On Tue, 29 Oct 2013 19:41:55 -0400 shawn wilson <ag4ve...@gmail.com> wrote:
> On Tue, Oct 29, 2013 at 7:28 PM, Celejar <cele...@gmail.com> wrote:
> > On Tue, 29 Oct 2013 20:48:54 -0200
> > André Nunes Batista <andrenbati...@gmail.com> wrote:
> >
> > ...
> >
> >> phone users. But even in the case of traditional pc's, many people rely
> >> on proprietary BIOS or proprietary firmware for special devices or
> >> cards.
> >
> > I'm never really sure why people have such a hard time with that - even
> > without them, you're still relying on proprietary logic in hardware. If
> > you're really concerned that there could be something nasty in the BIOS
> > or firmware, you shouldn't use any non-open hardware. And for that
> > matter, even if you've seen the hardware specs, who says the
> > manufactured part you buy really follows them exactly, and doesn't have
> > a backdoor?
> >
>
> https://plus.google.com/u/0/103470457057356043365/posts/9fyh5R9v2Ga
> If you believe him, I wouldn't be so flippant about this. There are

I'm sorry if I came across as flippant, but my point still stands: if
you really don't trust the BIOS, there's no reason to trust the
hardware itself.

As to believing him, I really don't know what to say. He does seem to
be a serious security guy, but this seems pretty fishy, and he's not
providing any real information. In any event, insofar as I understand
what he's saying, he's talking about some sort of BIOS malware, not a
backdoor in the vendor provided BIOS, and I see no prima facie reason
that such a creation wouldn't pose an equal threat to a system running
an open BIOS as to one running a closed one.

> also IPMI issues (I think there's a Defcon talk on it) that you'll
> never be able to do anything to fix because the hardware is closed.
>
> > You have to trust someone, somewhere.
>
> You shouldn't /have/ to. That you currently do need to trust someone
> is probably an issue. I'm not as far as Stallman for F/OSS... until
> companies can't keep up with security issues, then they've shown they
> can't handle responsible updates and need to give up their IP that
> people have purchased with good faith.

But of course you have to trust someone! With Debian, you're trusting
the devs, upstream and DDs. Yes, in principle one can audit all the
code, but in practice, no one will ever audit all the code running on
his machine, and most people won't audit any of it. So it boils down
to trusting big commercial companies, or lots of individual devs. I
suppose that arguments can be made for either side, but it's utterly
impossible to run a system without trusting *anyone* at all.

Celejar

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131029222139.86f1975396c48be7dd5af...@gmail.com