I just did an 'interview' with LegbaCore today:


In addition to previous UEFI Forum plugfest advice from Phoenix (RUN
CHIPSEC!!), also note below comment from LegbaCore.

They were professional enough to reject my request for some dirt on
insecure OEM models to blog about, and they are waiting for you to work
with them or improve things on your own. Note the 2016 deadline, months
of time to responsibly prepare. See this response:

Q: You had a Twitter post a few weeks (months?) back, saying that you
were going to start releasing information about OEM systems’s
vulnerabilities. What’s up with that project, I’m eager to see this
data, as Consumer Reports and other computer review sources are useless
for this most crucial pre-sales information. Any chance you could give
FirmwareSecurity.com a teaser of this information, perhaps one new OEM
model released in the last 6 months that’s insecure? :-)
A: We anticipate that the project to start making some vendors’ firmware
security failings more apparent (via a public website) will probably
kick off in early 2016. We want to give all vendors that we think may
have an interest in improving their security a chance to either talk
with us about working with them, or show that they can make measurable
security improvements on their own within this timeframe.

In case you're not aware, LegaCore's services include working with
hardware vendors to ensure their systems are secure.

Speak up if you'd like an email introduction. :-)

Also see blog post for upcoming LegbaCore training, in case your QA
teams need some training. :-)

And re: security researchers and professional behaviour, please note
their recent nod to Intel UEFI team with help with recent vulns:

I've also been trying to get the various PC reviewers to start running
CHIPSEC as part of their review, so pre-2016 is preferable.

RSS: http://firmwaresecurity.com/feed

PS: Check out their new OpROM checker, released 5 days ago, see blog!
edk2-devel mailing list

Reply via email to