Hi David,

On Thu, 2 Feb 2017 21:18:06 +0100 David Craven <[email protected]> wrote:

> > I don't think the firmware needs to be uploaded at all to the AR9285
> > device.
>
> I don't understand:
>
> 1. free firmware - anyone can update the firmware
> 2. binary blob - the vendor can update the firmware
> 3. fixed at manufacturing time - no one can update the firmware
>
> Option 1 is obviously superior to the other two. But how is option 3
> better than option 2?

When it's option 3 then you personally can't be targeted without also targeting anyone else that could have bought that chip. With option 2 the vendor could create malicious firmware just for you - unbeknownst to you, of course.

If the firmware is actually fixed and constant (option 3), the company has a very large disincentive to do anything bad to it.

For example, let's say Intel had non-updateable microcode on its CPUs and it included a backdoor. If anyone *ever* found it, nobody would trust Intel ever again - and Intel couldn't sweep it under the rug because millions of physical chips that include the backdoor would be in the hands of different people. What could they do?

On the other hand, if firmware is updateable by a (possibly automated) program, that program could easily check whether it's running on *your* computer specifically and then give you a special firmware. Now nobody but you has a chance to find it. Not to mention checking the date etc. With all the spying going on that's a *real* possibility.

Also, many people already found backdoors in BIOS updates for example - so it's not theoretical.

So those were the life-and-death things.

From an engineering (integrator) standpoint a fixed firmware is also better since it doesn't change. So as an engineer you find out once and for all what it does now and it will continue doing that forever.

Moreover, the vendor has an incentive to actually test the thing and fix all the showstoppers *before* selling you the device. With option 2, they really don't (and also could change their mind at any time after the sale (!)).
