Hi,

Christopher Howard writes:

> On 02/10/2017 08:31 AM, David Craven wrote:
>> Hi Maxim
>>
>>> +1. I don't see how having blobs helps security at all.
>>
>> Well, the problem I was getting at is that things are not as fixed as
>> they may seem.
>> Quoting Wikipedia:
>>
>>>> Decreasing cost of reprogrammable devices had almost eliminated the
>>>> market for mask ROM by the year 2000.
>>
>> Translation: ROM is not RO.

You have a point, although, reading the article linked (from Wired),
this kind of attack requires a lot of effort (to reverse engineer the
proprietary interfaces used to reprogram the firmware of a HD). At this
level of seriousness they might as well find other means to get at you,
such as physically altering one of the devices you use without you
noticing.

>> It is not a theoretical threat, and just as dangerous as other threats
>> that people put a lot of effort in avoiding [0]

They were using Windows and allowing people to shuffle USB keys. That
fits strangely with "putting a lot of effort in avoiding security
risks" ;).

>> I don't see how trusting the manufacturer when buying the product is
>> any different from trusting him down the road. I was talking about
>> malicious third parties. Obviously, planting something in
>> difficult-to-upgrade persistent memory is a lucrative target for
>> attackers - manipulating firmware becomes plain uninteresting in the
>> other case.
>>
>>> The companies that should be rewarded are the ones that release
>>> firmware, source code, and tool chain. E.g., ThinkPenguin and the
>>> TPE-R1100.
>>
>>> Indeed, we ought to put our money where our mouth is, i.e. back the
>>> companies which are helping the cause of free software/hardware.
>>
>> I don't think they actually produce any silicon, toolchain or firmware
>> themselves. At least I didn't find a link to it. So they are basically
>> using other people's silicon, toolchain and firmware. Giving them
>> credit for complying with the GPL is not quite right either. (But I
>> don't know who's behind ThinkPenguin, and it looks like a great
>> accomplishment.)

Probably not themselves, but they could hire someone to work on it. I
remember reading a story where ThinkPenguin had been involved in
negotiating with a hardware company and played a part in having that
company agree to release their firmware. Sadly I can't find that story
anymore! And the company seems active in the free software community,
promoting/defending the values of the movement. You can have a look at
their blog to see for yourself (https://www.thinkpenguin.com/blog).

>> To independently verify the claim that the firmware they are using is
>> indeed fixed would actually require them to release both schematics
>> and datasheets of their designs.
>>
>> [0] https://www.wired.com/2015/02/nsa-firmware-hacking/
>>
>
> Stallman did an extensive article in 2015 which I think is relevant to
> this discussion:
>
> https://www.gnu.org/philosophy/free-hardware-designs.en.html

A recommended read for anyone interested in the idea of free hardware!
Thanks for sharing.

Maxim