[–] RiverWind [S] 0 points 1 points (+1|-0) ago 

  • The laptop has no known impediments to receiving the FSF (Free Software Foundation) RYF (Respects Your Freedom) award.
  • Modular design engineered to end planned obsolescence and make upgrading components easy and eco-friendly.
  • The computing component fits in your wallet and can be slotted into a laptop case, mini-computer chassis, or other devices.

[–] [deleted] 0 points 1 points (+1|-0) ago  (edited ago)

[Deleted]

[–] RiverWind [S] 0 points 0 points (+0|-0) ago 

For those interested in what possible alternatives there might be to the Allwinner, there is a summary on the crowdfunding page.

[–] RiverWind [S] 0 points 0 points (+0|-0) ago  (edited ago)

Thanks for raising this issue. The developer is aware of this "debugging code", which could reasonably have been left in to assist factories with no coding experience.

Because the project is Libre and will likely receive the FSF RYF accolade, all code in the device that ships will grant the four freedoms:

  • Use as you wish
  • Study and read everything
  • Allow modifications
  • Allow copying and sharing

Surely, this unwanted 'feature' will be removed from the kernel that ships with the Libre device.

Excors comments on the article:

This is the source code - it's a very straightforward kernel driver, in a standard location for machine-specific drivers, which creates a /proc/sunxi_debug/sunxi_debug file that does a strncmp("rootmydevice",(char*)buf,12) and a printk("now you are root\n"). There's clearly no attempt to hide it at all. The driver even advertises its own presence in the kernel log every time you boot the device.

If Allwinner had any malicious intent, they've already got nearly three million lines of code that differ from the upstream kernel (drivers for GPUs, wireless, cameras, etc) and it'd be really easy to hide a backdoor somewhere in the middle of that, where nobody will ever look. That would be much more effective than this "rootmydevice" driver, which is easy to spot, and which won't work as a backdoor for very long since it has to be removed once somebody spots it.

Since this would be such a stupid design for a malicious backdoor, it's far more plausible that it's just an accidental one added by a developer who wanted an easy way to debug unrooted Android devices, followed by careless code review that let it get into a shipping branch.

Or maybe they made it so obvious because that's exactly what the Chinese government wants us to think! But there are plenty of other legitimate security problems here - the vast amounts of non-upstream code, the lack of code review, the use of a 3.4.39 kernel version from 2013 (the latest upstream release on that branch is 3.4.112), the general lack of caring about security across pretty much the entire industry (in my experience it's always lower down the list of priorities than "getting the product shipped" and "meeting performance benchmark targets") - and I think it's more productive to worry about all those things before getting paranoid about backdoor double-bluffs.
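
A defensive check for the driver described in the quoted comment, as an added example that is not part of the thread or of any project's code: it looks for the proc file, tests whether any user can write to it, searches a saved kernel log for the driver's printk text, and flags a 3.4.x kernel older than the 3.4.112 release the comment mentions. The function names and the `ROOT`/`LOGFILE` arguments are assumptions made for this example; the path, the log string and the version number are the ones quoted above.

```shell
#!/bin/sh
# Added example: audit a device (or an unpacked image under ROOT) for the
# debug driver quoted above. Function names and arguments are hypothetical.
PROC_ENTRY="proc/sunxi_debug/sunxi_debug"   # path from the quoted comment

# has_debug_entry ROOT -> 0 if the driver's proc file exists under ROOT
has_debug_entry() { [ -e "${1%/}/$PROC_ENTRY" ]; }

# entry_world_writable ROOT -> 0 if any local user may write to the file
entry_world_writable() {
    f="${1%/}/$PROC_ENTRY"
    [ -e "$f" ] && [ -n "$(find "$f" -perm -0002 2>/dev/null)" ]
}

# log_shows_use LOGFILE -> 0 if the driver's printk text is in a saved log
log_shows_use() { grep -q 'now you are root' "$1" 2>/dev/null; }

# on_stale_34_branch RELEASE -> 0 if RELEASE is 3.4.x older than 3.4.112,
# the branch tip named in the comment (e.g. "3.4.39" or "3.4.39-vendor")
on_stale_34_branch() {
    case "$1" in 3.4.*) ;; *) return 1 ;; esac
    patch=${1#3.4.}
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] && [ "$patch" -lt 112 ]
}

# audit ROOT RELEASE [LOGFILE] -> 0 if clean, 1 if anything was reported
audit() {
    rc=0
    if has_debug_entry "$1"; then
        echo "FOUND: /$PROC_ENTRY exists"
        if entry_world_writable "$1"; then echo "  any user can write to it"; fi
        rc=1
    fi
    if [ -n "${3:-}" ] && log_shows_use "$3"; then
        echo "FOUND: kernel log contains 'now you are root'"
        rc=1
    fi
    if on_stale_34_branch "$2"; then
        echo "WARN: kernel $2 is behind 3.4.112"
        rc=1
    fi
    return $rc
}

# Live system: an empty ROOT means the real /proc is inspected.
audit "" "$(uname -r)" || echo "review the findings above"
```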