Sign in / up

back to article Shuttleworth: Firmware is the universal Trojan

Canonical boss Mark Shuttleworth has called on the world to abandon proprietary firmware code, calling all such code “a threat vector”. In this blog post, Shuttleworth makes the case that manufacturers are simply too incompetent, and attackers (including government security agencies) too competent, for security-by-obscurity in …

COMMENTS

House rules Send corrections
This topic is closed for new posts.

Page:

    1. Ed 13
      Reply Icon
      FAIL

      "Great, you give him an F because his solution is too complex to implement yet you cannot come up with a better one ..."

      He was just pointing out that complexity == cost, which doesn't go down well in a capitalist free market economy, so people will go with proprietary as it cheaper.

      0 0
    2. Charles 9
      Reply Icon

      Trojans are one problem, the other being their reluctance to allow third parties to redistribute their blobs, which of course is their way of controlling their blobs.

      That's because those blobs represent trade secrets if not patents. The blobs represent a guard against industrial espionage by a rival firm, so there's a money angle for them meaning they won't give them up. Firm like this, if forced to open up, would probably pack up and go home instead, leaving no one to offer innovations.

      2 4
      1. MacroRodent
        Reply Icon

        Serious industrial spies will have no trouble getting hold of a binary blob to analyze, even if its redistribution is restricted (spies by definition do not obey the rules). Such redistribution restrictions hamper only honest users.

        3 0
        1. Hans 1
          Reply Icon
          Linux

          >Serious industrial spies will have no trouble getting hold of a binary blob to analyze

          Exactly

          To the others that downvoted me and reply with utter FUD (You seriously believe that, no, really ? Wow!):

          Claiming blobs secure your patents/features from competing firms is simply silly. Imagine all the drivers that exist for GNU/Linux where no blobs are needed - are the businesses that create those devices all gone bust ? Guess what, no.

          Besides, OSS code is MUCH cheaper than proprietary code, because you have volunteers.

          So I stand by my initial claim, blobs are evil and need to go - so much 20th century practice. Welcome to the new world of free and open firmwares.

          Wanna install OpenVPN on your DSL router, you can do so now with open firmware ...

          2 2
        2. Charles 9
          Reply Icon

          But the thing is, trade secrets and patents are protected by law. That's why industrial espionage is illegal. The blob shows intent to keep secret, sorta like the DMCA provision.

          Also, hardware patents prevent people from rolling their own, so you're up the creek with a Hobson's choice.

          0 0
  2. cracked
    Stop

    End Of Life

    Hello, what can I help you with today?

    Oh, I'm very sorry to hear that; but I'm sure your bank will compensate you ... Now, how long have you owned your current toaster?

    I see ... And when you purchased it, did the salesman inform you of the EOL Date?

    Oh ... Well, it was the year after you bought it.

    What? No, obviously the manufacturer is no longer updating the firmware for that model. No ... I'm sorry to say that the firmware from the current model isn't compatible.

    What!!? You thought it would make your toast for years to come! But it does so much more than simply toast!

    Yes, of course it does. That was required so that it could upload the number of slices you toasted to that ... cloud-based calorie-counter ... What' was it called? Ah, I forget ... I think it closed down a year or two ago ...

    Hmm? You don't use a cloud-based calorie-counter? Ah; then this probably wasn't the toaster for you!

    What? Well yes, it was still uploaded ... Oh, to some default profile the manufacturer created, I should imagine ... Has the data been what?! Good lord I shouldn't think so; it's just some simple firmware.

    You didn't realise? Did you read the manual? Ah no, there wouldn't be; not for a product in that price bracket - You would have to downloaded it, from the manufacturer's website.

    Have they really?! Well, I guess that does happen in this industry.

    And you bought it two years ago, you say? ... Well, it's about time for a new one then, isn't it! The burning of bread has moved on a pace, since you were last in the market. Can I recommend the latest ...

    25 1
    1. Charles 9
      Reply Icon

      Re: End Of Life

      There would probably be unintended consequences, but what if there was a policy that prescribed that "working life" periods were determined by someone other than the manufacturer? Of course, the obvious question becomes, "Who?" DTA mode again...

      0 0
  3. Aslan

    Prudent

    This sounds like a wonderfully prudent idea.

    I believe the way this would work is the properties of the hardware are provided in firmware, and then the OS loads code to the firmware flash, or if code is already loaded checksums the content. Thus you see the same level of performance, but have a system you can check to see if you control.

    0 0
  4. tentimes

    He;s right - but MS etc won't give up the money from NSA

    There is no way that the NSA will let this one slip by. They will just increase the secret billions they give Microsoft etc to keep this working for them. Kill every fledgling company that makes a board that boots to kernel, buy it out etc. BIOS and firmware are too tasty for America to let go of them.

    0 3
    1. dogged
      Reply Icon

      Re: He;s right - but MS etc won't give up the money from NSA

      Where's the AC with his cut&paste Microsoft security troll when you need him?

      You dullard.

      4 0
  5. Michael H.F. Wilkinson Silver badge

    It's not just the "regular" firmware

    What about all the microcode in most, if not all CISC processors (not sure about modern RISC machines)? In principle it could be doing all sorts of things beyond performing the instruction requested by the given op-code.

    Opening up the code for inspection might work, but then you would still need to check the actual product shipped to ensure it adheres to the open specifications.

    The problem with paranoia is choosing an appropriate point to stop suspicions, and start trusting. I have no easy answer for that.

    4 0
    1. Roo
      Reply Icon

      Re: It's not just the "regular" firmware

      "Opening up the code for inspection might work, but then you would still need to check the actual product shipped to ensure it adheres to the open specifications."

      You are allowed to ship an open test suite with your an spec. Also there is nothing stopping people from writing their own tests - at least they have a spec they can test against... ;)

      "The problem with paranoia is choosing an appropriate point to stop suspicions, and start trusting. I have no easy answer for that."

      It's a question of cost-benefit. At present the cost-benefit of checking my home router to see if it's been reconfigured (sometimes the ISP likes to dip in and erase all the firewall rules - let alone hackers) without my say so is actually firmly in negative territory at the moment. A static hardware description underpinning a cut-down OpenBSD install on that router would save me an awful amount of time and pain.

      3 0
  6. Anonymous Coward
    Anonymous Coward

    almost right

    Firmware the universal trojan? Surely that's the NSA/GCHQ.

    0 1

Page:

This topic is closed for new posts.

Other stories you might like