Suppose you wish to lock down a device purely for the user's benefit, to prevent malicious software and the user accidentally breaking the device, but still permit authorized updates. However, both in the spirit of freedom, and to comply with the GPL version 3, you wish to allow the user to modify the software on the device.
Is this combination of goals realizable? How do you prevent malicious social engineering attacks which trick a user into modifying the device not in their best interest?
Practically, one can nearly accomplish this in the following ways. Avoid the user wanting to modify the device: no DRM! No other stupid shit like uninstallable programs. Provide a mechanism so users can make some modifications safely: user-space code runs in a sandbox that contains malicious behavior, e.g., Dalvik.
For the tinkerers who wish to modify beyond that, an authorization key for one's device is available by mail (not available on impulse: it takes a while to arrive; this thwarts social engineering). But modifications which become popular (and are not malicious) are taken up, signed, and redistributed (by the power of GPL!) by the original device manufacturer, again removing the incentive for the user to request an authorization key.
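The update policy sketched in the two paragraphs above (vendor-signed updates accepted by default, a per-device authorization key that lets the owner sign their own images, nothing else accepted) can be made concrete. The following Go program is an added example, not code from the original post; it assumes Ed25519 signatures, a single vendor key, and an unlock token that the vendor signs over both the device serial and the owner's public key, so a token cannot be replayed on another unit or handed to someone with a different key. The slow-delivery part of the scheme is out-of-band policy and is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the locked-down update policy from the post.
// Assumptions (not from the post): Ed25519 signatures, one vendor key per
// product line, and one per-device unlock token naming the owner's key.
type Device struct {
	Serial    string
	VendorPub ed25519.PublicKey
	OwnerPub  ed25519.PublicKey // nil while the device is still locked
}

var (
	ErrBadSignature = errors.New("image signature does not verify against any trusted key")
	ErrBadToken     = errors.New("unlock token is not valid for this device and owner key")
)

// NewDevice returns a factory-fresh device that trusts only the vendor key.
func NewDevice(serial string, vendorPub ed25519.PublicKey) *Device {
	return &Device{Serial: serial, VendorPub: vendorPub}
}

// unlockMessage is what the vendor signs to authorize one owner key on one
// serial. Binding both means a token is useless on any other unit and
// cannot be passed to a third party who holds a different key.
func unlockMessage(serial string, ownerPub ed25519.PublicKey) []byte {
	msg := []byte("unlock-v1:" + serial + ":")
	return append(msg, ownerPub...)
}

// IssueUnlockToken is the vendor-side step (the "key by mail" in the post).
func IssueUnlockToken(vendorPriv ed25519.PrivateKey, serial string, ownerPub ed25519.PublicKey) []byte {
	return ed25519.Sign(vendorPriv, unlockMessage(serial, ownerPub))
}

// Unlock installs the owner's key only if the vendor-signed token matches
// this device's serial and that exact owner key.
func (d *Device) Unlock(ownerPub ed25519.PublicKey, token []byte) error {
	if !ed25519.Verify(d.VendorPub, unlockMessage(d.Serial, ownerPub), token) {
		return ErrBadToken
	}
	d.OwnerPub = ownerPub
	return nil
}

// VerifyUpdate accepts an image signed by the vendor or, once unlocked, by
// the owner. A bare "just flash this" request with no valid signature is
// refused, which is what blunts the social-engineering path.
func (d *Device) VerifyUpdate(image, sig []byte) error {
	if ed25519.Verify(d.VendorPub, image, sig) {
		return nil
	}
	if d.OwnerPub != nil && ed25519.Verify(d.OwnerPub, image, sig) {
		return nil
	}
	return ErrBadSignature
}

func main() {
	// Constructed keys and image for demonstration only.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := NewDevice("SN-0001", vendorPub)
	image := []byte("constructed firmware image")

	fmt.Println("vendor update:", dev.VerifyUpdate(image, ed25519.Sign(vendorPriv, image)))
	fmt.Println("owner update while locked:", dev.VerifyUpdate(image, ed25519.Sign(ownerPriv, image)))
	token := IssueUnlockToken(vendorPriv, "SN-0001", ownerPub)
	fmt.Println("unlock:", dev.Unlock(ownerPub, token))
	fmt.Println("owner update after unlock:", dev.VerifyUpdate(image, ed25519.Sign(ownerPriv, image)))
}
```

The vendor key stays trusted after unlock, which is what lets the "popular modifications get signed and redistributed by the manufacturer" path keep working on unlocked and locked devices alike.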
Another approach is to keep a portion that exists for safety which no one can modify (the "burned into ROM" exception to the GPL). But I'm skeptical whether the modifiable part can be Turing complete and still keep out malicious software.