⋔ about ⋔ contact ⋔ licensing ⋔ oostats ⋔ wiki ⋔ support ⋔ faq ⋔ archives ⋔
416 words by gman999 written on 2017–04–03, last edit: 2017–09–03, tags: android, monocultures, os ⋔ Previous post: What Motivates You to Run a Tor Relay? ⋔ Next post: Tor Summit 2017 in Amsterdam
The central focus of TDP is operating system diversity by extending BSD Unix into the Tor network on all levels. From *BSD relays to Tor Browser ported to OpenBSD, TDP looks to hinder the capability of one operating system-specific vulnerability to harm the integrity of the entire Tor network.
From a different angle, Android edging out Windows as the primary client operating system is a notable change.
The user “desktop” no longer necessarily resides at the user’s desk. Particularly in less-developed countries and among many working-class people, the main platform for accessing the internet is the phone. Essentially, there is a definition shift in client internet-accessing systems, and Android takes the day with some 37.93% of the market.
This is a far cry from the old desktop monoculture debate (pdf) from the early 2000’s. It was only a matter of time before Android took the cake as the role of the phone changed and Android dominates the cheaper end of the phone market globally.
Of course operating system diversity for internet-accessing platforms is good. The question is really is this “good enough”?
Android systems tend to cover a range of versions, some patched to addressed security vulnerabilities, but most are not. There are some interesting new Android forks such as CopperheadOS, but mass adoption seems unlikely in the forseeable future.
No one gets bumped from their cellular carrier when their phone’s Android version faces an end-of-life development status, and many providers aren’t particularly interested in devoting resources to maintaining multiple branches of Android, and providing timely patching of known issues.
Replacing a Windows monoculture with a Windows/Android mix might seem like a significant step forward in terms of vulerability mitigation, but merely replacing crud with two cruds can’t be considered a victory for the security community.
The interesting angle might really be that the “desktop” is now attached to the end-user one linear step away from science fiction Cyborg reality, and that cell phone network providers and device manufacturers are not better than Microsoft at handling security disclosures. In fact, with hundreds of network providers and handset manufacturers now populating the Android market, it’s no longer about convincing one software company to address security issues. The goal of reasonably secure client systems seems more of a delusion than even a remote possibility with the decline of the Microsoft monoculture.
Yes, some diversity can be worse for security and network integrity.
Copyright © 2015–2017 by The Tor BSD Diversity Project (TDP). All Rights Reserved.