Re: more evil firmwares found

Colin Watson wrote:
| There are cases where getting the firmware source under any licence
| wouldn't help you, anyway. I'm assuming that actually being able to
| build the source, modified or otherwise, and put it into hardware is a
| requirement.
But, see, it isn't required that modified firmware be able to be put in
the *same* hardware.  :-)  Modification is routinely valuable for
purposes other than tweaking existing code -- code reuse in different
areas, for instance.

In the case of your company below, it could be used in different
hardware applications of the same chipset, for instance.  This would be
particularly applicable if you're using stock programmable chips in your
hardware; if you're using custom chips, not so much.

| Where I work at the moment (a company selling cryptographic hardware
| security modules), module firmware is signed using a highly secure key,
| and modules we release into the field will not accept new firmware
| unless it comes with a valid signature from this key.
Cool!  An actual security scheme!

| While I'd
| personally obviously like to see our source freer than it currently is,
| it's not clear that that would or should make it any more acceptable to
| Debian, since you wouldn't be able to do anything more than look at it
| with any hardware you can possibly get hold of,
Hmm; isn't that just a bit of an exaggeration?

| and changing that fact
| would defeat the entire purpose of the hardware (since, if you could
| upload trojaned firmware, then so could an attacker who's taken over
| your host system, and the point of hardware security is to protect your
| keys even if the host system is compromised).
| This is an edge case, I guess, but still.