
Re: Automatic downloading of non-free software by stuff in main



Hi Adam,

I think you're probably already aware of the factual portions of my
claims below, but I'm making them for the benefit of the broader
audience.

At 2017-12-01T18:11:34+0100, Adam Borowski wrote:
> > > No, those derivatives are damage.  While their hearts are in the right
> > > place, they cause data loss and security holes by at least making people on
> > > Intel and AMD machines use known-buggy microcode.
[...]
> While their _intent_ is good, they are telling others to run software with
> known severe bugs.

It's wise to assume that all software that hasn't been formally _and_
independently verified has severe bugs.  And just because a bug is not
known to _you_ doesn't mean it isn't known to government snoops,
corporate revenue-maximizers, and criminals.

> Microcode itself has data loss and local exploits (such
> as an unprivileged user of an unprivileged VM taking over the host machine),
> then often comes in one bunch with IME updates that close remote holes.

And how do we know they aren't opening new ones due to the same factors
(bad design or bad intent) that led to the originals?

> And once remote holes come into play, it's no longer a matter of just what's
> running on your own computer.

We can be confident that all modern Intel- and AMD-based systems are
pre-compromised and running effectively hostile code fresh from the
factory.

1. https://libreboot.org/faq.html#intel
2. https://libreboot.org/faq.html#amd
3. https://lwn.net/Articles/738649/

-- 
Regards,
Branden
