
A Dreadful Toolkit- Miscellaneous Notes on Computers and Opsec (Chapter 2, Part 1)

TyperTech

Electric Sheep by Other Names

Computers 101 for the Opsec Student

It would be cruel to write a guide subtitled "Miscellaneous Notes on Computers and Opsec" without writing about computers and opsec, so- if you're following this guide in order from the index linked at the top of this post- let's turn to the missing part of that now.

What exactly is a "computer" though? You probably think of a desktop setup or a laptop when you hear the word, but even then 2-in-1 devices suggest the boundaries aren't that clearly defined. Do the boxes crammed together in buildings finding your cat videos and suggesting new ones count? What about modern microwaves or those stupidly annoying robots called Furbies? They have microchips in them. Are you a computer- and if so, do you have any tips on how to pass the captcha that everyone loves to hate?

After thinking about these cases for a while, it seems most useful to use a dictionary definition¹⁰ with some slight modifications and take a computer to be

a device that stores, retrieves, and processes data by executing programs, which can be added through external inputs while running, in a consistent manner.

That includes desktops and laptops, as well as newer-generation Furbies with their capacity for online updates, servers in data centers (which accept new programs over a network) and- as will come up below- tablets, smartphones, and even some flip-phones. But with no apparent way to use their full programmable capabilities through the buttons, microphones or infrared sensors they offer, older Furbies and most microwaves wouldn't qualify. Neither would humans, purely because of the inconsistency with which we do things. We tire, make mistakes, develop new habits, and take moral stances.

Our Amoral Devices and FOSS

Before even touching on the technical aspects of computing, I want to take a nice opportunity to segue from the end of the last paragraph. Even the quietest and least woolly computers behave like electric sheep, following instructions unquestioningly. Would you hand over a friend's incriminating data to some three-letter agency, or stop doing the thing that keeps a loved one alive because a stranger on another continent asked you to? Even if you did, you would probably feel very uncomfortable and even guilty for doing it. A computer wouldn't though- unless its rules specifically block the instruction, desktops will upload private files to who-knows-where¹² ¹³ and pacemakers will shut off¹¹ without a moment's hesitation. The only "morality" or "common sense" a computer has comes from the people writing the programs it runs. They are the ones who see the bigger picture and assess the ethics of how the software works, before putting their instructions in a format the computer can understand and letting it do the manual labor.

That can become a problem when you and the developers have different views on things. They can't always fleece you of your freedoms or pull the wool over your eyes, but they can tell you to trust them or go pound eggs if they want. Computers don't try and understand things- only follow them step-by-step - so it doesn't matter to them if everything is labeled clearly and neatly arranged or just smashed together like a three-year-old's handwriting with bits and pieces everywhere. If the software is "messed up" before a developer sends it out, though, it makes a big difference to a human who wants to understand what it does and what it's trying to do. If you can't read it, the only option is to accept the developer found any mistakes and made decisions in your best interest at all times.

Enter FOSS, or FLOSS, or open-source software, or free software, or libre software, or... There are many names and some important differences between them, but for opsec the only thing that matters is what they share in common: anyone is allowed to read and modify the code as the developer originally wrote it. You still have to learn some things about computer programming to be able to read it and for various reasons might still want the "messed up" version, but it means you can have someone you trust enforce their moral code and standard of satisfaction that the software works as it's supposed to on the program instead of just relying on the original developer. This is critically important in opsec for mission-critical software in situations where your interests might be opposed to those of the powers that be, so it's always a good idea to look at the license for any software you plan to use in your sensitive setup(s) and reject it if it isn't open source¹⁴. As the next section will show, though, sometimes a trade-off may be necessary.


Software, Firmware, and Hardware

Enter an actual computer. OK, don't actually do that unless you have money to burn and a desire to get hurt, but it might help to look at one. There are two major "parts" of the machine that you've probably heard of: the hardware, which you can throw at the wall in a fit of rage, and the software, which you can't. Both are complex fields many people find interesting. Unless you're a high-profile target across the world, though, only one needs a detailed discussion for opsec purposes.

Software can broadly be classified into three groups. At the top, user-space applications are the most recognizable kind, covering everything from Angry Birds to Microsoft Word and perhaps Angry Words somewhere in between (anybody willing to invest?)¹⁵. You can install new ones easily and remove most of them without much hassle, using them for all sorts of things while they live on your device. There's not much to say about them without subdividing the category yet again, because of how widely varied they can be.

Below them, though, operating systems (or OSes for short) are much tamer. These are the lifeblood that feeds all the many user-space applications you might install, giving them basic functions like accessing the hardware and using files in one clean, friendly bundle.¹⁶ The different ways of doing this sadly make it impossible to take any user-space application and run it regardless of operating system: programs written for Microsoft's Windows can't usually be re-used as-is on Apple's MacOS, nor on any Linux or Unix system, and vice versa. A historical relationship¹⁸ means programs written for MacOS have a better chance of running on the various Linuxes and Unixes, and the Linuxes have even better compatibility among themselves, but the work in "porting" programs from one operating system to another limits the ability of new OSes to spread. There are only two other operating system families worth mentioning, in fact: Apple's iOS (related to MacOS²²) and the Android family (related to the Linuxes¹⁸). All can be installed on devices with a compatible CPU, but the process is more involved than installing a user-space application.

To make things somewhat confusing, OSes usually come with user-space applications pre-installed, and may not allow some of them to be uninstalled. Although some of the choices are debatable or downright terrible, it does make sense- the operating system doesn't do much of interest by itself, it just facilitates user-space applications trying to do those things.

Finally, at the very bottom, firmware just makes hardware work. It's so basic and attached to one specific piece of hardware¹⁷ that it hardly even counts as software at all- often it wouldn't be if building designer microchips wasn't so difficult and expensive. In fact the only reason to mention it here is to discuss the trade-off mentioned in the last section. Open source user-space applications are easy to find for just about anything reasonably common, and there are plenty of open source operating systems, but using only open source firmware limits the options available to a few specialist stores. This is a serious problem given how much power firmware has to see and manipulate your data¹⁹ ²⁰ ²¹, but for the same reason it's a risk only the highest-profile criminals need consider: it usually takes local access or high-level technical ability to exploit firmware (thanks /u/LaplacesDeterminism for pointing out the error here!) and presents a massive PR challenge for the manufacturer, so it's not a common mode of attack.

Still, it's a choice you'll have to make.
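
As an added example (not part of the original post): one way to automate the license check recommended in the FOSS section, and to make the closed-firmware trade-off visible, is to evaluate each package's declared SPDX license expression against an allowlist. The allowlist, the inventory and every package name below are constructed, and uppercase SPDX operators are assumed.

```python
from collections import deque

# Constructed allowlist: a few SPDX identifiers of OSI-approved licenses.
OPEN_SOURCE = {"MIT", "Apache-2.0", "BSD-3-Clause", "MPL-2.0",
               "GPL-2.0-only", "GPL-3.0-or-later"}

def is_open_source(expr):
    """True only if expr parses and can be satisfied by allowlisted licenses."""
    toks = deque(expr.replace("(", " ( ").replace(")", " ) ").split())

    def atom():
        tok = toks.popleft()               # IndexError if the input ends early
        if tok == "(":
            ok = either()
            if toks.popleft() != ")":
                raise ValueError("missing ')'")
            return ok
        if tok in (")", "AND", "OR", "WITH"):
            raise ValueError("operator where a license was expected")
        if toks and toks[0] == "WITH":     # assumed: exceptions only add permissions
            toks.popleft()
            toks.popleft()
        return tok in OPEN_SOURCE
    def chain(op, term, combine):
        results = [term()]
        while toks and toks[0] == op:
            toks.popleft()
            results.append(term())         # parse every term before combining
        return combine(results)
    def both():                            # AND: every listed license binds you
        return chain("AND", atom, all)
    def either():                          # OR: you may pick any one branch
        return chain("OR", both, any)
    try:
        return either() and not toks       # leftover tokens mean a malformed string
    except (IndexError, ValueError):
        return False                       # fail closed on anything unparseable

def rejected(inventory):
    return [name for name, expr in inventory.items() if not is_open_source(expr)]

# Constructed inventory: package name -> declared SPDX license expression.
INVENTORY = {
    "media-player": "GPL-2.0-only OR LicenseRef-Commercial",
    "vpn-client": "Apache-2.0 AND LicenseRef-Proprietary-Blob",
    "jvm-library": "GPL-2.0-only WITH Classpath-exception-2.0",
    "wifi-firmware": "LicenseRef-Vendor-EULA",
    "chat-app": "(MIT OR",
}
```

Calling `rejected(INVENTORY)` lists the packages to drop or to accept knowingly; the firmware entry is the kind of exception the trade-off above is about.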