o:::::::::::    Terminal: xfce4-terminal
:::::occ:o                  clc:::::::::::    Terminal Font: Monospace 12
  ::::ocl:ccslclccclclccclclc:::::::::::::    CPU: AMD A12-9700P RADEON R7 4C+6G (4) @ 2.500GHz
  :::oclcccccccccccccllllllllllllll:::::      GPU: AMD ATI Radeon R5/R6/R7 Graphics
    ::lcc1lcccccccccccccccccccccccco::::      Memory: 1765MiB / 11427MiB
      ::::::::::::::::::::::::::::::::
        ::::::::::::::::::::::::::::                                 
          ::::::::::::::::::::::                                     
                ::::::::::::

It's nearing its EOL, and I'm hunting something safe and cheap.  Them System76s are pricey, but at they do have good rep as far as integrity -- I don't think they're installing spyware... Do you have any other recommendations as far as reputable manufacturers with minimized blobs?
  Reply
#9
I'm still not sure I understand your threat model... This is what I think I understand:

1. You expect some external actor to be "spying on their daughters" - who?

2. "There's a windows guy" - so actors in your network with closed-binary devices?

3. "I mainly want to protect privacy on principle." - against? Advertisers, state actors?

Without really understanding exactly who you are protecting your system from, it is hard to coherently build a threat model. Of course some state actor with near infinite resources is one of the more tougher attackers to fend off, with script kiddies being among the easiest.

> It's nearing its EOL, and I'm hunting something safe and cheap.

Honestly if you are running Linux and it's up-to-date, don't worry so much.

> Them System76s are pricey, but at they do have good rep as far as integrity -- I don't think they're installing spyware...

Sure, I think they even disabled Intel ME (security engine). What you say about price kind of brings about my original point on the Pine range though...

> Do you have any other recommendations as far as reputable manufacturers with minimized blobs?

Not without knowing exactly who you are fending your system from. If you assume some state actor might be adding backdoors into binary blobs, your options become much more limited.

Your biggest problem is of course networking, so I would be looking at a decent firewall that can do some threat detection - as well as open-source WiFi/networking stacks. This is kind of what the PineCone Nutcracker project is all about.
  Reply
#10
Yay, the store supplied some more pinebook pros and pine phones, and the parents are tuned in to ordering them with me as the shipping recipient. 

To answer more of the questions :

>>> You expect some external actor to be "spying on their daughters" - who?

Expect is a strong word, like we'd be disappointed if we were wrong... it's more like "fearing the possibility of" rather than full on expectations...
Who?  Well, potential employees of internet service providers, the script kiddies, and the nation states:  all of the above.  The first two are more where the parents anxieties are, in regards to people spying on their children.

With nation states, however, the concern is more about spying on beliefs in a country where there is supposedly freedom of both speech and religion.

The century from 1936-2036 is tasked with an enormous responsibility:  the emergence of computer science and its relationships to humanity and ethics.  We're the first century of programmers, and we are building a foundation for future centuries, as always.  IMHO, it is important to consider the human right implications of every line of code.  It's not just important:  it's like a duty to posterity.  Its difficult enough for an individual to change an unhealthy habit, like excessive tobacco consumption--but it's even harder for a society to change an unhealthy custom, like  racism, the pecking disorder, or excessive consumerism.  Since computer science is relatively new and still in its first century, then we have a responsibility towards shaping its custom. 

In my home, behind close doors, I want to be able to say anything that strikes my fancy, without fear of state-level consequences.  I want to rant like a lunatic and scream insanities.  And I do.  I don't think we've degraded quite that low yet... but we're heading that direction... 2020 saw paid political agitators in the streets; peaceful protestors abducted off the streets by private mercenaries:  how long before the private mercenaries respond to belief system data collected by technological devices?  Wait.  I recant my former statement:  in fact, we have degraded that low. Consider how Dakota Access, LLC, hired TigerSwan for "pipeline security", and how Tigerswan used surveillance with support of local law authorities, to target, follow, and imprison people whose crime was caring about the purity of drinking water. 

Is TigerSwan a nation state?  No, its a corporation that get's hired by other corporations to do dirty work (bully and intimidate)... this is the exact type of entity that human beings need privacy protection from. 

Supposedly there is something called "freedom of speech" -- but encryption of hamm radio internet in USA is considered terrorism...  Protecting one's family from terrorism is considered terrorism... This is terrible. 

My vote is the most powerful thing given to me by my country:  powerful enough that elections get "interfered with".  Rival political opponents may have the cash to employ firms like TigerSwan.  

Since arranging face-to-face gatherings is more complicated than ever before (due to covid-19), the privacy of technological communication channels is more paramount than ever before. 

Without private technological channels for political discourse, democracy is doomed. 

So yes... lets nutracker.  Let's use sram instead of dram.  Let's build encrypted text-only low-bandwidth gopher networks that work on hamm radio, and use them in countries where such is still legal... 

And regardless of how they say we'll use the private technology space to traffic drugs and children and every other horrible thing you can think of to get you to vote it away... please know that you privately solidifying justified resistance is what they really fear, and the real motivations behind prohibition of encrypted p2p networks in usa...  I think we will have to find other ways to thwart those horrible things--because taking away privacy is just as horrible.

So that's my threat model.  There are currently no devices on the shelves of stores that can save us.  But at least there are open hardware manufacturers and it seems we are moving in the right direction.  Thanks pine64 for listening to your community of developers.    At least there's kill switches.  That row hammer though... seems like all is lost...

I'm glad the supply chain issues were worked out enough that some units got shipped out (restores the faith that market forces aren't wiping out pine64!) 

Cheers.  Despite all the TigerSwans, and the people who believe in such tactics, I still choose to be cheery, and keep the peace by practicing it...
  Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Open source NAS dillema harc 2 291 10-07-2024, 10:21 AM
Last Post: tophneal
  Enhancing Privacy with additional hardware killswitches Substing 2 773 07-25-2024, 07:49 PM
Last Post: Kevin Kofler
  cable modem open source aular 4 1,263 05-15-2024, 07:26 PM
Last Post: aular
  cable modem open source aular 0 596 04-26-2024, 09:22 PM
Last Post: aular
  hardware updates ??? aular 0 758 03-05-2024, 08:28 PM
Last Post: aular
  Cryptocurrency payment option and Pine hardware wallet, any thoughts? ohuw67 11 11,844 03-03-2023, 01:18 AM
Last Post: user641
Exclamation More hardware that needs killswitches HulaHoop 0 1,657 11-17-2022, 06:56 AM
Last Post: HulaHoop
  Does the pinephone have hardware kill switches located on the outside of the phone? unix21311 2 2,482 10-03-2022, 05:53 AM
Last Post: unix21311
  Pine64 Working on RISC-V Hardware! ImmyChan 0 1,268 07-04-2022, 02:32 PM
Last Post: ImmyChan
  Pine64 quality of the hardware support : the PinePhone case Gribouille 7 5,960 10-07-2021, 11:26 AM
Last Post: ypd

Forum Jump:


Users browsing this thread: 1 Guest(s)