On 09/12/2013 08:32 PM, adrelanos wrote: > So we have the (intel/amd)-microcode and the firmware-linux-nonfree > package which should be installed to improve security? Are there any > other packages of this type?
Who said they improve security? We don't know what they are. And I doubt they will patch a backdoor at this moment, specially when you don't know what the hell they have in your hardware. So my guess is that it's more likely their microcode is inserting a backdoor instead of patching it. > > What would you do if there was an exploit in the wild, which uses an > vulnerability in (intel/amd)? Let's say any website could prepare some > html code which would trigger a remote code execution. One that can only > be fixed by having the (intel/amd)-microcode package installed. I doubt there's HTML code with the ability to trigger remote code execution. More likely some JavaScript which is still hard at CPU level or an iframe downloading things. This will depend on vulnerability from all levels to go into the CPU, which is a hard combination to get in the open-source world. But let's say it's available an exploit like that: we are an universal operating system because we do not only support x86/x86_64. My suggestion would be: change your arch. I already own several ARM-machines, I suggest you buy something like this just in case. > > Is this a possible scenario? Everything is possible. > > What would you (Debian) do in this case? I don't know. We are a community, and I'm not a spokeperson for Debian although I'm a Debian Developer. I can't answer this. -- The Debian Project - http://debian.org/ Jose Luis Rivas - http://joseluisrivas.net/#ghostbar -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
