From: Maxim Cournoyer
Subject: Re: Free firmware - A redefinition of the term and a new metric for its measurement.
Date: Sun, 12 Feb 2017 23:02:29 -0800
Message-ID: <874lzy4lq2.fsf@gmail.com>
In-Reply-To: <06cfad8d-0222-1c63-522d-013ecd2e6ce8@alaskasi.com> (Christopher Howard's message of "Fri, 10 Feb 2017 09:21:48 -0900")
To: Christopher Howard
Cc: guix-devel, David Craven, Workgroup for fully free GNU/Linux distributions
List-Id: guix-devel.gnu.org

Hi,

Christopher Howard writes:

> On 02/10/2017 08:31 AM, David Craven wrote:
>> Hi Maxim
>>
>>> +1. I don't see how having blobs helps security at all.
>>
>> Well the problem I was getting at is that things are not as fixed as
>> they may seem.
>> Quoting wikipedia:
>>
>>>> Decreasing cost of reprogrammable devices had almost eliminated the market for mask ROM by the year 2000.
>>
>> Translation: ROM is not RO.
>>

You have a point, although reading the article linked (from Wired), this kind of attack requires a lot of effort (to reverse engineer the proprietary interfaces used to reprogram the firmware of a HD). At this level of seriousness they might as well find other means to get at you, such as physically altering one of the devices you use without you noticing.

>> It is not a theoretical threat, and just as dangerous as other threats
>> that people put a lot of effort in avoiding [0]
>>

They were using Windows and allowing people to shuffle USB keys. That fits strangely with "putting a lot of effort in avoiding security risks" ;).

>> I don't see how trusting the manufacturer when buying the product is
>> any different from trusting him down the road. I was talking about
>> malicious third parties. Obviously planting something in difficult to
>> upgrade persistent memory is a lucrative target for attackers -
>> manipulating firmware becomes plain uninteresting in the other case.
>>
>>> The companies that should be rewarded are the ones that release
>>> firmware, source code, and tool chain. E.g., Thinkpenguin and the TPE-R1100.
>>
>>> Indeed, we ought to put our money where our mouth is, i.e. back the
>>> companies which are helping the cause of free software/hardware.
>>
>> I don't think they actually produce any silicon, toolchain or firmware
>> themselves. At least I didn't find a link to it. So they are basically
>> using other people's silicon, toolchain and firmware. Giving them
>> credit for complying with the GPL is not quite right either. (But I
>> don't know who's behind the thinkpenguin and it looks like a great
>> accomplishment).
>>

Probably not themselves, but they could hire someone to work on it. I remember reading a story where ThinkPenguin had been involved in negotiating with a hardware company and played a part in having that company agree to release their firmware. Sadly I can't find that story anymore! And the company seems active in the free software community and promoting/defending values of the movement. You can have a look at their blog to see for yourself (https://www.thinkpenguin.com/blog).

>> To independently verify the claim that the firmware they are using is
>> indeed fixed, would actually require them to release both schematics
>> and datasheets of their designs.
>>
>> [0] https://www.wired.com/2015/02/nsa-firmware-hacking/
>>
>
> Stallman did an extensive article in 2015 which I think is relevant to
> this discussion:
>
> https://www.gnu.org/philosophy/free-hardware-designs.en.html
>

A recommended read for anyone interested in the idea of free hardware! Thanks for sharing.

Maxim