Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a new metric for it's measurement.

[Maxim Cournoyer]

Hi,

Christopher Howard <address@hidden> writes:

> On 02/10/2017 08:31 AM, David Craven wrote:
>> Hi Maxim
>> 
>>> +1. I don't see how having blobs helps security at all.
>> 
>> Well the problem I was getting at is that things are not as fixed as
>> they may seem.
>> Quoting wikipedia:
>> 
>>>> Decreasing cost of reprogrammable devices had almost eliminated the market 
>>>> for mask ROM by the year 2000.
>> 
>> Translation: ROM is not RO.
>>

You have a point, although reading the article linked (from Wired), this
kind of attack requires a lot of effort (to reverse engineer the
proprietary interfaces used to reprogram the firmware of a HD). At this
level of seriousness they might as well find other means to get at
you, such as physically altering one of the device you use without you
noticing.

>> It is not a theoretical threat, and just as dangerous as other threats
>> that people put a lot of effort in avoiding [0]
>>

They were using Windows and allowing people to shuffle USB keys. That
fits strangely with "putting a lot of effort in avoiding security risks"
;).

>> I don't see how trusting the manufacturer when buying the product is
>> any different from trusting him down the road. I was talking about
>> malicious third parties. Obviously planting something in difficult to
>> upgrade persistent memory is a lucrative target for attackers -
>> manipulating firmware becomes plain uninteresting in the other case.
>> 
>>> The companies that should be the rewarded are the ones that release
>>> firmware, source code, and tool chain. E.g., Thinkpenguin and the TPE-R1100.
>> 
>>> Indeed, we ought to put our money where our mouth is, i.e. back the
>>> companies which are helping the cause of free software/hardware.
>> 
>> I don't think they actually produce any silicon, toolchain or firmware
>> themselves. At least I didn't find a link to it. So they are basically
>> using other peoples silicon, toolchain and firmware. Giving them
>> credit for complying with the GPL is not quite right either. (But I
>> don't know who's behind the thinkpenguin and it looks like a great
>> accomplishement).
>>

Probably not themselves, but they could hire someone to work on it. I
remember reading a story where ThinkPenguin had been involved in
negotiating with a hardware company and played a part in having that
company agree to release their firmware. Sadly I can't find that story
anymore!  And the company seems active in the free software community
and promoting/defending values of the movement. You can have a look at
their blog to see for yourself (https://www.thinkpenguin.com/blog).

>> To independently verify the claim that the firmware they are using is
>> indeed fixed, would actually require them to release both schematics
>> and datasheets of their designs.
>> 
>> [0] https://www.wired.com/2015/02/nsa-firmware-hacking/
>> 
>
> Stallman did an extensive article in 2015 which I think is relevant to
> this discussion:
>
> https://www.gnu.org/philosophy/free-hardware-designs.en.html
>

A recommended read for anyone interested in the idea of free hardware!
Thanks for sharing.

Maxim

signature.asc
Description: PGP signature