
Re: more evil firmwares found



On Thu, Apr 15, 2004 at 09:43:07AM +0200, Eduard Bloch wrote:
> #include <hallo.h>
> * Nathanael Nerode [Wed, Apr 14 2004, 01:49:03PM]:
[I don't know what happened to the attributions here]
> > >> (a) Nobody seems to be *listening*; they keep saying "Everyone will need
> > >> this firmware!".
> > > 
> > > No. I think you are blinded after fighting the evil non-free software,
> > > so much that you don't see the limits of feasibility.
> > And I think you're seeing the limits of feasibility where they aren't.
> 
> The limits are there. You just dreamed that you can force hardware
> vendors to share their IP, giving away things they need to earn the
> money to survive. But now it's time to wake up.

There are cases where getting the firmware source under any licence
wouldn't help you, anyway. I'm assuming that actually being able to
build the source, modified or otherwise, and put it into hardware is a
requirement.

Where I work at the moment (a company selling cryptographic hardware
security modules), module firmware is signed using a highly secure key,
and modules we release into the field will not accept new firmware
unless it comes with a valid signature from this key. While I'd
personally obviously like to see our source freer than it currently is,
it's not clear that that would or should make it any more acceptable to
Debian, since you wouldn't be able to do anything more than look at it
with any hardware you can possibly get hold of, and changing that fact
would defeat the entire purpose of the hardware (since, if you could
upload trojaned firmware, then so could an attacker who's taken over
your host system, and the point of hardware security is to protect your
keys even if the host system is compromised).

This is an edge case, I guess, but still.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]


