These practical problems make the project less feasible:
1. Making end applications implement your protocol (eg Facebook) makes it way harder to scale, simply because the enshittified big tech apps are unlikely to care. Now the apps will have to maintain a separate service and not get paid to do it.
2. Having deliberate physical couriers travel across borders is a massive risk - a hop to hop mesh network where connectivity can be easily established across all users (every user is a courier when they connect to unlimited mobile data or wifi) will make the network a lot more available.
> These practical problems make the project less feasible:
I agree! But...
> 1. Making end applications implement your protocol (eg Facebook) makes it way harder to scale, simply because the enshittified big tech apps are unlikely to care. Now the apps will have to maintain a separate service and not get paid to do it.
My bet is that, once we gain sufficient ground, Facebook and other mainstream social networks will be interested in building alternative clients powered by Awala, just like Twitter built "Twitter Lite" back in the day. It's likely to be a PR stunt.
OTOH, third parties could build such applications, as long as the social networks give them access to their APIs (without extortionate fees!).
Until we gain sufficient ground, we'll carry on with in-house Awala-compatible apps like Letro.[1]
> 2. Having deliberate physical couriers travel across borders is a massive risk
> a hop to hop mesh network where connectivity can be easily established across all users (every user is a courier when they connect to unlimited mobile data or wifi) will make the network a lot more available
I don't think that's a practical solution. Bluetooth-based meshnets are rather cumbersome to use, and WiFi-based ones are not even feasible (on Android, for example, you'd have to root your phone). Also, the regions we're targeting have low-spec devices, where most won't have enough capacity to replicate so much data from their family/neighbours.
It would be more useful to build a Bluetooth mesh network (like what AirTags already use) to carry small pieces of information across long distances without internet access, instead of having physical couriers that need to deliberately stop and have people connect to them to store data and potentially charge a fee.
It should be ubiquitous and something that just works when someone passes by.
Bluetooth LE support would be great. That's the one P2P thing that allows Apple and other devices to communicate without an internet connection (or at least a Wi-Fi infrastructure network).
Without splashy narrative and quantifiable risk the vendors won't change and the general public won't perceive the danger of unsupported devices. Public bounties are one way to change both so this seems like a reasonable project with net benefit.
Let's say there's a group of people living in a small, old house. They have the money to move to a bigger, newer one, but there's sentimental and other value to the one they're in.
Yeah, they don't have the latest door chain and fancy security systems, but that just means they don't open the door to random people who come knocking and are more careful and wary of burglars.
Now imagine a real estate company paying people to try and break into houses like theirs in order to scare the people into spending money and moving to a bigger and newer house they don't want to move to, claiming that the people don't know any better and need to be FUD'd for their own good.
A better analogy is a product safety bulletin: if your stove has a design flaw that can burn down your house, the main difference is whether you or the manufacturer knows to do something about it. The bugs exist and people exploit them; it's mostly a question of whether the general public is aware. Breaking into houses requires a lot of labor to scale, exploiting software bugs doesn't, so past some point more people knowing about them doesn't increase risk in the same way.
After 25 years of this debate it's pretty clear what works.
Just went to get some BIOS files for the 5th gen Intel NUCs and they've purged them from the site. It's like when Microsoft purged the KB of everything not in current support. Burning of libraries, it's sickening.
It might put pressure on customers to demand products with longer support lifecycles, which in turn forces vendors to offer longer support and/or make their software and APIs open source once support ends.
>It might put pressure on customers to demand products with longer support lifecycles
It won't. It'll allow vendors to put pressure on customers to buy new shit to replace their old shit that still works just fine that the vendor would rather not spend the resources patching.
The first best thing for vulnerabilities is fixing them, the second best is knowing they exist and what they specifically are (so one can either try to mitigate them or make an informed choice on replacing equipment).
I don't see it like that at all. Some 0-days can (somewhat) be mitigated by other hardware/software.
I'd rather have as many "known" 0-days in the open than have it the other way, even if it means I won't see any updates to affected devices or software.
I'm thinking that bugs may not necessarily disappear when the device or application where they are discovered is EOL'd. This research could discover attack vectors and vulnerabilities that will need to be addressed in active implementations.
Do you think devices are retired because they aren't sold? Why would you want that information to be known only by bad actors? Just imagine trying to convince someone who mounted a beautiful Android 4.4 tablet to control their smart home (heh) 5 years ago that they will have to redo everything because they bought into a proprietary protocol and the base OS isn't receiving security updates.
Or do you truly believe you are safe if you hide under your bedsheet?
It's about the barrier to entry and amount of effort to exploit something. When public information comes out about a vulnerability that can't be patched in a reasonable amount of time (due to EOL or some other reason), the bad actors have the upper hand.
Giving ransomware actors free bugs for mass exploitation when they are unlikely to be patched is just putting innocent users in harm's way. It doesn't really make a dent in the shit vendors' profits, so the only other motives are 1) to show off your cool research or 2) protest ridiculous EOL deadlines (which, sure, might make a difference).
You’re assuming bad actors don’t already know about these zero days. You have to assume any possible vulnerability is already being exploited. Publishing zero days in EOL devices reduces the information asymmetry.
When there's no publicly known bug, someone needs to spend the time and effort to research it; when public POCs come out every skid cybercrime crew jumps on and starts exploiting it for financial gain.
Fun idea, although nobody who is serious enough about hacking will use their home PC as source, more likely it will be some random grandpa's old router. Even putting that aside, we can't exactly send a SWAT team to China...
Look at what they are saying. They want to document all sorts of bugs in past products for future research purposes. And they want to draw attention to the product so that it gets replaced.
I agree putting such burdens on companies with little IT resources isn’t healthy for the company, its customers or anyone else. This is hostile.
If you put a product out in the field which can potentially be remotely exploited it’s on you to either patch it when someone does find an exploit or possibly open source everything so others can. If you genuinely can’t support it I guess you could put a self-destruct mechanism in which remotely bricks the device instead, just don’t expect your customers to be happy about it.
... or maybe build a foolproof product that cannot be hacked or attacked. Maybe products that don't get updated lose their access to the internet, and the only way you can get access is through some clamped-down application.